Stop phishing attacks on Salesforce

URL Protection is a feature of WithSecure Cloud Protection for Salesforce. It scans links across Salesforce environments for threats — including Sales Cloud, Service Cloud, Experience Cloud, and Agentforce — as well as in both standard and custom objects.

It blocks access to malicious or disallowed websites in real time, whether links appear in records, cases, community portals, chats, or automations. Protection works both when a link is first posted and again at the moment a user clicks it, ensuring newly weaponized malicious sites are caught.

It blocks phishing links and detects even sophisticated threats like newly registered domains and malicious destinations hidden with link shortenern (e.g. bit.ly, tinyurl).

(Note: Links hidden inside files or QR codes are scanned under the File Protection feature.)

No. Email filters only protect inboxes. Once a link enters Salesforce — through a record, case comment, file, or portal — email security no longer applies. Attackers know this and deliberately target Salesforce because those blind spots are often unprotected.

A single click can launch credential stealer malware, ransomware, or other malicious software. Some threats don’t even require clicks — “drive-by” downloads can trigger just by visiting a compromised page. Inside Salesforce, every file or link interaction can become a potential infection point if URLs aren’t inspected. Blocking sophisticated threats like newly registered domains and masked malicious short links is critical in phishing prevention.

Almost anywhere users can post or upload content: custom fields, standard objects and fields, case comments, community forums, email-to-case, web-to-case forms – or even Agentforce chats and workflows. These open text areas are often visible to external users. That makes Salesforce attractive as a distribution channel — attackers can reach employees through the same workflows you use to serve customers and partners. Because Salesforce integrates with so many business-critical systems, attackers use it as a distribution hub — one malicious link can spread risk into Microsoft 365, ERP, or service platforms.

Because the status of a URL can change quickly. A legitimate site today could be hijacked tomorrow. Attackers also use tricks like shortened links, freshly registered domains, or even AI-generated phishing kits to evade filters. That’s why time-of-click protection is critical: it evaluates the link as users access it, not just when it first appears.

Phishing remains the top cyberattack vector. IBM reports that 41% of attacks involve phishing, and 26% of those target public-facing applications like Salesforce. WithSecure telemetry shows that about 1% of all URLs scanned in enterprise Salesforce orgs are malicious. That may sound small, but at scale it represents thousands of dangerous links entering business workflows in an average Salesforce org in a matter of weeks. Salesforce itself has issued advisories highlighting phishing as a cyber risk.

Training helps reduce risk, but even experienced and knowledgeable people can be fooled. Attackers design phishing campaigns to look convincing and catch users off guard. Awareness is important, but security must step in when human error happens. Protecting users before they click is the responsible step.

Phishing inside Salesforce often goes unnoticed until it causes (visible) damage. Recent CRM and SaaS related incidents show how quickly attackers can steal credentials and pivot into connected systems. We’ve investigated breaches where a single phishing link in Salesforce led to stolen credentials, MFA tokens, and lateral movement into Microsoft 365. Waiting until after a breach is risky and expensive. These evergreen security mantras stay true: Prevention is always cheaper than response. You cannot protect what you do not see.

No. WithSecure™ Cloud Protection is Salesforce-native. It installs in minutes, covers standard and custom objects, and works across Sales, Service, Experience Cloud, and Agentforce. Threats are blocked automatically, with clear alerts and reporting for admins. There are ready-made dashboards and reports. You can create your custom reports, too.

It reduces noise for admins and SecOps by automatically blocking harmful links, filtering unwanted categories, and providing clear analytics. Instead of relying on users to spot every risk, security teams get real-time visibility and automated remediation. That means fewer incidents to investigate and faster response when something slips through. This is the first line of defence, acting right at the source without delay, or slowing down the business.