The FBI is alerting Salesforce users about persistent and active threat campaigns aimed at them.
The FBI Internet Crime Complaint Center (IC3) has issued a new advisory warning Salesforce customers of ongoing attacks by two threat groups: UNC6040 (aka ShinyHunters) and UNC6395.
🔍 UNC6040 (ShinyHunters)
- Active since Oct 2024
- Uses social engineering and vishing (voice phishing)
- Poses as IT support to trick call center employees into:
  - Sharing credentials or MFA codes
  - Installing malicious Salesforce apps disguised as Data Loader
  - Granting attackers large-scale data exfiltration access
- Victims often later receive cryptocurrency extortion demands
🔍 UNC6395
- Known for stealing OAuth tokens from Salesloft Drift Salesforce integrations
- Used stolen tokens to compromise hundreds of Salesforce environments
- Salesforce and Salesloft revoked the affected tokens on Aug 20; the Drift integration remains disabled until further notice
📌 What Salesforce says
- No vulnerabilities in Salesforce itself
- Campaigns are not limited to Drift integrations — other apps are impacted too
🔐 FBI Recommendations
- Train call center employees to spot social engineering
- Require phishing-resistant MFA
- Implement authentication, authorization, and accounting (AAA) systems
- Enforce IP-based access controls
- Monitor logs & browser activity for anomalies
- Audit and secure third-party connections
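Three of the recommendations above (IP-based access controls, log monitoring and auditing third-party connections) can be checked in a single pass over API activity records. The following is an added example, not code from the FBI, Salesforce or Alcaeus Services; the log fields, the connected-app allowlist, the corporate IP range and the export threshold are assumptions, and the records are constructed.

```python
"""Audit constructed Salesforce-style API activity records for the risks the
advisory describes: unapproved connected apps (e.g. a lookalike Data Loader or
a disabled third-party integration), access from outside the IP allowlist,
and unusually large data exports."""
import csv
import io
import ipaddress

# Constructed sample records, not real telemetry; the field names are assumptions.
SAMPLE_LOG = """timestamp,user,connected_app,source_ip,rows_exported
2025-09-10T09:01:00Z,alice@example.com,Salesforce Data Loader,203.0.113.10,1200
2025-09-10T09:05:00Z,bob@example.com,Data Loader Pro,198.51.100.7,850000
2025-09-10T09:07:00Z,carol@example.com,Drift,203.0.113.22,300
2025-09-10T09:09:00Z,dave@example.com,Salesforce Data Loader,203.0.113.11,400
"""

APPROVED_APPS = {"Salesforce Data Loader"}                    # assumed allowlist
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate range
EXPORT_ROW_THRESHOLD = 100_000                                # assumed per-request ceiling


def ip_allowed(ip: str) -> bool:
    """True when the source address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def audit(log_text: str) -> list[dict]:
    """Return one finding per record that violates at least one control."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["connected_app"] not in APPROVED_APPS:
            reasons.append("unapproved connected app")
        if not ip_allowed(row["source_ip"]):
            reasons.append("source IP outside allowlist")
        if int(row["rows_exported"]) > EXPORT_ROW_THRESHOLD:
            reasons.append("bulk export above threshold")
        if reasons:
            findings.append({"user": row["user"], "app": row["connected_app"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A record that trips all three checks at once (unknown app, foreign IP, very large export) is the pattern worth escalating first; a single unapproved-app hit is the cue to review that connection.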
⚠️ Why it matters
This warning highlights how human factors (social engineering) and third-party app integrations remain the weakest links in cloud platforms. Even without Salesforce vulnerabilities, attackers exploit trust, access tokens, and employee interactions to steal sensitive customer data.
At Alcaeus Services, we help organizations secure their cloud environments, establish robust identity controls, and minimize exposure to phishing and supply chain threats.