Back to the blog
June 5, 2025

Financially motivated threat actor targeting Salesforce instances for large-scale data theft

Google Threat Intelligence Group has identified a financially motivated threat actor conducting voice phishing campaigns aimed at breaching Salesforce instances.

The Nudge Security Team
SaaS Security Alerts

Google Threat Intelligence Group (GTIG) has identified a financially motivated threat actor, UNC6040, actively conducting sophisticated voice phishing (vishing) campaigns aimed at breaching Salesforce instances. The primary objective is large-scale data theft, followed by extortion demands.

‍

Campaign Details:

  • UNC6040 specializes in telephone-based social engineering, impersonating IT support personnel.
  • Operators manipulate employees into granting access or sharing sensitive credentials.
  • Recent incidents predominantly affect English-speaking employees of multinational corporations.

Attack Method:

  • Threat actors trick employees into authorizing malicious "connected apps," commonly disguised as Salesforce's legitimate Data Loader tool.
  • Victims are instructed via phone to authorize the malicious connected app through Salesforce’s setup page, inadvertently granting attackers extensive access rights.
  • Attackers utilize modified versions of Salesforce's Data Loader to exfiltrate sensitive data from compromised environments.

Additional Insights:

  • UNC6040 often employs Mullvad VPN IP addresses for unauthorized access and data exfiltration.
  • Observed infrastructure includes phishing panels targeting Okta credentials.
  • Extortion demands have surfaced months after initial breaches, suggesting collaboration with secondary threat actors monetizing stolen data. Threat actors occasionally claim affiliation with the ShinyHunters hacking group to heighten pressure.

Security Recommendations:

  • Least Privilege Principle: Restrict permissions, especially the "API Enabled" permission required by tools like Data Loader.
  • Implement Connected Apps Management: Limit connected app authorization strictly to necessary administrative personnel.
  • IP-Based Restrictions: Enforce login restrictions to known, trusted enterprise IP ranges to mitigate unauthorized access.
  • Advanced Monitoring: Utilize Salesforce Shield for enhanced visibility, transaction monitoring, and real-time security policy enforcement as well as saas security posture management solution.
  • Multi-Factor Authentication (MFA): Implement robust MFA across all applications.

‍

Learn about securing Salesforce data and access with Nudge Security →

Table of Contents

Example H2
Example H3
Example H4
Example H5
Example H6

Related posts

Guides
Exploring identity management for SaaS

How to streamline IAM, starting with a complete inventory of every and SaaS app that’s been introduced into your organization.

Read more
Product
A deep dive on SaaS spend management

How to use spend data and insights to prioritize your SaaS rationalization efforts, maximize impact, and earn quick wins.

Read more
Guides
A guide to SaaS security best practices for 2025

How to expose shadow IT, eliminate SaaS sprawl, and take control of your supply chain.

Read more
Report

Debunking the "stupid user" myth in security

Exploring the influence of employees’ perception
and emotions on security behaviors

Download the report
Watch the webinar

Let’s stay in touch.

Sign up for product updates, resources, and news. We promise we'll never send you spam. Or boring emails. Ever.
Product
OverviewChangelogPricingStatus
Resources
FAQSecurity ProfilesSaaS Security GlossaryData Breach ExplorerKnowledge BaseAPI Documentation
Company
Our ApproachOur TeamPress
Assurance
Trust & SecurityTerms & ConditionsPrivacy PolicySitemap

Use Cases

SaaS Security
SaaS Security Posture Management (SSPM)Okta SecurityAudit & ComplianceSaaS Attack SurfaceSOC 2 Compliance
SaaS Management
Shadow ITSaaS SpendAI SecurityCloud Governance
Third-Party Risk Management
Supply Chain SecurityOAuth Risk Management
Identity Governance
SSO OnboardingUser Access ReviewsEmployee OffboardingAccount Takeover Detection
© {year}, Nudge Security
1401 Lavaca St, Suite 40219
Austin, TX  78701