
Salesforce data theft campaign exposes SaaS integration risks
New data theft attacks have been observed targeting Salesforce instances through compromised SaaS integrations, raising concerns among security experts about the scope and coordination of the campaign.
Security professionals are closely following developments after Google Threat Intelligence reported widespread attacks involving stolen OAuth2 tokens from integrations between Salesforce and third-party applications, including the Salesloft Drift integration. Google tracks the actor as UNC6395; AppOmni's Chief Security Officer assesses the operation as likely state-sponsored. The attacks have affected hundreds of Salesforce tenancies across various sectors.
Attack characteristics
Cory Michal, Chief Security Officer of AppOmni, noted that while the techniques observed were not new, the attack's scale and operational discipline set it apart from typical SaaS breaches.
"In some ways, I'm not surprised by these attacks. We regularly see the compromise and abuse of OAuth2 tokens and SaaS-to-SaaS integrations. They've long been a known blind spot in most enterprise security programs. What did surprise me was the sheer scale and the methodical discipline the attackers demonstrated. This wasn't opportunistic, it looked highly coordinated, with a level of planning and execution that suggests a state-sponsored adversary pursuing a broader mission. That combination of tradecraft, targets and probable intent is what makes this campaign particularly concerning."
The attackers targeted organisations using stolen OAuth2 tokens tied to widely used integrations between Salesforce and other SaaS platforms. Michal emphasised the structured methodology seen in the attacks.
"What's most noteworthy about the UNC6395 attacks is both the scale and the discipline. This wasn't a one-off compromise; hundreds of Salesforce tenants of specific organizations of interest were targeted using stolen OAuth tokens, and the attacker methodically queried and exported data across many environments. They demonstrated a high level of operational discipline, running structured queries, searching specifically for credentials, and even attempting to cover their tracks by deleting jobs. The combination of scale, focus, and tradecraft makes this campaign stand out."
Exploiting SaaS blind spots
Security analysts have long cited the dangers of highly permissioned SaaS integrations. Michal said organisations' trust in third-party applications can create vulnerabilities that are hard to detect and defend against.
"This campaign underscores that highly permissioned OAuth and SaaS-to-SaaS integrations represent one of the largest risks and blind spots for organizations today. Once an integration is compromised, attackers can operate with the same level of access granted to that app, often bypassing traditional MFA controls. The risk is compounded if organizations are insecurely storing secrets, API keys, or credentials in Salesforce objects. In those cases, if the data was exfiltrated, it's very likely that connected systems such as AWS, Snowflake, or VPNs have already been compromised as well. That makes the blast radius of these attacks far larger than just the SaaS application itself."
Techniques and operational discipline
Although the attackers did not exploit previously unknown vulnerabilities in Salesforce, the campaign was marked by careful and disciplined use of legitimately issued OAuth tokens that had been stolen from the integration vendor. According to Michal, the attackers ran large-scale, structured queries for high-value information and actively attempted to delete evidence of their activities.
"The techniques used in this campaign weren't novel in terms of exploitation. The attacker didn't need to break Salesforce itself, they abused OAuth tokens from a widely used and trusted third-party integration to gain access. They then used that foothold in a very disciplined and methodical way. They ran structured SOQL queries, targeted high-value data like credentials, and attempted to cover their tracks by deleting jobs. While not technically sophisticated in terms of exploitation, the campaign was sophisticated in its scale, operational discipline, and its focus on exploiting what is often a blind spot: SaaS-to-SaaS integrations and the trust organizations place in them."
Indicators of a supply chain threat
Michal identified the targeting of security and technology firms as a likely indication that the attackers may be pursuing a broader strategy, potentially aiming at supply chain infiltration.
"One important aspect that shouldn't be overlooked is who was targeted. Many of the targeted and compromised organizations were themselves security and technology companies, which suggests this campaign may be the opening move in a broader supply chain attack strategy. By first infiltrating vendors and service providers, the attackers put themselves in position to pivot into downstream customers and partners. That makes this not just an isolated SaaS compromise, but potentially the foundation for a much larger campaign aimed at exploiting the trust relationships that exist across the technology supply chain."
Recommendations for organisations
The incidents serve as a warning to organisations managing SaaS-to-SaaS integrations. Michal outlined proactive steps for improving security and detection against similar threats.
"Organisations can address these threats now by taking a proactive approach to their OAuth2 and SaaS-to-SaaS integrations. That starts with assessing which apps are connected, what permissions they've been granted, and removing or tightening any that are overly broad. On the detection side, companies should be ingesting SaaS audit logs, monitoring for unusual query activity or large-scale data exports, and enriching those logs with threat intelligence to spot activity tied to malicious IPs or User-Agent strings. Combining proactive integration governance with continuous monitoring and anomaly detection gives organizations the best chance to catch these campaigns early and minimize impact."
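The first half of that recommendation, assessing which apps are connected and which grants are overly broad, is the kind of review that benefits from being codified. The following is an added example, not AppOmni's or Salesforce's code: it walks a constructed inventory of connected apps and flags the grants an integration review should tighten or revoke. The inventory shape, the sample app names, and the thresholds are assumptions for illustration; in practice the data would come from the Salesforce connected-app and OAuth token records exported from Setup.

```python
"""Connected-app scope audit (added example, not AppOmni or Salesforce code).

The inventory below is constructed. Scope names follow the Salesforce OAuth
scope identifiers; the policy thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# "full" grants everything the authorising user can do. "api"/"web" give API
# access, and "refresh_token"/"offline_access" let a stolen token be renewed
# indefinitely, which is the combination the campaign abused.
BROAD_SCOPES = {"full", "web", "api"}
PERSISTENT_SCOPES = {"refresh_token", "offline_access"}
STALE_AFTER_DAYS = 90        # assumed policy: unused integrations get revoked
HIGH_TOKEN_COUNT = 50        # assumed policy: many live tokens = large blast radius


@dataclass
class ConnectedApp:
    name: str
    scopes: set
    last_used: date
    token_count: int         # live OAuth tokens issued to this app across users


@dataclass
class Finding:
    app: str
    severity: str
    reasons: list = field(default_factory=list)


def audit(apps, today):
    """Return one Finding per app whose grants should be tightened or revoked."""
    findings = []
    for app in apps:
        reasons = []
        if "full" in app.scopes:
            reasons.append("'full' scope: the app inherits every permission of the granting user")
        elif app.scopes & BROAD_SCOPES and app.scopes & PERSISTENT_SCOPES:
            reasons.append("API access plus refresh tokens: a stolen token stays valid until revoked")
        idle = (today - app.last_used).days
        if idle > STALE_AFTER_DAYS:
            reasons.append(f"unused for {idle} days: revoke the connection")
        if reasons:
            high = "full" in app.scopes or app.token_count > HIGH_TOKEN_COUNT
            findings.append(Finding(app.name, "high" if high else "medium", reasons))
    return findings


# Constructed inventory (hypothetical apps and dates, not real tenant data).
TODAY = date(2025, 9, 1)
APPS = [
    ConnectedApp("Chat integration", {"api", "refresh_token"}, date(2025, 8, 30), 120),
    ConnectedApp("Legacy reporting", {"full", "refresh_token"}, date(2025, 3, 1), 3),
    ConnectedApp("Notifier bot", {"chatter_api"}, date(2025, 8, 31), 10),
]

if __name__ == "__main__":
    for f in audit(APPS, TODAY):
        print(f.severity.upper(), f.app)
        for r in f.reasons:
            print("   -", r)
```

The ordering of the checks matters: an app holding `full` is flagged on that alone, while the `api` + `refresh_token` combination is what turns a one-time token theft into durable access, so it is treated as a finding even when each scope looks reasonable in isolation.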
Attack chain details
Michal provided a breakdown of the attack's kill chain:
"Vendor Compromise (Unknown Vector) – The attacker first compromised Salesloft/Drift by unknown means, gaining access sufficient to obtain or abuse OAuth client secrets/tokens associated with Drift's Salesforce integrations.
Token Theft/Abuse – Using that foothold, the attacker acquired or leveraged access/refresh tokens tied to many Drift–Salesforce connections.
Authentication & Spread – Tokens were used to authenticate into hundreds of Salesforce orgs as the connected app/connection user, effectively bypassing MFA and inheriting the app's granted scopes.
Discovery – The attacker ran SOQL reconnaissance (e.g., COUNT queries across Users, Accounts, Opportunities, Cases) to size up each tenant and plan extractions.
Collection & Exfiltration – They performed targeted data pulls (user/account/case data, etc.) and exported large volumes across organisations.
Credential Harvesting – Exfiltrated data was parsed for credentials and tokens (e.g., cloud keys) to enable follow-on access outside Salesforce.
Defence Evasion – The actor deleted query jobs and operated via disciplined tradecraft (e.g., selective queries, proxy/Tor use) to reduce visibility.
Follow-On Objectives – With harvested credentials, the actor likely pivoted to other cloud/SaaS systems, and the focus on tech/security companies suggests staging for broader supply-chain operations."
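The detection advice earlier on this page (ingest SaaS audit logs, watch for unusual query activity and large exports, enrich with threat intelligence on IPs and User-Agent strings) maps directly onto the Discovery, Collection and Defence Evasion stages of the kill chain above. The following is an added example, not AppOmni's, Google's or Salesforce's code: it runs four rules over constructed audit records in a simplified shape (timestamp, principal, connected app, client IP, User-Agent, event type, SOQL text, row count, job id). Real input would be Salesforce Event Monitoring API and Bulk API events exported to a SIEM; the field names, thresholds, sample records and threat-intel values are all assumptions and placeholders, not published indicators.

```python
"""Detection rules for OAuth-token abuse in Salesforce-style audit logs.

Added example, not code from AppOmni, Google or Salesforce. Record shape,
thresholds, sample records and threat-intel values are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel inputs (placeholders, not published IOCs).
BAD_IPS = {"198.51.100.23"}
BAD_UA_PATTERNS = [re.compile(r"python-requests/"), re.compile(r"Multi-Org-Fetcher", re.I)]

RECON_OBJECTS = 4                     # COUNT() against this many objects...
RECON_WINDOW = timedelta(minutes=10)  # ...inside this window = sizing the tenant
EXPORT_ROWS = 100_000                 # bulk rows per principal...
EXPORT_WINDOW = timedelta(hours=1)    # ...inside this window = mass export

COUNT_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(records):
    """Return a list of (rule, (user, app), detail), one alert per rule and principal."""
    alerts, seen = [], set()
    counts = defaultdict(list)    # principal -> [(ts, object counted)]
    exports = defaultdict(list)   # principal -> [(ts, rows exported)]
    jobs = {}                     # job_id -> (principal, ts) for bulk jobs seen

    def fire(rule, who, detail):
        if (rule, who) not in seen:
            seen.add((rule, who))
            alerts.append((rule, who, detail))

    for r in sorted(records, key=lambda x: x["ts"]):
        ts, who = parse_ts(r["ts"]), (r["user"], r["app"])
        # Threat-intel enrichment applies to every record regardless of type.
        if r["ip"] in BAD_IPS:
            fire("ti_ip", who, r["ip"])
        if any(p.search(r["ua"]) for p in BAD_UA_PATTERNS):
            fire("ti_ua", who, r["ua"])
        if r["type"] == "query":
            m = COUNT_RE.match(r["soql"])
            if m:  # Discovery: COUNT() fan-out across many objects
                counts[who].append((ts, m.group(1)))
                recent = {obj for t, obj in counts[who] if ts - t <= RECON_WINDOW}
                if len(recent) >= RECON_OBJECTS:
                    fire("recon_count_fanout", who, sorted(recent))
        elif r["type"] == "bulk_job":  # Collection & Exfiltration: volume per principal
            exports[who].append((ts, r["rows"]))
            jobs[r["job_id"]] = (who, ts)
            total = sum(n for t, n in exports[who] if ts - t <= EXPORT_WINDOW)
            if total >= EXPORT_ROWS:
                fire("mass_export", who, total)
        elif r["type"] == "bulk_job_delete":  # Defence Evasion: deleting the job record
            if r["job_id"] in jobs:
                fire("job_deleted", who, r["job_id"])
    return alerts


def rec(ts, user, app, ip, ua, type_, soql="", rows=0, job_id=None):
    return dict(ts=ts, user=user, app=app, ip=ip, ua=ua, type=type_,
                soql=soql, rows=rows, job_id=job_id)


# Constructed sample log: one benign interactive user and one abused
# integration principal (hypothetical names, addresses and timestamps).
INT = ("svc-chat-integration@example.com", "ChatIntegration", "198.51.100.23", "python-requests/2.0")
LOG = [
    rec("2025-08-08T03:00:00Z", "alice@example.com", "Browser", "203.0.113.10", "Mozilla/5.0",
        "query", "SELECT Id, Name FROM Account WHERE Name = 'Acme'", 1),
    rec("2025-08-08T03:01:00Z", *INT, "query", "SELECT COUNT() FROM User"),
    rec("2025-08-08T03:01:05Z", *INT, "query", "SELECT COUNT() FROM Account"),
    rec("2025-08-08T03:01:10Z", *INT, "query", "SELECT COUNT() FROM Opportunity"),
    rec("2025-08-08T03:01:15Z", *INT, "query", "SELECT COUNT() FROM Case"),
    rec("2025-08-08T03:05:00Z", *INT, "bulk_job", "SELECT Id, Subject, Description FROM Case", 90_000, "job-1"),
    rec("2025-08-08T03:20:00Z", *INT, "bulk_job", "SELECT Id, Name, Description FROM Account", 45_000, "job-2"),
    rec("2025-08-08T03:40:00Z", *INT, "bulk_job_delete", job_id="job-1"),
]

if __name__ == "__main__":
    for rule, who, detail in detect(LOG):
        print(f"{rule:20} {who[0]:40} {detail}")
```

The rules are deliberately keyed on the (user, connected app) pair rather than on the user alone: a token stolen from an integration authenticates as that integration's connection user, so a per-user baseline built from interactive logins would never see it. Tune the row and object thresholds to each tenant; an integration that legitimately syncs Cases every night will need a higher export ceiling than one that only reads Contacts.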