FBI Alert: Malicious Activities by UNC6040 and UNC6395 Targeting Salesforce

On September 12, 2025, the Federal Bureau of Investigation (FBI) issued a FLASH alert describing the operations of two cybercriminal groups, UNC6040 and UNC6395, which target Salesforce instances to exfiltrate data and extort the victim organizations. The alert, aimed at cybersecurity professionals (CERTs, SOC analysts, CISOs), covers the groups' initial access vectors, data exfiltration techniques and authentication bypass methods, along with the observed indicators of compromise and recommended remediation steps.

Initial Access Vectors

UNC6040 relies primarily on social engineering to gain entry into target Salesforce environments. Active since at least October 2024, this group has been conducting voice-phishing (vishing) campaigns, calling organizations’ support or help desk centers while impersonating IT support personnel. During these calls, the attackers claim to be addressing technical issues (such as enterprise-wide connectivity problems or closing an IT ticket) and use this pretext to manipulate employees into actions that grant unauthorized access. In practice, UNC6040 operators may direct the victim to a phishing webpage during the call (asking them to log in via their phone or computer) to steal their credentials. In some instances, the UNC6040 callers have requested the employee’s login credentials and multi-factor authentication codes outright, using this information to access the company’s Salesforce instance and register a malicious connected application.

A common tactic is to abuse Salesforce’s connected apps mechanism: the tricked employee is led to authorize a rogue third-party app (often masquerading as the legitimate Salesforce Data Loader tool), which gives the attackers a valid OAuth token for persistent access. That token operates with whatever permissions the victim’s user account holds, so the reach of the intrusion is bounded only by what that user can see.

UNC6395, by contrast, relies on OAuth tokens stolen from a third-party integration. In August 2025, the group carried out a widespread data theft campaign using OAuth access tokens stolen from the Salesloft Drift application, an AI-powered chatbot integrated with Salesforce. Unlike UNC6040, UNC6395 does not contact victim users at all: with tokens obtained through a compromise at the application provider, the attackers could immediately reach many organizations’ Salesforce environments, using the already-authorized external application to read the victim’s Salesforce data without any user interaction or awareness.

Data Exfiltration Techniques

After establishing access, both groups focus on exfiltrating large volumes of data from the targeted Salesforce customer relationship management (CRM) instances. In UNC6040’s case, the malicious connected app (disguised as Data Loader or a similar tool) lets the actors issue mass API queries that export entire datasets, such as customer databases or other sensitive records; automated scripts (for example, Python-based) drive these bulk extractions through the Salesforce API. UNC6395 instead uses the privileges granted to the compromised Salesloft OAuth token: through that pre-approved third-party connection, the group queries the victim’s Salesforce environment and exfiltrates data in similarly large quantities.

In both campaigns, the goal is to steal as much valuable information as possible, which can then be monetized.

The FBI alert notes that some of these intrusions are followed by extortion attempts. In particular, several organizations compromised by UNC6040 later received blackmail emails claiming to come from the “ShinyHunters” group, demanding a cryptocurrency ransom in exchange for not publicly releasing the stolen data. The timing of these demands has varied, from a few days after the theft to many months later, so victim organizations remain under pressure well after the initial breach.

Authentication Mechanisms Circumvented

The tactics used by UNC6040 and UNC6395 let them bypass traditional authentication defenses. In UNC6040’s case, tricking a user into authorizing a malicious OAuth app sidesteps controls such as multi-factor authentication (MFA), forced password resets and standard login monitoring: the token is issued by Salesforce to what looks like a legitimate integrated application, it generally survives a password reset unless it is explicitly revoked, and activity performed with it blends into normal trusted-integration traffic that many alerts ignore. When UNC6040 operators solicit MFA one-time codes directly from victims, they likewise nullify the protection MFA provides through social engineering alone. For UNC6395, using already-compromised OAuth tokens of an officially authorized app means the attackers skip the interactive login entirely; they reach the data without ever passing through the user authentication steps, so MFA and other login-time access controls do nothing for those sessions.

Indicators of Compromise (IOCs)

To aid defenders, the FBI alert includes a set of indicators of compromise (IOCs) for these campaigns: a list of IP addresses the attackers used to access Salesforce instances or pull data from them, several malicious domains and URLs used in the phishing and command-and-control infrastructure, and specific user-agent strings belonging to the tools and scripts seen in the attacks. For example, some user-agent signatures linked to UNC6040’s activity indicate use of the Salesforce CLI client and Python HTTP libraries driven by custom scripts. The indicators are shared as TLP:CLEAR so that organizations can search their logs and systems for any sign of UNC6040 or UNC6395 activity. Note that a user-agent string is trivially changed by an attacker, so on its own it is a weak indicator and is best combined with source-IP and behavioural checks.

Recommended Remediation Measures

The FBI alert also outlines concrete steps that organizations can take to strengthen their defenses against such attacks:

  • Train support and help desk personnel (especially call center staff) to recognize and report social engineering and phishing attempts, including phone-based vishing scams.
  • Enforce phishing-resistant multi-factor authentication on as many services as possible. Strong MFA methods (for example, hardware security keys or other phishing-resistant authenticators) substantially reduce the risk of attackers defeating authentication through social engineering, although they do not stop a signed-in user from authorizing a malicious OAuth app.
  • Implement Authentication, Authorization, and Accounting (AAA) controls and apply the principle of least privilege. Ensure that each user and service account has only the minimum permissions necessary, to limit what an attacker can do if an account is compromised.
  • Institute IP-based access restrictions and monitor API usage closely. For instance, enforce allowed IP ranges for accessing critical cloud services like Salesforce, and continuously watch API activity for unusual volumes or patterns that might indicate data theft (e.g., large data exports at odd hours).
  • Monitor network logs and user session activity (including web/browser sessions and connected apps) for anomalies and any signs of data exfiltration. Pay extra attention to activity coming from authorized third-party integrations, which might otherwise appear benign.
  • Audit and secure the third-party integrations connected to your Salesforce (and other key platforms). Review every external application with access to your systems, remove those that are no longer needed or approved, and revoke or rotate their API keys, credentials and OAuth tokens as needed. Rotating these tokens and secrets regularly shortens the window during which a stolen credential remains usable.
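As an added, self-contained example (not part of the FBI alert or of the original page), the following Python script applies the guidance above to a handful of constructed activity records: the IOC sweep from the indicators section (known IP addresses and user-agent strings), and the IP-allowlist, API-volume, connected-app and third-party-integration checks from the remediation list. The IOC values are TEST-NET placeholders rather than the alert's published indicators, the record layout is a simplified stand-in for Salesforce event log fields, and the policy values (allowed ranges, approved apps, thresholds, business hours) are assumptions an organization would replace with its own.

```python
"""Sweep Salesforce-style API activity records for the signals the FBI alert
calls out: known IOC IPs and user-agents, access from outside the org's
allowed IP ranges, unapproved connected apps, and bulk or off-hours exports.

Everything below is constructed for illustration. The IOC values are
TEST-NET placeholders, not the indicators published in the FLASH alert; the
record schema is a simplified stand-in for Salesforce event log fields, and
the policy values are assumptions an org would replace with its own.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Indicators as a defender would load them from the alert (placeholders).
IOC_IPS = {"198.51.100.23", "203.0.113.77"}
IOC_UA_PREFIXES = ("python-requests/", "aiohttp/")   # generic Python HTTP clients

# Org policy (assumptions): allowed source ranges, approved connected apps,
# a per-user/per-app daily export ceiling and a business-hours window (UTC).
ALLOWED_NETS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]
APPROVED_APPS = {"Corp Data Loader", "Marketing Sync"}
DAILY_EXPORT_THRESHOLD = 100_000
BUSINESS_HOURS = range(7, 20)

# Constructed sample records; "rows" is the record count returned by the call.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T02:13:05Z", "user": "jdoe", "ip": "203.0.113.77",
     "ua": "python-requests/2.32.4", "app": "Data Loader", "rows": 80_000},
    {"ts": "2025-08-09T02:40:11Z", "user": "jdoe", "ip": "203.0.113.77",
     "ua": "python-requests/2.32.4", "app": "Data Loader", "rows": 60_000},
    {"ts": "2025-08-09T10:05:00Z", "user": "asmith", "ip": "192.0.2.15",
     "ua": "Mozilla/5.0 (Windows NT 10.0)", "app": "Marketing Sync", "rows": 500},
    # Approved integration, but its token is used from an IOC address during
    # business hours: the UNC6395 pattern, where the app itself is legitimate.
    {"ts": "2025-08-09T11:20:00Z", "user": "svc-marketing", "ip": "198.51.100.23",
     "ua": "custom-sync-client/1.0", "app": "Marketing Sync", "rows": 50_000},
    {"ts": "2025-08-09T12:00:00Z", "user": "asmith", "ip": "10.20.30.40",
     "ua": "Mozilla/5.0 (Windows NT 10.0)", "app": "Marketing Sync", "rows": 0},
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def ip_allowed(ip: str) -> bool:
    """True if the source address falls inside one of the allowed ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def check_event(e: dict) -> list[str]:
    """Return the per-event detection tags (empty list if the record is clean)."""
    tags = []
    if e["ip"] in IOC_IPS:
        tags.append("ioc_ip")
    if e["ua"].startswith(IOC_UA_PREFIXES):
        tags.append("ioc_user_agent")
    if not ip_allowed(e["ip"]):
        tags.append("ip_outside_allowlist")
    if e["app"] not in APPROVED_APPS:
        tags.append("unapproved_connected_app")
    if parse_ts(e["ts"]).hour not in BUSINESS_HOURS and e["rows"] > 0:
        tags.append("off_hours_export")
    return tags


def sweep(events: list[dict]) -> dict:
    """Run per-event checks plus a per-(user, app, day) export-volume check."""
    event_findings = []
    volume = defaultdict(int)
    for i, e in enumerate(events):
        tags = check_event(e)
        if tags:
            event_findings.append({"index": i, "user": e["user"],
                                   "app": e["app"], "tags": tags})
        day = parse_ts(e["ts"]).date().isoformat()
        volume[(e["user"], e["app"], day)] += e["rows"]
    volume_findings = [(user, app, day, total)
                       for (user, app, day), total in volume.items()
                       if total > DAILY_EXPORT_THRESHOLD]
    return {"event_findings": event_findings, "volume_findings": volume_findings}


if __name__ == "__main__":
    result = sweep(SAMPLE_EVENTS)
    for f in result["event_findings"]:
        print(f"event {f['index']}: user={f['user']} app={f['app']} tags={f['tags']}")
    for user, app, day, total in result["volume_findings"]:
        print(f"volume: {user} via {app} exported {total} rows on {day}")
```

In practice the records would come from Salesforce Event Monitoring (event log files) or the LoginHistory object rather than an inline list, and the IOC sets from the FLASH PDF. The two jdoe records show the UNC6040 shape (unapproved "Data Loader" app, Python client, IOC address, night-time bulk pulls that only cross the threshold when aggregated per day), while the svc-marketing record shows why an approved integration still needs the IP and volume checks: nothing about the app or the user-agent is suspicious, only where the token is being used from.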

By implementing these measures, organizations can significantly harden their environments against the tactics observed in the UNC6040 and UNC6395 campaigns. The FBI also emphasizes the importance of promptly reporting any suspicious activity or incidents to authorities (such as the Internet Crime Complaint Center or local FBI field offices), as this information sharing can assist ongoing investigations and improve collective threat intelligence.

Sources

  • FBI Flash Alert (09/12/2025) – Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion: https://www.ic3.gov/CSA/2025/250912.pdf
  • SecurityAffairs – FBI warns of Salesforce attacks by UNC6040 and UNC6395 groups: https://securityaffairs.com/182159/cyber-crime/fbi-warns-of-salesforce-attacks-by-unc6040-and-unc6395-groups.html
  • Cyber Security News – FBI Unveils IOCs for Cyber Attacks Targeting Salesforce Instances for Data Exfiltration: https://cybersecuritynews.com/fbi-iocs-salesforce-instances/