A recent wave of cyberattacks by the financially motivated UNC6040 threat group has sent shockwaves across the enterprise landscape not because of a previously unknown software flaw, but through advanced social engineering tactics that trick employees into handing over the keys to their Salesforce environments.
The attack, tracked by Google Threat Intelligence Group (GTIG), highlights a disturbing trend: attackers are bypassing technical vulnerabilities entirely and exploiting the human element, particularly targeting IT support staff in multinational organizations.

Technical Analysis: Vishing Meets Malicious Connected Apps
Unlike traditional intrusions that rely on zero-days or software exploits, UNC6040 operators initiate their campaign through voice phishing (“vishing”).
Impersonating IT staff over the phone, attackers coax employees to visit Salesforce’s “Connected Apps” setup page, guiding them through the steps to authorize a malicious application, typically a doctored version of the legitimate Salesforce Data Loader.
How the Attack Works:
1. Initial Contact: The attacker calls a target, often in the guise of a credible IT support agent, using language and knowledge tailored to the victim’s organization.
2. Credential Harvesting: During the call, they socially engineer the victim into providing Salesforce credentials and, if necessary, multi-factor authentication (MFA) codes.
3. Malicious Data Loader Authorization:
- The attacker instructs the victim to add a connected app, ostensibly for “support” or “troubleshooting.”
- They provide a “connection code” or URL for a modified Data Loader application (frequently disguised with an innocuous name such as “My Ticket Portal”).
- Upon authorization, the attacker-controlled Data Loader gains direct, API-level access to Salesforce data.
Technical Analysis:
Salesforce’s Data Loader application, designed for bulk data import/export, supports OAuth and can be integrated as a connected app. Once authorized, it allows programmatic querying and bulk export of sensitive data, as this illustrative API call shows:

```python
# API call example (Python and simple_salesforce)
from simple_salesforce import Salesforce

# Authenticate with the harvested user credentials and security token
sf = Salesforce(
    username='compromised_user@example.com',
    password='password',
    security_token='token'
)

# SOQL query against a sensitive object; query_all() follows pagination
# so the entire result set is returned, not just the first batch
query = "SELECT Id, Name, Email FROM Contact"
results = sf.query_all(query)
# Malicious exfiltration code would then save or transmit results
```
Exfiltration Tactics:
- Attackers may use small data chunk sizes in test queries to avoid detection.
- Once satisfied, they pivot to bulk downloads, extracting entire tables of records.
- Connection is often routed through VPNs (such as Mullvad) for anonymity.
Infrastructure and Lateral Movement
UNC6040’s infrastructure is multi-faceted:
- Phishing Panels: Used to collect credentials for other cloud platforms like Okta and Microsoft 365, often facilitated through infrastructure sharing with other threat actors.
- Cross-Platform Credential Abuse: After Salesforce access is established, the attackers frequently move laterally, leveraging harvested credentials to access additional cloud resources.
In some cases, extortion demands are delayed for months, suggesting stolen data is sold or utilized by affiliate groups, with actors even claiming ties to well-known collectives like ShinyHunters for additional leverage.
Mitigations: Hardening Salesforce Environments Against Social Engineering
The incident is a stark reminder that even robust cloud platforms can be compromised if user workflows and permissions are not tightly controlled. GTIG and Salesforce recommend the following technical defenses:
1. Principle of Least Privilege
- Strictly limit use of the “API Enabled” permission and access to Data Loader.
- Regularly review and audit profiles and permission sets.
2. Manage Connected Apps
- Restrict which users or roles can authorize new connected apps.
- Implement an approval process and allowlist known, trusted applications.
- Carefully control “Customize Application” and “Manage Connected Apps” permissions.
3. Enforce IP & Network Restrictions
- Limit Salesforce access to trusted enterprise/VPN IP ranges.
- Apply IP restriction policies on connected apps.
4. Enhanced Monitoring with Salesforce Shield
- Use Transaction Security Policies to flag or block bulk data export attempts.
- Ingest Event Monitoring logs into SIEM for behavioral anomaly detection.
5. Universal MFA and User Training
- Mandate multi-factor authentication for all Salesforce access.
- Educate staff on vishing tactics and the importance of never authorizing unexpected connected apps or disclosing MFA codes.
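As an added example (not code from the article or from GTIG/Salesforce) of the monitoring described in item 4, the script below runs over a constructed, Event-Monitoring-style API log and flags the two signals the article describes: an unapproved connected app name, an untrusted source IP, and a user whose small test queries are followed by bulk exports. The column names, thresholds and the approved-app and trusted-IP lists are assumptions for this example, not a guaranteed Salesforce schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log, loosely modelled on Salesforce Event Monitoring API
# events. Column names are assumptions for this example, not a real schema.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,SOURCE_IP
2025-06-01T09:00:00Z,alice@example.com,Salesforce for Outlook,Contact,25,203.0.113.10
2025-06-01T09:05:00Z,bob@example.com,My Ticket Portal,Contact,10,198.51.100.7
2025-06-01T09:06:00Z,bob@example.com,My Ticket Portal,Contact,50,198.51.100.7
2025-06-01T09:20:00Z,bob@example.com,My Ticket Portal,Contact,48000,198.51.100.7
2025-06-01T09:25:00Z,bob@example.com,My Ticket Portal,Account,120000,198.51.100.7
2025-06-01T10:00:00Z,carol@example.com,Data Loader,Lead,3000,203.0.113.10
"""

# Assumed policy: allowlisted connected apps, enterprise egress IP range,
# and what counts as a "probe" query versus a bulk export.
APPROVED_CLIENTS = {"Salesforce for Outlook", "Data Loader"}
TRUSTED_IPS = {"203.0.113.10"}
PROBE_ROW_MAX = 100          # tiny test queries used to check access works
BULK_ROW_THRESHOLD = 10_000  # row count treated as a bulk export


def analyze(log_text):
    """Return (timestamp, user, client, entity, rows, reasons) for each suspicious event."""
    findings = []
    history = defaultdict(list)  # user -> row counts seen so far, in order
    for row in csv.DictReader(io.StringIO(log_text)):
        user, rows = row["USER_NAME"], int(row["ROWS_PROCESSED"])
        reasons = []
        if row["CLIENT_NAME"] not in APPROVED_CLIENTS:
            reasons.append("unapproved connected app")
        if row["SOURCE_IP"] not in TRUSTED_IPS:
            reasons.append("untrusted source IP")
        if rows >= BULK_ROW_THRESHOLD:
            reasons.append("bulk export")
            # Small queries earlier in the session, now a bulk pull: the
            # probe-then-dump sequence described in the exfiltration tactics.
            if any(r <= PROBE_ROW_MAX for r in history[user]):
                reasons.append("probe-then-bulk pattern")
        history[user].append(rows)
        if reasons:
            findings.append((row["TIMESTAMP"], user, row["CLIENT_NAME"],
                             row["ENTITY_NAME"], rows, reasons))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

In practice the approved-app set would come from the connected-app allowlist in item 2 and the trusted IPs from the network restrictions in item 3, so the three controls reinforce each other.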
UNC6040’s campaign delivers a sobering lesson: even the most secure platforms are only as strong as their least-prepared user. As organizations accelerate cloud adoption, continuous user education and layered technical controls are critical.
By understanding these evolving attack techniques, where persuasion carries more weight than exploits, security teams can stay a step ahead of even the most innovative adversaries.