The Federal Bureau of Investigation (FBI) has issued a high-priority cybersecurity warning about two criminal groups, UNC6040 and UNC6395 launching coordinated campaigns against Salesforce platforms.
This FBI Warning Salesforce Attack outlines a new wave of cyber intrusions that use OAuth tokens, a widely trusted authentication method, to gain unauthorized access to Salesforce data through third-party apps. Unlike traditional phishing or password-theft attacks, these incidents bypass multi-factor authentication (MFA) and appear legitimate to monitoring systems, making them especially dangerous.
Businesses of every size from healthcare practices to Fortune 500 firms must now reconsider how connected apps and OAuth tokens are managed inside their Salesforce environments.
FBI Warning Salesforce Attack | UNC6040 & UNC6395 Threats – Table of Contents
Who Are UNC6040 and UNC6395?
UNC6040 – The Vishing Specialists
UNC6040 has a history of using voice phishing (vishing), where attackers impersonate IT support over the phone. Victims are persuaded to install or authorize malicious Salesforce apps. Once approved, these apps exploit OAuth tokens to extract Salesforce records at scale.
- Past activity: UNC6040 has been tied to data theft campaigns against U.S. companies, often followed by extortion attempts.
- Tactics: They use modified Salesforce Data Loader tools or clone apps to appear trustworthy.
UNC6395 – The OAuth Token Exploiters
UNC6395 specializes in abusing third-party integrations. In 2025, they compromised tokens from the Salesloft–Drift app, allowing them to query Salesforce databases across hundreds of companies.
- Past activity: UNC6395 has connections to credential-harvesting operations targeting cloud platforms.
- Tactics: Rather than contacting users, they leverage compromised OAuth tokens to silently access Salesforce instances.
Both groups converge on the same endgame: data theft and extortion.
Why Salesforce Is a Prime Target
Salesforce is the world’s leading CRM platform, housing enormous amounts of sensitive data:
- Customer personally identifiable information (PII)
- Financial transactions and account histories
- Sales pipelines and strategic forecasts
- Integration credentials (AWS keys, Snowflake tokens, database access)
For attackers, this is a gold mine. Access to Salesforce isn’t just about stealing contacts — it’s about unlocking a treasure chest of business intelligence, financial data, and even cloud infrastructure credentials that can fuel larger breaches.
Technical Breakdown: How the Salesforce Attack Works
Step 1: Social Engineering or Token Theft
- UNC6040 uses vishing calls to trick employees into approving a malicious app.
- UNC6395 exploits existing OAuth tokens from third-party apps like Drift, bypassing employee interaction.
Step 2: OAuth Token Abuse
OAuth is designed to let apps connect securely without sharing usernames or passwords. But once an OAuth token is granted, it acts like a master key until revoked or expired.
Attackers use these tokens to:
- Send SOQL queries to extract Salesforce records.
- Exfiltrate entire datasets unnoticed.
- Generate new refresh tokens to maintain persistence.
Step 3: Data Exfiltration
Data is funneled out via Salesforce APIs, often disguised as legitimate traffic. Stolen records may include:
- Customer lists
- Contract details
- Cloud infrastructure credentials
- Authentication keys for other platforms
Step 4: Extortion & Monetization
After exfiltrating data, attackers often demand payment to prevent leaks or sell the information on dark web marketplaces.
This technical flow is why the FBI Warning Salesforce Attack has raised such alarm — attackers aren’t breaking in through the front door, they’re walking through trusted side doors.
Real-World Business Impact
The fallout from these Salesforce attacks goes far beyond technical inconvenience:
- Regulatory Penalties
- Healthcare firms face HIPAA violations.
- Financial companies risk SOX and PCI-DSS noncompliance.
- Global businesses may trigger GDPR fines.
- Reputation Damage
Customers who learn their information was exposed lose trust quickly, and competitors may seize the opportunity. - Financial Losses
- Direct costs: forensic investigations, incident response teams, extortion payments.
- Indirect costs: lost sales, churned clients, stock value decline.
- Operational Disruption
When attackers exfiltrate API keys or system credentials, businesses may lose access to cloud platforms or face cascading outages. - Extortion Pressure
Groups like UNC6040 and UNC6395 sometimes pose as high-profile data leak groups (e.g., ShinyHunters), magnifying fear and urgency.
Lessons Learned from the FBI Warning
The key lesson of this Salesforce attack warning is that trust can be weaponized. OAuth tokens, third-party integrations, and connected apps — once considered safe — are now attack surfaces.
This warning pushes businesses toward a zero-trust mindset, where every app, token, and permission must be continuously scrutinized.
How Businesses Can Protect Against Salesforce Attacks
1. Audit All Connected Apps
- Review every Salesforce app authorized in your environment.
- Remove unnecessary apps or reduce permissions to the bare minimum.
2. Revoke and Rotate Tokens
- If a third-party integration like Drift or Salesloft was affected, revoke all tokens immediately.
- Rotate any credentials potentially exposed in Salesforce datasets.
3. Limit App Approval Authority
- Restrict who can install or approve new apps.
- Establish internal review processes before authorization.
4. Strengthen Monitoring and Logging
- Use Salesforce Event Monitoring to track API calls and SOQL queries.
- Watch for unusual export volumes or jobs created outside of normal business hours.
5. Apply Network Controls
- Limit Salesforce access to trusted IP ranges.
- Block TOR or suspicious VPN traffic.
6. Train Staff Against Vishing
- Provide employees with scripts to verify IT requests.
- Regularly test teams with simulated phishing/vishing calls.
7. Adopt Zero-Trust Architecture
- Treat OAuth tokens like privileged credentials.
- Implement continuous verification of permissions and user behavior.
Industry-Specific Risks
Different industries face unique risks from the FBI Warning Salesforce Attack:
- Healthcare: Exposed Salesforce data could mean HIPAA penalties and massive loss of patient trust.
- Financial Services: Stolen Salesforce data may reveal sensitive financial accounts or investment strategies.
- Legal Firms: Compromised case records could devastate client confidentiality.
- Nonprofits: Donor lists and funding details could be exfiltrated, undermining donor confidence.
For all industries, the message is the same: Salesforce is now a high-value target.
How Zevonix Helps Protect Against Salesforce Attacks
At Zevonix, we integrate Salesforce security into our Six-Step Pathway to Smarter IT:
- Discovery & Strategy – Identify all connected apps and map data flows.
- Tailored IT Solutions – Deploy OAuth security policies and monitoring.
- Implementation & Deployment – Configure Salesforce with principle-of-least-privilege access.
- Security Fortification – Apply zero-trust safeguards across SaaS environments.
- Ongoing Support & Optimization – Continuous audits of connected apps and tokens.
- Growth & Innovation – Ensure Salesforce remains a growth enabler, not a liability.
This pathway ensures your Salesforce data is protected against evolving threats like UNC6040 and UNC6395.
Conclusion
The FBI Warning Salesforce Attack is more than just another alert, it’s a signal that OAuth token abuse and trusted integrations have become prime attack vectors. Groups like UNC6040 and UNC6395 are exploiting gaps in app governance to steal data, extort businesses, and cause widespread disruption.
For businesses, the path forward is clear: audit connected apps, revoke compromised tokens, monitor activity closely, train employees, and adopt a zero-trust mindset.
At Zevonix, we help organizations navigate these exact challenges through our comprehensive cybersecurity services. Protect your Salesforce environment today, because attackers aren’t waiting until tomorrow.
📞 Call us at 904.658.0777
🔒 Book Your meeting with Zevonix »
Frequently Asked Questions
What is the FBI Warning Salesforce Attack about?
The FBI Warning Salesforce Attack refers to cybercriminal groups UNC6040 and UNC6395 targeting Salesforce platforms. They exploit OAuth tokens from third-party apps to steal sensitive data and demand extortion payments.
How do hackers exploit OAuth tokens in Salesforce?
Attackers trick users into approving malicious connected apps or abuse stolen OAuth tokens from integrations. These tokens act like master keys, giving them access to Salesforce data without needing passwords or MFA.
Who are UNC6040 and UNC6395 mentioned in the FBI warning?
UNC6040 is known for vishing attacks that impersonate IT staff, while UNC6395 exploits OAuth tokens from third-party tools like Drift and Salesloft. Both groups use these methods to infiltrate Salesforce and steal business data.
What data can be stolen in the Salesforce attacks?
The FBI warning highlights that customer records, financial details, contracts, and even cloud service credentials (like AWS or Snowflake keys) can be stolen during these Salesforce attacks.
How can my business protect against the FBI Warning Salesforce Attack?
You can protect against these attacks by auditing connected apps, revoking unused tokens, restricting who can authorize apps, enabling Salesforce monitoring, and training employees to recognize vishing attempts.
Discover more from Zevonix
Subscribe to get the latest posts sent to your email.