Google’s Mandiant reported an ongoing social engineering campaign by the criminal gang **UNC6040**, which impersonates IT support personnel via **voice phishing (vishing)** to trick employees—particularly those in English-speaking branches of multinational corporations—into granting access to **Salesforce instances**. The attackers manipulate end-users (often with elevated SaaS access) into clicking malicious links or sharing credentials, leading to **unauthorized data exfiltration from Salesforce environments**. No inherent Salesforce vulnerabilities were exploited; the breach relied entirely on human deception. Mandiant emphasized the need for **defense-in-depth strategies**, including caller verification and strict validation of third-party requests. The attack highlights the persistent risk of **credential theft via social engineering**, with potential exposure of sensitive customer or corporate data stored in Salesforce.
TPRM report: https://www.rankiteo.com/company/salesforce
```json
{
  "id": "sal4493244102125",
  "linkid": "salesforce",
  "type": "Cyber Attack",
  "date": "10/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
```
```json
{
  "affected_entities": [
    {
      "location": ["Global (Focus on English-Speaking Branches)"],
      "type": ["Multinational Corporations", "Organizations Using Salesforce"]
    }
  ],
  "attack_vector": [
    "Voice Phishing (Vishing)",
    "Impersonation of IT Support/Vendors",
    "Malicious Links"
  ],
  "customer_advisories": [
    "Customers of affected organizations should monitor for unauthorized access to their data.",
    "Reset passwords if potentially exposed to phishing attempts."
  ],
  "data_breach": {
    "data_exfiltration": ["Confirmed in Observed Cases"],
    "personally_identifiable_information": ["Potential (If Credentials Include PII)"],
    "sensitivity_of_data": ["High (Potential PII, Corporate Data)"],
    "type_of_data_compromised": ["Salesforce Data", "Credentials"]
  },
  "date_publicly_disclosed": "2025-10-21",
  "description": "Google's Mandiant reported an ongoing wave of social engineering attacks by the criminal gang UNC6040, targeting organizations' Salesforce instances. The attackers impersonate IT support personnel in voice phishing (vishing) calls to trick employees—particularly those with elevated access to SaaS applications—into granting access or sharing sensitive credentials. The attacks rely on manipulating end-users rather than exploiting Salesforce vulnerabilities. Mandiant observed cases where attackers posed as third-party vendors, providing malicious links to authenticate and exfiltrate data. The threat actor primarily targets English-speaking branches of multinational corporations.",
  "impact": {
    "brand_reputation_impact": ["Potential Loss of Trust Due to Credential Theft"],
    "data_compromised": ["Salesforce Data", "Sensitive Credentials"],
    "identity_theft_risk": ["High (Due to Stolen Credentials)"],
    "operational_impact": [
      "Unauthorized Access to SaaS Applications",
      "Potential Data Exfiltration"
    ],
    "systems_affected": ["Salesforce Instances", "SaaS Applications"]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": ["Potential (Stolen Credentials)"],
    "entry_point": ["Voice Phishing (Vishing) Calls", "Malicious Links"],
    "high_value_targets": ["Employees with Elevated SaaS Access"]
  },
  "investigation_status": "Ongoing (Mandiant Active Guidance)",
  "lessons_learned": [
    "Social engineering attacks bypass technical vulnerabilities by exploiting human trust.",
    "Voice phishing (vishing) is highly effective when attackers impersonate trusted entities (e.g., IT support, vendors).",
    "Employees with elevated SaaS access are prime targets for credential theft.",
    "Verification protocols for third-party requests must be rigorously enforced.",
    "AI tools (e.g., ChatGPT) can enhance the sophistication of phishing content, increasing attack success rates."
  ],
  "motivation": ["Financial Gain", "Data Theft", "Espionage (Potential)"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Implement mandatory verification steps for all support/vendor calls.",
      "Deploy AI-driven phishing detection for email and voice channels.",
      "Expand security awareness training to include vishing simulations.",
      "Enforce MFA for all SaaS applications, especially Salesforce.",
      "Audit third-party vendor access and communication protocols."
    ],
    "root_causes": [
      "Lack of robust verification for unsolicited support calls.",
      "Over-reliance on employee trust in voice communications.",
      "Insufficient training on social engineering tactics (e.g., vishing).",
      "AI-assisted phishing content increasing attack credibility."
    ]
  },
  "recommendations": [
    "Implement defense-in-depth strategies for caller verification (e.g., callback procedures using trusted contacts).",
    "Train employees to recognize and report unsolicited access requests, especially via phone or email.",
    "Restrict elevated SaaS access to minimal necessary personnel and enforce multi-factor authentication (MFA).",
    "Monitor for anomalous access patterns in SaaS applications (e.g., unexpected logins from new locations).",
    "Conduct regular phishing simulations, including vishing scenarios, to test employee awareness.",
    "Integrate AI-driven threat detection to identify phishing content generated with AI tools.",
    "Educate HR and recruiting teams on red flags for fake identities (e.g., AI-generated profiles, inconsistent resumes)."
  ],
  "references": [
    {
      "date_accessed": "2025-10-21",
      "source": "Mandiant (Google) Blog Post",
      "url": "https://blog.knowbe4.com/protect-yourself-from-voice-phishing-attacks-targeting-salesforce-instances"
    },
    {
      "date_accessed": "2025-10-21",
      "source": "CyberheistNews Vol 15 #42",
      "url": "https://blog.knowbe4.com/cyberheistnews-vol-15-42-heads-up-fake-support-calls-used-to-breach-your-salesforce-accounts"
    },
    {
      "date_accessed": "2025-10-21",
      "source": "OpenAI Report on AI-Assisted Phishing",
      "url": "https://openai.com/global-affairs/disrupting-malicious-uses-of-ai-october-2025/"
    }
  ],
  "response": {
    "communication_strategy": ["Mandiant Blog Post", "KnowBe4 Advisory"],
    "containment_measures": [
      "End unsolicited support calls without providing access/information",
      "Verify callers via trusted, on-file contact information",
      "Require explicit verification from account managers before fulfilling requests"
    ],
    "enhanced_monitoring": ["Monitoring for Unauthorized SaaS Access"],
    "remediation_measures": [
      "Defense-in-Depth Strategy for Caller Verification",
      "Employee Training on Social Engineering and Phishing",
      "Rigorous Communication of Third-Party Request Verification Protocols"
    ],
    "third_party_assistance": ["Mandiant (Google)"]
  },
  "stakeholder_advisories": [
    "Verify all third-party support calls via trusted channels.",
    "Report suspicious calls to IT/security teams immediately.",
    "Avoid clicking links or sharing credentials in unsolicited communications."
  ],
  "threat_actor": "UNC6040 (Organized Criminal Gang)",
  "title": "Social Engineering Attacks Targeting Salesforce Instances via Fake Support Calls",
  "type": [
    "Social Engineering",
    "Phishing (Vishing)",
    "Credential Theft",
    "Data Exfiltration"
  ],
  "vulnerability_exploited": "Human Error (Social Engineering)"
}
```