Cybercriminals Exploit Salesforce Accounts Through Voice Phishing to Steal Corporate Information

Sophisticated Voice Phishing Campaign Exploits Salesforce Data Loader for Large-Scale Corporate Data Theft

Google Threat Intelligence Group has identified a financially motivated cybercrime operation that has successfully compromised multiple organisations through sophisticated voice phishing attacks specifically targeting Salesforce environments. 

The threat group, designated UNC6040, has demonstrated remarkable effectiveness in manipulating employees through convincing telephone-based social engineering tactics.

The attackers operate by impersonating IT support personnel and contacting employees at multinational corporations, particularly targeting English-speaking branches. During these deceptive phone calls, UNC6040 operators guide victims through a carefully orchestrated process that ultimately grants attackers access to sensitive corporate data stored in Salesforce systems.

The core of their attack strategy involves tricking victims into authorising a malicious connected application within their organisation's Salesforce portal. This application typically appears as a modified version of Salesforce's legitimate Data Loader tool, which is designed for importing, exporting, and updating large volumes of data within the Salesforce platform. 

By gaining this authorisation, attackers obtain significant capabilities to access, query, and systematically exfiltrate sensitive information directly from compromised Salesforce environments.

[Figure: UNC6040's Data Loader attack flow | Image: Google]

What makes this campaign particularly concerning is the extended timeline between initial compromise and extortion attempts. In some cases, extortion activities have not surfaced until several months after the initial breach, suggesting potential collaboration between UNC6040 and secondary threat actors who monetise the stolen data.

During extortion attempts, the attackers have claimed affiliation with the notorious ShinyHunters hacking group, likely to increase psychological pressure on victims.

The threat group's infrastructure analysis reveals the use of Mullvad VPN services for accessing victim networks and the deployment of Okta phishing panels to harvest additional credentials during social engineering calls. These tactics demonstrate sophisticated operational planning and technical capabilities.

Google researchers have observed overlapping characteristics with threat groups linked to "The Com," a loosely organised cybercriminal collective, though the exact relationship remains unclear. The similarities may indicate shared operational communities rather than direct collaboration.

In response to the Google threat intelligence report, a Salesforce spokesperson emphasized that "Salesforce has enterprise-grade security built into every part of our platform, and there's no indication the issue described stems from any vulnerability inherent to our services. Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users' cybersecurity awareness and best practices."

The company further noted that "security is a shared responsibility, and we provide customers with tools, guidance, and security features like Multi-Factor Authentication and IP restrictions to help defend against evolving threats." Salesforce has published detailed guidance on protecting environments from social engineering attacks.