FBI Warns of UNC6040 and UNC6395 Threat Actors Targeting Salesforce

FBI warns that UNC6040 and UNC6395 are exploiting Salesforce through OAuth abuse and stolen tokens to steal corporate data, extort victims, and pivot into cloud environments.

    The FBI has issued a rare FLASH alert warning businesses about a rising wave of cyberattacks targeting Salesforce environments. Two separate threat clusters, tracked as UNC6040 and UNC6395, are actively compromising organizations to steal sensitive corporate data and extort victims.

    According to the FBI, the two groups use different tactics to achieve the same end — gaining access to Salesforce data, siphoning it out in bulk, and then threatening victims with exposure unless they pay up.

    FBI Issues FLASH Alert With IOCs

    “The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions,” reads the FBI’s advisory.

    The FLASH alert includes key technical indicators such as user agent strings, IP addresses, and URLs linked to the intrusions. The goal is to help organizations detect and block malicious activity in their Salesforce environments before attackers succeed.

    The FBI emphasized that both UNC6040 and UNC6395 have recently been observed targeting Salesforce instances using distinct initial access vectors. Security teams are urged to review the provided IOCs and take action to harden their environments.

    UNC6040: OAuth Abuse and Social Engineering

    UNC6040 first came to light in June when Google Threat Intelligence (Mandiant) revealed that the group had been active since late 2024. Their preferred tactic? Social engineering and vishing.

    Threat actors posed as corporate IT support staff, luring unsuspecting employees into connecting malicious Salesforce Data Loader OAuth applications to their company accounts. In many cases, the rogue apps were cleverly disguised under names like “My Ticket Portal,” making them look like legitimate IT tools.

    Once the OAuth application was connected, the attackers could perform bulk data exports of entire Salesforce database tables. This data was then handed off to the notorious ShinyHunters extortion group, which used the stolen information to pressure victims.

    ShinyHunters told BleepingComputer that their primary targets were the “Accounts” and “Contacts” tables — gold mines of customer information that could be exploited for extortion or sold to competitors.

    The attacks were not limited to small businesses. Large and high-profile companies, including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, and Tiffany & Co., were among those affected by these breaches.

    UNC6395: Leveraging Stolen Tokens for Deep Access

    A second wave of attacks, tracked as UNC6395, emerged in August and used a different approach. Rather than relying on social engineering, these actors utilized stolen Salesloft Drift OAuth and refresh tokens to gain access to Salesforce environments.

    The campaign reportedly ran between August 8th and August 18th and focused on compromising support case data stored in Salesforce. After exfiltrating the data, the attackers combed through it for secrets, credentials, and authentication tokens that might provide deeper access into corporate networks.

    This included cloud credentials such as AWS keys, internal passwords, and Snowflake tokens. By collecting these credentials, UNC6395 was able to pivot into other cloud environments, performing further data theft and increasing the blast radius of the breach.

    Why These Attacks Matter

    The incidents demonstrate how attackers are now laser-focused on SaaS platforms like Salesforce, which house critical customer and operational data. By abusing OAuth tokens, social engineering employees, and scouring support cases for secrets, adversaries can build a detailed blueprint of a company’s digital ecosystem.

    For defenders, the FBI’s FLASH alert is a call to action: review OAuth permissions, audit connected apps, rotate any potentially exposed credentials, and block the malicious infrastructure listed in the IOCs.
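As an added illustration of that review (example code, not from the FBI advisory or this article), the Python below runs three independent checks over constructed Salesforce activity records: a hit on FLASH-style IOCs, a connected app outside the approved list, and a bulk export above a row threshold. The IOC values, app names, user agents and IPs are placeholders, not the indicators in the FLASH.

```python
# Triage of Salesforce connected-app activity against FLASH-style IOCs.
# Events are constructed samples; IOC values are placeholders (RFC 5737
# documentation ranges), not the indicators published in the FBI FLASH.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    user: str
    app_name: str       # connected app (OAuth client) that made the request
    source_ip: str
    user_agent: str
    rows_exported: int  # rows returned by a bulk query / export job

@dataclass(frozen=True)
class Iocs:
    ips: frozenset = frozenset()
    user_agent_substrings: tuple = ()

def matches_ioc(ev: Event, iocs: Iocs) -> bool:
    """True when the source IP or the user agent hits a published indicator."""
    return ev.source_ip in iocs.ips or any(
        s in ev.user_agent for s in iocs.user_agent_substrings)

def triage(events, iocs, approved_apps, bulk_threshold=50_000):
    """Return (user, app, reasons) for each event worth an analyst's look.
    Three independent rules: an IOC hit is high confidence but infrastructure
    rotates; an unapproved app catches the 'My Ticket Portal' pattern; the
    export threshold still fires when an approved app runs on a stolen token."""
    findings = []
    for ev in events:
        reasons = []
        if matches_ioc(ev, iocs):
            reasons.append("ioc_match")
        if ev.app_name not in approved_apps:
            reasons.append("unapproved_connected_app")
        if ev.rows_exported >= bulk_threshold:
            reasons.append("bulk_export")
        if reasons:
            findings.append((ev.user, ev.app_name, tuple(reasons)))
    return findings

# Constructed sample data: app names, user agents and IPs are illustrative.
SAMPLE_EVENTS = [
    Event("alice", "Data Loader", "198.51.100.7", "DataLoader/59.0", 120),
    Event("bob", "My Ticket Portal", "203.0.113.25", "python-requests/2.31", 250_000),
    Event("carol", "Drift", "192.0.2.44", "Drift-Connector/1.0", 80_000),
]
APPROVED_APPS = frozenset({"Data Loader", "Drift"})
PLACEHOLDER_IOCS = Iocs(frozenset({"203.0.113.25"}), ("python-requests",))
```

The third sample shows why the allowlist alone is not enough: an approved integration driven by a stolen token passes the app check and is caught only by the export volume rule.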
