UNC6040 Hacks Salesforce Via Vishing And Malicious Data Loader Apps, Google Warns
A new Google Cloud Threat Intelligence report has revealed a sophisticated vishing campaign targeting Salesforce environments, enabling large-scale data theft and extortion. The operation, attributed to threat cluster UNC6040, leverages modified versions of Salesforce’s Data Loader and malicious connected apps to compromise organisations—without exploiting any Salesforce vulnerabilities.
According to Google, attackers impersonate IT support on live calls, directing users to approve unauthorised Data Loader apps via Salesforce's connected app interface. These apps, often disguised with innocuous names like “My Ticket Portal,” grant direct access to sensitive CRM data.
No legitimate Salesforce systems are compromised in the attacks; the bad actors exploit end-user trust to infiltrate other systems.
Once initial access is secured, attackers use harvested credentials to move laterally into platforms such as Okta and Microsoft 365. In some cases, exfiltration went undetected for months before extortion attempts occurred—sometimes under the banner of groups like ShinyHunters.
UNC6040’s infrastructure included Okta phishing panels and commercial VPN services such as Mullvad. The group’s techniques overlap with those seen in campaigns linked to "The Com", a loosely affiliated cybercriminal collective.
GTIG advises defenders to implement strict access controls, limit API privileges, and use Salesforce Shield for anomaly detection. IP-based restrictions and rigorous app allowlisting are also critical, given the threat actors’ reliance on human manipulation rather than technical exploits.
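The three controls above (app allowlisting, IP-based restrictions, and anomaly detection on export volume) can be exercised together as a small detection pass over Salesforce activity logs. The script below is an added illustration, not code from Google's report or from Salesforce: the event records are constructed for this example and their column names are assumptions loosely modelled on the CSV shape of Salesforce Event Log Files, not an exact Salesforce schema. The allowlist, trusted network ranges and row threshold are likewise placeholder values an administrator would replace with their own.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Assumption: connected apps an administrator has explicitly approved.
APPROVED_CONNECTED_APPS = {"Salesforce Data Loader", "Sales Reporting Integration"}

# Assumption: corporate egress ranges that Salesforce login IP restrictions would permit.
# 203.0.113.0/24 is an RFC 5737 documentation range used here as a stand-in.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: rows pulled by one user through the bulk API before we treat it as an export.
BULK_ROW_THRESHOLD = 10_000

# Constructed sample records for this example. Column names are assumptions, not a
# Salesforce schema. The second user mirrors the pattern described in the article:
# an unapproved app named "My Ticket Portal" authorised from an unexpected address,
# followed by large bulk pulls.
SAMPLE_EVENT_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,APP_NAME,ROWS_PROCESSED
ConnectedAppAuthorize,2025-06-03T09:14:02Z,005A000000XYZ01,203.0.113.40,Salesforce Data Loader,0
BulkApi,2025-06-03T09:20:11Z,005A000000XYZ01,203.0.113.40,Salesforce Data Loader,1200
ConnectedAppAuthorize,2025-06-03T14:02:45Z,005A000000XYZ07,198.51.100.23,My Ticket Portal,0
BulkApi,2025-06-03T14:05:30Z,005A000000XYZ07,198.51.100.23,My Ticket Portal,250000
BulkApi,2025-06-03T14:09:12Z,005A000000XYZ07,198.51.100.23,My Ticket Portal,250000
"""


def ip_is_trusted(ip: str) -> bool:
    """True if the client IP falls inside one of the trusted egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyze_event_log(csv_text: str) -> list[dict]:
    """Walk event records in order and return a list of findings.

    Each rule maps to one of the controls recommended in the article:
      unapproved_connected_app - an app authorisation for a name outside the allowlist
      untrusted_source_ip      - activity from outside the trusted network ranges
      bulk_export_volume       - a user's cumulative bulk rows crossing the threshold
    """
    findings = []
    rows_by_user = defaultdict(int)
    flagged_ips = set()      # (user, ip) pairs already reported, to avoid repeats
    flagged_volume = set()   # users already reported for export volume

    for rec in csv.DictReader(io.StringIO(csv_text)):
        user, ip, app = rec["USER_ID"], rec["CLIENT_IP"], rec["APP_NAME"]
        base = {"user": user, "ip": ip, "app": app, "timestamp": rec["TIMESTAMP"]}

        # Allowlisting: any authorisation of an app not on the approved list is reported.
        if rec["EVENT_TYPE"] == "ConnectedAppAuthorize" and app not in APPROVED_CONNECTED_APPS:
            findings.append({"rule": "unapproved_connected_app", **base})

        # IP restriction: report each (user, ip) pair seen outside trusted ranges once.
        if not ip_is_trusted(ip) and (user, ip) not in flagged_ips:
            flagged_ips.add((user, ip))
            findings.append({"rule": "untrusted_source_ip", **base})

        # Volume anomaly: accumulate bulk rows per user and report the first threshold crossing.
        if rec["EVENT_TYPE"] == "BulkApi":
            rows_by_user[user] += int(rec["ROWS_PROCESSED"])
            if rows_by_user[user] > BULK_ROW_THRESHOLD and user not in flagged_volume:
                flagged_volume.add(user)
                findings.append({"rule": "bulk_export_volume", "rows": rows_by_user[user], **base})

    return findings


def summarize(findings: list[dict]) -> Counter:
    """Count findings by rule, handy for a quick triage view."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = analyze_event_log(SAMPLE_EVENT_LOG)
    for finding in results:
        print(finding)
    print(summarize(results))
```

On the constructed sample the first user's Data Loader session produces no findings, while the second user triggers all three rules in sequence: the unapproved app name, the untrusted address, and the export volume once the first 250,000-row job lands. In a real deployment the same three checks would run over exported Event Log Files or Shield event streams, with the allowlist and network ranges pulled from the organisation's own configuration rather than hard-coded.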
“This campaign demonstrates how modern attackers exploit trust and routine admin functions to bypass even hardened cloud environments,” GTIG noted.