Google Salesforce Breach: A Deep dive into the chain and extent of the compromise
In June 2025, Google's Salesforce instance was breached by UNC6040 & UNC6240 using vishing, OAuth app abuse, and anonymity layers. The attackers stole business data of small and medium-sized clients. A parallel attack by UNC6395 compromised Salesloft Drift's Salesforce integration, affecting hundreds of customers. Both incidents involved sophisticated social engineering, OAuth token abuse, and data exfiltration via TOR. The attacks are linked to the ShinyHunters group and share similarities with other high-profile breaches targeting various industries. The incidents highlight vulnerabilities in SaaS environments and the need for improved security measures, including OAuth governance, identity management, and proactive monitoring.
AI Analysis
Technical Summary
In June 2025, a sophisticated cyberattack campaign targeted Google's Salesforce environment, executed by threat actors UNC6040 and UNC6240. The attackers employed a multi-faceted approach combining vishing (voice phishing), abuse of OAuth applications, and anonymity techniques such as routing data exfiltration through the TOR network. The initial vector involved social engineering to trick users or administrators into granting OAuth app permissions, enabling the attackers to obtain valid OAuth tokens. These tokens allowed unauthorized access to Salesforce data without requiring direct credential compromise or traditional authentication bypass. In parallel, UNC6395 compromised the Salesforce integration used by Salesloft Drift, impacting hundreds of customers. The attackers focused on stealing business data primarily from small and medium-sized clients, indicating a strategic targeting of less-protected SaaS environments. The campaign is linked to the ShinyHunters group, known for high-profile breaches and data theft. The attack chain highlights critical vulnerabilities in SaaS security, particularly around OAuth governance, identity and access management, and the challenges of detecting token abuse and social engineering in cloud environments. The use of TOR for data exfiltration further complicates attribution and detection. Indicators of compromise include multiple IP addresses and domains used for command and control or phishing infrastructure. The campaign underscores the necessity for enhanced monitoring of OAuth app permissions, rigorous user training against vishing, and improved anomaly detection in cloud platforms like Salesforce.
Potential Impact
European organizations using Salesforce and integrated SaaS platforms are at significant risk due to the widespread adoption of these cloud services across the continent. The theft of business data from small and medium-sized enterprises (SMEs) could lead to loss of intellectual property, competitive disadvantage, regulatory compliance violations (e.g., GDPR breaches), and reputational damage. The abuse of OAuth tokens bypasses traditional security controls, making detection difficult and increasing the risk of prolonged unauthorized access. The use of vishing exploits human factors, which remain a weak link in cybersecurity defenses. Data exfiltration via TOR anonymizes attacker activity, complicating incident response and forensic investigations. Given the interconnected nature of SaaS ecosystems, a breach in one service can cascade to others, amplifying the impact. This threat also raises concerns about supply chain security for European businesses relying on third-party SaaS integrations. The medium severity rating reflects the targeted nature of the attack and the complexity of exploitation, but the potential for significant business disruption and data loss remains high.
Mitigation Recommendations
European organizations should implement stringent OAuth governance policies, including regular audits of authorized OAuth applications and revocation of unused or suspicious app permissions. Employing least privilege principles for OAuth scopes can limit potential damage. Multi-factor authentication (MFA) should be enforced for all administrative and user accounts, especially those with access to sensitive SaaS platforms. User awareness programs must be enhanced to specifically address vishing and social engineering tactics, incorporating simulated phishing and vishing exercises. Network monitoring should include detection of TOR traffic and anomalous data flows indicative of exfiltration attempts. Integration of cloud access security brokers (CASBs) can provide visibility and control over SaaS usage and OAuth token activity. Incident response plans must be updated to include scenarios involving OAuth abuse and social engineering. Collaboration with SaaS providers to enable advanced logging and anomaly detection is critical. Finally, organizations should consider implementing just-in-time access and continuous authentication mechanisms to reduce the window of opportunity for attackers.
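As an added illustration of the OAuth governance checks recommended above (example code written for this page, not code from the original analysis or from any vendor), the following Python audits a constructed inventory of OAuth grants for unused authorizations, over-broad scopes, apps outside an approved allowlist, and a freshly authorized app that immediately pulls large data volumes. The inventory format, scope names, allowlist and thresholds are assumptions made for the example.

```python
"""Audit OAuth app grants against a SaaS tenant for the conditions the
recommendations describe. The record format below is constructed for this
example and is not a real Salesforce export."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

BROAD_SCOPES = {"full", "refresh_token", "offline_access"}  # assumed policy
APPROVED_APPS = {"Approved CRM Sync", "Internal BI Connector"}  # assumed allowlist
UNUSED_DAYS = 90          # revoke grants idle longer than this (assumed policy)
NEW_GRANT_DAYS = 7        # "recently authorized" window (assumed)
BULK_READ_THRESHOLD = 1000  # API calls/24h considered bulk extraction (assumed)

@dataclass
class OAuthGrant:
    app: str
    scopes: Set[str]
    authorized_by: str
    authorized_on: date
    last_used: Optional[date] = None
    api_calls_24h: int = 0

@dataclass
class Finding:
    app: str
    rule: str
    detail: str

def audit_grants(grants: List[OAuthGrant], today: date) -> List[Finding]:
    """Return one Finding per policy violation; an empty list means clean."""
    findings = []
    for g in grants:
        if g.app not in APPROVED_APPS:  # granted outside the review process
            findings.append(Finding(g.app, "unapproved-app",
                                    f"authorized by {g.authorized_by} on {g.authorized_on}"))
        broad = g.scopes & BROAD_SCOPES  # violates least privilege on scopes
        if broad:
            findings.append(Finding(g.app, "broad-scope", ", ".join(sorted(broad))))
        idle_days = (today - (g.last_used or g.authorized_on)).days
        if idle_days > UNUSED_DAYS:  # candidate for revocation
            findings.append(Finding(g.app, "unused", f"idle {idle_days} days"))
        # A new grant that immediately reads large volumes matches the token-abuse
        # and bulk-exfiltration pattern described in the analysis.
        if (today - g.authorized_on).days <= NEW_GRANT_DAYS and g.api_calls_24h > BULK_READ_THRESHOLD:
            findings.append(Finding(g.app, "bulk-read-after-grant", f"{g.api_calls_24h} calls in 24h"))
    return findings

# Constructed sample inventory: one legitimate integration, one stale grant,
# one look-alike helper app authorized after a social-engineering call.
TODAY = date(2025, 9, 3)
SAMPLE_GRANTS = [
    OAuthGrant("Approved CRM Sync", {"api", "refresh_token"}, "ops@example.com",
               date(2024, 1, 10), TODAY - timedelta(days=1), 120),
    OAuthGrant("Internal BI Connector", {"api"}, "bi@example.com",
               date(2024, 3, 2), TODAY - timedelta(days=200), 0),
    OAuthGrant("Data Loader Helper", {"full", "refresh_token"}, "helpdesk@example.com",
               TODAY - timedelta(days=2), TODAY, 4800),
]
```

Running `audit_grants(SAMPLE_GRANTS, TODAY)` yields five findings: a broad scope on the approved integration, the stale BI grant, and three hits on the look-alike app (unapproved, broad scope, bulk read right after authorization).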
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Ireland, Belgium
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/google-salesforce-breach-unc6040-threat-research/
- Adversary: UNC6040, UNC6240
- Pulse Id: 68b85f2d5e0366f13974b43e
Threat ID: 68b8a26bad5a09ad00fa1350
Added to database: 9/3/2025, 8:17:47 PM
Last enriched: 9/3/2025, 8:33:13 PM
Last updated: 9/4/2025, 1:55:11 AM