Full Report
Written by: Austin Larsen, Matt Lin, Tyler McLellan, Omar ElAhdan

## Introduction

Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances.

GTIG assesses that the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through it for secrets that could potentially be used to compromise victim environments. GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs; however, logs were not impacted, and organizations should still review relevant logs for evidence of data exposure.

Salesloft indicated that customers that do not integrate with Salesforce are not impacted by this campaign. There is no evidence indicating direct impact to Google Cloud customers; however, any customers that use Salesloft Drift should also review their Salesforce objects for any Google Cloud Platform service account keys.

On Aug. 20, 2025, Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens for the Drift application. In addition, Salesforce removed the Drift application from the Salesforce AppExchange until further notice and pending further investigation. This issue does not stem from a vulnerability within the core Salesforce platform. GTIG, Salesforce, and Salesloft have notified impacted organizations.
## Threat Detail

The threat actor executed queries to retrieve information associated with Salesforce objects such as Cases, Accounts, Users, and Opportunities. For example, the threat actor ran the following sequence of queries to get a unique count from each of the associated Salesforce objects:

```sql
SELECT COUNT() FROM Account;
SELECT COUNT() FROM Opportunity;
SELECT COUNT() FROM User;
SELECT COUNT() FROM Case;
```

Query to retrieve user data:

```sql
SELECT Id, Username, Email, FirstName, LastName, Name, Title, CompanyName,
       Department, Division, Phone, MobilePhone, IsActive, LastLoginDate,
       CreatedDate, LastModifiedDate, TimeZoneSidKey, LocaleSidKey,
       LanguageLocaleKey, EmailEncodingKey
FROM User
WHERE IsActive = true
ORDER BY LastLoginDate DESC NULLS LAST
LIMIT 20
```

Query to retrieve case data:

```sql
SELECT Id, IsDeleted, MasterRecordId, CaseNumber FROM Case LIMIT 10000
```

## Recommendations

Given GTIG’s observations of data exfiltration associated with the campaign, organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and are urged to take immediate remediation steps. Impacted organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation to determine if the secrets were abused by the threat actor.

### Investigate for Compromise and Scan for Exposed Secrets

- Search for the IP addresses and User-Agent strings provided in the IOCs section below. While this list includes IPs from the Tor network that have been observed to date, Mandiant recommends a broader search for any activity originating from Tor exit nodes.
- Review Salesforce Event Monitoring logs for unusual activity associated with the Drift connection user.
- Review authentication activity from the Drift Connected App.
- Review UniqueQuery events that log executed SOQL queries.
- Open a Salesforce support case to obtain the specific queries used by the threat actor.
- Search Salesforce objects for potential secrets, such as:
  - `AKIA` for long-term AWS access key identifiers
  - `Snowflake` or `snowflakecomputing.com` for Snowflake credentials
  - `password`, `secret`, `key` to find potential references to credential material
  - Strings related to organization-specific login URLs, such as VPN or SSO login pages
- Run tools like Trufflehog to find secrets and hardcoded credentials.

### Rotate Credentials

- Immediately revoke and rotate any discovered keys or secrets.
- Reset passwords for associated user accounts.
- Configure session timeout values in Session Settings to limit the lifespan of a compromised session.

### Harden Access Controls

- **Review and Restrict Connected App Scopes:** Ensure that applications have the minimum necessary permissions and avoid overly permissive scopes like full access.
- **Enforce IP Restrictions on the Connected App:** In the app’s settings, set the ‘IP Relaxation’ policy to ‘Enforce IP restrictions’.
- **Define Login IP Ranges:** On user profiles, define IP ranges to only allow access from trusted networks.
- **Remove the 'API Enabled' Permission:** Remove the 'API Enabled' permission from profiles and grant it only to authorized users via a Permission Set.

Additional instructions and updates are available on the Salesloft Trust Center.

## Acknowledgments

We would like to thank Salesforce, Salesloft, and other trusted partners for their collaboration and assistance in responding to this threat.

## IOCs

A collection of indicators of compromise (IOCs) is available in a Google Threat Intelligence (GTI) collection for registered users.
| Indicator Value | Description |
|---|---|
| `Salesforce-Multi-Org-Fetcher/1.0` | Malicious User-Agent string |
| `Salesforce-CLI/1.0` | Malicious User-Agent string |
| `python-requests/2.32.4` | User-Agent string |
| `Python/3.11 aiohttp/3.12.15` | User-Agent string |
| 208.68.36.90 | DigitalOcean |
| 44.215.108.109 | Amazon Web Services |
| 154.41.95.2 | Tor exit node |
| 176.65.149.100 | Tor exit node |
| 179.43.159.198 | Tor exit node |
| 185.130.47.58 | Tor exit node |
| 185.207.107.130 | Tor exit node |
| 185.220.101.133 | Tor exit node |
| 185.220.101.143 | Tor exit node |
| 185.220.101.164 | Tor exit node |
| 185.220.101.167 | Tor exit node |
| 185.220.101.169 | Tor exit node |
| 185.220.101.180 | Tor exit node |
| 185.220.101.185 | Tor exit node |
| 185.220.101.33 | Tor exit node |
| 192.42.116.179 | Tor exit node |
| 192.42.116.20 | Tor exit node |
| 194.15.36.117 | Tor exit node |
| 195.47.238.178 | Tor exit node |
| 195.47.238.83 | Tor exit node |
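To hunt for this activity in your own Event Monitoring data, here is an added example (not code from the GTIG advisory) that matches exported rows against the User-Agent strings and the DigitalOcean/AWS addresses from the IOC table above, and separately flags the per-object `SELECT COUNT()` sizing sequence shown under Threat Detail. The CSV column names and the sample rows are constructed assumptions and must be mapped to the fields your event type actually exports.

```python
import csv
import io
from collections import defaultdict

# Indicators from the advisory's IOC table: the four User-Agent strings and
# the DigitalOcean/AWS addresses. Extend IOC_IPS with the Tor exit nodes from
# that table (or a current Tor exit list) before running this for real.
IOC_USER_AGENTS = {
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
}
IOC_IPS = {"208.68.36.90", "44.215.108.109"}

# Constructed sample rows shaped like an Event Monitoring export; the column
# names are assumed for this example and must be mapped to your event type.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,CLIENT_IP,USER_AGENT,QUERY
20250810120130.000,drift@example.com,208.68.36.90,Salesforce-Multi-Org-Fetcher/1.0,SELECT COUNT() FROM Account
20250810120131.000,drift@example.com,208.68.36.90,Salesforce-Multi-Org-Fetcher/1.0,SELECT COUNT() FROM Opportunity
20250810120132.000,drift@example.com,208.68.36.90,Salesforce-Multi-Org-Fetcher/1.0,SELECT COUNT() FROM User
20250810120133.000,drift@example.com,208.68.36.90,Salesforce-Multi-Org-Fetcher/1.0,SELECT COUNT() FROM Case
20250810120200.000,drift@example.com,44.215.108.109,python-requests/2.32.4,SELECT Id FROM Case LIMIT 10000
20250811090000.000,alice@example.com,198.51.100.7,Mozilla/5.0,SELECT Name FROM Opportunity LIMIT 10
"""

def find_ioc_hits(log_text):
    """Return one dict per row whose User-Agent or source IP is a known IOC."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["USER_AGENT"] in IOC_USER_AGENTS:
            reasons.append("user-agent:" + row["USER_AGENT"])
        if row["CLIENT_IP"] in IOC_IPS:
            reasons.append("ip:" + row["CLIENT_IP"])
        if reasons:
            hits.append({"timestamp": row["TIMESTAMP"], "user": row["USER_NAME"],
                         "query": row["QUERY"], "reasons": reasons})
    return hits

def find_count_recon(log_text, min_objects=3):
    """Users that ran bare SELECT COUNT() against several objects (sizing before export)."""
    counted = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        q = row["QUERY"].strip().rstrip(";")
        if q.upper().startswith("SELECT COUNT() FROM "):
            counted[row["USER_NAME"]].add(q.split()[-1])
    return {user: sorted(objs) for user, objs in counted.items()
            if len(objs) >= min_objects}
```

Run both functions over the full export rather than a sample, and treat a COUNT() sweep from the Drift connection user as worth investigation even when the IP and User-Agent are not on the list.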
Analysis Summary
# Incident Report: Widespread Data Theft Targeting Salesforce via Salesloft Drift Integration Compromise
## Executive Summary
UNC6395 executed a widespread data theft campaign between August 8 and August 18, 2025, leveraging compromised OAuth tokens associated with the Salesloft Drift third-party application integrated with numerous corporate Salesforce instances. The primary goal was to harvest sensitive credentials, including AWS access keys and Snowflake tokens, found within Salesforce objects. Response actions included the revocation of all affected access/refresh tokens by Salesloft and Salesforce, and the removal of the Drift application from the AppExchange.
## Incident Details
- **Discovery Date:** On or around August 18, 2025 (implied, as response actions began August 20)
- **Incident Date:** Beginning as early as August 8, 2025, through at least August 18, 2025
- **Affected Organization:** Numerous corporate organizations utilizing Salesforce integrated with Salesloft Drift.
- **Sector:** Unspecified, likely organizations using Salesforce CRM/Sales engagement tools.
- **Geography:** Global (implied by "widespread" nature).
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning as early as Aug. 8, 2025
- **Vector:** Compromised OAuth tokens associated with the Salesloft Drift third-party application integrated with Salesforce.
- **Details:** Attacker gained authenticated access to Salesforce environments via the authorized, yet compromised, integration credentials.
### Lateral Movement
- Primarily focused on internal reconnaissance and data retrieval within the Salesforce environment using SOQL queries against objects like Accounts, Opportunities, Users, and Cases.
### Data Exfiltration/Impact
- Systematic export of large volumes of data from Salesforce instances.
- Specific targeting for credentials: AWS access keys (AKIA), passwords, and Snowflake-related access tokens.
- Attacker attempted operational security by deleting query jobs, but logs were not impacted, so evidence of the activity remains available for review.
### Detection & Response
- **Detection:** Implied through external investigation or internal alerts related to unusual data access/exports.
- **Response:** On Aug. 20, 2025, Salesloft and Salesforce revoked all active access and refresh tokens tied to the Drift application and removed the application from the Salesforce AppExchange pending investigation.
## Attack Methodology
- **Initial Access:** Compromised OAuth Tokens via third-party application (Salesloft Drift).
- **Persistence:** Not explicitly detailed, but initial access maintained via valid OAuth tokens until revocation.
- **Privilege Escalation:** Not required, as access was likely scoped based on the permissions granted to the Salesloft Drift Connected App.
- **Defense Evasion:** The actor demonstrated operational security awareness by deleting relevant query jobs.
- **Credential Access:** Searched exfiltrated data within Salesforce objects for sensitive secrets (AWS keys, Snowflake tokens).
- **Discovery:** Executed SOQL queries against standard Salesforce objects (`Account`, `Opportunity`, `User`, `Case`) to map data structures.
- **Lateral Movement:** Limited to moving between accessible Salesforce objects.
- **Collection:** Exported data from standard and custom Salesforce objects.
- **Exfiltration:** Data export occurred via the established, authenticated connection associated with the OAuth tokens.
- **Impact:** Broad data theft with a specific focus on harvesting credentials for potential secondary compromises.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Large volumes of corporate data exfiltrated; highly sensitive credentials (AWS keys, Snowflake tokens) obtained, posing significant risk for downstream enterprise compromise.
- **Operational:** Minimal direct operational disruption described, though customers must dedicate resources to remediation.
- **Reputational:** Potential impact stemming from the widespread nature of the data theft campaign.
## Indicators of Compromise
- **Network indicators (Defanged IP Addresses):**
- DigitalOcean: `208.XXX.XXX.XXX`
- Amazon Web Services: `44.XXX.XXX.XXX`
- Tor exit nodes (numerous examples provided, e.g., `154.XXX.XXX.XXX`, `185.XXX.XXX.XXX` ranges)
- **File indicators:** N/A (Fileless execution implied via API/OAuth access)
- **Behavioral indicators:**
- User-Agent strings: `Salesforce-Multi-Org-Fetcher/1.0`, `Salesforce-CLI/1.0`, `python-requests/2.32.4`, `aiohttp/3.12.15`.
- Execution of SOQL queries to count objects and extract user/case information.
## Response Actions
- **Containment:** Salesloft and Salesforce collaborated to revoke all active access and refresh tokens associated with the Drift application on Aug. 20, 2025.
- **Eradication:** Salesforce removed the Drift application from the AppExchange.
- **Recovery:** Impacted organizations were urged to:
- Search Salesforce objects for exposed secrets (`AKIA`, `Snowflake`, `password`, etc.).
- Revoke compromised API keys and rotate credentials found within the stolen data.
- Review Event Monitoring logs and authentication activity from the Drift Connected App.
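An added example, not part of this report, of the secret search the recovery steps above call for: it scans exported Salesforce records for the AKIA, Snowflake, Google Cloud service account key and credential-keyword patterns named in the advisory, and redacts each match in its output so the findings list does not re-leak the secret. The record shapes, field names and values are constructed; the AKIA value is a fake that only matches the key-ID format.

```python
import re

# Patterns for the secret types the advisory tells defenders to search for.
# The AWS pattern is the AKIA prefix of a long-term access key ID followed by
# 16 uppercase letters or digits; the others are keyword or domain matches.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_reference": re.compile(r"snowflake(?:computing\.com)?", re.I),
    "gcp_service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
    "credential_keyword": re.compile(r"\b(?:password|secret|key)\b", re.I),
}

# Constructed records in the shape of a Bulk API export of Case and User.
# The AKIA value is a fake that only matches the key-ID format.
SAMPLE_RECORDS = [
    {"object": "Case", "Id": "500XX0000000001", "Subject": "Pipeline failing",
     "Description": "Temp creds: AKIAEXAMPLEKEY123456 password=Sup3rS3cret!"},
    {"object": "Case", "Id": "500XX0000000002", "Subject": "Login help",
     "Description": "User cannot reach acme.snowflakecomputing.com, please reset"},
    {"object": "User", "Id": "005XX0000000003", "Title": "Account Executive",
     "AboutMe": "Loves long walks and quarterly targets"},
]

def redacted_match(value, pattern):
    """Return the match with all but its first 4 chars masked, or None."""
    m = pattern.search(value)
    return m.group(0)[:4] + "*" * (len(m.group(0)) - 4) if m else None

def scan_records(records, skip_fields=("object", "Id")):
    """Return (object, Id, field, secret_type, redacted) per field/pattern match."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field in skip_fields or not isinstance(value, str):
                continue
            for secret_type, pattern in SECRET_PATTERNS.items():
                masked = redacted_match(value, pattern)
                if masked is not None:
                    findings.append((rec["object"], rec["Id"], field,
                                     secret_type, masked))
    return findings
```

Keyword hits such as `password` are noisy by design and need a human to confirm whether credential material actually follows them; pattern hits like AKIA keys should go straight to revocation and rotation.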
## Lessons Learned
- Third-party integrations using OAuth represent a significant supply chain risk vector, even if the core platform (Salesforce) is not vulnerable.
- Overly permissive scopes granted to connected applications can maximize the impact of token compromise.
- Attackers utilize seemingly legitimate tool User-Agents to conduct data harvesting.
## Recommendations
- Review and immediately restrict Connected App Scopes, avoiding `full` access where possible, adhering to the principle of least privilege.
- Enforce IP Restrictions on Connected Apps, setting the 'IP Relaxation' policy to 'Enforce IP restrictions'.
- Review and segment user profiles, ensuring the 'API Enabled' permission is granted only via specific Permission Sets, not broad profiles.
- Implement robust auditing of Salesforce Event Monitoring logs, specifically looking for unusual query patterns or activity originating from the Connected App's user context.
- Regularly scan Salesforce data objects for embedded secrets and credentials.
- Consider limiting the lifespan of session tokens for critical integrations to minimize the window of compromise.