Google Threat Intelligence Releases New Details on UNC6040


Google Threat Intelligence Group has published new research on UNC6040, a financially motivated threat group specialising in voice phishing (vishing) campaigns. This group has been observed compromising Salesforce instances in Europe and the Americas by tricking employees at various corporations into installing modified Salesforce connected apps in order to steal data.

In all observed cases, the attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.

Vishing is the vector

UNC6040’s operators impersonate IT support over the phone and talk employees into installing modified Salesforce connected apps that are not authorised by Salesforce, often disguised as variants of the legitimate Data Loader tool. Once authorised by the victim, the app gives UNC6040 access to sensitive data and a foothold for lateral movement into other cloud services and internal corporate networks. This abuse of Data Loader functionality through malicious connected apps is consistent with the observations Salesforce describes in its guidance on protecting Salesforce environments from such threats.

User manipulation, not vulnerability

It’s crucial to note that the attackers exploit end-user trust, not any inherent Salesforce vulnerability. Google’s current assessment is that a limited number of organisations, approximately 20, were affected by this campaign. The campaign began months ago and remains active.

UNC6040 is described as opportunistic by Google’s experts, and targeting has ranged across hospitality, retail, education, and various other sectors across the Americas and Europe.

Extortion activity sometimes emerges months after the initial intrusion, which may indicate that UNC6040 has partnered with a second threat actor that monetises access to the stolen data.

UNC6040 has been observed claiming affiliation with groups like ShinyHunters during extortion attempts, likely to amplify pressure on victims.

Google’s intel suggests UNC6040’s infrastructure and TTPs overlap with The Com ecosystem, a loose collective of cybercriminals of which UNC3944 / Scattered Spider is also part.

GTIG observed UNC6040 using Okta phishing panels, directly requesting MFA codes from victims, and leveraging Mullvad VPN IPs for data exfiltration.
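The two observations above (lookalike Data Loader connected apps, and connected-app logins arriving from VPN egress) translate directly into a hunt a Salesforce admin or SOC analyst can run over login records. The script below is an added example written for this article; it is not code from Google, Salesforce or the article's author. It assumes the record fields `UserId`, `LoginTime`, `SourceIp`, `LoginType`, `Application` and `Status` as exported from the Salesforce `LoginHistory` object, and that OAuth connected-app logins appear with `LoginType` of `Remote Access 2.0`; verify both against your own export before relying on it. The sample rows, the approved-app allowlist and the VPN range are all constructed placeholders, and the VPN range should in practice be replaced with a maintained anonymizer/VPN IP feed.

```python
"""Triage constructed Salesforce LoginHistory-style rows for UNC6040-style
connected-app abuse.

Added example, not code from the article, Google or Salesforce. Field names
and the "Remote Access 2.0" login type are assumptions about the Salesforce
LoginHistory export; all rows, the allowlist and the VPN range are constructed.
"""
import csv
import io
import ipaddress
import re

# Constructed sample export (hypothetical data, not real telemetry).
SAMPLE_CSV = """UserId,LoginTime,SourceIp,LoginType,Application,Status
005A1,2025-05-01T09:02:11Z,203.0.113.10,Application,Salesforce for Android,Success
005A1,2025-05-02T10:15:00Z,203.0.113.10,Application,Dataloader Bulk,Success
005B2,2025-05-02T11:40:30Z,198.51.100.7,Remote Access 2.0,Data Loader,Success
005B2,2025-05-03T02:05:44Z,198.51.100.200,Remote Access 2.0,Data Loader,Success
005C3,2025-05-03T02:06:01Z,198.51.100.201,Remote Access 2.0,My Ticket Portal,Success
005C3,2025-05-04T14:00:00Z,203.0.113.55,Application,Salesforce for Android,Failed
"""

# Name under which the genuine Data Loader shows up in this (assumed) export.
KNOWN_LOADER_NAMES = {"data loader"}
# Constructed allowlist of connected apps approved in this org.
APPROVED_APPS = {"data loader", "salesforce for android"}
# Constructed VPN egress range standing in for a real VPN/anonymizer IP feed.
VPN_RANGES = [ipaddress.ip_network("198.51.100.128/25")]
# Anything that merely mentions "Data Loader" (with or without the space).
LOADER_PATTERN = re.compile(r"data\s*loader", re.IGNORECASE)
# Assumed LoginHistory value for OAuth connected-app logins.
CONNECTED_APP_LOGIN = "Remote Access 2.0"


def parse_records(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def is_vpn_ip(ip):
    """True if the address falls inside one of the VPN egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def triage(records):
    """Return (UserId, LoginTime, reason) findings in login-time order."""
    findings = []
    for r in sorted(records, key=lambda row: row["LoginTime"]):
        if r["Status"] != "Success":
            continue  # failed logins are noise for this particular hunt
        app = r["Application"].strip()
        key = app.lower()
        user, when, ip = r["UserId"], r["LoginTime"], r["SourceIp"]

        # Rule 1: an app that imitates Data Loader but is not the known name.
        if LOADER_PATTERN.search(app) and key not in KNOWN_LOADER_NAMES:
            findings.append((user, when, f"lookalike loader app: {app!r}"))
        # Rule 2: any successful login through an app outside the allowlist.
        elif key not in APPROVED_APPS:
            findings.append((user, when, f"unapproved app: {app!r}"))

        # Rule 3: a connected-app (OAuth) login from a VPN egress address,
        # even for an approved app, since the real Data Loader is also abused.
        if r["LoginType"] == CONNECTED_APP_LOGIN and is_vpn_ip(ip):
            findings.append((user, when, f"connected-app login from VPN egress: {ip}"))
    return findings


def flagged_users(findings):
    """Distinct users that need follow-up (revoke app, rotate tokens)."""
    return {user for user, _, _ in findings}


if __name__ == "__main__":
    for user, when, reason in triage(parse_records(SAMPLE_CSV)):
        print(f"{when} {user} {reason}")
```

Rule 3 is deliberately independent of the allowlist: the genuine Data Loader is itself what UNC6040 mimics, so a legitimate-looking app name arriving from VPN egress is still worth a phone call to the user. Each flagged user should have the connected app's OAuth tokens revoked and the app's authorisation reviewed, rather than only resetting the password, because the stolen access lives in the token, not the credential.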

You can read the Salesforce guidance here.
