Salesforce security continues to be in the spotlight with Google Threat Intelligence Group’s (GTIG) recent alert about the widespread data theft campaign led by the actor UNC6395. Unlike the recent string of Salesforce vishing attacks, this campaign takes a different approach—exploiting compromised OAuth tokens from the Salesloft Drift application to steal sensitive credentials such as AWS access keys, passwords, and Snowflake tokens.
This kind of OAuth token risk presents a serious challenge for security teams: once tokens are compromised, attackers can bypass traditional login protections and move deeper into Salesforce and connected applications.
Across industries, customers are asking the same urgent questions: “Are we at risk?” and “How do we prevent and monitor for this type of attack across all Salesforce apps?”
Below, we'll recap our recent webinar with Jack McGlinchey and Brian Olearczyk where they broke down the details of the Salesloft Drift attack, explained what it means for Salesforce security, and shared practical steps your team can take to detect and defend against evolving threats.
— Jack McGlinchey, CEO & Co-founder, Arovy
When there's a single point of failure, attacks are almost always more effective. In the case of the Drift breach, the compromise of its OAuth token table granted attackers access to every customer’s tokens, a clear example of how fragile such dependencies can be.
Similar risks are seen in vishing attacks, where administrators hold so much control that they can unintentionally bypass security measures. These issues are not always about user education or hiring stronger people. In many cases, they stem from integrations and processes that lack proper verification and oversight. The lesson here is that preventing such attacks requires building in checks and balances, with real-time monitoring and observability across integrations.
Vishing hinges on social engineering to win authorizations. In this case, the weak point was compromised OAuth tokens tied to the provider’s Drift integration—not user training. The remedy is verification and oversight of integrations with real-time monitoring and observability.
The common pattern is concentrated privilege without sufficient checks—whether that’s an over-powerful admin path (vishing) or a vendor’s token table (this incident). One gate with too much power expands the blast radius.
— Jack McGlinchey, CEO & Co-founder, Arovy
An important safeguard to highlight is working with vendors that support static IP addresses. Salesforce makes it possible to configure trusted IPs for specific integration users, which could have helped prevent this attack since the hackers were accessing data from different IP addresses. While Salesforce provides this capability out of the box, not all vendors do. AWS, for example, requires additional setup. Still, it’s an extra layer of security we strongly recommend.
Beyond that, Salesforce Shield’s Event Monitoring add-on is critical. Without it, there’s no way to determine the scope of an attack or even confirm if you were impacted. You can check whether Drift was integrated, but without Event Monitoring, you won’t know what data was accessed, taken, or updated—you’re essentially flying blind. That’s why we stress the importance of having Event Monitoring in place.
A live data dictionary provides the context needed during and after an incident—what data moved, how sensitive it was, and who owns it—while aligning teams on terms and calculations.
Add multiple layers of observability on top of native logs—continuous monitoring of connected apps, integration behavior, and permission drift—so single-point failures don’t go unnoticed and consent/token anomalies surface fast; for example, Arovy Application Security Monitoring provides real-time detection and alerts tailored to connected-app activity.
— Brian Olearczyk, CRO, Arovy
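The three checks the speakers describe above (was the integration user ever used from an IP the vendor does not own, which users had granted a token to the connected app, and what credential material sat in the records that app could read) can be run offline against exports. The following is an added example written for this recap; it is not code from the webinar, from Arovy, or from Salesforce. It operates on constructed rows whose column names are modelled on Salesforce Event Monitoring Login events (`SOURCE_IP`, `USER_NAME`, `LOGIN_STATUS`) and on the `OauthToken` object (`AppName`, `UserId`, `UseCount`, `LastUsedDate`); those names, the trusted range, the app name "Drift" and every sample row are assumptions to verify against your own org's data before trusting the output.

```python
"""Triage checks for a Drift-style OAuth token compromise (added example).

Not code from the webinar, from Arovy or from Salesforce. Column names are
modelled on Event Monitoring Login events and the OauthToken object; the
trusted range, app name and all rows below are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the egress range the vendor documented for its integration user.
TRUSTED_CIDRS = ["203.0.113.0/24"]  # TEST-NET-3, constructed for the example

# Constructed Login-event rows for the vendor's integration user.
LOGIN_EVENTS = [
    {"TIMESTAMP_DERIVED": "2025-08-08T02:14:00Z", "USER_NAME": "drift.integration@example.com",
     "SOURCE_IP": "203.0.113.10", "LOGIN_STATUS": "LOGIN_NO_ERROR"},
    {"TIMESTAMP_DERIVED": "2025-08-09T03:41:00Z", "USER_NAME": "drift.integration@example.com",
     "SOURCE_IP": "198.51.100.77", "LOGIN_STATUS": "LOGIN_NO_ERROR"},
    {"TIMESTAMP_DERIVED": "2025-08-09T03:42:00Z", "USER_NAME": "drift.integration@example.com",
     "SOURCE_IP": "192.0.2.5", "LOGIN_STATUS": "LOGIN_NO_ERROR"},
]

# Constructed OauthToken rows, one per user/app grant (what a SOQL query of
# AppName, UserId, UseCount, LastUsedDate on OauthToken would return).
OAUTH_TOKENS = [
    {"AppName": "Drift", "UserId": "005000000000001", "UseCount": 8, "LastUsedDate": "2025-08-09T03:42:00Z"},
    {"AppName": "Drift", "UserId": "005000000000002", "UseCount": 1, "LastUsedDate": "2025-07-30T10:00:00Z"},
    {"AppName": "Slack", "UserId": "005000000000003", "UseCount": 3, "LastUsedDate": "2025-08-01T12:00:00Z"},
]

# Constructed Case rows the integration user could read, with the kind of
# credential material the campaign targeted planted in free-text fields.
CASE_ROWS = [
    {"Id": "500000000000001", "Description": "Customer cannot log in; temp password: Summer2025!"},
    {"Id": "500000000000002", "Description": "Attached key AKIAIOSFODNN7EXAMPLE for S3 access"},
    {"Id": "500000000000003", "Description": "Order shipped, nothing further"},
]

# AWS access key IDs have a fixed public format; password assignments are matched by keyword.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
PASSWORD_ASSIGNMENT = re.compile(r"\bpass(word|wd)?\s*[:=]\s*\S+", re.IGNORECASE)


def logins_outside_trusted_ranges(events, trusted_cidrs=TRUSTED_CIDRS):
    """Login rows whose SOURCE_IP is outside every trusted range.

    This is what a per-profile login IP range would have blocked at login
    time; over historical logs it shows whether the integration user was
    ever driven from an address the vendor does not own.
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return [ev for ev in events
            if not any(ipaddress.ip_address(ev["SOURCE_IP"]) in n for n in nets)]


def grants_for_app(tokens, app_name):
    """Users holding a token for the named connected app: the blast radius if that app's tokens leak."""
    return sorted(t["UserId"] for t in tokens if t["AppName"] == app_name)


def credential_hits(rows, fields=("Description",)):
    """Map record Id -> list of secret types found in the given free-text fields."""
    hits = defaultdict(list)
    for row in rows:
        for field in fields:
            text = row.get(field, "")
            if AWS_ACCESS_KEY_ID.search(text):
                hits[row["Id"]].append("aws_access_key_id")
            if PASSWORD_ASSIGNMENT.search(text):
                hits[row["Id"]].append("password")
    return dict(hits)


def triage(events=LOGIN_EVENTS, tokens=OAUTH_TOKENS, rows=CASE_ROWS, app_name="Drift"):
    """Run all three checks and return one summary dict for the incident record."""
    return {
        "untrusted_login_ips": sorted({ev["SOURCE_IP"] for ev in logins_outside_trusted_ranges(events)}),
        "users_granted_to_app": grants_for_app(tokens, app_name),
        "records_with_secrets": credential_hits(rows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Run against real exports, the first check only works if the vendor publishes static egress addresses, which is the point made above about choosing vendors that support them; the third check is deliberately narrow (AWS key ID format plus a password keyword) and should be extended with patterns for whatever secret types your own data dictionary says end up in Case and Contact text.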
A data dictionary is essential because it provides the context needed to understand and investigate incidents. It helps you trace which applications may have accessed specific data, confirm whether that data was sensitive, and determine what security controls should be applied. The key is that your data dictionary must persist and remain accurate over time. Without one, you’re missing a critical foundation. At Arovy, we provide this capability, but regardless of how you approach it, having a reliable data dictionary is non-negotiable.
Beyond that, reducing risk also requires multiple levels of observability. As Jack mentioned, too many single points of failure exist across operating environments, and attackers have already exploited them in different ways. Observability, through tools like Salesforce Event Monitoring and additional solutions that make it easier to interpret and manage connected apps, is vital to closing those gaps.