UNC6040: Salesforce Voice Phishing (Vishing) Attacks: What You Need to Know
Introduction
Yesterday’s news of the UNC6040 phishing (vishing) campaign targeting Salesforce users has sent shockwaves across industries. Your Salesforce environment, housing invaluable customer data and business intelligence, has never been more attractive to bad actors. This incident serves as a stark reminder: proactive Salesforce security isn’t a luxury; it’s an absolute necessity.
The average business has 57 connected applications.
With that many integrations, it only takes one overlooked vulnerability for attackers to gain a foothold.
What Happened?
A sophisticated hacking group known as UNC6040 targeted Salesforce customers in a highly coordinated phishing campaign—specifically vishing (voice phishing):
- Attackers posed as IT support over the phone, calling employees at 20+ enterprise organizations across the U.S. and Europe.
- They tricked victims into installing a modified version of Salesforce’s Data Loader that siphoned off sensitive data.
- Employees were also coaxed into authorizing the attacker-controlled connected app via OAuth through Salesforce's connected apps setup, completing MFA prompts along the way.
- Once inside, attackers exfiltrated CRM data, later sold with the help of data brokers like ShinyHunters.
Salesforce emphasized the “shared responsibility” security model and issued guidance to help customers better protect themselves.
For more detailed reporting on this breach, see Google’s Threat Intelligence Blog, The Register’s Coverage, and SalesforceBen’s incident analysis post.
What You Should Do Today
1. Audit Connected Apps & User Permissions
Identify any unapproved or suspicious connected apps and deactivate them immediately. Revoke their access tokens, then reach out to the users who authorized each remaining app and verify that the integration is legitimate.
2. Enforce MFA
Even though the attackers bypassed MFA, both Salesforce and Google still recommend enabling MFA everywhere—every additional layer of friction helps.
3. Ensure Least-Privilege Access
Review user profiles and permission sets to ensure no one has more access than necessary. Limit high-risk permissions, such as “Manage Connected Apps” or “Customize Application”, to a small group of trusted administrators. Yes, this will generate more ticket requests and overhead, but it dramatically reduces the blast radius if credentials or access have been compromised.
What You Should Consider Next
1. IP-Based Restrictions:
Restricting login access to an allowlist of trusted IP ranges is one of the most effective countermeasures, but it comes with operational challenges.
If you have remote teams or multiple offices without a VPN, maintaining an accurate IP allowlist can become a full-time job.
Third-party vendors will need to supply static IP addresses and reauthenticate under this new policy. While it’s the most secure option, it may not be practical for every organization.
2. Integration Users
Use dedicated “integration user” accounts for applications that need API access. This limits the threat surface compared to shared admin credentials.
Keep in mind that some integrations still require individual licensed users (e.g., to track record modifications), so make sure you have a clear inventory of which apps truly benefit from shared integration credentials.
3. Salesforce Shield & Event Monitoring
We’re huge fans of Salesforce Shield, specifically its Event Monitoring feature set. Although it doesn’t cover everything you need for complete protection, it provides much of the infrastructure needed to build robust, ongoing monitoring for your Salesforce instance. It’s not cheap, but compared to the cost of a data breach, both in dollars and reputation, it’s a wise investment.
How Arovy Would Have Prevented This Attack
At Arovy, we understand the sophistication of modern threats. While the details of the UNC6040 attack are still emerging, the patterns of such attacks – often involving credential theft, unauthorized access, and data exfiltration – are precisely what Arovy is engineered to prevent.
Three key detection points:
- New Application Monitor
  - Any new connected app that suddenly appears, or an existing app requesting expanded scopes, is detected and triggers an alert.
  - In this case, the malicious Data Loader would have been flagged the moment it tried to register as a connected app.
- New User Monitor
  - Unexpected user authentications, especially OAuth logins from non-standard IP addresses, generate real-time alerts.
- Event Monitoring
  - Since Arovy ingests Salesforce Shield events, it would spot irregular data-exfiltration patterns (e.g., hundreds of records being mass-exported by a Data Loader instance).
  - Correlating these anomalies with the connected-app alerts would provide a clear signal that an active data theft was underway.
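To make the correlation described above concrete, here is an added example of the kind of detection logic a team could run over its own Event Monitoring exports. It is not Arovy's code and not a Salesforce-provided tool. It reads rows in the shape of a Salesforce EventLogFile “API” event export (the column names EVENT_TYPE, TIMESTAMP, USER_ID, CLIENT_NAME, CLIENT_IP, ENTITY_NAME and ROWS_PROCESSED are real; every value is constructed for the example), checks each API client against the approved connected-app inventory from the audit step, checks the source IP against trusted egress ranges, and raises severity only when an unapproved client is also pulling a large volume of records. The approved-app names, the trusted networks and the 1,000-row threshold are assumptions, not figures from the incident.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows shaped like a Salesforce EventLogFile "API" export.
# Column names match the real API event type; the values are made up here.
SAMPLE_API_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
API,20250603101500.000,005xx000001A1AA,Salesforce for Outlook,203.0.113.10,Contact,25
API,20250603101530.000,005xx000001A1AA,Salesforce for Outlook,203.0.113.10,Contact,40
API,20250603102200.000,005xx000001B2BB,DataLoader,198.51.100.77,Account,2000
API,20250603102215.000,005xx000001B2BB,DataLoader,198.51.100.77,Contact,2000
API,20250603102230.000,005xx000001B2BB,DataLoader,198.51.100.77,Opportunity,1500
API,20250603103000.000,005xx000001C3CC,Approved Integration,203.0.113.22,Case,800
"""

# Assumed inventory of connected apps the org has reviewed and approved
# (hypothetical names; in practice this comes from the connected-app audit).
APPROVED_CLIENTS = {"Salesforce for Outlook", "Approved Integration"}

# Assumed corporate egress ranges (documentation address space, constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed threshold: more rows than this from one client counts as a mass export.
MASS_EXPORT_ROWS = 1000


def parse_api_events(csv_text):
    """Parse EventLogFile API rows into dicts, coercing ROWS_PROCESSED to int."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"] or 0)
    return rows


def ip_is_trusted(ip_text):
    """True when the client IP falls inside one of the trusted egress ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_NETWORKS)


def detect_exfiltration(rows, approved=APPROVED_CLIENTS, threshold=MASS_EXPORT_ROWS):
    """Aggregate rows per (user, client) and emit correlated findings.

    Each finding lists every signal that fired: unapproved client, untrusted
    source IP, row volume over threshold. Severity is 'high' only when an
    unapproved client is also pulling a large volume, i.e. the connected-app
    anomaly and the export anomaly line up on the same actor.
    """
    totals = defaultdict(lambda: {"rows": 0, "ips": set(), "entities": set()})
    for row in rows:
        agg = totals[(row["USER_ID"], row["CLIENT_NAME"])]
        agg["rows"] += row["ROWS_PROCESSED"]
        agg["ips"].add(row["CLIENT_IP"])
        agg["entities"].add(row["ENTITY_NAME"])

    findings = []
    for (user_id, client), agg in totals.items():
        signals = []
        if client not in approved:
            signals.append("unapproved_client")
        if not all(ip_is_trusted(ip) for ip in agg["ips"]):
            signals.append("untrusted_ip")
        if agg["rows"] > threshold:
            signals.append("mass_export")
        if not signals:
            continue
        correlated = {"unapproved_client", "mass_export"} <= set(signals)
        findings.append({
            "user_id": user_id,
            "client": client,
            "rows": agg["rows"],
            "entities": sorted(agg["entities"]),
            "signals": signals,
            "severity": "high" if correlated else "medium",
        })
    # Largest extraction first so the most urgent finding is read first.
    return sorted(findings, key=lambda f: f["rows"], reverse=True)


if __name__ == "__main__":
    for f in detect_exfiltration(parse_api_events(SAMPLE_API_LOG)):
        print(f"[{f['severity']}] user={f['user_id']} client={f['client']!r} "
              f"rows={f['rows']} signals={f['signals']} entities={f['entities']}")
```

Run as-is, the script reports one high-severity finding: the unapproved “DataLoader” client pulling 5,500 rows across three objects from an untrusted address, while the approved Outlook and integration clients stay silent. Lowering the threshold (for example to 500) shows the other half of the design: the approved integration then appears as a medium-severity volume alert only, because a single signal without the connected-app anomaly is not, on its own, the pattern this post describes.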
Protection Available Across All Arovy Product Tiers
These capabilities are included across all of our product tiers. Having analyzed more than 300 Salesforce customers’ environments, we've seen the average customer integrate 57 apps.
Final Thoughts
The UNC6040 attack is a wake-up call. Relying solely on Salesforce’s native security features or taking a reactive approach isn’t enough anymore. You need a dedicated, proactive security solution. Solutions like Arovy are purpose-built to address the unique risks facing Salesforce environments—through continuous monitoring, intelligent alerting, and real-time threat mitigation.
Stay vigilant. Audit your connected apps, tighten permissions, consider IP restrictions where feasible, and invest in ongoing monitoring. And if you haven’t done so already, take a look at how Arovy’s New Application Monitor, New User Monitor, and Event Monitoring capabilities can give you continuous, automated protection.
Let’s work together to keep your Salesforce data safe.