Yesterday’s news of the UNC6040 phishing (vishing) campaign targeting Salesforce users has sent shockwaves across industries. Your Salesforce environment, housing invaluable customer data and business intelligence, has never been more attractive to bad actors. This incident serves as a stark reminder: proactive Salesforce security isn’t a luxury; it’s an absolute necessity.
The average business has 57 connected applications.
With that many integrations, it only takes one overlooked vulnerability for attackers to gain a foothold.
A sophisticated hacking group known as UNC6040 targeted Salesforce customers in a highly coordinated phishing campaign, specifically vishing (voice phishing).
Salesforce emphasized the “shared responsibility” security model and issued guidance to help customers better protect themselves.
For more detailed reporting on this breach, see Google’s Threat Intelligence Blog, The Register’s Coverage, and SalesforceBen’s incident analysis post.
Identify any unapproved or suspicious connected apps and deactivate them immediately. Revoke all access tokens, and reach out to authenticated users and verify that each integration is legitimate.
Even though the attackers bypassed MFA, both Salesforce and Google still recommend enabling MFA everywhere—every additional layer of friction helps.
Review user profiles and permissions to ensure no one has more access than necessary. Limit high-risk permissions, such as “Manage Connected Apps” or “Customize Application”, to a small group of trusted administrators. Yes, this will generate more ticket requests and overhead, but it dramatically reduces the blast radius if credentials or access have been compromised.
Restricting login access to an allowlist of trusted IPs is one of the most effective countermeasures, but it comes with operational challenges.
If you have remote teams or multiple offices without a VPN, maintaining an accurate IP allowlist can become a full-time job.
Third-party vendors will need to supply static IP addresses and reauthenticate under this new policy. While it’s the most secure option, it may not be practical for every organization.
Use dedicated “integration user” accounts for applications that need API access. This limits the threat surface compared to shared admin credentials.
Keep in mind that some integrations still require individual licensed users (e.g., to track record modifications), so make sure you have a clear inventory of which apps truly benefit from shared integration credentials.
We’re huge fans of Salesforce Shield, specifically everything in Event Monitoring. Although it doesn’t offer everything you need to ensure protection, this product offers a lot of infrastructure to create robust and ongoing monitoring solutions for your Salesforce instance. It’s not cheap, but compared to the cost of a data breach, both in dollars and reputation, it’s a wise investment.
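The connected-app inventory, IP allowlist and login-monitoring recommendations above can be combined into one triage pass over exported login records. The script below is an added example, not Arovy’s or Salesforce’s code; it assumes a CSV export whose columns match the LoginHistory object (LoginTime, UserId, SourceIp, LoginType, Application, Status) and that OAuth logins appear with LoginType “Remote Access 2.0”; the sample rows, allowlist and app inventory are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample export of login records (column names follow the
# LoginHistory object; the rows, IDs and IPs are made up for illustration).
SAMPLE_CSV = """LoginTime,UserId,SourceIp,LoginType,Application,Status
2025-06-05T09:01:00Z,005A0000001AbCd,203.0.113.10,Application,Browser,Success
2025-06-05T09:04:00Z,005A0000001AbCd,198.51.100.7,Remote Access 2.0,Approved Sync App,Success
2025-06-05T11:29:00Z,005A0000001XyZw,192.0.2.44,Remote Access 2.0,Unknown Bulk Export Tool,Failed
2025-06-05T11:30:00Z,005A0000001XyZw,192.0.2.44,Remote Access 2.0,Unknown Bulk Export Tool,Success
2025-06-05T11:31:00Z,005A0000001XyZw,192.0.2.44,Remote Access 2.0,Unknown Bulk Export Tool,Success
"""

# Office / VPN ranges approved for login (constructed example values).
IP_ALLOWLIST = ["203.0.113.0/24", "198.51.100.0/24"]
# Inventory of connected apps that went through review (constructed).
APPROVED_APPS = {"Browser", "Approved Sync App"}


def triage_logins(csv_text, allowlist, approved_apps):
    """Return one finding per successful login that violates the IP allowlist
    or uses a connected app missing from the approved inventory.

    Each finding is a (login_time, user_id, reason) tuple. Failed logins are
    skipped because they did not grant access; they belong in a separate
    brute-force check.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"] != "Success":
            continue
        ip = ipaddress.ip_address(row["SourceIp"])
        if not any(ip in net for net in nets):
            findings.append((row["LoginTime"], row["UserId"],
                             f"source IP {ip} outside allowlist"))
        # Assumption: OAuth logins carry the connected app name in Application
        # with LoginType "Remote Access 2.0"; compare it to the inventory.
        if row["LoginType"] == "Remote Access 2.0" and row["Application"] not in approved_apps:
            findings.append((row["LoginTime"], row["UserId"],
                             f"unapproved connected app '{row['Application']}'"))
    return findings


if __name__ == "__main__":
    for when, user, reason in triage_logins(SAMPLE_CSV, IP_ALLOWLIST, APPROVED_APPS):
        print(f"{when} {user}: {reason}")
```

Each flagged user/app pair is a candidate for the token revocation and owner verification step described earlier.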
At Arovy, we understand the sophistication of modern threats. While the details of the UNC6040 attack are still emerging, the patterns of such attacks – often involving credential theft, unauthorized access, and data exfiltration – are precisely what Arovy is engineered to prevent.
These capabilities are included across all of our product tiers. With over 300 Salesforce customers’ environments analyzed, we've seen the average customer integrate 57 apps.
The UNC6040 attack is a wake-up call. Relying solely on Salesforce’s native security features or taking a reactive approach isn’t enough anymore. You need a dedicated, proactive security solution. Solutions like Arovy are purpose-built to address the unique risks facing Salesforce environments—through continuous monitoring, intelligent alerting, and real-time threat mitigation.
Stay vigilant. Audit your connected apps, tighten permissions, consider IP restrictions where feasible, and invest in ongoing monitoring. And if you haven’t done so already, take a look at how Arovy’s New Application Monitor, New User Monitor, and Event Monitoring capabilities can give you continuous, automated protection.
Let’s work together to keep your Salesforce data safe.