A sophisticated data exfiltration campaign targeting corporate Salesforce instances has exposed sensitive information from multiple organizations through compromised OAuth tokens associated with the Salesloft Drift third-party application.
The threat actor, tracked as UNC6395, systematically harvested credentials and sensitive data between August 8 and August 18, 2025, running SOQL queries across numerous Salesforce objects while showing a deliberate awareness of operational security.
Key Takeaways
1. UNC6395 used compromised Salesloft Drift OAuth tokens to access Salesforce instances.
2. Harvested AWS keys, Snowflake tokens, and passwords from Salesforce data.
3. All Drift tokens revoked; organizations must rotate credentials.
The campaign is a supply chain attack: it exploited the trust relationship between Salesforce instances and an integrated third-party application rather than any flaw in Salesforce itself.
Because UNC6395 authenticated with legitimate OAuth tokens, its API calls looked like ordinary integration traffic, so controls that key on credential theft or login anomalies did not fire, and detection was particularly challenging for affected organizations.
OAuth Token Exploitation
Google Threat Intelligence Group reported that the threat actor utilized compromised OAuth access tokens and refresh tokens from the Salesloft Drift application to authenticate against target Salesforce instances.
The attack abused, rather than broke, the OAuth 2.0 authorization framework, which lets a third-party application access Salesforce data with delegated access and refresh tokens instead of user credentials; whoever holds a valid token gets exactly the access the integration was granted.
UNC6395 executed systematic SOQL (Salesforce Object Query Language) queries to enumerate and extract data from critical Salesforce objects including Cases, Accounts, Users, and Opportunities.
The actor first ran COUNT queries against the targeted objects to gauge how much data each held before committing to exfiltration, a reconnaissance step that also shows up in the query logs.
Salesloft stated that the attacker specifically targeted AWS access key IDs (recognizable by their AKIA prefix), passwords, Snowflake credentials, and other sensitive authentication material stored within Salesforce custom fields and standard objects.
Post-exfiltration analysis revealed the actor searched extracted data for patterns matching credential formats, indicating a primary objective of credential harvesting rather than traditional data theft.
Mitigations
Salesforce and Salesloft responded by revoking all active OAuth tokens associated with the Drift application on August 20, 2025, effectively terminating the attack vector.
The Drift application was subsequently removed from the Salesforce AppExchange pending a comprehensive security review.
Organizations that use the Salesloft Drift integration should immediately implement the following remediation measures.
Event Monitoring logs should be reviewed for suspicious UniqueQuery events and authentication anomalies associated with the Drift connected app.
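The triage described above, as an added example that is not part of the original article or any tool from Google, Salesforce or Salesloft: it parses a constructed Event Log File style CSV of UniqueQuery events and flags two behaviours attributed to UNC6395, COUNT queries used to size the data and unfiltered reads of Cases, Accounts, Users and Opportunities, when they come from the Drift connected app. The column names and sample rows are assumptions for this example; check the UniqueQuery field reference for your org before adapting the parser.

```python
import csv
import io
import re

# Constructed sample in the shape of a Salesforce Event Log File CSV export.
# Assumption: the column names are simplified for this example and are not
# guaranteed to match the real UniqueQuery event schema.
SAMPLE_EVENT_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CONNECTED_APP_NAME,ENTITY_NAME,QUERY_TEXT
UniqueQuery,2025-08-09T02:14:07Z,005XX000001AAAA,Drift,Account,SELECT COUNT() FROM Account
UniqueQuery,2025-08-09T02:14:09Z,005XX000001AAAA,Drift,Case,SELECT COUNT() FROM Case
UniqueQuery,2025-08-09T02:15:31Z,005XX000001AAAA,Drift,Case,"SELECT Id, Subject, Description FROM Case"
UniqueQuery,2025-08-09T02:16:02Z,005XX000001AAAA,Drift,User,"SELECT Id, Username, Email FROM User"
UniqueQuery,2025-08-09T10:00:00Z,005XX000001BBBB,Drift,Lead,"SELECT Id, Email FROM Lead WHERE Email = 'a@example.com'"
UniqueQuery,2025-08-09T10:05:00Z,005XX000001CCCC,Sales Console,Opportunity,"SELECT Id, Amount FROM Opportunity WHERE OwnerId = '005XX000001CCCC'"
"""

# Objects the article names as targets of the campaign.
SENSITIVE_OBJECTS = {"Account", "Case", "User", "Opportunity"}
COUNT_RE = re.compile(r"\bSELECT\s+COUNT\s*\(", re.IGNORECASE)
WHERE_RE = re.compile(r"\bWHERE\b", re.IGNORECASE)


def parse_event_log(text):
    """Return the UniqueQuery rows of an Event Log File CSV as dicts."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row["EVENT_TYPE"] == "UniqueQuery"]


def triage_queries(events, app_name="Drift"):
    """Flag reconnaissance and bulk-read queries issued through app_name.

    A chat integration has a legitimate reason to look up a single Lead by
    e-mail; it has no reason to count every Case or dump every User, so those
    are the patterns reported here.
    """
    findings = []
    for ev in events:
        if ev["CONNECTED_APP_NAME"] != app_name:
            continue
        query, entity = ev["QUERY_TEXT"], ev["ENTITY_NAME"]
        if COUNT_RE.search(query):
            reason = "row-count reconnaissance"
        elif entity in SENSITIVE_OBJECTS and not WHERE_RE.search(query):
            reason = "unfiltered read of sensitive object"
        else:
            continue
        findings.append({
            "time": ev["TIMESTAMP_DERIVED"],
            "user": ev["USER_ID"],
            "object": entity,
            "reason": reason,
            "query": query,
        })
    return findings


def summarize_by_user(findings):
    """Group flagged reasons per user so an analyst can see who to scope."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f["user"], []).append(f["reason"])
    return by_user


if __name__ == "__main__":
    hits = triage_queries(parse_event_log(SAMPLE_EVENT_LOG))
    for h in hits:
        print(f"{h['time']} {h['user']} {h['object']:<12} {h['reason']}: {h['query']}")
    print(summarize_by_user(hits))
```

Queries that carry a WHERE clause on a single record are deliberately not flagged, since that is what the integration is expected to do; a WHERE clause that still selects most of the table (for example `WHERE CreatedDate > 2000-01-01`) would need a second, volume-based rule.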
Security teams must scan Salesforce objects for exposed secrets using tools like TruffleHog and search for patterns including “AKIA”, “snowflakecomputing[.]com”, and generic credential references.
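A small scanner in the spirit of that search, added here as an example and not code from the article, TruffleHog or Salesforce: it walks constructed Salesforce records and reports fields that match the AKIA access key ID format, a Snowflake account hostname, or a generic "password:"/"password=" reference, redacting the match so the report itself does not become another copy of the secret. The object and field names, the records, and the AWS key (AWS's documented example key) are all constructed for this example.

```python
import re

# Constructed sample of Salesforce records as a bulk export might return them.
# Assumption: object and field names are illustrative, not from a real org;
# AKIAIOSFODNN7EXAMPLE is the example key ID from AWS's own documentation.
SAMPLE_RECORDS = [
    {"object": "Case", "Id": "500XX000001AAAA", "Subject": "Pipeline failing",
     "Description": "Temp creds for the job: AKIAIOSFODNN7EXAMPLE, ask ops for the secret"},
    {"object": "Account", "Id": "001XX000001BBBB", "Name": "Acme",
     "Integration_Notes__c": "warehouse at acme-prod.us-east-1.snowflakecomputing.com, user svc_etl"},
    {"object": "Opportunity", "Id": "006XX000001CCCC", "Name": "Renewal",
     "Description": "Customer portal password: Sup3rS3cret!"},
    {"object": "User", "Id": "005XX000001DDDD", "Email": "alice@example.com",
     "AboutMe": "Forward escalations to alice"},
]

# Patterns mirroring the article's search terms. The AKIA rule is exact for
# long-term IAM access key IDs; the other two are heuristics and will need
# tuning against your own data.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_account_host": re.compile(
        r"\b[a-z0-9][a-z0-9_.-]*\.snowflakecomputing\.com\b", re.IGNORECASE),
    "generic_password": re.compile(
        r"\b(?:password|passwd|pwd)\b\s*[:=]\s*\S+", re.IGNORECASE),
}

SKIP_FIELDS = {"object", "Id"}


def redact(secret, keep=4):
    """Keep a short prefix and suffix so the hit is recognizable but unusable."""
    if len(secret) <= keep + 2:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep - 2) + secret[-2:]


def scan_records(records):
    """Return one finding per (record, field, pattern match)."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field in SKIP_FIELDS or not isinstance(value, str):
                continue
            for name, pattern in PATTERNS.items():
                for match in pattern.finditer(value):
                    findings.append({
                        "object": rec["object"],
                        "id": rec["Id"],
                        "field": field,
                        "pattern": name,
                        "sample": redact(match.group(0)),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['object']}/{f['id']} {f['field']}: {f['pattern']} -> {f['sample']}")
```

Every hit should be treated as a credential that UNC6395 could have read, and rotated; the scanner tells you where to look, not whether the secret is still valid.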
Connected app permissions require immediate hardening: restrict the OAuth scopes each app is granted, enforce IP address restrictions on the connected app, and apply the principle of least privilege so an integration can reach only the objects it needs.
The “API Enabled” permission should be removed from user profiles and granted selectively through Permission Sets to authorized personnel only.
Session timeout values in Session Settings should be shortened to limit the window in which a compromised token or session remains usable.
This incident highlights the importance of securing third-party integrations and of continuously monitoring OAuth-enabled applications that have access to sensitive corporate data.