Google Publishes Security Hardening Guide to Counter UNC6040 Threats


Google’s Threat Intelligence Group (GTIG) has published a comprehensive guide to help organizations strengthen their SaaS security posture—particularly Salesforce—against UNC6040’s sophisticated voice-phishing and malicious connected-app attacks.

By combining identity hardening, SaaS-specific controls, and advanced logging and detection, security teams can significantly reduce the risk of credential compromise and large-scale data exfiltration.

Protecting software-as-a-service (SaaS) platforms demands a layered approach focused on people, processes, and technology.

Drawing on UNC6040’s observed success in vishing campaigns against Salesforce customers, Google’s guide outlines a three-pronged defensive framework: proactive hardening measures, comprehensive logging protocols, and targeted detection capabilities.

Although Salesforce is the primary focus, many recommendations apply across any SaaS ecosystem relying on centralized identity providers such as Okta, Microsoft Entra ID, or Google Cloud Identity.

UNC6040 specializes in voice phishing against English-speaking branches of multinational firms. Operators impersonate IT support personnel in convincing phone calls, tricking employees into approving a malicious connected app—a counterfeit version of Salesforce’s Data Loader.

Data Loader attack flow.

Once authorized, attackers can query and exfiltrate sensitive records directly via the connected app’s API credentials. Notably, UNC6040 never exploits Salesforce code vulnerabilities; every intrusion hinges on social engineering and misuse of legitimate platform features.

In several cases, extortion surfaced months after initial access—suggesting partnerships with other threat actors (e.g., ShinyHunters) who monetize stolen data through ransom demands.

Attackers also pivot laterally, using harvested credentials to target other cloud services (Okta, Microsoft 365) from the same VPN or Tor-exit IPs.

Proactive Hardening Recommendations

1. Identity Verification and Protections

Implement positive identity proofing to thwart social engineering. Require live video calls with corporate badge or government-issued ID checks, cross-referencing employee records.

For high-risk requests (MFA resets, privileged password changes), enforce out-of-band verification via manager approval or call-backs to corporate phone numbers.
Avoid easily compromised identifiers (DOB, last four of SSN, supervisor names).

Instead, adopt phishing-resistant MFA (FIDO2 keys) and enforce Single Sign-On (SSO) through corporate IdPs. Restrict access based on device posture: domain-join status, valid host certificates, approved OS versions, and active EDR agents.

2. SaaS Application Hardening

For Salesforce instances, tighten network and API access controls:

  • Enforce login IP ranges at profile level, blocking off-corp access even with valid credentials.
  • Switch to a “deny by default” posture for connected apps; maintain a minimal allowlist of vetted applications.
  • Grant the “API Enabled” permission only via controlled permission sets and disable native accounts in favor of SSO.
  • Implement least-privilege profiles and permission sets; hide the Setup menu from non-admins.
  • Leverage row-level restriction and private organization-wide defaults (OWD) to minimize data exposure.

Logging and Detection Capabilities

To spot UNC6040’s “approve → drain” pattern, ingest Salesforce Shield and Event Monitoring logs into your SIEM. Key log sources include Login History, Setup Audit Trail, Bulk API results, and API event streams. Enable real-time streaming (RTEM) for rapid alerting, and schedule regular batch exports for historical analysis.

  • OAuth → Data Exfiltration within 10 minutes: Flag suspicious connected-app authorizations followed by bulk downloads or high-volume SOQL queries by the same user from non-corporate IPs.
  • OAuth → Lateral Movement: Correlate Salesforce OAuth successes with subsequent Okta or Microsoft 365 logins from the same risky egress IP within one hour.
  • REST API Pagination Bursts & Large Report Exports: Identify query bursts and oversized report downloads by non-integration accounts.

Maintain and tune reference lists—known integration users, corporate egress CIDRs, and approved connected-app names—to minimize noise. Suppress rules during sanctioned data migrations or vendor onboarding events.
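As an added example (not code from Google's guide or this article), the first detection rule above expressed as correlation logic over constructed sample events, with the reference lists from the paragraph above used for suppression. Event field names, the row threshold, and the CIDRs are assumptions, not Salesforce schema:

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Reference lists (constructed sample values): corporate egress CIDRs,
# approved connected apps and known integration users used to suppress noise.
CORP_EGRESS = [ip_network("203.0.113.0/24")]
APPROVED_APPS = {"Corp Data Loader"}
INTEGRATION_USERS = {"svc-etl@example.com"}
BULK_THRESHOLD = 5000           # rows per query/bulk job treated as high volume (assumed)
WINDOW = timedelta(minutes=10)  # OAuth -> exfiltration correlation window from the rule

# Constructed events loosely modelled on Salesforce Event Monitoring records.
EVENTS = [
    {"ts": "2024-06-03T09:00:00", "type": "oauth_approval", "user": "alice@example.com",
     "ip": "198.51.100.7", "app": "Data Loader", "rows": 0},
    {"ts": "2024-06-03T09:06:30", "type": "bulk_api", "user": "alice@example.com",
     "ip": "198.51.100.7", "app": "Data Loader", "rows": 250000},
    {"ts": "2024-06-03T10:00:00", "type": "oauth_approval", "user": "bob@example.com",
     "ip": "203.0.113.5", "app": "Corp Data Loader", "rows": 0},
    {"ts": "2024-06-03T10:04:00", "type": "bulk_api", "user": "bob@example.com",
     "ip": "203.0.113.5", "app": "Corp Data Loader", "rows": 300000},
]

def is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_EGRESS)

def oauth_then_exfil(events):
    """Flag a connected-app approval from a non-corporate IP followed within WINDOW by a
    bulk download or high-volume query by the same user; skip allowlisted apps/users."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for i, approval in enumerate(events):
        if approval["type"] != "oauth_approval":
            continue
        if approval["app"] in APPROVED_APPS or approval["user"] in INTEGRATION_USERS:
            continue  # sanctioned integration, suppress
        if is_corporate(approval["ip"]):
            continue  # corporate egress, outside the rule's scope
        t0 = datetime.fromisoformat(approval["ts"])
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > WINDOW:
                break  # outside the 10-minute window
            if (later["user"] == approval["user"]
                    and later["type"] in ("bulk_api", "soql_query")
                    and later["rows"] >= BULK_THRESHOLD):
                alerts.append((approval["user"], approval["app"], later["ip"], later["rows"]))
                break  # one alert per approval
    return alerts
```

In production the same logic runs over Login History, Bulk API and API event streams from the SIEM, and the suppression sets are maintained as the reference lists described above.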

By integrating these hardening measures, SaaS-specific configuration controls, and advanced detection rules, organizations can build a resilient defense against UNC6040 and similar social engineering threat clusters.

Google’s guide provides actionable steps that elevate assurance across identity, application hardening, and continuous monitoring—helping security teams stay ahead of evolving vishing and data-theft techniques.





About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.