
According to the advisory, the campaign specifically targets environments where three conditions exist: guest profiles have excessive object or field permissions, organization-wide default access for external users is not set to private, and guest users are allowed to access public APIs. These conditions allow attackers to query data through Experience Cloud guest profiles.
Why Salesforce environments make tempting targets
Salesforce deployments are particularly attractive because of the sensitive data they hold and the complexity of their access models.
“Salesforce instances often contain highly sensitive customer data, including credentials and secrets that can be used for lateral movement,” said Vincenzo Lozzo, CEO and cofounder of SlashID. At the same time, he added, the platform’s layered permissions architecture, including profiles, permission sets, sharing rules, and integrations, is not very well understood and can make accidental overexposure easy.




