Hackers Abuse Compromised OAuth Tokens to Access and Steal Salesforce Corporate Data

Google Threat Intelligence Group (GTIG) has issued an advisory concerning a broad data theft operation targeting corporate Salesforce instances via the Drift integration.

Beginning as early as August 8, 2025, UNC6395 leveraged valid access and refresh tokens associated with the Salesloft Drift app to connect as an authenticated connected app user, executing large-scale SOQL queries to export records from key Salesforce objects, including Accounts, Opportunities, Users, and Cases.

After exfiltrating the data, the threat actor searched through it for sensitive material such as AWS access key IDs (the ones beginning with AKIA), passwords, and Snowflake tokens.

Although UNC6395 deleted its query jobs to hinder detection, Salesforce event logs remained intact, enabling organizations to trace the activity.

Salesloft clarified that only customers integrating with Salesforce via Drift were impacted, and Google Cloud customers without that integration face no known exposure.

However, any organization using Drift should check its Salesforce objects for Google Cloud Platform service account keys and other secrets that may have been captured.

Threat Actor Tactics and Queries

UNC6395 showed operational security awareness, deleting its query jobs to cover its tracks. GTIG observed the actor routinely running SOQL COUNT() queries, as shown below, to size up each object before drilling into detailed exports:

SOQL Query                                    Purpose
SELECT COUNT() FROM Account;                  Gauge total Account records
SELECT COUNT() FROM Opportunity;              Gauge total Opportunity records
SELECT COUNT() FROM User;                     Gauge total active Users
SELECT COUNT() FROM Case;                     Gauge total Case records
Detailed User export (20 records)             Harvest user metadata
Case export (limited to 10,000 records)       Harvest case records for analysis

By first enumerating object sizes, the actor identified high-value targets and then executed targeted queries, such as retrieving the most recently active users and detailed case fields, to maximize secret recovery.

Coordination and Remediation Steps

On August 20, 2025, Salesloft and Salesforce revoked all active Drift tokens and removed the application from AppExchange pending investigation. This incident did not stem from a flaw in Salesforce’s core platform.

GTIG, Salesloft, and Salesforce have notified impacted organizations. Affected customers should treat their Salesforce data as compromised and immediately:

  1. Rotate and Revoke Credentials
    Revoke exposed API keys, rotate all AWS and Snowflake credentials, and reset user passwords.
  2. Investigate and Scan for Secrets
    • Review Event Monitoring logs for unusual Drift-connected app activity.
    • Search for IOCs including Tor exit-node IPs and custom User-Agent strings.
    • Scan Salesforce objects for keywords like “AKIA,” “snowflakecomputing.com,” “password,” and use tools such as Trufflehog to detect hardcoded secrets.
  3. Harden Connected App Controls
    • Apply least-privilege scopes to the Drift Connected App.
    • Enforce IP restrictions and define login IP ranges.
    • Limit session durations via session timeout settings.
    • Remove “API Enabled” permissions from broad profiles and assign via permission sets only to authorized users.
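The two checks a responder would run from the guidance above, as an added example that is not part of the advisory or of any Salesloft or Salesforce tooling: a detector for the COUNT()-then-bulk-export sequence described in the Tactics section (plus unfamiliar User-Agents on the integration user), and a scan of exported records for the AKIA, snowflakecomputing.com and password keywords from step 2. The event field names, the integration user, the baseline User-Agent prefix and all sample data are constructed assumptions, not real Event Monitoring columns or real records.

```python
import re
from collections import defaultdict

# Constructed sample of API events from a Salesforce org. Field names ("user",
# "ua", "query", "rows") are assumed for this example, not Event Monitoring columns.
EVENTS = [
    {"user": "drift-int@example.com", "ua": "python-requests/2.32", "query": "SELECT COUNT() FROM Account", "rows": 1},
    {"user": "drift-int@example.com", "ua": "python-requests/2.32", "query": "SELECT COUNT() FROM Case", "rows": 1},
    {"user": "drift-int@example.com", "ua": "python-requests/2.32", "query": "SELECT Id, Subject, Description FROM Case LIMIT 10000", "rows": 10000},
    {"user": "drift-int@example.com", "ua": "Salesloft-Drift/1.0", "query": "SELECT Id, Name FROM Lead LIMIT 20", "rows": 20},
    {"user": "sales-rep@example.com", "ua": "Mozilla/5.0", "query": "SELECT Id FROM Opportunity LIMIT 5", "rows": 5},
]
# Constructed sample of exported Case records to scan for leaked secrets.
CASE_RECORDS = [
    {"Id": "500x0001", "Subject": "Login issue", "Description": "User cannot sign in."},
    {"Id": "500x0002", "Subject": "ETL failing", "Description": "creds: AKIAIOSFODNN7EXAMPLE / warehouse acme.snowflakecomputing.com"},
    {"Id": "500x0003", "Subject": "Reset", "Description": "temp password=Winter2025!"},
]
INTEGRATION_USER = "drift-int@example.com"       # assumed: the Drift connected-app user
EXPECTED_UA_PREFIX = "Salesloft-Drift/"           # assumed baseline User-Agent for that user
COUNT_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)
SELECT_RE = re.compile(r"^\s*SELECT\s+.+?\s+FROM\s+(\w+)", re.I | re.S)

def enumerate_then_export(events, bulk_rows=1000):
    """Flag unfamiliar User-Agents on the integration user and COUNT()-then-bulk-export sequences."""
    counted, seen_ua, findings = defaultdict(set), set(), []
    for ev in events:
        user, ua = ev["user"], ev["ua"]
        if user == INTEGRATION_USER and not ua.startswith(EXPECTED_UA_PREFIX) and ua not in seen_ua:
            seen_ua.add(ua)                       # report each unexpected User-Agent once
            findings.append(("unexpected_user_agent", user, ua))
        m = COUNT_RE.match(ev["query"])
        if m:                                     # size-enumeration step: remember the object
            counted[user].add(m.group(1).lower())
            continue
        m = SELECT_RE.match(ev["query"])
        if m and m.group(1).lower() in counted[user] and ev["rows"] >= bulk_rows:
            findings.append(("enumerate_then_export", user, m.group(1)))
    return findings

SECRET_PATTERNS = {                               # keywords from the remediation guidance above
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_account_host": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"password\s*[:=]\s*\S+", re.I),
}

def scan_for_secrets(records):
    """Return (record Id, field, pattern name) for every field value matching a secret pattern."""
    return [(rec["Id"], field, name) for rec in records for field, value in rec.items()
            for name, pat in SECRET_PATTERNS.items() if pat.search(str(value))]
```

In a real investigation the event list comes from Event Monitoring or the setup audit trail and the records from your own export; treat every hit from scan_for_secrets as a credential to rotate, not just to review.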

Additional guidance and updates are available on the Salesloft Trust Center and Salesforce’s advisory pages. Continuous monitoring and rapid credential rotation remain critical to mitigate the ongoing risk posed by UNC6395.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.