FBI Releases IOCs on Cyber Threats Exploiting Salesforce for Data Theft

The Federal Bureau of Investigation (FBI) has released a detailed flash advisory disclosing indicators of compromise (IOCs) and tactics used by two cybercrime groups—UNC6040 and UNC6395—to breach Salesforce customer environments and siphon sensitive data.

Coordinated with the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS/CISA), the bulletin aims to equip security teams and system administrators with actionable intelligence to detect, investigate, and thwart these sophisticated campaigns.

Since October 2024, UNC6040 has relied heavily on social engineering voice phishing (vishing) to dupe call center staff into granting access to Salesforce accounts.

Posing as IT support representatives, attackers guide victims through closing a purported service ticket and coax them into sharing credentials or multifactor authentication (MFA) codes.

In many cases, the threat actors direct victims to Salesforce’s connected app setup page, tricking them into authorizing a fake Data Loader application.

Once approved, the ...