Salesloft Drift AI Abused for Further Attacks on Salesforce Environments for Major Cyber Security Firms

Executive Summary

A widespread, opportunistic data theft campaign against Salesforce, attributed to the group UNC6395, has expanded in scope beyond initial reports. The attacks leverage compromised OAuth tokens from Salesloft Drift, an AI chat agent, to gain unauthorized access to customer instances of various services, including Salesforce and Google Workspace. Cybersecurity firms Zscaler and Palo Alto Networks have publicly confirmed impact, with data stolen from their Salesforce environments including business contact information and support case details.

Analysis

The attack campaign, tracked by Google as UNC6395, exploits a supply chain vulnerability stemming from a compromise of the Salesloft Drift platform. Salesloft Drift is an AI chat agent designed to integrate with platforms such as Salesforce to automate sales and marketing communication. Threat actors stole OAuth tokens associated with Salesloft Drift integrations and then used them to bypass traditional authentication and gain unauthorized access to customers' downstream services.

The attack chain involves compromising Salesforce instances to exfiltrate a wide range of sensitive data, including:

  • Names
  • Business email addresses
  • Job titles
  • Phone numbers
  • Regional/location details
  • Zscaler product licensing and commercial information
  • Content from certain support cases

This stolen data is then actively scanned for credentials, such as AWS access keys and VPN passwords, to facilitate further lateral movement and expansion of the attack.

A key technical aspect is that the attackers actively target Salesforce APIs, specifically the _layouts and _api endpoints, to programmatically exfiltrate data from Salesforce objects such as Account, Contact, Case, and Opportunity records. By abusing these API connections, they bypass standard user-facing security controls. The use of stolen session tokens demonstrates a sophisticated understanding of OAuth flows, allowing UNC6395 to persist in compromised environments and execute data dumps without needing to re-authenticate.
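The pattern described above, a single connected app pulling large row counts from several sensitive objects in a short window, is something a defender can look for in Salesforce API activity logs. The following is an added detection sketch, not code from the original post or from Salesforce; the event shape (timestamp, connected app, object, rows) and the sample events are simplified assumptions, not Salesforce's real log schema.

```python
"""Detection sketch: flag connected apps that bulk-read many sensitive
Salesforce objects within a short window (assumed, simplified event shape)."""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}

# Constructed sample events: (timestamp, connected_app, object, rows_returned).
SAMPLE_EVENTS = [
    ("2025-08-20T02:01:00", "Drift", "Account", 40000),
    ("2025-08-20T02:03:00", "Drift", "Contact", 120000),
    ("2025-08-20T02:07:00", "Drift", "Case", 35000),
    ("2025-08-20T02:09:00", "Drift", "Opportunity", 9000),
    ("2025-08-20T09:15:00", "ReportingTool", "Opportunity", 500),
    ("2025-08-20T09:20:00", "ReportingTool", "Account", 800),
]


def find_bulk_dumps(events, window_minutes=60, min_objects=3, min_rows=50000):
    """Return {app: (sorted objects touched, total rows)} for every app that
    read at least `min_objects` distinct sensitive objects and `min_rows`
    rows inside a sliding window of `window_minutes`."""
    by_app = defaultdict(list)
    for ts, app, obj, rows in events:
        if obj in SENSITIVE_OBJECTS:
            by_app[app].append((datetime.fromisoformat(ts), obj, rows))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for app, evs in by_app.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            # Every event from this one forward that falls inside the window.
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            objs = {e[1] for e in in_window}
            total = sum(e[2] for e in in_window)
            if len(objs) >= min_objects and total >= min_rows:
                hits[app] = (sorted(objs), total)
                break
    return hits


if __name__ == "__main__":
    for app, (objs, total) in find_bulk_dumps(SAMPLE_EVENTS).items():
        print(f"ALERT: {app} read {total} rows across {objs}")
```

Thresholds are deliberately conservative placeholders; tune them to the normal query volume of each integration in your own org.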

The compromise of a major vendor like Salesloft, with integrations across multiple platforms, creates a significant blast radius, affecting a large number of downstream customers.

Mitigation Options

Organizations that use any Salesloft Drift integration are now advised to treat all associated authentication tokens as compromised and to immediately revoke and rotate credentials.
