Threat Actors Breach High-Value Targets in Salesforce Attacks
September 2nd, 2025
Critical

Salesforce environments have become increasingly valuable targets for cybercriminals and advanced persistent threat (APT) groups. As organizations rely on Customer Relationship Management (CRM) platforms to handle complex, sensitive business and client data, adversaries view CRMs as an opportunity for data theft and fraud. Recent intelligence highlights a widespread campaign exploiting OAuth tokens linked to the Salesloft Drift integration, allowing threat actors to execute unauthorized SOQL queries and extract data on a large scale. Although there is no evidence of compromise to the core Salesforce platform, the incident emphasizes the risks of overly permissive third-party integrations and misconfigurations that bypass traditional security measures.
Technical Details
Vulnerability Type: Misconfigurations, credential/token abuse, insecure integrations, and overly permissive OAuth scopes.
Severity: Critical.
Initial Access: Abuse of OAuth tokens tied to Drift; tokens granted extensive Salesforce object permissions.
API Exploitation: Unauthorized REST/SOQL queries used to enumerate and extract data, including Users, Accounts, Opportunities, and Cases.
Persistence: Tokens remained valid until revoked; Drift tokens were mass-revoked by Salesforce and Salesloft on Aug 20, 2025.
SOQL Injection: Exploitation of insecure custom apps or integrations to manipulate queries.
Privilege Escalation: Misconfigured permission sets and profiles abused to expand access.
Custom Code Exploitation: Attacks against Apex, Visualforce, and Lightning components.
Workflow Automation Abuse: Hidden flows, jobs, or scheduled processes leveraged for persistence.
Third-Party Application Vulnerabilities: Exploitation of insecure integrations from external vendors.

Impact
Unauthorized API queries allow for large-scale exfiltration of sensitive Salesforce data.
Stolen data sets may include PII, financial records, business workflows, and embedded credentials (e.g., AWS keys, Snowflake tokens).
Exposure increases the risk of account takeovers, business process manipulation, and downstream supply-chain targeting.
Breaches of Salesforce environments can result in significant reputational damage, regulatory penalties, and financial losses.
Salesforce datasets are sold on dark web marketplaces for $50–200 per record, which further incentivizes targeting.
Detection Method
Login & Authentication Anomalies: Monitor for suspicious login times, locations, failed attempts, or reactivated dormant accounts.
OAuth & API Monitoring: Flag long-lived tokens, abnormal API call volumes, or unusual query patterns (e.g., mass COUNT() queries).
Privilege & Configuration Changes: Track unexpected permission modifications, new Connected Apps, or OAuth scopes.
Data Access Monitoring: Watch for abnormal dashboard/report usage or bulk data exports.
Workflow & Automation Abuse: Detect unsanctioned flows, jobs, or background processes.
Third-Party App Activity: Audit integrations requesting excessive permissions.
Behavioral Analytics: Baseline user and admin activity to detect anomalies.
Integration Monitoring: Inspect third-party app connections for unusual or unsanctioned data access.
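The detection points above (known bad source IPs, mass COUNT() probing, abnormal API call volume per integration, and bulk reads of the objects named in this advisory) can be expressed as a small rule set over Salesforce API event records. The following is an added example written for this advisory, not code from Salesforce or from any vendor named here. The event layout (timestamp, user, source_ip, app, query, rows) is an assumed simplification; map it onto the EventLogFile or Real-Time Event Monitoring fields your org exports. The sample events and all thresholds are constructed for the demo; the IOC IPs are the ones listed in this advisory.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicator IPs from this advisory's IOC table.
IOC_IPS = {
    "208.68.36.90", "185.220.101.164", "179.43.159.198", "185.220.101.33",
    "44.215.108.109", "185.220.101.167", "185.130.47.58", "192.42.116.179",
    "154.41.95.2", "185.220.101.169", "185.207.107.130", "192.42.116.20",
    "176.65.149.100", "185.220.101.180", "185.220.101.133", "194.15.36.117",
    "195.47.238.83", "185.220.101.185", "185.220.101.143", "195.47.238.178",
}

# Objects the advisory names as enumerated and extracted.
SENSITIVE_OBJECTS = {"User", "Account", "Opportunity", "Case"}

# Thresholds and window size are assumptions for the demo; tune them against
# your own baseline of integration traffic.
WINDOW_MINUTES = 10
MAX_COUNT_PROBES = 3    # COUNT() queries per principal per window
MAX_CALLS = 5           # API calls per principal per window
MAX_ROWS = 10_000       # rows returned by one query on a sensitive object

COUNT_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)", re.IGNORECASE)
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

# Constructed sample: one integration principal probing row counts on every
# sensitive object from a listed IOC IP, then pulling a whole object; and one
# ordinary user doing ordinary work from an internal address.
SAMPLE_EVENTS = [
    {"timestamp": "2025-08-18T02:01:10Z", "user": "integration.user", "source_ip": "185.220.101.164",
     "app": "DriftConnectedApp", "query": "SELECT COUNT() FROM User", "rows": 1},
    {"timestamp": "2025-08-18T02:01:12Z", "user": "integration.user", "source_ip": "185.220.101.164",
     "app": "DriftConnectedApp", "query": "SELECT COUNT() FROM Account", "rows": 1},
    {"timestamp": "2025-08-18T02:01:15Z", "user": "integration.user", "source_ip": "185.220.101.164",
     "app": "DriftConnectedApp", "query": "SELECT COUNT() FROM Opportunity", "rows": 1},
    {"timestamp": "2025-08-18T02:01:20Z", "user": "integration.user", "source_ip": "185.220.101.164",
     "app": "DriftConnectedApp", "query": "SELECT COUNT() FROM Case", "rows": 1},
    {"timestamp": "2025-08-18T02:03:40Z", "user": "integration.user", "source_ip": "185.220.101.164",
     "app": "DriftConnectedApp", "query": "SELECT Id, Subject, Description FROM Case", "rows": 250000},
    {"timestamp": "2025-08-18T09:15:00Z", "user": "sales.rep", "source_ip": "10.20.30.40",
     "app": "SalesforceMobile", "query": "SELECT Id, Name FROM Account WHERE OwnerId = '005xx000001Sv6E'", "rows": 42},
]


def window_start(ts):
    """Floor an ISO-8601 Z timestamp to the start of its fixed window."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return t.replace(minute=t.minute - t.minute % WINDOW_MINUTES, second=0, microsecond=0)


def principal(event):
    """User plus connected app: token abuse shows up per app, not per user alone."""
    return f"{event['user']}@{event['app']}"


def detect(events):
    """Return sorted (rule, principal, detail) findings with duplicates collapsed."""
    findings = set()
    per_window = defaultdict(lambda: {"calls": 0, "count_probes": 0})

    for e in events:
        p = principal(e)
        if e["source_ip"] in IOC_IPS:
            findings.add(("ioc_ip", p, e["source_ip"]))
        m = FROM_RE.search(e["query"])
        obj = m.group(1) if m else None
        if obj in SENSITIVE_OBJECTS and e["rows"] >= MAX_ROWS:
            findings.add(("bulk_export", p, f"{obj}:{e['rows']} rows"))
        w = per_window[(p, window_start(e["timestamp"]))]
        w["calls"] += 1
        if COUNT_RE.match(e["query"]):
            w["count_probes"] += 1

    for (p, start), w in per_window.items():
        stamp = start.strftime("%Y-%m-%dT%H:%MZ")
        if w["count_probes"] >= MAX_COUNT_PROBES:
            findings.add(("mass_count", p, f"{w['count_probes']} COUNT() queries from {stamp}"))
        if w["calls"] >= MAX_CALLS:
            findings.add(("api_volume", p, f"{w['calls']} API calls from {stamp}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, p, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:12} {p:36} {detail}")
```

Keying the volume and COUNT() rules on user plus connected app matters here: a legitimate integration user whose token has been stolen looks normal by user name alone, and only the per-app rate and the source address give it away. The benign record produces no finding, which is the property to preserve when tuning the thresholds.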
Indicators of Compromise
IP addresses:
208.68.36.90
185.220.101.164
179.43.159.198
185.220.101.33
44.215.108.109
185.220.101.167
185.130.47.58
192.42.116.179
154.41.95.2
185.220.101.169
185.207.107.130
192.42.116.20
176.65.149.100
185.220.101.180
185.220.101.133
194.15.36.117
195.47.238.83
185.220.101.185
185.220.101.143
195.47.238.178

Recommendations
Enforce Multi-Factor Authentication (MFA) across all Salesforce accounts.
Harden IAM: Apply least privilege, RBAC, and periodic access reviews.
Secure API/OAuth: Restrict scopes, enforce token lifecycles, apply IP allowlisting, and rate-limit API usage.
Continuous Monitoring: Ingest Salesforce Event Monitoring logs into SIEM for real-time anomaly detection.
Audit Third-Party Apps: Review permissions before deployment; perform recurring audits of Connected Apps.
Data Protection: Implement field-level encryption, DLP policies, and monitoring of sensitive fields.
Salesforce Incident Response: Define playbooks for rapid token revocation, forensic log preservation, and containment.
Employee Training: Deliver Salesforce-specific phishing/social engineering awareness campaigns.
Security Assessments: Regularly test custom code, integrations, and org configurations against Salesforce security best practices.
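The OAuth and Connected App recommendations above (restrict scopes, enforce token lifecycles, apply IP allowlisting, review and re-audit integrations) can be turned into a repeatable audit over an inventory of Connected App policies. The following is an added example written for this advisory, not Salesforce code and not any vendor's tooling. The inventory is a constructed list of dicts; the setting names follow the Connected App OAuth policy labels as the author understands them and are an assumption, so confirm them against your org's Setup pages or the Tooling API objects you export from. The weak entry and the hardened entry describe the same hypothetical integration before and after the fix; the dormancy threshold and reference date are constructed for the demo.

```python
from datetime import date

# Approved integration inventory (constructed). Anything outside it is a new or
# unsanctioned Connected App, which the advisory lists as a signal to track.
APPROVED_APPS = {"ChatWidgetSync", "ChatWidgetSync-hardened", "MarketingSync"}
DORMANT_DAYS = 90               # assumption: unused this long means review or remove
TODAY = date(2025, 9, 2)        # pinned so the example is deterministic

# Policy values that the advisory's recommendations argue against.
SELF_AUTHORIZE = "All users may self-authorize"
RELAXED_IP = "Relax IP restrictions"
VALID_UNTIL_REVOKED = "Refresh token is valid until revoked"
OFFLINE_SCOPES = {"refresh_token", "offline_access"}

SAMPLE_APPS = [  # constructed inventory
    {   # weak: the over-permissive shape described in this advisory
        "name": "ChatWidgetSync",
        "scopes": ["full", "refresh_token"],
        "permitted_users": SELF_AUTHORIZE,
        "ip_relaxation": RELAXED_IP,
        "refresh_token_policy": VALID_UNTIL_REVOKED,
        "last_used": date(2025, 8, 30),
    },
    {   # hardened: same integration with the recommended controls applied
        "name": "ChatWidgetSync-hardened",
        "scopes": ["api", "refresh_token"],
        "permitted_users": "Admin approved users are pre-authorized",
        "ip_relaxation": "Enforce IP restrictions",
        "refresh_token_policy": "Expire refresh token if not used for 7 day(s)",
        "last_used": date(2025, 8, 30),
    },
    {   # not in the approved inventory and idle for months
        "name": "LegacyExportTool",
        "scopes": ["api", "web"],
        "permitted_users": "Admin approved users are pre-authorized",
        "ip_relaxation": "Enforce IP restrictions",
        "refresh_token_policy": "Expire refresh token after 30 day(s)",
        "last_used": date(2025, 4, 1),
    },
]


def audit_app(app, approved=APPROVED_APPS, today=TODAY):
    """Return the list of policy findings for one Connected App (empty if clean)."""
    findings = []
    if app["name"] not in approved:
        findings.append("unsanctioned_app")
    # "full" grants every scope the user has; integrations should name what they need.
    if "full" in app["scopes"]:
        findings.append("broad_scope:full")
    # A refresh token that never expires is exactly the persistence the campaign relied on.
    if OFFLINE_SCOPES & set(app["scopes"]) and app["refresh_token_policy"] == VALID_UNTIL_REVOKED:
        findings.append("indefinite_refresh_token")
    if app["permitted_users"] == SELF_AUTHORIZE:
        findings.append("self_authorization_allowed")
    if app["ip_relaxation"] == RELAXED_IP:
        findings.append("ip_restrictions_relaxed")
    idle = (today - app["last_used"]).days
    if idle > DORMANT_DAYS:
        findings.append(f"dormant_{idle}d")
    return findings


def audit(apps, **kwargs):
    """Map each app name to its findings so the report can be diffed run to run."""
    return {a["name"]: audit_app(a, **kwargs) for a in apps}


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_APPS).items():
        print(f"{name:26} {'clean' if not issues else ', '.join(issues)}")
```

Running the audit on a schedule and diffing its output against the previous run turns the "new Connected Apps or OAuth scopes" detection point into a concrete control: any app that appears as unsanctioned, or whose findings grow between runs, is a change that someone should be able to account for.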
Conclusion
This campaign shows how adversaries exploit third-party integrations and OAuth trust relationships to target SaaS environments. While Salesforce itself was not directly compromised, attackers successfully used over-permissive Drift tokens to mass-exfiltrate customer data. We urge organizations to go beyond generic SaaS security and implement Salesforce-specific controls such as strict OAuth governance, event monitoring, integration auditing, and strong IAM. Additionally, rigorous auditing of third-party plugins and applications is essential to remain fundamentally protected. Creating a Software Bill of Materials (SBOM) can aid in tracking outdated or unused software that is often an initial access point for attackers. Proactive defense is vital for protecting business continuity, regulatory compliance, and customer trust.