Salesforce Platforms in Data Theft Attacks

The FBI has raised alarms about two advanced persistent threat groups, UNC6040 and UNC6395, that are actively exploiting Salesforce environments. These groups are using sophisticated tactics to infiltrate organizations, harvest sensitive information, and potentially compromise broader ecosystems that rely on Salesforce for customer relationship management.

What the FBI Found

Both groups have been observed using spear phishing campaigns and malicious attachments to gain unauthorized access to Salesforce accounts. Once inside, attackers attempt to exfiltrate sensitive customer records, trade secrets, and financial information. What makes these attacks especially concerning is the abuse of third-party integrations, which can expand the blast radius and give attackers wider access to corporate systems.

The FBI has stressed that the campaigns are ongoing, highly organized, and targeted at industries that store large volumes of personal and business data. The advisory highlights that these attacks could result in both operational disruption and reputational damage.

Why Salesforce Has Become a Target

Salesforce is one of the most widely used cloud platforms across industries. From banking and healthcare to retail and technology, organizations depend on it for customer data management, sales tracking, and core business workflows. This makes it an attractive target for attackers who understand that breaching a Salesforce environment can provide access to critical data that drives business operations.

By focusing on a platform that underpins customer trust, attackers aim to not only steal information but also weaken business resilience. A single breach could have a ripple effect across supply chains, regulatory compliance, and customer confidence.

Key Risks for Organizations

  • Data Theft – Customer records, financial details, and sensitive communications may be exposed.
  • Regulatory Consequences – Breaches could trigger penalties under GDPR, HIPAA, PCI DSS, or other frameworks.
  • Operational Disruption – Unauthorized access to Salesforce integrations could slow or halt critical processes.
  • Ecosystem Vulnerability – Attackers may pivot from Salesforce into other connected systems.

Recommended Actions

  • Strengthen identity and access management across Salesforce and all cloud services.
  • Implement multi-factor authentication for all users, especially administrators.
  • Continuously monitor Salesforce environments for unusual or unauthorized activity.
  • Audit and secure third-party integrations to prevent lateral movement.
  • Conduct regular compliance and security posture assessments.
  • Educate employees to recognize phishing attempts and social engineering.

Conclusion

The FBI’s warning is a stark reminder that even trusted SaaS platforms are prime targets for advanced threat actors. Organizations cannot rely solely on the security controls of cloud providers. A proactive, layered defense strategy is critical to protect sensitive data, maintain compliance, and uphold customer trust. Those who act now to strengthen their Salesforce defenses will be better positioned to withstand future attacks.

About COE Security

COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure systems and ensure compliance. Our offerings include:

  • AI-enhanced threat detection and real-time monitoring
  • Data governance aligned with GDPR, HIPAA, and PCI DSS
  • Secure model validation to guard against adversarial attacks
  • Customized training to embed cybersecurity best practices
  • Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
  • Secure Software Development Consulting (SSDLC)
  • Customized CyberSecurity Services

We help enterprises protect cloud and SaaS infrastructures, secure customer data in Salesforce accounts, defend against advanced persistent threats, and ensure compliance with global regulations. By combining technical expertise with industry-specific knowledge, COE Security strengthens resilience against the latest cyber challenges.
