Voice Phishing and Data Extortion in the Salesforce Cloud

In recent months, cybercriminals have ramped up voice phishing (vishing) attacks targeting cloud-based SaaS platforms. Google’s Threat Intelligence Group (GTIG) has identified a financially motivated cluster, tracked as UNC6040, that specializes in vishing campaigns against Salesforce environments. In these scams, attackers impersonate IT support staff on convincing phone calls and talk employees, often English-speaking staff at multinational firms, into disclosing credentials or authorizing access. Crucially, none of the incidents involved a Salesforce vulnerability; the attackers succeeded by exploiting employee trust and an everyday workflow (connecting an app to Salesforce).

UNC6040 operators typically talk the victim through visiting Salesforce’s connected app setup page and approving a malicious application. The app is a modified version of Salesforce’s Data Loader (a legitimate bulk data import and export tool), rebranded with a benign name (e.g. “My Ticket Portal”) to avoid suspicion. As described by Google, approving the fake Data Loader “inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments”. In practice, the caller reads out a connection code and the target, already logged in to Salesforce, enters it on the setup/connect page. That code links the attacker-controlled Data Loader to the organization’s CRM instance, and the resulting token acts with the permissions of the user who approved it. Once the app is connected, the attackers can run bulk queries and export large volumes of data through the API, with whatever read and write rights that user holds.

Data Exfiltration and Extortion

The result of the vishing scam is often massive data theft. Reuters reported that the hackers behind UNC6040 tricked employees into installing the bogus app, “allowing the hackers to steal reams of data, gain access to other corporate cloud services and extort those companies”. Google observed that after the initial Salesforce breach, UNC6040 moved laterally within victim environments, reusing the compromised credentials and access to exfiltrate data from other platforms such as Okta and Microsoft 365. In a typical sequence, the group downloaded Salesforce customer data immediately, then targeted additional cloud services once inside the environment.

The stolen data is then leveraged for ransom demands. In many cases, victims heard nothing of the breach for months, sometimes not until an actor claiming to be the ShinyHunters extortion group surfaced with the data. Google notes that “extortion activities haven’t been observed until several months after the initial UNC6040 intrusion,” suggesting that a second actor may be monetizing the haul. In these late-stage demands, the extortionists have claimed affiliation with ShinyHunters and asked for payment in exchange for not leaking or selling the stolen information. HelpNetSecurity reports that the ultimate goal of these operations is “to exfiltrate sensitive data, which is then used to attempt to extort money from the victim organization”.

The Broader Threat Landscape

While the UNC6040/Salesforce scheme is novel, it highlights a wider shift in cyber threats. Security vendors and analysts emphasize that social engineering and cloud abuse are on the rise. Salesforce’s own security team warns that attackers “employ various social engineering tactics, including voice phishing,” to trick users into credential theft or installing malicious connected apps. Salesforce noted that customers have been lured to the login.salesforce.com/setup/connect page (the verification page for Salesforce’s OAuth device flow, where a user types the short code an app displays) to add a fraudulent app, often a renamed Data Loader, which the threat actor then uses to siphon data. Attackers are effectively weaponizing legitimate cloud features (OAuth-connected apps) against users. As one report explains, the app “supports OAuth” and attackers abuse this by persuading victims to enter a connection code, thus linking the attacker’s app to the customer’s Salesforce environment. No exploit is needed, only a user willing to type a code.

This tactic, consent phishing via OAuth, is increasingly common across cloud platforms. The variant here differs from classic consent phishing only in mechanics: instead of clicking an authorization link, the victim enters a code, but the outcome is the same, an access token issued to an attacker-controlled client with the victim’s authorization. Similar phone-based scams have surfaced targeting Microsoft 365 and Google Workspace. Industry experts warn that these schemes are likely to become even more sophisticated. For example, a recent trends report predicts that AI and deepfake technology will enable even more convincing social engineering attacks. As one security leader notes, “AI, including [LLMs] and deepfake technologies, will become central in enabling more convincing social engineering, fraudulent schemes, and account takeover attacks”. Attackers have already used AI-generated voice and video to impersonate CEOs and trick employees. The UNC6040 vishing exemplifies this trend: as defenses improve, criminals are blending old tactics (phone scams) with new vectors (cloud APIs and OAuth grants) to breach systems.
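To make the mechanics of the connection-code step concrete, here is an added example (not code from the original article, from Google or from Salesforce) that simulates the OAuth 2.0 device authorization flow (RFC 8628) in simplified form. The authorization server stands in for the Salesforce login endpoint, the client for the rebranded Data Loader, and the verification URL, client identifiers and user name are made up for the example. It shows why a completed MFA login does not stop the grant (the victim authenticates legitimately, then authorizes the attacker’s client) and how an admin-approval policy on connected apps refuses the same grant:

```python
import secrets
from dataclasses import dataclass, field

# Toy OAuth 2.0 device authorization flow (RFC 8628, simplified). The
# authorization server stands in for the Salesforce login endpoint and the
# client for the rebranded Data Loader; none of this is Salesforce's code.
# The verification URL, client IDs and user names are made up for the example.
VERIFICATION_URI = "https://login.example.test/setup/connect"


@dataclass
class AuthServer:
    approved_clients: set                         # client_ids an admin has pre-approved
    admin_approval_required: bool = False         # policy: only pre-approved apps may be authorized
    pending: dict = field(default_factory=dict)   # device_code -> grant record
    tokens: dict = field(default_factory=dict)    # access_token -> who/what it acts as

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the client asks for a device code and a short user code."""
        device_code = secrets.token_urlsafe(16)
        user_code = f"{secrets.randbelow(10**8):08d}"   # the "connection code" read out on the call
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "user": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI}

    def verify(self, user: str, mfa_ok: bool, user_code: str) -> str:
        """Step 2: the user logs in (password + MFA) at the genuine page and types the code."""
        if not mfa_ok:
            return "login_failed"
        for rec in self.pending.values():
            if rec["user_code"] == user_code:
                if self.admin_approval_required and rec["client_id"] not in self.approved_clients:
                    return "app_not_approved"      # policy blocks self-authorization
                rec["user"] = user
                return "granted"
        return "unknown_code"

    def token(self, device_code: str) -> dict:
        """Step 3: the client polls the token endpoint with its device code."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        access_token = secrets.token_urlsafe(24)
        # The token is bound to the device code, i.e. to the client, but acts as the user.
        self.tokens[access_token] = {"user": rec["user"], "client_id": rec["client_id"],
                                     "scope": rec["scope"]}
        del self.pending[device_code]
        return {"access_token": access_token}


def run_consent(admin_approval_required: bool) -> dict:
    """Walk through the vishing scenario against a server with or without the policy."""
    server = AuthServer(approved_clients={"approved-data-loader"},
                        admin_approval_required=admin_approval_required)
    # Attacker-controlled client: a rebranded Data Loader the admin never approved.
    start = server.device_authorization("my-ticket-portal", "api refresh_token")
    # Victim, coached over the phone, authenticates legitimately (MFA passes) and enters the code.
    outcome = server.verify(user="alice", mfa_ok=True, user_code=start["user_code"])
    resp = server.token(start["device_code"])
    acting_as = server.tokens[resp["access_token"]]["user"] if "access_token" in resp else None
    return {"outcome": outcome, "token_response": resp, "acting_as": acting_as}


if __name__ == "__main__":
    print(run_consent(admin_approval_required=False))   # attacker holds a token acting as alice
    print(run_consent(admin_approval_required=True))    # grant refused, token still pending
```

The point to notice is that the user code is the only thing the victim contributes; the access token is delivered to whichever client requested the device code, and it carries the victim’s permissions. Controls therefore belong on which clients may be authorized, not only on how the user logs in.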

Industry Impacts

Different sectors face unique risks from these attacks:

  • Healthcare & Life Sciences: Hospitals, clinics and health tech companies hold protected health data under HIPAA (and often under GDPR). Many use cloud CRM and patient portals, so a Salesforce breach could expose medical records, patient contact information, and telehealth logs. Beyond privacy violations, such leaks can endanger patient safety and invite heavy fines. COE Security notes that healthcare is a high-risk sector that requires strict data protection and compliance (e.g. HIPAA).
  • Finance & Fintech: Banks, insurers and fintech platforms rely on Salesforce for customer data and transaction workflows. A breach here can reveal personal financial records, credit histories or even payment details. This sector is also governed by regulations like PCI DSS, GLBA and GDPR. Any data theft could trigger identity theft risks and compliance penalties. COE emphasizes that financial institutions must follow frameworks (GDPR, PCI DSS) which are now part of its compliance offerings.
  • SaaS and Cloud Companies: Paradoxically, cloud and SaaS firms, including software vendors and tech startups, are also prime targets. They use cloud tools heavily and often keep sensitive R&D or customer data in Salesforce. A breach can damage trust, expose intellectual property, and even compromise the data of their own clients. COE highlights that “cloud-native companies and SaaS providers” face elevated threats. These organizations must guard against misuse of their own systems, since attackers move from one compromised customer to the next.
  • Retail & eCommerce: Retailers use Salesforce (e.g. Marketing Cloud, Commerce Cloud) to manage customer profiles and sales data. A successful vishing attack can expose millions of consumer records, including payment card information or loyalty account details, placing the company at risk under PCI DSS and consumer protection laws. Leaked sales or inventory databases can also disrupt operations. As COE notes, compliance with regulations like GDPR (for EU customers) and PCI DSS (for payment data) is critical for retail chains.
  • Technology & Telecommunications: Large tech and telecom firms hold vast user data and often run on complex cloud infrastructures. The telecommunications sector, in particular, is heavily regulated (e.g. DPDPA/PIPA in some countries). Attackers targeting Salesforce in these industries could gain entry to internal networks or customer-subscription systems. COE explicitly lists telecommunications/IT as a high-risk vertical. In short, any industry relying on cloud CRMs must be alert: customer data breaches undermine consumer trust and can incur serious legal and financial fallout.

Defending Against Vishing and Extortion

Organizations can mitigate these threats through layered defenses and policies:

  • Zero Trust and Access Control: Enforce least-privilege access and network segmentation for all cloud resources. For Salesforce, restrict login IP ranges on profiles so only corporate/VPN addresses are allowed, and control which connected apps users can authorize: pre-approve the apps the business actually needs (admin-approved users only) and block the rest, so that a rebranded Data Loader cannot be self-authorized by a user on a phone call. Because a connected app acts with the permissions of the user who approves it, least privilege on the users themselves (“no more, no less”, including withholding API access from users who do not need it) directly bounds what an attacker gains. These Zero Trust measures limit what an employee, or an attacker posing as one, can do if phished.
  • Multi-Factor Authentication (MFA): Require strong, phishing-resistant MFA for all Salesforce and cloud logins. If a user is fooled into sharing a password on a call, an extra factor (especially hardware keys or app-based prompts) blocks the attacker from replaying it. Note the limit in this campaign, though: the victim authenticates themselves on the genuine Salesforce login page, completes MFA, and only then enters the attacker’s connection code, so MFA alone does not stop a consent-based grant. It remains essential against credential reuse and must be paired with controls on which connected apps users may authorize. MFA should be enforced for administrative and high-privilege accounts at minimum.
  • Employee Training and Awareness: Educate staff continually about vishing and social engineering. Simulated phishing campaigns and training sessions help employees recognize red flags (e.g. unsolicited support calls, or any caller asking them to enter a code or approve an app). COE Security highlights security awareness training as a core service. Well-trained users are less likely to install unknown apps or divulge MFA codes to callers.
  • Incident Response Planning: Develop and exercise an incident response plan specifically for cloud breaches. Ensure teams can quickly detect unusual Salesforce activity (new connected-app authorizations, bulk API exports, logins from unexpected locations) using Login History, the Setup Audit Trail and, where licensed, Event Monitoring, and can revoke a malicious app’s tokens and block the app on the fly, followed by credential and session resets for the affected user. COE notes that incident response readiness and remediation planning is essential. Regular drills and predefined escalation procedures help contain damage if vishing succeeds.
  • Regulatory Compliance and Auditing: Maintain compliance with relevant frameworks (GDPR, HIPAA, PCI DSS, etc.) and audit cloud configurations frequently. As COE states, consulting on GDPR, HIPAA, PCI DSS, DPDPA and other laws is a key offering. Compliance programs force organizations to map and protect sensitive data, often uncovering gaps. Regular vulnerability assessments, penetration tests, and privacy audits can identify flaws in cloud setups before attackers do.
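The detection and response steps above can be reduced to a small correlation rule. The following is an added example, not code from the article or from Salesforce: it runs over constructed sample records loosely modeled on what an admin can pull from Salesforce Event Monitoring (BulkApi/API event types) and the Connected Apps OAuth Usage view, with simplified field names that are not Salesforce’s schema, and flags unapproved app grants, large exports, and the highest-priority pattern in this campaign, a bulk export shortly after a fresh grant by the same user. The approved client list, threshold and window are assumptions to tune per org.

```python
from datetime import datetime, timedelta

# Constructed sample records for the example, loosely modeled on what a Salesforce
# admin can pull from Event Monitoring (BulkApi/API event types) and the Connected
# Apps OAuth Usage view. Field names are simplified and are not Salesforce's schema.
EVENTS = [
    {"ts": "2025-06-02T09:10:00", "type": "OAUTH_GRANT", "user": "alice",
     "app": "My Ticket Portal", "client_id": "client-ticket-portal"},
    {"ts": "2025-06-02T09:12:30", "type": "BULK_API", "user": "alice",
     "app": "My Ticket Portal", "object": "Contact", "rows": 250_000},
    {"ts": "2025-06-02T09:25:00", "type": "BULK_API", "user": "alice",
     "app": "My Ticket Portal", "object": "Account", "rows": 80_000},
    {"ts": "2025-06-02T10:00:00", "type": "OAUTH_GRANT", "user": "bob",
     "app": "Data Loader", "client_id": "client-approved-data-loader"},
    {"ts": "2025-06-02T14:00:00", "type": "BULK_API", "user": "bob",
     "app": "Data Loader", "object": "Lead", "rows": 500},
    {"ts": "2025-06-03T08:00:00", "type": "BULK_API", "user": "carol",
     "app": "Data Loader", "object": "Opportunity", "rows": 120_000},
]

APPROVED_CLIENT_IDS = {"client-approved-data-loader"}   # admin-approved connected apps (assumed)
ROW_THRESHOLD = 100_000       # cumulative rows exported by one user through one app
GRANT_WINDOW = timedelta(hours=24)   # how soon after a grant an export counts as "fresh"


def detect(events, approved=APPROVED_CLIENT_IDS, threshold=ROW_THRESHOLD, window=GRANT_WINDOW):
    """Return alerts for unapproved app grants and for bulk exports, labelling exports
    that follow a fresh grant by the same user as the highest-priority pattern."""
    alerts = []
    grants = {}        # user -> list of grant times
    totals = {}        # (user, app) -> cumulative rows exported
    flagged = set()    # (user, app) already alerted for volume
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "OAUTH_GRANT":
            grants.setdefault(e["user"], []).append(t)
            if e["client_id"] not in approved:
                alerts.append({"rule": "unapproved_connected_app", "user": e["user"],
                               "app": e["app"], "client_id": e["client_id"],
                               "action": "block the app and revoke its tokens in Connected Apps OAuth Usage"})
        elif e["type"] == "BULK_API":
            key = (e["user"], e["app"])
            totals[key] = totals.get(key, 0) + e["rows"]
            if totals[key] < threshold or key in flagged:
                continue
            flagged.add(key)
            fresh_grant = any(timedelta(0) <= t - g <= window for g in grants.get(e["user"], []))
            alerts.append({"rule": "bulk_export_after_new_grant" if fresh_grant else "bulk_export_volume",
                           "user": e["user"], "app": e["app"], "rows": totals[key],
                           "action": "revoke sessions, reset credentials, review exported objects"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the sample data this yields three alerts: alice’s unapproved “My Ticket Portal” grant, her 250,000-row export minutes later (tagged as following a new grant), and carol’s 120,000-row export through an approved app (volume only, worth a look but lower priority); bob’s small export through the approved Data Loader raises nothing. In production the events would come from the org’s event log files and the approved list from the connected apps an admin has actually reviewed.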

Conclusion

The UNC6040 campaign illustrates a powerful new twist on social engineering: using trusted cloud tools to turn employee goodwill into a data breach. By impersonating IT staff and getting a fake Salesforce Data Loader app authorized, attackers have exfiltrated customer and business data from major organizations, then used it for extortion. This growing threat affects every industry that relies on SaaS and cloud CRMs, from healthcare and finance to retail and tech. The good news is that these attacks prey on human and configuration weaknesses, not on unpatched software bugs. In practice, this means that strong controls (Zero Trust access, MFA, least privilege, restrictions on which connected apps users can authorize), comprehensive employee training, and robust incident response can significantly reduce risk. Organizations should treat these vishing schemes as a wake-up call: reinforce cloud security and user vigilance now, before a clever phone call leads to a costly breach.

About COE Security

At COE Security, we empower organizations to prevent breaches before they happen and respond with confidence when they do. We offer end-to-end cybersecurity and compliance services tailored to industries at greatest risk. Our focus areas include telecommunications and IT service providers, healthcare and life sciences, financial institutions and fintech companies, legal and consulting firms, as well as cloud-native and SaaS businesses. COE’s services span data protection and privacy audits, regulatory compliance consulting (covering GDPR, HIPAA, PCI DSS, DPDPA and more), vulnerability assessments and penetration testing, security awareness training, and incident response planning.

Follow COE Security on LinkedIn to stay updated with the latest threat insights, best practices, and security strategies that will keep your organization resilient.
