FBI’s Warning: How Hackers Targeted Salesforce and What IOCs You Should Watch For

When the Federal Bureau of Investigation (FBI) releases a cybersecurity alert, it is not just another news headline. It is a signal flare to the business world that threat actors have shifted their tactics, and organizations need to take notice. Recently, the FBI issued a FLASH advisory revealing two highly coordinated attack campaigns targeting Salesforce environments. These were not opportunistic hacks or quick smash-and-grab attempts. They were multi-stage operations, carefully planned to exploit the very systems and processes that companies trust most, including human behavior, cloud identity workflows, and third-party integrations.

This advisory not only described the tactics of the attackers but also provided a list of Indicators of Compromise (IOCs). These technical fingerprints serve as clues that help security teams detect if their environments have been targeted or breached. To put it simply, IOCs are the breadcrumbs left behind by intruders. In this blog, we will unpack the details of the attacks, walk through how they unfolded, and explain how the disclosed IOCs can be used to strengthen defense strategies.

Who Were the Attackers?

The FBI attributed the campaigns to two separate groups, each using distinct tactics but working toward the same end goal: unauthorized access to Salesforce instances and the theft of sensitive data.

UNC6040 relied heavily on human manipulation. Their strategy revolved around vishing, or voice phishing, to trick employees into installing malicious apps disguised as legitimate Salesforce tools.

UNC6395 exploited stolen OAuth tokens from a third-party chatbot application, Drift. By hijacking these tokens, the attackers gained access to Salesforce data without ever needing passwords or multi-factor authentication (MFA).

Although the FBI did not officially name the extortion groups, threat intelligence firms and the attackers themselves have linked the campaigns to ShinyHunters and Scattered Spider.

Both approaches highlight the evolving reality of cybercrime. Attackers are not always breaking down the digital front door. Increasingly, they are walking through the side entrance, exploiting trust in systems, tokens, and employees.

How Did the Attacks Work?

The devil, as the saying goes, is in the details. Let’s break down the attack methods used by these two groups.

UNC6040’s Tactics

  1. Attackers impersonated internal IT staff and called help desks.
  2. They persuaded employees to install a connected application disguised as a Salesforce utility such as Data Loader.
  3. Once installed, the app was granted OAuth access. This step effectively bypassed login alerts and MFA, as the app was now “trusted.”
  4. The attackers then used Salesforce’s API to exfiltrate large datasets, often customer records.
  5. Victims received extortion emails, with the attackers threatening to leak sensitive data unless a ransom was paid.

This attack shows just how dangerous social engineering can be. Employees believed they were helping IT, but in reality, they had handed over the keys to the kingdom.

UNC6395’s Tactics

  1. The group compromised GitHub repositories belonging to Salesloft, the company behind Drift.
  2. From these repositories, they stole OAuth tokens that Drift used to integrate with Salesforce.
  3. These stolen tokens allowed attackers to access Salesforce support case data without any need for user credentials or MFA.
  4. The compromised data included AWS access keys, Snowflake tokens, and other internal credentials.
  5. The attackers then pivoted to other cloud environments, escalating the breach far beyond Salesforce.

OAuth tokens, once granted, allow persistent access without re-authentication. This makes them a prime target for attackers seeking stealthy, long-term access.

Here, the attackers turned a single integration point into a launching pad for broader compromises. It is a stark reminder that your security is only as strong as the weakest link in your third-party ecosystem.

What Are Indicators of Compromise (IOCs)?

In the world of cybersecurity, IOCs are the red flags that help teams detect and respond to intrusions. Think of them as digital fingerprints left behind by a burglar. They can take many forms, such as suspicious IP addresses, phishing URLs, malicious file hashes, or unusual user-agent strings.

The FBI’s advisory shared specific IOCs tied to the Salesforce campaigns. Security teams should ingest these into their monitoring tools and use them to hunt for evidence of compromise within their own environments.

FBI-Disclosed IOCs for Salesforce Attacks

IP Addresses

Attackers used the following IPs to connect to Salesforce environments and exfiltrate data:

  • 13.67.175.79
  • 20.190.130.40
  • 23.145.40.165
  • 146.70.211.119
  • 208.68.36.90
  • 185.220.101.180

Security teams should cross-reference these against connection logs. If traffic from these IPs appears in logs and cannot be linked to normal business operations, it is a red flag that deserves immediate investigation.

Malicious URLs

The campaigns used URLs crafted to look like legitimate Salesforce login or setup pages but were actually malicious traps. For example:

  • login.salesforce[.]com/setup/connect?user_code=…
  • help[victim][.]com

If such URLs appear in logs or user reports, it is a strong indicator that attackers attempted to manipulate OAuth app authorizations.

Suspicious User-Agent Strings

User-agent strings normally identify the software making requests to a service. Attackers used custom tools that mimicked Salesforce apps, such as:

  • Salesforce-CLI/1.0
  • python-requests/2.32.4
  • Salesforce-Multi-Org-Fetcher/1.0

These strings, when spotted in API logs, suggest automation designed to siphon off data at scale.
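The IP, URL and user-agent indicators above are only useful once they are matched against real telemetry. The script below is an added example, not code from the post or from the FBI advisory, showing how a security team might sweep an export of Salesforce login or API events for those indicators. The CSV column names (`timestamp,user,source_ip,user_agent,url`) and every sample row are constructed for the example and do not follow Salesforce's actual Event Monitoring schema; the indicator values themselves are the ones the post lists. The `help[victim][.]com` pattern is left out because the page gives it only as a placeholder.

```python
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# IP addresses and user-agent strings as listed in the post (from the FBI FLASH advisory).
IOC_IPS = {
    "13.67.175.79", "20.190.130.40", "23.145.40.165",
    "146.70.211.119", "208.68.36.90", "185.220.101.180",
}
# Note: "python-requests/2.32.4" is the default user agent of a common HTTP library
# version, so a match on it alone is a weak signal; treat it as corroborating evidence.
IOC_USER_AGENTS = {
    "Salesforce-CLI/1.0",
    "python-requests/2.32.4",
    "Salesforce-Multi-Org-Fetcher/1.0",
}
# The device-authorization URL the post lists; the user_code value was elided there,
# so only the prefix is matched.
IOC_URL_PATTERNS = [re.compile(r"^login\.salesforce\.com/setup/connect\?user_code=")]


@dataclass
class Hit:
    line_no: int   # line in the CSV export (header is line 1)
    user: str
    reason: str    # ioc_ip | ioc_user_agent | ioc_url
    value: str


def refang(ioc: str) -> str:
    """Turn a defanged indicator (e.g. 'example[.]com', 'hxxp://') back into matchable text."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def scan_events(csv_text: str) -> list[Hit]:
    """Return one Hit per indicator matched in each event row."""
    hits: list[Hit] = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):
        if row["source_ip"] in IOC_IPS:
            hits.append(Hit(line_no, row["user"], "ioc_ip", row["source_ip"]))
        if row["user_agent"] in IOC_USER_AGENTS:
            hits.append(Hit(line_no, row["user"], "ioc_user_agent", row["user_agent"]))
        url = refang(row.get("url", ""))
        if any(p.search(url) for p in IOC_URL_PATTERNS):
            hits.append(Hit(line_no, row["user"], "ioc_url", url))
    return hits


def hits_per_user(hits: list[Hit]) -> dict[str, int]:
    """Summarise how many indicators each account triggered, for triage ordering."""
    return dict(Counter(h.user for h in hits))


# Constructed sample export (hypothetical users, RFC 5737 documentation IPs for benign rows).
SAMPLE_EVENTS = """\
timestamp,user,source_ip,user_agent,url
2025-09-10T08:01:12Z,alice@example.com,203.0.113.10,Mozilla/5.0,login.salesforce.com/
2025-09-10T08:04:55Z,bob@example.com,146.70.211.119,python-requests/2.32.4,login.salesforce.com/services/data
2025-09-10T08:06:03Z,carol@example.com,198.51.100.7,Salesforce-Multi-Org-Fetcher/1.0,login.salesforce.com/services/data
2025-09-10T08:09:41Z,dave@example.com,203.0.113.22,Mozilla/5.0,login.salesforce.com/setup/connect?user_code=EXAMPLE
"""

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"line {hit.line_no}: {hit.user} {hit.reason} {hit.value}")
    print(hits_per_user(scan_events(SAMPLE_EVENTS)))
```

Two matches on a single row (an IOC IP together with an IOC user agent, as in the second sample row) deserve a higher priority than either alone; the `hits_per_user` summary is one way to surface that ordering before analysts open individual events.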

Why These Attacks Were So Effective

Unlike traditional malware campaigns, these operations did not rely on malicious code running on endpoints. Instead, they exploited trust. Trust in employees, trust in connected apps, and trust in OAuth tokens.

Once a malicious app or stolen token was authorized, it operated silently. There were no suspicious logins to alert security teams. MFA was bypassed because the app was seen as legitimate. To use another idiom, the fox was already in the henhouse, and no one noticed until the damage was done.

This approach makes the attacks particularly dangerous. They expose the blind spots in many organizations’ security programs: over-reliance on MFA, lack of app vetting, and insufficient monitoring of API activity.

FBI’s Recommendations for Defense

The FBI’s advisory did not just warn us of the threat; it also provided clear guidance for defense. Here are the key recommendations:

  • Use Phishing-Resistant MFA: Standard MFA like SMS codes can be bypassed. Stronger methods such as hardware tokens, biometrics, or FIDO2/WebAuthn are more resilient.
  • Train Help Desk Staff: Support teams must be trained to spot social engineering. Verification protocols should be in place before assisting employees with account access.
  • Audit Third-Party App Integrations: Regularly review connected apps in Salesforce. Remove unused or suspicious ones, and always limit permissions to the minimum required.
  • Monitor API Usage: Watch for anomalies such as large exports, high-frequency requests, or suspicious user-agent strings.
  • Restrict Access by IP: Define known IP ranges for Salesforce access and block requests from unknown or suspicious sources.
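The "Monitor API Usage" and "Restrict Access by IP" recommendations translate directly into detection logic. As an added example (not from the post, the FBI advisory, or any vendor product), the Python below applies three checks to a stream of API events: a source-IP allowlist, a per-call row-count ceiling for large exports, and a sliding-window call-rate limit per actor (user or connected app). The allowlisted networks, thresholds, event fields and sample events are all assumptions chosen for the example; an organisation would set them from its own baseline.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy values; tune to the organisation's observed baseline.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
MAX_ROWS_PER_CALL = 10_000        # larger single responses look like bulk exfiltration
MAX_CALLS_PER_WINDOW = 5          # more calls than this per WINDOW per actor is "high frequency"
WINDOW = timedelta(minutes=1)


@dataclass
class ApiEvent:
    ts: datetime
    actor: str        # user or connected-app name making the call
    source_ip: str
    rows: int         # records returned by the call


@dataclass
class Alert:
    actor: str
    kind: str         # ip_not_allowlisted | large_export | high_frequency
    detail: str


def ip_allowed(ip: str) -> bool:
    """True when the source address falls inside a known business network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def detect_anomalies(events: list[ApiEvent]) -> list[Alert]:
    """Run the three checks over events in time order; rate alerts fire once per burst."""
    alerts: list[Alert] = []
    recent: dict[str, deque] = defaultdict(deque)   # per-actor timestamps inside WINDOW
    for ev in sorted(events, key=lambda e: e.ts):
        if not ip_allowed(ev.source_ip):
            alerts.append(Alert(ev.actor, "ip_not_allowlisted", ev.source_ip))
        if ev.rows > MAX_ROWS_PER_CALL:
            alerts.append(Alert(ev.actor, "large_export", f"{ev.rows} rows in one call"))
        q = recent[ev.actor]
        q.append(ev.ts)
        while q and ev.ts - q[0] > WINDOW:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == MAX_CALLS_PER_WINDOW + 1:      # alert on the first crossing only
            alerts.append(Alert(ev.actor, "high_frequency", f"{len(q)} calls within {WINDOW}"))
    return alerts


def sample_events() -> list[ApiEvent]:
    """Constructed events: one benign user, one bursty connected app, one off-network bulk pull."""
    base = datetime(2025, 9, 10, 8, 0, 0)
    events = [ApiEvent(base, "alice@example.com", "203.0.113.10", 200)]
    # A connected app hammering the API: 7 calls, 5 seconds apart, from an allowed network.
    events += [
        ApiEvent(base + timedelta(seconds=5 * i), "lookalike-loader-app", "198.51.100.50", 500)
        for i in range(7)
    ]
    # One call from outside the allowlist that returns far more rows than normal.
    events.append(ApiEvent(base + timedelta(minutes=2), "bob@example.com", "192.0.2.77", 50_000))
    return events


if __name__ == "__main__":
    for alert in detect_anomalies(sample_events()):
        print(f"{alert.kind:20} {alert.actor:22} {alert.detail}")
```

Firing the rate alert only when the count first exceeds the threshold keeps a single burst from producing one alert per call, which matters when the same logic runs over a full day of export traffic.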

These measures may sound straightforward, but consistent execution is what makes them effective. Security is rarely about silver bullets. It is about layers of defense working together.

What Security Teams Should Do Now

The advisory is a wake-up call. Here are practical steps organizations can take immediately:

  1. Ingest IOCs into SIEM Tools: Security Information and Event Management platforms should use these IOCs to detect threats in real time.
  2. Conduct Retrospective Log Analysis: Review historical logs for connections from the listed IPs or the use of suspicious user-agent strings.
  3. Deploy Identity Threat Detection and Response (ITDR): ITDR solutions track identity behavior across cloud platforms, flagging anomalies such as token abuse or privilege escalation.
  4. Adopt Unified Platforms Like Argus: Argus by Genix Cyber integrates cloud monitoring, identity analytics, endpoint telemetry, and API behavior tracking into one platform. Its Trust Score engine correlates risks across domains, while Ask Argus, an AI-native automation capability, investigates alerts and orchestrates responses.

Incorporating these practices ensures organizations are not just reacting to threats but actively building resilience against them.

Final Thoughts

The FBI’s FLASH advisory is more than just a report. It is a reminder that the cybersecurity battlefield has shifted. Attackers are not only exploiting technology gaps, but they are also exploiting trust itself. Whether through a phone call to a help desk or a hijacked OAuth token, the attackers in these campaigns found ways to operate inside trusted systems.

For organizations, the takeaway is clear. Security programs must evolve to match these tactics. That means deeper scrutiny of connected apps, stronger identity protections, and a relentless focus on monitoring behavior across cloud environments.

The phrase “forewarned is forearmed” could not be more appropriate. By understanding the FBI’s findings, ingesting the disclosed IOCs, and investing in tools like Argus that unify visibility across domains, businesses can stay one step ahead of adversaries who increasingly prefer to log in rather than break in.
