Google’s Threat Intelligence Group (GTIG) has disclosed a financially motivated threat cluster, UNC6040, that specializes in voice phishing (vishing) campaigns designed to breach organizations’ Salesforce environments for large-scale data theft and eventual extortion.
This is especially critical for Salesforce organizations because attackers like UNC6040 specifically target platforms storing vast amounts of sensitive customer and operational data. As a central hub for client information, sales pipelines, and business operations, Salesforce is both a valuable resource and an attractive target. A successful breach could result not only in data loss, but in regulatory consequences, reputational damage, and financial extortion. Understanding and defending against vishing threats is critical to safeguard the integrity of Salesforce environments and maintain trust with clients, partners, and stakeholders.
Who is UNC6040?
UNC6040 is a threat group whose behaviors resemble those of Scattered Spider and other threat actors linked to the cybercrime collective known as The Com. According to GTIG, the group has repeatedly succeeded in breaching networks by impersonating IT support personnel in convincing phone-based social engineering attacks.
These vishing calls are designed to trick English-speaking employees into performing actions that grant access or reveal sensitive information such as credentials, which are then used to infiltrate enterprise systems and exfiltrate data.
How the attack works
UNC6040’s attacks typically begin with a phone call from someone posing as IT support. UNC6040 operators use a combination of live calls and automated phone systems with pre-recorded messages and interactive menus. These systems help them gather reconnaissance, such as internal application names, support team contacts, and company-wide technical issues, before engaging targets directly.
Once on the call, the attacker instructs the victim to install a modified version of Salesforce’s Data Loader, a legitimate tool used to import, export, and update Salesforce data in bulk. The malicious version is often disguised under a different name, such as “My Ticket Portal.”
Victims are guided to Salesforce’s connected app setup page and asked to authorize the malicious app. This grants the attacker access to the organization’s Salesforce environment, enabling them to exfiltrate large volumes of customer and operational data.
From there, UNC6040 moves laterally across the network, targeting other platforms such as Okta, Workplace, and Microsoft 365. The group harvests credentials and sensitive data from these systems, often without triggering security policies and alerts.
In some cases, extortion attempts occur months after the initial breach. During these campaigns, UNC6040 has claimed affiliation with the ShinyHunters group — likely to increase pressure on victims and accelerate ransom payments.
Why this matters
Google reports that approximately 20 organizations have been affected by this campaign. These include entities across hospitality, retail, education, and other sectors in North and South America and Europe. The attacks are described as “opportunistic,” meaning the group casts a wide net and exploits any vulnerable entry point it finds.
UNC6040’s tactics overlap with those of other groups in The Com, particularly in their targeting of Okta credentials and use of IT support impersonation. However, their focus on Salesforce data theft sets them apart from groups like Scattered Spider, which typically aim for broader network access.
Mandiant, a Google-owned threat intelligence firm, emphasized that vishing campaigns like UNC6040’s are built on extensive reconnaissance. The normalization of remote IT support and outsourced service desks has made employees more susceptible to engaging with unfamiliar personnel — creating fertile ground for social engineering.
How to defend against vishing
When it comes to protecting your data from threat actors like UNC3944 (aka Scattered Spider), organizations should consider the following proactive defenses:
- Educate employees about social engineering tactics. Make it clear that IT will never ask them to install or authorize apps over the phone.
- Implement strict app authorization policies in platforms like Salesforce and Microsoft 365.
- Monitor connected apps and audit for unusual authorizations or access patterns.
- Use behavioral analytics to detect lateral movement and data exfiltration.
- Adopt a Zero Trust model — never trust, always verify.
- Harden identity infrastructure by enforcing phishing-resistant MFA, restricting self-service password resets, and monitoring for suspicious identity activity.
- Limit access to administrative tools and enforce just-in-time access provisioning.
- Simulate vishing attacks as part of regular security awareness training to test and reinforce employee vigilance.
Salesforce acknowledged UNC6040’s campaign in March 2025, warning that attackers were impersonating IT support to trick employees into giving away credentials or approving malicious connected apps. The company emphasized that these incidents did not involve or originate from any vulnerabilities in its platform.
“All the observed incidents relied on manipulating end users,” Salesforce said. “Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.”
Salesforce has published guidance to help customers protect their environments from social engineering, including best practices for app authorization and user training.
- Audit and restrict connected app permissions in Salesforce.
- Enforce least privilege access across all systems.
- Apply IP-based login controls.
- Configure and deploy Salesforce Shield and other monitoring tools for early detection.
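The two defense lists above both come down to the same monitoring question: which connected apps hold OAuth tokens in the org, and are the logins those apps generate coming from where you expect? The script below is an added example, not Varonis' or Salesforce's code. It runs detection logic over constructed records whose field names follow the shape of Salesforce's OauthToken and LoginHistory objects (AppName, UserId, CreatedDate, SourceIp, Application, LoginType, LoginTime, Status); the approved-app list, the allowed IP ranges, the app and user identifiers, and the assumption that OAuth-based logins carry the LoginType value "Remote Access 2.0" are all assumptions for the example, and should be checked against your own export before use.

```python
"""Flag unapproved connected-app authorizations and off-network OAuth logins.

Records mirror the field names of Salesforce's OauthToken and LoginHistory
objects. Everything below (apps, users, addresses, timestamps) is
constructed sample data for this example, not real telemetry.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumed policy inputs: connected apps allowed to hold OAuth tokens, and the
# egress ranges that employees and integrations are expected to log in from
# (the IP-based login controls from the guidance above).
APPROVED_APPS = {"Corporate ETL Integration", "Salesforce for Outlook"}
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed OauthToken-style records (as you might pull with
# SELECT AppName, UserId, CreatedDate, UseCount FROM OauthToken).
# The second grant is an unfamiliar app authorized by a user mid-afternoon,
# which is exactly what a vishing-driven connected-app approval looks like.
OAUTH_TOKENS = [
    {"AppName": "Corporate ETL Integration", "UserId": "005EXAMPLE000001",
     "CreatedDate": "2025-03-03T09:12:00Z", "UseCount": 412},
    {"AppName": "My Ticket Portal", "UserId": "005EXAMPLE000002",
     "CreatedDate": "2025-03-04T14:47:00Z", "UseCount": 37},
]

# Constructed LoginHistory-style records. The OAuth session from an address
# outside the allowed ranges, minutes after the grant, is the one to catch.
LOGINS = [
    {"UserId": "005EXAMPLE000001", "LoginTime": "2025-03-04T08:01:00Z",
     "SourceIp": "203.0.113.25", "Application": "Browser",
     "LoginType": "Application", "Status": "Success"},
    {"UserId": "005EXAMPLE000002", "LoginTime": "2025-03-04T14:49:00Z",
     "SourceIp": "192.0.2.77", "Application": "My Ticket Portal",
     "LoginType": "Remote Access 2.0", "Status": "Success"},
]

OAUTH_LOGIN_TYPE = "Remote Access 2.0"  # assumed LoginType for connected-app sessions


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _in_allowed_nets(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def unapproved_authorizations(tokens, approved=APPROVED_APPS):
    """Connected apps holding OAuth tokens that are not on the approved list."""
    return [t for t in tokens if t["AppName"] not in approved]


def suspicious_oauth_logins(logins, approved=APPROVED_APPS):
    """Successful connected-app logins that used an unapproved app or came
    from outside the allowed IP ranges."""
    hits = []
    for rec in logins:
        if rec["Status"] != "Success" or rec["LoginType"] != OAUTH_LOGIN_TYPE:
            continue
        if rec["Application"] not in approved or not _in_allowed_nets(rec["SourceIp"]):
            hits.append(rec)
    return hits


def correlate(tokens, logins, window=timedelta(hours=1)):
    """Pair each unapproved grant with suspicious OAuth logins by the same
    user inside `window` after the grant; that pairing is the signal that an
    authorization was followed immediately by data access."""
    findings = []
    for tok in unapproved_authorizations(tokens):
        granted = _parse(tok["CreatedDate"])
        for rec in suspicious_oauth_logins(logins):
            if rec["UserId"] != tok["UserId"]:
                continue
            delta = _parse(rec["LoginTime"]) - granted
            if timedelta(0) <= delta <= window:
                findings.append({
                    "user": tok["UserId"],
                    "app": tok["AppName"],
                    "source_ip": rec["SourceIp"],
                    "minutes_after_grant": delta.total_seconds() / 60,
                })
    return findings


if __name__ == "__main__":
    for f in correlate(OAUTH_TOKENS, LOGINS):
        print(f"ALERT user={f['user']} app={f['app']!r} ip={f['source_ip']} "
              f"+{f['minutes_after_grant']:.0f}m after authorization")
```

Run against a real export, the interesting output is the correlated findings rather than either list alone: an unapproved app that is never used is a hygiene item, while an unapproved app that is used from an unexpected network within minutes of being authorized is the pattern described in the attack walkthrough above and warrants revoking the token and contacting the user.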
Final thoughts
UNC6040’s campaign is a stark reminder that even the most secure platforms can be compromised through human error. The group’s use of vishing, legitimate tools, and delayed extortion tactics demonstrates that attackers aren’t breaking in, they are logging in.
Organizations must combine technical controls with user education to defend against evolving threats. As GTIG noted, the extended time frame between initial compromise and extortion means that more victims may still be at risk in the weeks and months ahead.
If you believe your organization has been impacted by UNC6040, contact our team immediately.