Google’s Threat Intelligence Group is tracking a financially motivated threat cluster, UNC6040, which employs voice phishing to compromise Salesforce environments and exfiltrate data. Following these intrusions, the actors engage in extortion, often posing as the group ShinyHunters and pressuring victims for payment in bitcoin. The growing sophistication of these tactics highlights the vulnerabilities in organizational defenses, with IT personnel in particular being targeted for initial access.
A widespread data theft campaign targeting Salesforce instances via the Salesloft Drift application has been uncovered, with the threat actor UNC6395 compromising OAuth tokens to exfiltrate sensitive data. Organizations using Salesloft Drift are urged to treat their credentials as compromised and take immediate remediation steps, including revoking tokens and investigating potential unauthorized access.