When Trust Becomes a Weapon: Inside the UNC6040 & UNC6395 Salesforce Attack Campaigns

by | Sep 25, 2025 | Blog

In today’s interconnected business environment, platforms like Salesforce have become the backbone of customer relationship management for thousands of organizations, and the OAuth 2.0 authorization framework is what lets businesses connect their tools and streamline workflows through third-party integrations without ever sharing a password.

However, two threat groups, UNC6040 and UNC6395, have provided a sobering answer to the question of what happens when that trust becomes the foundation of an attack, running separate but equally damaging campaigns against Salesforce environments. What makes these attacks unsettling isn’t just their scale but the way they weaponized the very trust mechanisms designed to make business operations seamless, turning OAuth’s delegation features into vectors for compromise.

Understanding the Attack Surface

OAuth 2.0 tokens are a critical piece of infrastructure: they enable granular, delegated access between applications without sharing credentials. In legitimate business scenarios, when Salesforce integrates with a marketing automation platform like HubSpot or Marketo, OAuth tokens facilitate seamless data synchronization while maintaining security boundaries. This abstraction layer provides both convenience and security, but only when the grants are properly scoped, implemented and monitored.

Key Attack Characteristics:

  • Token Lifecycle Exploitation: Unlike a stolen password, an OAuth grant typically comes with a long-lived refresh token, so an attacker keeps access for as long as the token is not revoked, without the repeated authentication events that might trigger security alerts.
  • Trust Boundary Abuse: A token carries the scopes the user granted, bounded only by that user’s own permissions, so an over-broad grant from a user with wide data access hands the app the same reach across integrated systems, and the MFA prompt that guarded the interactive login never applies to the token’s later use.
  • Logging Blind Spots: OAuth-authenticated API calls blend with legitimate application traffic, so detection depends on per-connected-app API monitoring and behavioral baselines rather than on login monitoring alone.

UNC6040: Social Engineering Meets API Exploitation

Since October 2024, UNC6040 has been perfecting a particularly insidious attack methodology that combines old-school social engineering with cutting-edge technical exploitation.

The Perfect Phone Call: UNC6040 operators conduct extensive reconnaissance before calling, then pose as IT support reporting “enterprise connectivity issues.” They demonstrate intimate knowledge of internal systems, processes and current tickets, making their urgency compelling and believable.

Technical Exploitation: The attack leverages Salesforce’s legitimate connected app framework rather than any vulnerability in the platform:

  • Using Salesforce trial accounts to register malicious connected apps (typically a modified copy of Salesforce’s own Data Loader under an innocuous name), the attackers avoid detection while maintaining the appearance of an authentic third-party integration
  • Victims are guided to https://login.salesforce.com/setup/connect and told to enter a connection code the caller reads out, which authorizes the attacker’s app against the victim’s account
  • Once approved, the app’s OAuth tokens give the attackers persistent API access that sidesteps:
    • Multi-factor authentication, which the victim satisfied once during authorization and which is not re-prompted when the token is used
    • Password resets, unless the user’s OAuth tokens are explicitly revoked as well
    • Traditional login monitoring, since the activity appears as connected-app API sessions rather than interactive logins
    • IP-based access controls, depending on the org’s IP relaxation policy for the connected app
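The authorization step above leaves a trace: the first successful connected-app login for a user and app pair. As an added example (not code from the original post or from Salesforce), the Python script below hunts a LoginHistory export for that trace. It assumes the export carries the LoginHistory fields UserId, LoginTime, LoginType, Application, SourceIp and Status, and that a LoginType of Remote Access 2.0 marks an OAuth 2.0 connected-app login; the records, the approved-app list and the corporate network range are constructed for the example.

```python
"""Added example: hunt for connected-app (OAuth 2.0) logins in a Salesforce
LoginHistory export. Not code from the original post or from Salesforce; the
records, allowlist and network ranges below are constructed assumptions."""
import csv
import io
import ipaddress

# Constructed sample in the shape of a LoginHistory CSV export. The column
# names are LoginHistory fields; the Ids, timestamps, IPs and app names are
# made up. LoginType "Remote Access 2.0" marks an OAuth 2.0 connected-app login.
SAMPLE_LOGIN_HISTORY = """\
UserId,LoginTime,LoginType,Application,SourceIp,Status
005Ab000000001AAA,2025-06-03T14:02:11Z,Application,Browser,203.0.113.10,Success
005Ab000000001AAA,2025-06-03T14:05:40Z,Remote Access 2.0,Salesforce for Outlook,203.0.113.10,Success
005Ab000000001AAA,2025-06-03T14:31:02Z,Remote Access 2.0,My Ticket Portal,198.51.100.77,Success
005Ab000000002BBB,2025-06-03T15:10:55Z,Remote Access 2.0,Data Loader,203.0.113.22,Success
005Ab000000002BBB,2025-06-03T16:40:09Z,Remote Access 2.0,Data Loader,198.51.100.91,Success
"""

# Assumed organisational policy (hypothetical): sanctioned connected apps and
# the networks those apps are expected to be driven from.
APPROVED_APPS = {"Salesforce for Outlook", "Data Loader"}
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_login_history(text):
    """Parse a CSV export into dicts, oldest login first (ISO timestamps sort as text)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return sorted(rows, key=lambda r: r["LoginTime"])


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def hunt_oauth_logins(records, approved_apps=APPROVED_APPS):
    """Apply three rules to successful connected-app logins and return findings.

    new_grant            first successful OAuth login for a (user, app) pair; the
                         closest LoginHistory gets to the authorization event, so
                         each one deserves a human look
    unapproved_app       the app is not on the sanctioned list
    approved_app_offnet  a sanctioned app driven from outside corporate ranges
    """
    findings = []
    seen = set()
    for r in records:
        if r["LoginType"] != "Remote Access 2.0" or r["Status"] != "Success":
            continue
        user, app, ip, when = r["UserId"], r["Application"], r["SourceIp"], r["LoginTime"]

        def add(rule):
            findings.append({"rule": rule, "user": user, "app": app, "ip": ip, "time": when})

        if (user, app) not in seen:
            seen.add((user, app))
            add("new_grant")
        if app not in approved_apps:
            add("unapproved_app")
        elif not is_corporate(ip):
            add("approved_app_offnet")
    return findings


if __name__ == "__main__":
    for f in hunt_oauth_logins(parse_login_history(SAMPLE_LOGIN_HISTORY)):
        print(f"{f['time']} {f['rule']:20} user={f['user']} app={f['app']!r} ip={f['ip']}")
```

Against the constructed rows the script raises three new_grant findings, one unapproved_app finding for “My Ticket Portal”, and one approved_app_offnet finding for the Data Loader session from 198.51.100.91. In a real org the rows come from a SOQL query on LoginHistory; the same allowlist should be reconciled against the OauthToken object, which lists every connected app each user has authorized, so that a grant which never produced a login is still caught.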

The Aftermath: With API access secured, UNC6040 systematically exfiltrates data through ordinary Salesforce queries and bulk exports, traffic that looks like routine Data Loader use unless export volumes are baselined per connected app. Victims receive extortion demands from ShinyHunters-affiliated groups days to months later.

UNC6395: OAuth Supply Chain Compromise

UNC6395 showed how a trusted integration becomes an attack highway by compromising the OAuth tokens of Salesloft Drift, an AI chatbot platform connected to numerous Salesforce instances, and using those tokens to query the connected instances directly.

  • The Trust Exploit: Rather than attacking Salesforce directly, UNC6395 stole the OAuth tokens Drift used for its integrations. A stolen token grants exactly the permissions an organization had willingly given the legitimate service, and nothing in the victim’s own Salesforce org had to be touched to obtain it.
  • Methodical Data Mining: UNC6395’s approach was surgical:
    • Reconnaissance queries to map the size of each org and the value of its data before exporting anything
    • Systematic credential hunting through the exported records, support case text in particular, for AWS access keys, Snowflake credentials, VPN and SSO URLs, and any strings containing “password,” “secret,” or “key”
    • Deletion of the Bulk API query jobs afterward to tidy up, although the org’s logs still record the activity
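The credential hunt described above is the same search a defender should run over their own CRM data first. As an added example (not code from the original post or from Salesforce or Salesloft), the Python script below scans exported records for that class of secrets and redacts what it finds so the report itself does not leak them. The records are constructed (the AWS key is the public placeholder from AWS documentation), and the pattern set is an assumed starting point rather than a complete secret catalogue.

```python
"""Added example: scan exported Salesforce records for the kinds of secrets
UNC6395 hunted for, so that defenders find them first. Not code from the
original post or from Salesforce/Salesloft; the records below are constructed
and the patterns are an assumed starting set, not a complete secret catalogue."""
import re

# Constructed sample records. Ids and text are made up; the AWS access key is the
# placeholder value used in AWS documentation, not a live credential.
SAMPLE_RECORDS = [
    {"Id": "500Ab000000A1AAA", "Object": "Case", "Subject": "VPN onboarding",
     "Description": "Temporary creds: username jdoe password: Summer2025! "
                    "VPN at https://vpn.example.com/remote"},
    {"Id": "500Ab000000A2AAB", "Object": "Case", "Subject": "Data pipeline failing",
     "Description": "Pasted config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "003Ab000000B1AAA", "Object": "Contact", "Subject": "",
     "Description": "Warehouse: acme-xy12345.snowflakecomputing.com, role SYSADMIN"},
    {"Id": "500Ab000000A3AAC", "Object": "Case", "Subject": "Printer jam",
     "Description": "3rd floor printer is jammed again."},
]

# Patterns applied to every text field. Group 1 is the value reported as evidence.
PATTERNS = [
    # AWS access key ids: long-term keys start with AKIA, STS temporary keys with ASIA
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    # Snowflake account hosts, which pair with any nearby username/password
    ("snowflake_host", re.compile(r"\b([\w.-]+\.snowflakecomputing\.com)\b")),
    # VPN / SSO entry points that tell an intruder where stolen credentials are usable
    ("vpn_sso_url", re.compile(r"(https?://\S*(?:vpn|sso|okta|adfs|login)\S*)", re.I)),
    # key=value or key: value pairs whose key contains a credential keyword
    ("credential_keyword", re.compile(
        r"\b\w*(?:password|passwd|pwd|secret|api[_-]?key|key|token)\w*\s*[:=]\s*(\S+)", re.I)),
]

# Hosts and URLs are pointers rather than secrets: keep them readable in the report.
LOCATION_KINDS = {"snowflake_host", "vpn_sso_url"}
TEXT_FIELDS = ("Subject", "Description")


def redact(value):
    """Keep a short prefix so a finding can be triaged without re-exposing the secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_records(records, patterns=PATTERNS, fields=TEXT_FIELDS):
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for kind, pattern in patterns:
                for m in pattern.finditer(text):
                    value = m.group(1)
                    findings.append({
                        "Id": rec["Id"], "Object": rec["Object"], "field": field,
                        "kind": kind,
                        "evidence": value if kind in LOCATION_KINDS else redact(value),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['Object']} {f['Id']} {f['field']}: {f['kind']} -> {f['evidence']}")
```

On the constructed records the scan flags the password and VPN URL in the first case, the AWS key id (once as an AWS pattern and twice, with its secret, as credential key/value pairs) in the second, the Snowflake host on the contact, and nothing on the printer ticket. Anything it finds in a real export should be rotated on the assumption that a token holder has already read it, since the Drift tokens gave UNC6395 the same view of these fields.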

Cascade Effect: The true scope emerged on August 28, 2025, when Google confirmed that UNC6395 had also compromised the OAuth tokens behind Drift’s Google Workspace integration and used them to read email from a small number of accounts at organizations using that integration. Google revoked the tokens and disabled the integration, but the access had already taken place.

The Broader Implications: Rethinking API Security

Beyond Traditional Perimeter Security

These campaigns represent a fundamental shift in how we must think about cybersecurity. Traditional perimeter-based security models fall apart when the attack vector is a legitimate, authorized integration. When OAuth tokens provide access that appears entirely normal to security systems, how do we detect the difference between legitimate business operations and data theft?

Both campaigns expose the same fundamental truth: attackers no longer need to break down the front door when users will gladly hand them the keys.

The Bottom Line

Your organization’s security posture is only as strong as:

  • Your users’ ability to recognize sophisticated social engineering
  • Your visibility into authorized application behavior
  • Your processes for managing third-party integrations

The perimeter isn’t just your network; it’s every person who can authorize an application and every service you trust with your data. UNC6040 and UNC6395 have shown that attackers understand this reality better than most defenders.

The fundamental question isn’t whether your technical controls are strong enough; it’s whether your people and processes can distinguish legitimate requests from expertly crafted deception.

Beyond Detection: Proactive API Security Validation

While understanding the threat landscape is crucial, organizations need actionable ways to validate their defenses before attackers do. This is where continuous security testing becomes essential, not as a one-time assessment, but as an integral part of your security operations.

RidgeBot API Security Testing addresses this critical gap by providing comprehensive API vulnerability assessment in controlled environments. The platform helps organizations identify and safely exploit potential API vulnerabilities before malicious actors can leverage them. RidgeBot excels in both black-box testing scenarios, where testers operate without credentials to simulate external attackers, and gray-box testing environments, which replicate the conditions of an attacker who has gained partial authenticated access through social engineering or token compromise.

The platform’s strength lies in its holistic approach to API security validation. Beyond traditional vulnerability scanning, RidgeBot evaluates the scope and limitations of individual authentication tokens, stress-tests the business logic governing API workflows, and continuously monitors API behavior patterns. This comprehensive coverage ensures that organizations understand not just whether their APIs can be compromised, but how extensively they can be exploited if an attacker gains access.

By combining automated vulnerability detection with business logic flaw identification, RidgeBot helps organizations implement the principle of defense in depth for their API ecosystem. Even if sophisticated social engineering succeeds in compromising user credentials or application tokens, robust API security controls can significantly limit the blast radius of a successful attack, turning what could be a catastrophic breach into a contained incident.