Recently, Israeli cybersecurity startup Noma Security discovered a critical vulnerability in Salesforce Agentforce, which could allow external attackers to exfiltrate sensitive CRM data. The vulnerability, tied to Salesforce’s Web-to-Lead functionality, was exposed when malicious instructions were embedded within lead data, which was later processed by Agentforce’s AI system.
This data leak, caused by an AI vulnerability, exposed organizations using Salesforce Agentforce to significant risks.
Noma, which specializes in securing enterprise data and AI models, notified Salesforce of the breach on September 25. In response, Salesforce quickly investigated and released patches to prevent AI agents in Agentforce from sending outputs to untrusted URLs.
The vulnerability was caused by indirect prompt injection, a method where attackers hide malicious instructions in user-submitted data that are later processed by the AI system.
For organizations in sales, marketing, and customer acquisition workflows using Salesforce Web-to-Lead functionality, this breach posed a serious threat, as external lead data processed by AI agents could be compromised.
Imagine managing sensitive customer information in Salesforce only to find that a breach has exposed it to unauthorized access. This was the reality for many businesses relying on Salesforce Agentforce.
If you’re a business leader, IT administrator, or security professional, understanding what went wrong with the ForcedLeak incident is critical for safeguarding your Salesforce environment.
What is ForcedLeak?
At its core, ForcedLeak is an example of indirect prompt injection, a sophisticated attack vector that targets AI-driven systems like Salesforce’s Agentforce. Prompt injection works by embedding malicious instructions inside seemingly harmless user inputs or prompts. These instructions are designed to be executed by the AI agent when it processes the data.
Attack Class: Indirect Prompt Injection
Indirect prompt injection occurs when an attacker hides harmful code or instructions within data that an AI system later processes.
For example, an attacker could manipulate a lead’s description field to contain a script or command. The AI agent, when tasked with processing the lead (such as summarizing it or drafting a response), would inadvertently execute these hidden instructions.
This is a serious issue because it exploits how AI systems interpret and execute natural language inputs. If AI agents are too permissive in how they follow instructions, malicious code can be executed without detection, potentially leading to data breaches or unauthorized actions.
This is what made ForcedLeak so dangerous: the AI agent treated malicious lead descriptions as legitimate instructions to be followed, which led to data exfiltration.
Trigger: A Simple Employee Request
The vulnerability was triggered through a seemingly innocuous action: an employee asking the AI agent to “Summarize this lead and draft a reply.” This is a common task that AI agents in Salesforce are designed to handle, yet in this case, the lead text contained malicious code.
When the agent processed this data, it executed the hidden instructions, leading to a data leak.
In practice, businesses rely on Salesforce’s AI agents to automate many CRM tasks like summarizing customer interactions or automatically drafting responses to customer inquiries. These tasks are typically simple and repetitive, which makes them ideal candidates for automation.
However, when input data is untrusted or improperly sanitized, it can introduce vulnerabilities. In the case of ForcedLeak, this lack of security around user-provided data allowed attackers to exploit the AI agent’s functionality for malicious purposes.
Why it Worked
The reason ForcedLeak succeeded was due to over-permissive instruction-following within the AI system. Salesforce’s Agentforce did not adequately validate or restrict the types of instructions it would execute based on incoming data.
This meant that the AI agent was able to interpret and follow malicious instructions hidden within legitimate-looking input fields, like a lead’s description.
Additionally, a browser-level Content Security Policy (CSP) allowedlist, intended to restrict the domains with which the AI agent could communicate, included an expired yet still trusted domain.
This oversight allowed attackers to craft a request that led to the exfiltration of sensitive data via an embedded image request. When the AI agent processed the lead, it inadvertently sent data to the untrusted domain, exposing it to unauthorized access.
The combination of weak separation between untrusted record fields (such as lead descriptions or customer service tickets) and rendered/output content (such as the AI’s response or processed data) compounded the problem. With this weak separation, malicious data embedded in these fields could flow seamlessly into the system, bypassing security checks and resulting in data leakage.
Who’s Impacted
Organizations using Salesforce Agentforce that ingest untrusted, user-controlled text are particularly vulnerable. This includes not only Web-to-Lead submissions, but also Case/Email-to-Case entries, service tickets, community or knowledge base contributions, web forms, and any other intake pipelines that agents later review.
These user-generated inputs can vary in quality, ranging from clear and concise to incomplete or filled with errors. For AI-driven systems like Salesforce Agentforce, these inconsistencies can cause significant issues. If the AI isn’t trained to handle poorly formatted or unreliable data, it may struggle to provide accurate or relevant responses.
Mitigation Strategies: Salesforce ForcedLeak
To ensure Salesforce Agentforce operates securely and efficiently, it’s essential to take proactive steps. From validating platform protections to securing data intake and training your team, these actions will help you mitigate risks and maximize the value of AI-driven automation. Here’s a practical checklist to guide your next steps.
Validate Platform Protections
Ensure the security measures and protocols in place for Salesforce Agentforce and Einstein AI are up to date.
- Enable/Confirm Trusted URLs Enforcement: Make sure that trusted URLs enforcement is enabled for both platforms to prevent unauthorized or harmful external sources from accessing sensitive data.
- Review CSP/Allowlists: Regularly review your Content Security Policy (CSP) and allowlists to confirm that only trusted domains are permitted. This process should include verifying that all trusted domains are actively owned, maintained, and monitored.
- Remove Stale Entries: Periodically purge outdated or irrelevant entries that could pose a security risk, and assign a dedicated team member to take ownership of allowlist hygiene. This ensures that only the relevant domains continue to have access.
- Assign Ownership for Allowlist Hygiene: Designate a team or individual responsible for managing allowlist entries, keeping them updated and removing unnecessary or outdated domains.
Harden Data Intake (Especially Web-to-Lead)
Refining the intake process, particularly for forms like Web-to-Lead, is crucial to preventing malicious data from being ingested by your system.
- Sanitize and Normalize User-Controlled Fields: Fields like Description, which can accommodate large payloads, should be properly sanitized to prevent injection of harmful content or oversized data.
- Add Prompt-Injection Heuristics: Implement blocklists, regex, and machine learning (ML) models to detect and block patterns indicative of prompt injection, such as hidden instructions, HTML/JS, and out-of-band requests.
- Tag, Route, or Quarantine High-Risk Submissions: For submissions with suspicious or high-risk signals, tag and route them for immediate human review before they are processed by agents. This ensures that potentially harmful data doesn’t affect the AI system’s decision-making process or customer interactions.
Reduce Agent Blast Radius
Limit the potential damage of compromised or inaccurate data by restricting access and controlling outputs.
- Constrain Tool Calls: Follow the principle of least privilege to ensure that agents have only the necessary access and permissions to perform their tasks. This minimizes the scope of action for each tool, preventing unintended actions or breaches.
- Guard Tool Outputs: Sanitize or strip agent-generated HTML and links before they are rendered or sent out, ensuring that no potentially dangerous or unauthorized content is included in customer-facing responses.
- Isolate Memory & Context: Separate untrusted records from privileged system prompts and tools. By isolating untrusted data, you reduce the risk of contaminating secure workflows or exposing sensitive information.
Train the Humans in the Loop
AI may be powerful, but it’s the human agents who are crucial in identifying and mitigating risks.
- Teach Teams to Spot Prompt-Injection Symptoms: Train customer service teams to recognize signs of prompt injection, such as unusual or hidden instructions embedded within data, invisible HTML, or unexpected URL calls within customer submissions.
- Encourage “Report, Don’t Proceed” Behavior: Instruct agents to flag and report rather than proceed with cases that include external resources users did not request. This will ensure that agents don’t unknowingly trigger actions based on malicious or unverified inputs.
How Aquiva Labs Can Help
At Aquiva Labs, we specialize in helping organizations evolve from a “secure Salesforce” to a “secure Salesforce with autonomous AI agents.” Our team brings hands-on experience and a deep understanding of the challenges and opportunities that come with integrating Salesforce Agentforce and other AI-powered automation solutions.
We’ve successfully published more than ten Agentforce apps, supporting customers through the entire deployment process. This extensive experience allows us to guide businesses in leveraging AI-driven automation effectively while mitigating associated risks.
One key area where we provide value is in ensuring that AI systems are not only powerful but also predictable and secure. In our upcoming Dreamforce session, we’ll share practical guardrail patterns related to managing variables, filters, and determinism in large language models (LLMs).
To dive deeper into these concepts and learn how we’re building effective guardrails for Salesforce Agentforce, check out our recent blog on Guardrails for Generative AI in Agentforce: Variables, Filters, and Determinism. It provides additional insights on keeping your AI systems aligned and secure, especially when dealing with adversarial inputs.
These insights are crucial for keeping agent behavior consistent, even under adversarial or unexpected inputs, which is a significant concern for businesses deploying autonomous AI agents in customer service workflows.
Our security reviews cover a broad range of critical areas, including:
- Threat-Modeling Agentforce Agents: We conduct thorough assessments to identify potential vulnerabilities in your AI agents and associated workflows.
- Tools, Prompts, and Data Flows: We evaluate the security of the tools, prompts, and data flows used by Agentforce to ensure that all interactions are secure and data is handled responsibly.
- Salesforce Trusted URLs Enforcement: We validate that your system properly enforces trusted URLs to prevent unauthorized access or security breaches.
- CSP/Allowlist Ownership: We review and manage Content Security Policies (CSP) and ensure allowlist entries are up to date, removing stale or irrelevant domains to mitigate risk.
- Least-Privilege Tool Scopes: Our experts design and implement least-privilege access for tools and actions, ensuring that AI agents only have the necessary permissions, reducing the risk of misuse.
Where applicable, we align these security measures with Salesforce’s Trust Layer capabilities for policy enforcement and auditing. This ensures that your security protocols are in sync with Salesforce’s own infrastructure, providing a layered approach to protection.
Additionally, we implement output-sanitization and allowlist rendering for agent-generated HTML or links, ensuring that malicious content or unexpected code does not impact your system.
If you’re looking for a quick and comprehensive assessment of your AI security posture, we offer an Agentforce Security Posture Assessment. This service evaluates your agents, tools, prompts, and data flows, and identifies potential risks in key intake vectors like Web-to-Lead or Case fields.
We also check the enforcement of Trusted URLs and allowlist hygiene, ensuring least-privilege scopes are applied correctly. The result is a prioritized remediation plan, complete with concrete, ready-to-apply configuration changes to enhance the security and reliability of your Salesforce-powered automation.
Final Thoughts
ForcedLeak is a clear example that illustrates how agent autonomy can significantly shift the threat model. While enabling agents to act autonomously provides powerful efficiencies, it also introduces new vulnerabilities, especially when data security and system integrity are not carefully managed.
Trusted URLs enforcement is a crucial safeguard, but it should be seen as just one layer of a comprehensive security framework.
To maximize the benefits of Salesforce Agentforce while mitigating risks, you need more than just trusted URLs. Simple guardrails are essential. Start by ensuring that the data you ingest is clean and properly sanitized. This is vital for keeping AI-driven systems like Agentforce from acting on flawed or untrusted inputs.
Similarly, you must limit what agents can do within your platform by implementing the principle of least privilege for actions and access. This reduces the risk of unintended damage caused by malicious inputs or system vulnerabilities.
Additionally, monitoring for unusual behavior is just as critical as the other measures. Behavioral analytics can help detect when an agent, or an AI-powered assistant, is deviating from expected patterns, which could be an early sign of potential issues such as prompt injections, unauthorized actions, or data breaches.
These precautions help maintain operational efficiency and scalability while ensuring that your AI-driven customer service remains secure.
If you’re looking for a quick and practical assessment of your security posture and areas that need tightening, reach out to us using the form here.
Author
Jakub Stefniak
Field CTO
