It began, as these incidents often do, with a phone call.
An employee, possibly busy and a bit rushed, answered what seemed to be a routine call from IT support. The caller was professional, courteous, and spoke with a sense of urgency. They claimed there was a problem with Salesforce data access and asked the employee to download an updated version of a familiar tool: the Salesforce Data Loader.
But the file didn’t come from Salesforce. And once it was installed, the attackers had exactly what they needed.
This is the pattern behind a recent and highly targeted cyberattack uncovered by Google’s Threat Intelligence team. The group responsible, known as UNC6040, uses voice phishing (vishing) to deceive employees. Their goal isn’t to steal credentials, but to exploit trust.
Salesforce has responded by reiterating the shared responsibility model in cloud security. “Salesforce has enterprise-grade security built into every part of our platform,” a spokesperson said. “There’s no indication the issue described stems from any vulnerability inherent to our services. Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness.”
At Aquiva Labs, we help organizations build and safeguard complex Salesforce environments. This campaign is a reminder that human error can be just as significant as technical flaws. Defending your Salesforce org means addressing both dimensions.
The Nature of the Threat
Unlike attacks that exploit software vulnerabilities, this one relies entirely on social engineering. The attackers impersonate internal IT support, convincing users to download a fake version of Salesforce’s Data Loader.
Once installed, the malicious tool gives them access to sensitive Salesforce data. They then extract that data and use it for extortion.
This is not a failure in Salesforce’s security. It is a manipulation of the people who depend on the platform.
What You Can Do Right Now
Protecting your Salesforce environment takes more than well-written code. It also requires clear policies, informed teams, and proactive oversight. Aquiva Labs recommends the following steps:
- Train for Judgment, Not Just Compliance
Security training should go beyond mandatory e-learning. Use simulations, real-world scenarios, and interactive exercises to help your team recognize and reject social engineering attempts.
- Tighten Application Governance
Review all applications connected to your Salesforce instance. Are they approved, actively monitored, and adhering to the principle of least privilege? Implement safeguards to block the use of unauthorized tools and unverified downloads.
- Enforce Multi-Factor Authentication Across the Board
If credentials are compromised, multi-factor authentication can still prevent unauthorized access. Require it for everyone, especially users with elevated privileges.
- Restrict Access by IP and Role
Limit access to trusted IP addresses and ensure that user roles are narrowly defined. The more permissions a user has, the greater the potential damage if their account is compromised.
- Review Your Security Regularly
Threats continue to evolve, and your defenses should evolve with them. Regular audits can help you identify overlooked risks in access settings, integrations, or workflows.
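The application-governance and IP-restriction checks above can be run as a recurring audit over an exported inventory of app authorizations. The sketch below is an added example, not Aquiva Labs or Salesforce code; the field names, app identifiers, scope labels and addresses are all constructed assumptions, and approval is decided by identifier so that a tool merely named like Data Loader is flagged.

```python
import ipaddress
import re

# Everything below is constructed for illustration: the field names, app
# identifiers, scope labels and addresses are assumptions, not Salesforce's.
APPROVED = {
    "app-001": {"name": "Data Loader", "scopes": {"api"}},
    "app-002": {"name": "Marketing Sync", "scopes": {"read_contacts"}},
}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

INVENTORY = [  # one row per (application, user) authorization
    {"app_id": "app-001", "app_name": "Data Loader", "user": "ops1",
     "scopes": ["api"], "last_ip": "203.0.113.10"},
    {"app_id": "app-913", "app_name": "Data-Loader", "user": "sales7",
     "scopes": ["api", "full"], "last_ip": "192.0.2.44"},
    {"app_id": "app-002", "app_name": "Marketing Sync", "user": "mkt3",
     "scopes": ["read_contacts", "api"], "last_ip": "198.51.100.200"},
]


def _norm(name):
    """Fold case and punctuation so 'Data-Loader' compares equal to 'Data Loader'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit(rows, approved=APPROVED, nets=TRUSTED_NETS):
    """Return (user, app_id, finding) tuples for rows that break policy."""
    approved_names = {_norm(a["name"]) for a in approved.values()}
    findings = []
    for row in rows:
        entry = approved.get(row["app_id"])
        if entry is None:
            # The identifier, not the display name, decides approval.
            kind = "lookalike_name" if _norm(row["app_name"]) in approved_names else "unapproved_app"
            findings.append((row["user"], row["app_id"], kind))
        else:
            extra = set(row["scopes"]) - entry["scopes"]  # least privilege
            if extra:
                findings.append((row["user"], row["app_id"], "excess_scope:" + ",".join(sorted(extra))))
        ip = ipaddress.ip_address(row["last_ip"])
        if not any(ip in net for net in nets):
            findings.append((row["user"], row["app_id"], "untrusted_ip"))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep="\t")
```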
How Aquiva Labs Can Support You
Aquiva Labs partners with both high-growth companies and large enterprises to create resilient Salesforce environments from the ground up. Our approach blends performance, scalability, and built-in security, all designed to stand up to advanced human-led threats.
We provide expertise in:
- Security posture assessments
- Salesforce Shield setup and configuration
- Role- and risk-based access modeling
- Secure DevOps and governance frameworks
Whether you’re building a new system or revisiting an existing one, we help integrate security into the foundation of your architecture rather than treating it as an afterthought.
Final Thoughts
The most dangerous breaches don’t always begin with a firewall alert. Sometimes they start with a convincing voice on the phone.
This latest campaign should serve as a serious warning for every Salesforce customer. It’s not just about securing your platform: it’s also about preparing your people.
If you’re unsure whether your Salesforce environment could withstand a threat like this, let’s talk. A brief consultation can help you reinforce your defenses and give you greater peace of mind.
Contact us below to schedule a security review or to learn how we make security a fundamental part of every Salesforce deployment.
Author
Jakub Stefaniak
Field CTO