A cyber campaign compromised corporate Salesforce environments by abusing OAuth tokens issued to the Salesloft Drift third-party application. The incident exposed sensitive information across multiple organizations.
The campaign, attributed to UNC6395, was active between August 8 and August 18, 2025, and showed a high level of operational security awareness. The attackers ran SOQL queries against multiple Salesforce objects and used the results to steal authentication material and other sensitive data.
Key Highlights
- Attackers abused compromised Salesloft Drift OAuth tokens to gain unauthorized access.
- Credentials such as AWS access keys, Snowflake tokens, and passwords were extracted from data stored in Salesforce.
- All Drift tokens have been revoked; affected organizations must rotate any credentials that were stored in Salesforce data.
This campaign is a supply chain attack: it exploits the trust Salesforce customers place in integrated third-party applications. Because the access came through valid OAuth tokens, it looked like the integration's own API traffic, was not subject to MFA or password-login controls, and was hard to distinguish from normal activity.
OAuth Token Exploitation
According to the Google Threat Intelligence Group, the attackers used compromised OAuth access and refresh tokens belonging to the Salesloft Drift app to authenticate to target Salesforce instances.
This abused the OAuth 2.0 delegation model, under which a third-party app acts on a customer's Salesforce data with a scoped token rather than with user credentials. Whoever holds a valid refresh token can mint fresh access tokens until the grant is revoked, and no login or MFA prompt is involved.
UNC6395 ran systematic SOQL queries against key Salesforce objects, including Case, Account, User, and Opportunity. The attackers first ran COUNT() queries to size each object before exfiltrating its records.
Credential Harvesting
Salesloft reported that the attackers searched specifically for AWS access key IDs (strings beginning with AKIA), Snowflake credentials, passwords, and other authentication secrets stored in Salesforce custom fields.
Evidence from the intrusion shows the attackers scanning the stolen data for recognizable credential patterns, which indicates that credential harvesting, rather than generic data theft, was their primary objective.
Mitigations and Defensive Actions
On August 20, 2025, Salesforce and Salesloft revoked all OAuth tokens linked to the Drift app, cutting off the attackers' access. The application has since been removed from Salesforce AppExchange pending a full security review. Revoking the tokens ends further API access but does nothing about secrets already copied out of Salesforce data, which is why credential rotation remains necessary.
Organizations using the integration should apply the following measures:
- Review Event Monitoring logs for abnormal UniqueQuery events and suspicious Drift-related authentications, in particular COUNT() queries followed shortly by bulk retrieval of the same object.
- Scan Salesforce objects for secrets using tools such as TruffleHog, searching for terms like “AKIA”, “snowflakecomputing[.]com”, and other credential strings.
- Harden connected app permissions by limiting scopes, applying IP restrictions, and enforcing least privilege.
- Restrict the "API Enabled" permission, granting it only through Permission Sets to users who actually need API access.
- Tighten session timeout settings to shorten the window in which a compromised session remains usable.
This incident underscores the importance of securing third-party integrations. An OAuth grant to a connected app is standing access that outlives password changes and MFA policy, so continuous monitoring of OAuth-enabled applications is essential to protecting sensitive corporate data from supply chain attacks.
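The credential search described under Credential Harvesting and the TruffleHog-style scan recommended above are the same operation run by opposite sides. The following is an added example, not code from GTIG, Salesloft or TruffleHog: it scans an export of Salesforce records for the credential types named in this incident. The AWS access key ID format is AWS's public format; the Snowflake host and password-assignment patterns, the custom field Snowflake_Host__c, the record IDs and all field values are this example's own assumptions (the AWS key is AWS's documented placeholder key, not a real credential).

```python
import re
from dataclasses import dataclass

# Signatures for the credential types reported in this incident. The AWS access
# key ID format (AKIA followed by 16 uppercase alphanumerics) is AWS's public
# format; the Snowflake host and password-assignment patterns are this
# example's own assumptions, not a published ruleset, and will need tuning.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_account": re.compile(r"\b[a-z0-9][a-z0-9.-]*\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.I),
}


@dataclass(frozen=True)
class Finding:
    sobject: str
    record_id: str
    field: str
    kind: str
    redacted: str


def redact(secret: str) -> str:
    """Keep only the first and last four characters so a findings report can be
    shared without re-leaking the secret it describes."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_record(sobject: str, record: dict) -> list:
    """Scan every string field of one exported record against PATTERNS."""
    findings = []
    record_id = record.get("Id", "?")
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(value):
                # group(1) isolates the password itself; the other patterns
                # match the whole token.
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(sobject, record_id, field, kind, redact(secret)))
    return findings


def scan_export(export: dict) -> list:
    """export maps sObject name -> list of records, the shape a Bulk API or
    sf CLI JSON export is easily reduced to."""
    return [f for sobject, records in export.items()
            for record in records
            for f in scan_record(sobject, record)]


# Constructed sample export: IDs, values and the custom field Snowflake_Host__c
# are invented for this example; the AWS key is AWS's documented placeholder.
SAMPLE_EXPORT = {
    "Case": [
        {"Id": "500xx0000000001AAA", "Subject": "Pipeline failing",
         "Description": "Temp creds attached: AKIAIOSFODNN7EXAMPLE, see secure note"},
        {"Id": "500xx0000000002AAA", "Subject": "Invoice question",
         "Description": "Customer asked for a copy of last month's invoice."},
    ],
    "Account": [
        {"Id": "001xx0000000001AAA", "Name": "Acme Corp",
         "Snowflake_Host__c": "acme-prod.us-east-1.snowflakecomputing.com"},
    ],
    "Opportunity": [
        {"Id": "006xx0000000001AAA", "Name": "Acme renewal",
         "Notes__c": "portal login: svc_acme password=Winter2025!"},
    ],
}

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"{f.sobject}.{f.field} ({f.record_id}): {f.kind} -> {f.redacted}")
```

Each hit identifies the object, record and field so the owner can remove the secret from Salesforce and rotate it; the report carries only a redacted form of the value, since a findings list that contains live keys is itself a leak.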
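The log review recommended above is looking for the query pattern described under OAuth Token Exploitation: a COUNT() to size an object, then a bulk SELECT of that object by the same connected app and user. The following is an added example, not code from GTIG, Salesforce or Salesloft, that runs that detection over exported query events. The row shape (ts, app, user, query) is this example's simplification and not the real Event Monitoring schema; map it onto the connected-app, user and query-text fields of whatever event type you export. The sample rows, IDs and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# Pulls the SELECT list and the target sObject out of a SOQL statement so the
# bare COUNT() sizing form can be told apart from a field-level export.
QUERY_RX = re.compile(r"^\s*SELECT\s+(?P<select>.+?)\s+FROM\s+(?P<sobject>\w+)", re.I | re.S)


def parse_query(query: str):
    """Return {'sobject': ..., 'is_count': ...} or None for non-SELECT text."""
    m = QUERY_RX.match(query)
    if not m:
        return None
    select = m.group("select").strip()
    is_count = re.fullmatch(r"COUNT\(\s*\)", select, re.I) is not None
    return {"sobject": m.group("sobject"), "is_count": is_count}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_count_then_dump(events, window_minutes: int = 30):
    """Flag a COUNT() on an object that is followed, by the same connected app
    and user within the window, by a non-COUNT SELECT on that same object."""
    window = timedelta(minutes=window_minutes)
    pending = {}   # (app, user, sobject) -> timestamp of the last COUNT()
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        parsed = parse_query(ev["query"])
        if parsed is None:
            continue
        key = (ev["app"], ev["user"], parsed["sobject"].lower())
        ts = parse_ts(ev["ts"])
        if parsed["is_count"]:
            pending[key] = ts          # remember the sizing query
            continue
        count_ts = pending.get(key)
        if count_ts is not None and ts - count_ts <= window:
            alerts.append({
                "app": ev["app"], "user": ev["user"], "sobject": parsed["sobject"],
                "count_at": count_ts.isoformat(), "dump_at": ts.isoformat(),
                "dump_query": ev["query"],
            })
            del pending[key]          # one alert per COUNT()/dump pair
    return alerts


# Constructed sample rows (column names are this example's simplification of an
# Event Monitoring export, not the real schema; IDs, times and queries invented).
SAMPLE_EVENTS = [
    {"ts": "2025-08-12T03:14:05Z", "app": "Salesloft Drift", "user": "005xx0000000001AAA",
     "query": "SELECT COUNT() FROM Case"},
    {"ts": "2025-08-12T03:14:09Z", "app": "Salesloft Drift", "user": "005xx0000000001AAA",
     "query": "SELECT COUNT() FROM Account"},
    {"ts": "2025-08-12T03:15:40Z", "app": "Salesloft Drift", "user": "005xx0000000001AAA",
     "query": "SELECT Id, Subject, Description, Comments__c FROM Case"},
    {"ts": "2025-08-12T03:16:02Z", "app": "Salesloft Drift", "user": "005xx0000000001AAA",
     "query": "SELECT Id, Name, Notes__c FROM Account"},
    # Ordinary integration lookup: no preceding COUNT(), so not flagged.
    {"ts": "2025-08-12T09:00:00Z", "app": "Salesloft Drift", "user": "005xx0000000001AAA",
     "query": "SELECT Id, Name FROM Lead WHERE Email = 'x@example.com'"},
    # Admin tooling with a five-hour gap between sizing and export: outside the window.
    {"ts": "2025-08-12T09:30:00Z", "app": "Data Loader", "user": "005xx0000000002AAA",
     "query": "SELECT COUNT() FROM Opportunity"},
    {"ts": "2025-08-12T14:30:00Z", "app": "Data Loader", "user": "005xx0000000002AAA",
     "query": "SELECT Id, Name FROM Opportunity"},
]

if __name__ == "__main__":
    for a in detect_count_then_dump(SAMPLE_EVENTS):
        print(f"[{a['app']}] {a['user']} sized {a['sobject']} at {a['count_at']} "
              f"then dumped it at {a['dump_at']}: {a['dump_query']}")
```

The window and the per-app baseline are the tuning knobs: a short window catches the sizing-then-export rhythm of a bulk collector, while a legitimate integration that only ever reads Lead and Contact will show up the first time it touches Case or Opportunity at all.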