{
	"id": "c3037ae7-7366-4009-9ad1-d85e0d6c94ac",
	"created_at": "2026-04-06T00:13:11.666916Z",
	"updated_at": "2026-04-10T13:11:32.862345Z",
	"deleted_at": null,
	"sha1_hash": "70cce569a80ac96ac7b8c9cccc5ca86d93572173",
	"title": "What Salesforce Organizations Need to Know About ShinyHunters and Vishing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64700,
	"plain_text": "What Salesforce Organizations Need to Know About ShinyHunters and\r\nVishing\r\nBy Varonis Threat Labs\r\nPublished: 2025-07-25 · Archived: 2026-04-02 12:44:50 UTC\r\nIn the world of cybersecurity, the most dangerous adversaries aren’t always the ones exploiting zero-days or deploying\r\nsophisticated malware. Increasingly, they’re the ones who simply talk their way in. \r\nThe recent wave of Salesforce-related breaches orchestrated by Scattered Spider (UNC3944) and UNC6040, also known as\r\nShinyHunters, is a chilling example of this shift. These groups didn’t need to break down the door — they convinced\r\nsomeone to open it for them. \r\nThese attacks are designed to steal sensitive data and extort organizations — posing a serious risk to any business that relies\r\non Salesforce as a central hub for customer, sales, and operational data, which is an attractive target for attackers like\r\nUNC6040 and UNC3944.\r\nA successful breach could result in data loss, regulatory consequences, reputational damage, and financial extortion.\r\nUnderstanding and defending against vishing threats is critical to safeguarding the integrity of Salesforce environments and\r\nmaintaining trust with clients, partners, and stakeholders. \r\nWho are ShinyHunters and Scattered Spider?\r\nIn today’s cybersecurity landscape, the most dangerous adversaries aren’t necessarily those exploiting zero-days or\r\ndeploying advanced malware — they’re the ones who talk their way in.\r\nUNC6040 (also known as ShinyHunters) and UNC3944 (known as Scattered Spider) are two of the most active threat\r\ngroups targeting cloud platforms like Salesforce. Their campaigns rely heavily on social engineering, particularly vishing, to\r\ngain unauthorized access to sensitive customer data.\r\nScattered Spider is a young, US/UK-based crew known for breaching organizations in\r\nthe hospitality, telecommunications, financial services, and retail sectors. 
Their tactics include SIM swapping,\r\nphishing, and MFA bypass. Despite arrests in 2024, copycat operations continue to surface.\r\nShinyHunters began as a mass data theft gang and pivoted in 2024 to cloud platform extortion. They’ve targeted\r\ncompanies across luxury goods, airlines, insurance, and e-commerce, stealing customer data and demanding ransoms.\r\nTheir recent campaigns have focused on Salesforce environments, often in collaboration with Scattered Spider.\r\nThese groups have impacted dozens of organizations globally, compromising millions of customer records. The industries\r\naffected include:\r\nLuxury retail: High-end brands saw breaches involving VIP customer data and regional client platforms.\r\nTravel \u0026 airlines: Frequent-flyer databases were accessed, exposing contact and travel details.\r\nFinancial services \u0026 insurance: Cloud-based CRM systems were infiltrated, affecting policyholder data.\r\nConsumer goods \u0026 apparel: Customer service platforms were compromised, leaking personal information.\r\nTechnology \u0026 telecom: Attackers used SIM swaps and phishing to bypass authentication and access internal\r\nsystems.\r\nHow the attack works \r\nRather than exploiting software vulnerabilities, these attackers manipulated human behavior like impersonating IT support,\r\nabusing helpdesk workflows, and leveraging Salesforce’s OAuth model to maintain persistent access. Their campaigns\r\ndemonstrate how trust and routine processes can be weaponized to devastating effect.\r\nThese attacks typically begin with a phone call from someone posing as IT support. The attack operators use a combination\r\nof live calls and automated phone systems with pre-recorded messages and interactive menus. These systems help them\r\ngather reconnaissance, such as internal application names, support team contacts, and company-wide technical issues, before\r\nengaging targets directly. 
\r\nOnce on the call, the attacker instructs the victim to install a modified version of Salesforce’s Data Loader — a legitimate\r\ntool used to import, export, and update Salesforce data in bulk. The malicious version is often disguised under a different\r\nname, like “My Ticket Portal.” \r\nVictims are guided to Salesforce’s connected app setup page and asked to authorize the malicious app. This grants the\r\nattacker access to the organization’s Salesforce environment, enabling them to exfiltrate large volumes of customer and\r\noperational data. \r\nhttps://www.varonis.com/blog/salesforce-vishing-threat-unc604\r\nPage 1 of 4\n\nFrom there, the attackers move laterally across the network, targeting other platforms. The group harvests credentials and\r\nsensitive data from these systems, often without triggering security policies and alerts. \r\nHere is a technical breakdown of the attack flow: \r\nDevice code generation\r\nThe attacker (hacker) initiates the OAuth Device Flow using their local Salesforce Data Loader.\r\nThis generates an 8-character device code that is meant to be entered by a legitimate user.\r\nData Loader waits for authentication\r\nThe attacker's Data Loader instance is now listening for a successful authentication tied to that device code,\r\ncompleted by the victim.\r\nSocial engineering\r\nThe attacker tricks an employee (e.g., via phishing, impersonation, or urgent request) into visiting:\r\nhttps://login.salesforce[.]com/setup/connect\r\nThe victim is then asked to enter the 8-character code, believing it's a legitimate request by a trusted entity.\r\nUser consent and credential entry\r\nThe employee authorizes the request, unknowingly granting access to the attacker's Data Loader.\r\nThey also enter their Salesforce credentials, completing the OAuth flow.\r\nAccess token granted\r\nSalesforce issues an access token to the attacker’s Data Loader instance.\r\nThis token allows the attacker to act on behalf of the victim, accessing data 
or performing actions within\r\nSalesforce.\r\nIn some cases, extortion attempts occur months after the initial breach. During these campaigns, UNC6040 has claimed\r\naffiliation with the ShinyHunters group, which is likely to increase pressure on victims and accelerate ransom payments. \r\nWhy Salesforce orgs should be concerned \r\nSalesforce environments are increasingly targeted by threat actors like UNC6040 and Scattered Spider due to the rich\r\ncustomer, sales, and operational data they contain. The 2025 campaign has already impacted organizations across a wide\r\nrange of industries, including:\r\nThese breaches didn’t stem from vulnerabilities in Salesforce itself. Instead, attackers exploited human trust and workflow\r\ngaps — impersonating IT support, abusing helpdesk protocols, and leveraging Salesforce’s OAuth model to maintain\r\npersistent access.\r\nThe consequences have been severe:\r\nMillions of customer records were exposed, including names, contact details, birthdates, and loyalty information.\r\nFinancial losses ranged from hundreds of thousands to tens of millions of dollars, including ransom payments,\r\nincident response costs, and regulatory fines.\r\nReputational damage was especially significant for luxury and financial brands entrusted with sensitive client data.\r\nIn many cases, the breaches went undetected until attackers sent extortion emails or law enforcement tipped off the victims.\r\nThis underscores the need for proactive monitoring, user education, and robust identity controls to defend against social\r\nengineering and cloud data theft.\r\nMandiant, a Google-owned threat intelligence firm, emphasized that vishing campaigns like UNC6040’s are built on\r\nextensive reconnaissance. The normalization of remote IT support and outsourced service desks has made employees more\r\nsusceptible to engaging with unfamiliar personnel — creating fertile ground for social engineering. 
\r\nWhile Salesforce has issued guidance to help customers protect themselves, implementing these controls manually can be\r\ntime-consuming and error-prone. That’s where Varonis comes in. \r\nSalesforce acknowledged UNC6040’s campaign in March 2025, warning that attackers were impersonating IT support to\r\ntrick employees into giving away credentials or approving malicious connected apps. The company emphasized that these\r\nincidents did not involve or originate from any vulnerabilities in its platform. \r\nSalesforce also published guidance to help customers protect their environments from social engineering, including best\r\npractices for app authorization and user training. \r\nHow Varonis helps secure data in Salesforce\r\nVaronis isn’t just compatible with Salesforce — it’s purpose-built to secure it.\r\nWith Varonis for Salesforce, users can automatically eliminate risky misconfigurations, find and remediate exposed sensitive\r\ndata, and detect anomalous behavior. Our platform bridges the gap between security and Salesforce teams, helping both\r\nsides work together to reduce risk.\r\nVaronis also simplifies Salesforce's complex permissions and automatically surfaces users assigned high-risk entitlements\r\nwith a real-time, interactive view across users, profiles, and permission sets.\r\nWhen it comes to defending against threats like UNC6040, Salesforce recommends a series of best practices that Varonis\r\nautomates and simplifies:\r\nHow to defend against vishing \r\nWhen it comes to protecting your data from threat actors like UNC3944 (aka Scattered Spider), organizations should\r\nconsider the following proactive defenses:  \r\nEducate employees about social engineering tactics. Make it clear that IT will never ask them to install or authorize\r\napps over the phone. \r\nImplement strict app authorization policies in platforms like Salesforce and Microsoft 365. 
\r\nMonitor connected apps and audit for unusual authorizations or access patterns. \r\nUse behavioral analytics to detect lateral movement and data exfiltration. \r\nAdopt a Zero Trust model — never trust, always verify. \r\nHarden identity infrastructure by enforcing phishing-resistant MFA, restricting self-service password resets, and\r\nmonitoring for suspicious identity activity. \r\nLimit access to administrative tools and enforce just-in-time access provisioning. \r\nSimulate vishing attacks as part of regular security awareness training to test and reinforce employee vigilance. \r\nImmediate recommended actions from Salesforce include: \r\nAudit and restrict connected app permissions in Salesforce. \r\nEnforce least privilege access across all systems\r\nApply IP-based login controls\r\nConfigure and deploy Salesforce Shield and other monitoring tools for early detection\r\nDetection and hunting strategies\r\nUNC6040 and Scattered Spider are experts at blending in. Their attacks often mimic legitimate user behavior, making early\r\ndetection difficult. But with the right visibility and controls, security teams can catch subtle signs before damage is done.\r\nHere’s how to stay ahead.\r\nMonitor connected app activity\r\nSalesforce allows users to self-authorize external connected apps by default. Attackers exploit this to install rogue apps that\r\nquietly siphon data.\r\nTo reduce risk:\r\nAudit new connected apps regularly. Flag anything authorized by non-admins, especially apps with names like\r\n“MyTicketingPortal” or “SalesforceDataLoader123.”\r\nRestrict app access by setting the OAuth policy to “Admin approved users are pre-authorized.” Then manage access\r\nvia profiles or permission sets.\r\nEnforce IP restrictions, limit refresh token validity, and set session timeouts to prevent indefinite access.\r\nUse Salesforce audit logs\r\nSalesforce’s built-in logging, or Shield event monitoring, can surface suspicious behavior:\r\nOAuth token abuse. 
Watch for high-volume API calls from users who don’t normally access large datasets.\r\nConcurrent sessions. If a user is logged in via SSO and also active via API from a different IP, investigate.\r\nNew app authorizations. Treat unexpected app installs as potential compromise.\r\nWatch for authentication anomalies\r\nAttackers often trigger subtle authentication red flags:\r\nImpossible travel. If a user logs in from New York and then Belarus minutes later, raise an alert.\r\nOff-hours access. Data pulls at 3 AM from a 9-to-5 user? That’s suspicious.\r\nMFA fatigue. A flood of push notifications could mean someone is trying to wear down a user into approving access.\r\nEmpower employees to report suspicious IT contact\r\nOne fake IT call can open the door. Encourage staff to speak up:\r\nIf someone says, “I got a weird call asking me to do something in Salesforce,” treat it like a fire alarm.\r\nMake it easy to verify IT requests, whether through a callback process or a dedicated reporting channel.\r\nUse threat intelligence \r\nStay plugged into threat intel feeds from CISA, FBI, and ISACs. Known indicators of compromise, such as attacker VoIP\r\nnumbers, phishing domains, or extortion email addresses, can help you spot active campaigns in your environment.\r\nWorried about your Salesforce exposure?\r\nUNC6040’s campaign is a stark reminder that attackers aren’t breaking in — they’re logging in. Their use of vishing,\r\nlegitimate tools, and delayed extortion tactics shows how human error can compromise even the most secure platforms.\r\nTo stay ahead, organizations must combine technical controls with user education. 
The best way to understand your\r\nSalesforce data security posture and determine if UNC6040 is a serious threat is with a free Salesforce Data Risk\r\nAssessment from Varonis.\r\nOur Salesforce Data Risk Assessments are built to not only summarize your data security risks but also provide actionable\r\nrecommendations for simpler, safer permission structures. Discover all Varonis for Salesforce has to offer in this quick 4-minute demo. \r\nIf you believe your organization has been impacted by UNC6040 or UNC3944, contact our team immediately.\r\nSource: https://www.varonis.com/blog/salesforce-vishing-threat-unc604",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.varonis.com/blog/salesforce-vishing-threat-unc604"
	],
	"report_names": [
		"salesforce-vishing-threat-unc604"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70929bd1-2bf9-4689-bfff-2bc6b113d3ed",
			"created_at": "2026-01-20T02:00:03.666874Z",
			"updated_at": "2026-04-10T02:00:03.916254Z",
			"deleted_at": null,
			"main_name": "UNC6040",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6040",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434391,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70cce569a80ac96ac7b8c9cccc5ca86d93572173.pdf",
		"text": "https://archive.orkl.eu/70cce569a80ac96ac7b8c9cccc5ca86d93572173.txt",
		"img": "https://archive.orkl.eu/70cce569a80ac96ac7b8c9cccc5ca86d93572173.jpg"
	}
}