How Fake IT Calls Are Fueling Salesforce Data Extortion

It starts with a phone call. A convincing voice claims to be IT support, guiding employees through what appears to be a routine security step. But behind that friendly tone lies a calculated scheme, one that has already led to the theft of valuable business data from multiple organizations.

Google’s Threat Intelligence Group (GTIG) recently revealed details about UNC6040, a financially motivated hacking cluster exploiting trust over the phone to infiltrate Salesforce systems. What’s more, months after the theft, victims are facing a second blow: extortion attempts under the notorious “ShinyHunters” banner.

How the scheme works

Unlike attacks that exploit software flaws, UNC6040’s playbook is built on manipulating people. Operators call company staff, usually in English-speaking branches of multinational businesses, pretending to be IT support. With convincing instructions, they trick victims into authorizing a malicious connected app inside Salesforce.

This app often mimics Salesforce’s legitimate Data Loader, a tool for moving large volumes of information. Once authorized, the fake application quietly siphons customer and business data. In some cases, attackers rebranded the tool with names like “My Ticket Portal” to match their phone scam narrative.

The group’s tactics have evolved. Originally, they created Salesforce trial accounts to test their apps. More recently, they’ve begun using compromised accounts from other organizations to cover their tracks, and they route their traffic through anonymizing services such as Mullvad VPN and Tor to obscure where they operate from.

Why Salesforce is a prime target

Salesforce sits at the heart of many companies’ customer operations. Contact lists, transaction histories, and client communications all flow through the platform, making it a gold mine for attackers. Salesforce itself is not being exploited; the weakness lies in how organizations configure and use it. When broad sets of users can authorize connected apps or run bulk exports, a single persuaded employee is all the attacker needs, which is exactly what the social engineering takes advantage of.

Experts warn that the combination of technical access through tools like Data Loader and the personal touch of vishing calls makes this campaign especially effective. In one case, attackers exfiltrated only a fraction of data before being cut off; in another, they escalated quickly to extract entire tables after testing the limits. The variation suggests multiple operators with different skill levels are running similar playbooks under the same banner.

What organizations can do now

So, how do companies fight back? Google’s report emphasizes a layered defense: using Salesforce's built-in security controls and tightening internal processes. Key recommendations include:

  • Restricting Data Loader permissions to only essential staff.
  • Closely monitoring and approving connected apps, while limiting who can install them.
  • Enforcing IP restrictions to block logins from suspicious locations.
  • Using Salesforce Shield to flag unusual downloads or API activity.
  • Strengthening multi-factor authentication (MFA) while training employees to spot social engineering tricks. Note that MFA alone does not stop this vector: the victim is already logged in when they authorize the malicious app, so the authorization itself must be controlled.
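The monitoring items above boil down to three questions for every API session: is this connected app one we approved, is this user allowed to bulk-export at all, and how many rows have gone out? As an added example (not code from Google's report or from Salesforce), here is that detection logic run over constructed log lines. The column names are a simplified assumption loosely modelled on Salesforce Event Monitoring exports, and APPROVED_APPS, BULK_EXPORT_USERS and ROW_THRESHOLD are hypothetical allowlists and tuning values you would replace with your own.

```python
"""
Detection sketch for the UNC6040-style pattern: an unexpected connected app
(often posing as Data Loader) pulling large row counts through the API.
Added example, not code from Google's report or from Salesforce.
Assumption: the CSV columns below are a simplified stand-in for Salesforce
Event Monitoring fields; real exports carry many more columns.
"""
import csv
import io
from collections import defaultdict

# Connected apps the admins have actually approved (hypothetical allowlist).
APPROVED_APPS = {"Salesforce Data Loader", "Acme Sales Dashboard"}
# Users permitted to run bulk exports (hypothetical allowlist).
BULK_EXPORT_USERS = {"dataops@example.com"}
# Rows per (user, app) in the window above which we alert (tuning assumption).
ROW_THRESHOLD = 50_000

# Constructed sample log, one row per API call. Not real telemetry.
SAMPLE_LOG = """\
timestamp,user,client_name,api_type,entity,rows,client_ip
2025-06-02T09:01:10Z,dataops@example.com,Salesforce Data Loader,Bulk,Account,40000,203.0.113.10
2025-06-02T09:05:43Z,jdoe@example.com,My Ticket Portal,Bulk,Contact,120000,198.51.100.7
2025-06-02T09:06:01Z,jdoe@example.com,My Ticket Portal,Bulk,Account,95000,198.51.100.7
2025-06-02T09:20:00Z,asmith@example.com,Acme Sales Dashboard,REST,Opportunity,200,203.0.113.22
2025-06-02T09:31:12Z,jdoe@example.com,Salesforce Data Loader,Bulk,Lead,30000,198.51.100.7
"""


def parse_log(text):
    """Parse the CSV text into dicts, converting the row count to int."""
    records = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["rows"] = int(rec["rows"])
        records.append(rec)
    return records


def find_alerts(records, approved_apps=APPROVED_APPS,
                bulk_users=BULK_EXPORT_USERS, row_threshold=ROW_THRESHOLD):
    """Return (rule, user, client_name, detail) tuples, one per finding."""
    alerts = []
    totals = defaultdict(int)  # (user, client_name) -> rows pulled
    for r in records:
        totals[(r["user"], r["client_name"])] += r["rows"]
        # Rule 1: a connected app nobody approved. UNC6040 rebranded its tool
        # as e.g. "My Ticket Portal"; an unfamiliar client name is the first signal.
        if r["client_name"] not in approved_apps:
            alerts.append(("unapproved_app", r["user"], r["client_name"], r["entity"]))
        # Rule 2: bulk API use by a user outside the export allowlist, even via a
        # legitimately named client. The name can be spoofed; the permission cannot.
        if r["api_type"] == "Bulk" and r["user"] not in bulk_users:
            alerts.append(("bulk_by_nonexport_user", r["user"], r["client_name"], r["entity"]))
    # Rule 3: volume. Summing per (user, app) catches several medium pulls that
    # individually stay under the threshold, the "testing the limits" behaviour.
    for (user, app), n in totals.items():
        if n > row_threshold:
            alerts.append(("volume", user, app, f"{n} rows"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(*alert, sep=" | ")
```

Rule 2 is the one to keep even if you trust your app allowlist: the final sample row shows a non-export user driving the genuinely named Data Loader, which is exactly the "restrict Data Loader permissions" item in practice. IP restrictions belong in the login policy rather than in log review, since an anonymized source address only tells you where the attacker is not.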

Simply put, technology will not solve the problem on its own. The human element remains the most effective defense, with employees being trained to pause, verify, and question unexpected IT requests.

The UNC6040 campaign highlights a troubling trend: attackers are finding that a simple phone call can be more effective than the most sophisticated malware. And with extortion tactics evolving, companies may face pressure months after an initial breach.

Still, there's reason for optimism. By sharing visibility into these threats, Google and other industry leaders are helping organizations prepare before the next suspicious call comes through. The challenge now is whether companies can move quickly enough to turn awareness into action.
