Do you connect Salesforce to third-party apps like Salesloft Drift? If so, that integration could be the same pathway UNC6395 exploited to steal sensitive data from hundreds of organizations.
Google Cloud Threat Intelligence reported that in early August the financially motivated threat group UNC6395 gained access to numerous Salesforce environments by abusing OAuth tokens tied to the Salesloft Drift integration. Using these trusted tokens, the attackers were able to run queries directly against Salesforce objects and exfiltrate sensitive data without exploiting any vulnerabilities in the Salesforce platform itself. Google estimates that over 700 organizations were impacted.
What Happened
- Initial Access: UNC6395 obtained OAuth tokens associated with Drift, a third-party application commonly integrated with Salesforce.
- Data Exfiltration: With authenticated API access, the group issued SOQL queries against core Salesforce objects such as Users, Accounts, Opportunities, and Cases. The data pulled included not only customer and business records, but also AWS keys, Snowflake tokens, and passwords.
- Anti-Detection Measures: The attackers deleted query jobs after execution in an attempt to cover their tracks. Despite this, Google notes that audit logs still contained evidence of their activity.
- Remediation: On August 20, 2025, Salesforce and Salesloft revoked all active Drift OAuth tokens and removed the Drift app from AppExchange while notifying affected customers.
Why It Matters
The Drift incident highlights systemic weaknesses in SaaS environments rather than flaws in Salesforce itself:
- Persistent OAuth Tokens: These tokens can provide long-lasting access unless manually revoked.
- Over-permissive Integrations: Many connected apps request broad data access, which organizations approve without detailed review.
- Limited API Monitoring: Few enterprises monitor Salesforce API usage closely enough to spot suspicious queries or mass data exports.
- Stored Secrets: Credentials and access keys stored inside Salesforce fields magnified the impact once attackers were inside.
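As an added illustration (not code from this post or from Reveal Security), the Python sketch below shows the kind of audit-log review the monitoring gap above calls for: it walks constructed Salesforce-style audit records (field names are assumptions, not Salesforce's actual event schema) and flags bulk SOQL pulls of sensitive objects by a connected app, plus query jobs deleted shortly after they ran, the two behaviours described in the incident.

```python
"""Detection sketch for Drift-style OAuth token abuse in Salesforce audit data.
Assumption (not from the post): events are dicts shaped like SAMPLE_EVENTS below;
the field names are hypothetical, not Salesforce's official event schema."""
import re
from datetime import datetime, timedelta

SENSITIVE_OBJECTS = {"User", "Account", "Opportunity", "Case"}
BULK_ROW_THRESHOLD = 1000          # tune to the org's normal integration volume
DELETE_WINDOW = timedelta(minutes=10)
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

def soql_object(soql):
    """Return the object named in a SOQL FROM clause, or None."""
    m = FROM_RE.search(soql)
    return m.group(1) if m else None

def analyze(events):
    """Flag bulk SOQL pulls of sensitive objects by a connected app, and
    query-job deletions that closely follow the query. Returns findings."""
    findings = []
    query_time = {}  # (app, job_id) -> time the query job ran
    for ev in sorted(events, key=lambda e: e["ts"]):
        app, ts = ev["app"], datetime.fromisoformat(ev["ts"])
        if ev["op"] == "Query":
            obj = soql_object(ev["soql"])
            query_time[(app, ev["job_id"])] = ts
            if obj in SENSITIVE_OBJECTS and ev["rows"] >= BULK_ROW_THRESHOLD:
                findings.append(f"BULK_EXPORT app={app} object={obj} rows={ev['rows']}")
        elif ev["op"] == "DeleteJob":
            ran = query_time.get((app, ev["job_id"]))
            if ran is not None and ts - ran <= DELETE_WINDOW:
                findings.append(f"JOB_DELETED_AFTER_QUERY app={app} job={ev['job_id']}")
    return findings

# Constructed sample audit records (not real log data)
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:00:00", "app": "Drift", "op": "Query", "job_id": "750A",
     "soql": "SELECT Id, Name FROM Account", "rows": 12},
    {"ts": "2025-08-10T02:05:00", "app": "Drift", "op": "Query", "job_id": "750B",
     "soql": "SELECT Id, Subject, Description FROM Case", "rows": 48000},
    {"ts": "2025-08-10T02:07:00", "app": "Drift", "op": "DeleteJob", "job_id": "750B"},
    {"ts": "2025-08-10T09:00:00", "app": "Nightly ETL", "op": "Query", "job_id": "750C",
     "soql": "SELECT Id FROM Lead", "rows": 5000},
]

if __name__ == "__main__":
    print(*analyze(SAMPLE_EVENTS), sep="\n")
```

The small Account query and the nightly Lead export pass, while the 48,000-row Case pull and the job deleted two minutes later are both flagged; in practice the threshold and window should come from a per-app baseline rather than fixed constants.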
Broader Implications
UNC6395’s campaign fits into a growing trend of attackers targeting SaaS as an initial breach vector. Instead of malware or zero-days, they exploit the trust chain of widely used integrations. The techniques also echo what groups like Scattered Spider have demonstrated: leveraging stolen credentials or tokens, operating with legitimate tools, and blending into normal workflows to evade detection.
This incident reinforces that:
- SaaS ecosystems are now prime targets. One compromised integration can expose critical enterprise data.
- CRM systems hold more than contacts. Business strategy, revenue details, and even downstream access credentials can all be exposed.
- Threat actors are evolving. Campaign-style “live off the land” activity is replacing noisy, easily detected tactics.
How Reveal Security Can Help
Attacks like UNC6395’s Drift campaign demonstrate the importance of monitoring not just login activity, but behavioral anomalies in and across SaaS applications, whether those identities are human or machine. Reveal Security helps organizations address this challenge by:
- Detecting suspicious API activity and OAuth token abuse across Salesforce, Drift, Salesloft, Workday, and many other SaaS platforms.
- Monitoring both human and non-human identities to baseline normal behavior – both at login and post-authentication – and surface anomalies, even when attackers use legitimate tools.
- Correlating identity behavior across SaaS, cloud, and custom applications to identify suspicious activity including lateral movement, recon and credential re-use across the enterprise.
- Spotting behavioral anomalies early, so security teams can respond before attackers can exfiltrate sensitive data or pivot into other systems.
Conclusion
The UNC6395 Drift incident wasn’t about a Salesforce vulnerability. It was about the abuse of trusted integrations and weaknesses in the SaaS ecosystem that enabled attackers to impact more than 700 organizations.
Attackers aren’t focused only on endpoints anymore. They are targeting identities, SaaS applications and the broader SaaS supply chain. They are using stolen credentials and abusing APIs to breach applications. Defending against this requires monitoring for behavioral anomalies in both human and non-human identities across critical SaaS platforms. With Reveal Security, enterprises gain the ability to detect and stop these attacks where they happen: inside the applications that run the business. Contact us to learn more.