The New Cybercrime Playbook: Voice Phishing Meets Cloud Intrusion
A newly uncovered social-engineering campaign has revealed how cybercriminals continue to exploit human vulnerabilities in highly connected cloud environments. Google's Threat Intelligence Group has identified a financially motivated hacking group, UNC6040, as the orchestrator behind a string of targeted attacks on Salesforce customers. The attackers tricked employees from approximately 20 companies across the Americas and Europe into installing a counterfeit version of Salesforce's Data Loader tool. This manipulation enabled the hackers to breach cloud networks, harvest sensitive data, and attempt extortion. As enterprise ecosystems increasingly adopt cloud integrations, identity-based threats are becoming more dangerous, especially when attackers impersonate trusted IT personnel and bypass technical safeguards like multi-factor authentication.
Campaign Summary: A 30-Line Overview of the Threat
UNC6040, a financially motivated cybercrime group, has successfully breached the systems of about 20 organizations by exploiting human error, rather than software vulnerabilities. The group posed as IT support personnel and manipulated employees into installing a malicious version of Salesforce’s Data Loader. By doing so, they were able to capture credentials and authentication codes, gain unauthorized access to corporate systems, and conduct further infiltration into connected services such as Okta, Microsoft 365, and Workplace. These targeted attacks have primarily affected sectors like hospitality, retail, and education, with companies based across North and South America as well as Europe.
Google's analysis reveals that UNC6040 initiated the breaches by calling employees and falsely claiming there was an open IT ticket. Victims were directed to phishing websites, including fake Salesforce pages, where they were tricked into entering OAuth-based codes, effectively granting hackers backend access to their cloud infrastructure. From there, attackers exfiltrated data and began moving laterally to infiltrate associated platforms. Google suspects UNC6040 has some operational similarities to a cybercriminal syndicate known as "The Com," although UNC6040 appears to specialize in targeting Salesforce data specifically.
Salesforce itself maintains that its platform has no inherent vulnerabilities, asserting that the breaches occurred due to social engineering and user missteps. The company reiterated that security must be a shared responsibility between the platform provider and its users. Despite the limited number of affected organizations, the nature of this campaign demonstrates the evolving sophistication of phishing and identity-based intrusions, especially as companies rely on integrations and single sign-on systems that can be compromised through a single user's error.
What Undercode Says:
Human Weakness Remains the Ultimate Backdoor
UNC6040's attack strategy highlights a brutal truth in cybersecurity: technology isn't always the weakest link; humans are. Despite Salesforce's platform-level security, attackers needed only to exploit one user's misplaced trust to unlock entire systems. This tactic circumvents technical controls like OAuth and MFA, which are often considered security cornerstones, proving that social-engineering attacks can neutralize even the most advanced protocols when users aren't adequately trained.
Cloud Complexity Creates Opportunity
Modern corporate environments thrive on cloud-based services and integrated ecosystems, but this interconnectivity also expands the attack surface. When one platform is breached, attackers can cascade into others. UNC6040's campaign showcases this danger. Gaining access to Salesforce allowed lateral movement into services like Okta and Microsoft 365, escalating the scope of compromise. As companies continue to adopt tools that streamline access across departments, attackers are increasingly targeting these integration points.
Voice Phishing: The Silent Killer
Voice phishing (vishing) is resurging as a weapon of choice. Employees are more likely to comply when a seemingly knowledgeable IT support agent calls them directly. By crafting believable narratives and mimicking internal processes, attackers manipulate users into surrendering credentials or installing rogue applications. The fact that this campaign succeeded using fake IT tickets and eight-digit verification codes shows how social-engineering tactics are evolving beyond simple email lures.
Identity-Based Security Is No Longer Enough
Traditional identity protection methods such as MFA, OAuth, and SSO are being outmaneuvered. Once a user is compromised, all connected systems become vulnerable. Security teams must now think beyond basic authentication and embrace real-time behavior monitoring, risk scoring, and zero-trust architectures. Trusting user identity is no longer safe; validating behavior is the new frontier.
Salesforce Is Technically Secure, But Operationally Vulnerable
Salesforce's statement is technically accurate: no flaws were found in the core system. But this distinction provides little comfort when attackers manipulate users into granting OAuth permissions or installing unauthorized apps. Organizations using Salesforce must implement stronger controls over application permissions and actively monitor third-party app installations.
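To make the monitoring point concrete, here is an added example (not code from the article, Google, or Salesforce) of a simple detection rule run over constructed, simplified audit events: it flags a user who authorizes a connected app that is not on an approved list and then performs a large bulk export shortly afterwards. The event shape, field names, thresholds and the approved-app list are assumptions, not the real Salesforce Event Monitoring schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit events; NOT real Salesforce Event Monitoring
# records. Each event has a timestamp, user, event type and a detail field.
EVENTS = [
    {"ts": "2025-06-04T13:02:10", "user": "jdoe", "type": "OAUTH_APP_AUTHORIZED",
     "detail": "Data Loader (Sales Ops)"},           # look-alike app name
    {"ts": "2025-06-04T13:09:41", "user": "jdoe", "type": "BULK_API_EXPORT",
     "detail": "Account", "rows": 182000},
    {"ts": "2025-06-04T09:15:00", "user": "asmith", "type": "OAUTH_APP_AUTHORIZED",
     "detail": "Data Loader"},                        # approved app
    {"ts": "2025-06-04T16:20:00", "user": "asmith", "type": "BULK_API_EXPORT",
     "detail": "Contact", "rows": 500},
    {"ts": "2025-06-05T10:00:00", "user": "bchen", "type": "BULK_API_EXPORT",
     "detail": "Lead", "rows": 90000},                # no preceding grant
]

# Hypothetical allow-list of connected apps an admin has reviewed and approved.
APPROVED_APPS = {"Data Loader"}


def detect_rogue_app_exports(events, window=timedelta(hours=1), min_rows=10000):
    """Return (user, app, object, rows) for every large bulk export a user
    performs within `window` of authorizing a non-approved connected app.

    Exact-name matching deliberately treats look-alike names such as
    'Data Loader (Sales Ops)' as unapproved, which is the case the campaign
    described above relies on.
    """
    by_time = sorted(events, key=lambda e: e["ts"])  # ISO-8601 sorts lexically
    recent_grants = {}  # user -> (grant time, app name) for unapproved apps
    alerts = []
    for e in by_time:
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "OAUTH_APP_AUTHORIZED":
            if e["detail"] not in APPROVED_APPS:
                recent_grants[e["user"]] = (t, e["detail"])
        elif e["type"] == "BULK_API_EXPORT" and e.get("rows", 0) >= min_rows:
            grant = recent_grants.get(e["user"])
            if grant is not None and t - grant[0] <= window:
                alerts.append((e["user"], grant[1], e["detail"], e["rows"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rogue_app_exports(EVENTS):
        print("ALERT: user=%s app=%r object=%s rows=%d" % alert)
```

In production the same rule would be fed from the org's real login and API audit data, and the approved-app list would be maintained by the admins who review connected-app installations.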
Global Threat with Targeted Focus
The campaign's focus on English-speaking employees at multinational firms hints at a higher degree of planning. It's not just random spam or opportunistic attacks; this is tailored exploitation. UNC6040 is leveraging language familiarity, employee trust, and internal IT processes to maximize effectiveness. The group's potential link to "The Com" shows they're not lone wolves but possibly part of a broader ecosystem of cybercrime, collaborating and evolving strategies.
Security Training Isn't Optional Anymore
Every organization must recognize that employee education is a frontline defense. If even one employee doesn't know how to spot a phishing call or validate an IT ticket, the entire company is at risk. Routine training, simulated phishing tests, and clear escalation paths are critical to reducing the success rate of these attacks.
Policy and Technology Must Work Together
Security protocols must be matched with enforceable policies. For instance, no IT request should ever be fulfilled via voice or unverified links. Application installations should require admin-level review. These policies need to be actively enforced and audited, not just published and forgotten.
Future Campaigns Will Be Worse
UNC6040 has shown how easy it is to leverage trust to bypass tech defenses. As AI-generated voices and deepfakes become more common, attackers will refine their impersonation skills. This campaign is just the beginning. Future attacks could include multi-language support, real-time impersonation, and even AI-generated call scripts that mimic real employees or IT staff.
Fact Checker Results:
Salesforce's platform itself was not breached due to a system vulnerability.
The campaign exploited employee trust via voice phishing, not technical flaws.
Approximately 20 organizations were affected across multiple continents.
Prediction:
As cloud ecosystems become increasingly interconnected, we can expect more social-engineering campaigns targeting privileged applications like Salesforce, Microsoft 365, and Okta. The next wave of attacks may utilize AI to simulate internal IT communication, making phishing efforts even harder to detect. Without widespread user training, behavioral monitoring, and zero-trust enforcement, companies will remain vulnerable, not because of weak systems, but because of unprepared people.
References:
Reported By: cyberscoop.com