Cyber Web Spider Blog – News

FBI Unveils IOCs for Cyber Attacks Targeting Salesforce Instances for Data Exfiltration

Posted on September 14, 2025 by CWS

The Federal Bureau of Investigation (FBI) has released a FLASH alert detailing the activity of two cybercriminal groups, UNC6040 and UNC6395, which are actively compromising Salesforce environments to steal data for extortion purposes.

The advisory, published by the FBI on September 12, 2025, provides indicators of compromise (IOCs) and defensive measures to help organizations protect against these ongoing campaigns, which use distinct tactics to achieve their goals.

Here is the detailed coverage of Lessons from Salesforce/Salesloft Drift Data Breaches – Detailed Case Study.

UNC6040’s Social Engineering Campaign

Since at least October 2024, the group tracked as UNC6040 has been using social engineering, notably voice phishing (vishing), to gain initial access.

The threat actors call an organization’s help desk posing as IT support staff trying to resolve a fake technical issue. During these calls, they persuade employees either to share their credentials or to grant the attackers access to the company’s Salesforce instance.

A key tactic involves tricking employees into authorizing a malicious “connected app” within the Salesforce portal. This app is often a modified version of the legitimate Salesforce Data Loader tool. The setup/connect URLs with a user_code parameter in the IOC list below are Salesforce’s OAuth device-flow verification page: the caller reads out a code and walks the employee through entering it, which approves the attacker’s app.

By convincing a user with sufficient privileges to approve the application, UNC6040 gains persistent access via the OAuth access and refresh tokens Salesforce issues to it.

This method can bypass security controls like multi-factor authentication (MFA) and password resets, because the activity appears to originate from a trusted, integrated application. Containment therefore means revoking the app’s tokens (removing it from the user’s authorized connected apps), not just resetting the password.

The attackers then use API queries to exfiltrate large volumes of data. Following the theft, some victims have received extortion emails from the notorious “ShinyHunters” group demanding payment to prevent the public release of the stolen information.

UNC6395 Exploits a Third-Party Integration

The second group, UNC6395, used a different method to breach Salesforce instances. In August 2025, these actors exploited compromised OAuth tokens associated with the Salesloft Drift application, an AI-powered chatbot that integrates with Salesforce.

Using these compromised third-party tokens, the group was able to access and exfiltrate data from victims’ Salesforce environments, highlighting the security risk posed by third-party application integrations: a token issued to a vendor’s app carries whatever data access the integration was granted, and the victim’s own MFA and login controls never see it.

In response to this campaign, Salesloft and Salesforce collaborated to revoke all active access and refresh tokens for the Drift application on August 20, 2025. This action terminated the threat actors’ access to the compromised Salesforce platforms through this specific vector.

The FBI has released an extensive list of IOCs, including IP addresses, malicious URLs, and user-agent strings associated with both UNC6040 and UNC6395, to help network defenders detect and block related activity. The agency strongly recommends that organizations take several steps to mitigate the risk of compromise.

The indicators of compromise from the alert are reproduced below, defanged with “[.]” in place of the final dot.

UNC6040 Indicators of Compromise

IoC Type      Indicator
IP Address    13.67.175[.]79
IP Address    20.190.130[.]40
IP Address    20.190.151[.]38
IP Address    20.190.157[.]160
IP Address    20.190.157[.]98
IP Address    23.145.40[.]165
IP Address    23.145.40[.]167
IP Address    23.145.40[.]99
IP Address    23.162.8[.]66
IP Address    23.234.69[.]167
IP Address    23.94.126[.]63
IP Address    31.58.169[.]85
IP Address    31.58.169[.]92
IP Address    31.58.169[.]96
IP Address    34.86.51[.]128
IP Address    35.186.181[.]1
IP Address    37.19.200[.]132
IP Address    37.19.200[.]141
IP Address    37.19.200[.]154
IP Address    37.19.200[.]167
IP Address    37.19.221[.]179
IP Address    38.22.104[.]226
IP Address    45.83.220[.]206
IP Address    51.89.240[.]10
IP Address    64.95.11[.]225
IP Address    64.95.84[.]159
IP Address    66.63.167[.]122
IP Address    67.217.228[.]216
IP Address    68.235.43[.]202
IP Address    68.235.46[.]22
IP Address    68.235.46[.]202
IP Address    68.235.46[.]151
IP Address    68.235.46[.]208
IP Address    68.63.167[.]122
IP Address    69.246.124[.]204
IP Address    72.5.42[.]72
IP Address    79.127.217[.]44
IP Address    83.147.52[.]41
IP Address    87.120.112[.]134
IP Address    94.156.167[.]237
IP Address    96.44.189[.]109
IP Address    96.44.191[.]141
IP Address    96.44.191[.]157
IP Address    104.223.118[.]62
IP Address    104.193.135[.]221
IP Address    141.98.252[.]189
IP Address    146.70.165[.]47
IP Address    146.70.168[.]239
IP Address    146.70.173[.]60
IP Address    146.70.185[.]47
IP Address    146.70.189[.]47
IP Address    146.70.189[.]111
IP Address    146.70.198[.]112
IP Address    146.70.211[.]55
IP Address    146.70.211[.]119
IP Address    146.70.211[.]183
IP Address    147.161.173[.]90
IP Address    149.22.81[.]201
IP Address    151.242.41[.]182
IP Address    151.242.58[.]76
IP Address    163.5.149[.]152
IP Address    185.141.119[.]136
IP Address    185.141.119[.]138
IP Address    185.141.119[.]151
IP Address    185.141.119[.]166
IP Address    185.141.119[.]168
IP Address    185.141.119[.]181
IP Address    185.141.119[.]184
IP Address    185.141.119[.]185
IP Address    185.209.199[.]56
IP Address    191.96.207[.]201
IP Address    192.198.82[.]235
IP Address    195.54.130[.]100
IP Address    196.251.83[.]162
IP Address    198.44.129[.]56
IP Address    198.44.129[.]88
IP Address    198.244.224[.]200
IP Address    198.54.130[.]100
IP Address    198.54.130[.]108
IP Address    198.54.133[.]123
IP Address    205.234.181[.]14
IP Address    206.217.206[.]14
IP Address    206.217.206[.]25
IP Address    206.217.206[.]26
IP Address    206.217.206[.]64
IP Address    206.217.206[.]84
IP Address    206.217.206[.]104
IP Address    206.217.206[.]124
IP Address    208.131.130[.]53
IP Address    208.131.130[.]71
IP Address    208.131.130[.]91
URL           login[.]salesforce[.]com/setup/connect?user_code=aKYF7V5N
URL           login[.]salesforce[.]com/setup/connect?user_code=8KCQGTVU
URL           https://assist[victim][.]com
URL           https://login[.]salesforce[.]com/setup/connect
URL           http://64.95.11[.]112/hello.php
URL           91.199.42[.]164/login

The two setup/connect URLs with a user_code parameter are Salesforce’s OAuth device-flow verification page. The code is different on every attempt, so detections should key on the path and on the circumstances (a help desk call prompting a user to enter a code), not on these two values.

UNC6395 Indicators of Compromise

IoC Type      Indicator
IP Address    208.68.36[.]90
IP Address    44.215.108[.]109
IP Address    154.41.95[.]2
IP Address    176.65.149[.]100
IP Address    179.43.159[.]198
IP Address    185.130.47[.]58
IP Address    185.207.107[.]130
IP Address    185.220.101[.]33
IP Address    185.220.101[.]133
IP Address    185.220.101[.]143
IP Address    185.220.101[.]164
IP Address    185.220.101[.]167
IP Address    185.220.101[.]169
IP Address    185.220.101[.]180
IP Address    185.220.101[.]185
IP Address    192.42.116[.]20
IP Address    192.42.116[.]179
IP Address    194.15.36[.]117
IP Address    195.47.238[.]83
IP Address    195.47.238[.]178
User-Agent    Salesforce-Multi-Org-Fetcher/1.0
User-Agent    Salesforce-CLI/1.0
User-Agent    python-requests/2.32.4
User-Agent    Python/3.11 aiohttp/3.12.15

The 185.220.101[.]x and 192.42.116[.]x addresses are well-known Tor exit nodes, so blocking them alone does not close the vector, and the python-requests and aiohttp user agents are library defaults that legitimate automation also sends; treat a match on those alone as a lead to triage, not as confirmation.
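The two tables above are only useful once they are machine-readable. The following Python script is an added example, not code from the FBI alert or from the original post: it parses tables saved in the layout used above, refangs the “[.]” notation, and scans a proxy-style request log for the listed IPs, URLs and user agents, attributing each hit to UNC6040 or UNC6395. It goes beyond the two listed user_code values by flagging any request to Salesforce’s device-flow verification page (login.salesforce.com/setup/connect with a user_code parameter) for review, and it downgrades hits on library-default user agents. The table excerpt, the log lines and the log format (timestamp, client IP, method, URL, quoted user agent) are constructed assumptions.

```python
"""Parse the defanged indicator tables above and scan a request log for hits.

Added example, not code from the FBI alert or the original post. Assumes the
tables are saved as plain text in the layout used above (IoC type, two or more
spaces, indicator) and that the log has one request per line: timestamp, client
IP, method, URL and a quoted user agent. Table excerpt and log are constructed.
"""
import re
import sys
from urllib.parse import parse_qs, urlsplit

# Constructed excerpt of the two tables above, in the same layout.
INDICATOR_TABLE = """\
UNC6040 Indicators of Compromise
IoC Type      Indicator
IP Address    23.145.40[.]165
IP Address    146.70.211[.]55
URL           login[.]salesforce[.]com/setup/connect?user_code=aKYF7V5N
URL           http://64.95.11[.]112/hello.php

UNC6395 Indicators of Compromise
IoC Type      Indicator
IP Address    185.220.101[.]33
IP Address    208.68.36[.]90
User-Agent    Salesforce-Multi-Org-Fetcher/1.0
User-Agent    python-requests/2.32.4
"""

# Constructed proxy-style log: timestamp, client IP, method, URL, "user agent".
SAMPLE_LOG = """\
2025-09-10T14:03:11Z 10.20.30.40 GET https://login.salesforce.com/setup/connect?user_code=QQ9Z4K2M "Mozilla/5.0 (Windows NT 10.0)"
2025-09-10T14:05:52Z 23.145.40.165 POST https://acme.my.salesforce.com/services/oauth2/token "Mozilla/5.0 (Windows NT 10.0)"
2025-09-10T14:06:07Z 185.220.101.33 GET https://acme.my.salesforce.com/services/data/v60.0/query?q=SELECT+Id+FROM+Case "Salesforce-Multi-Org-Fetcher/1.0"
2025-09-10T14:06:09Z 10.20.30.41 GET https://acme.my.salesforce.com/services/data/v60.0/query?q=SELECT+Id+FROM+Account "python-requests/2.32.4"
2025-09-10T14:07:00Z 198.51.100.7 GET http://64.95.11.112/hello.php "curl/8.4.0"
"""

# Library-default user agents also appear in legitimate automation: a lead, not evidence.
GENERIC_UA_PREFIXES = ("python-requests/", "Python/")
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"\s*$')

def refang(value):
    """Undo the "[.]" defanging so indicators compare equal to raw log values."""
    return value.replace("[.]", ".")

def split_url(url):
    return urlsplit(url if "://" in url else "http://" + url)

def normalize_url(url):
    """Drop the scheme and lowercase the host so the table's scheme-less and
    scheme-bearing spellings both compare equal to what a proxy records."""
    p = split_url(url)
    return p.netloc.lower() + p.path + ("?" + p.query if p.query else "")

def parse_indicators(text):
    """Map each indicator, keyed by kind, to the group named in the nearest heading."""
    kinds = {"IP Address": "ip", "URL": "url", "User-Agent": "ua"}
    out = {"ip": {}, "url": {}, "ua": {}}
    group = "unattributed"
    for line in text.splitlines():
        head = re.match(r"^(\S+) Indicators of Compromise\s*$", line)
        if head:
            group = head.group(1)
            continue
        row = re.match(r"^(IP Address|URL|User-Agent)\s{2,}(\S.*?)\s*$", line)
        if row:
            kind, value = kinds[row.group(1)], refang(row.group(2))
            out[kind][normalize_url(value) if kind == "url" else value] = group
    return out

def scan_log(log_text, indicators):
    """Return (line_no, kind, matched_value, group, confidence) for every hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, ip, _method, url, ua = m.groups()
        if ip in indicators["ip"]:
            hits.append((n, "ip", ip, indicators["ip"][ip], "high"))
        norm, p = normalize_url(url), split_url(url)
        if norm in indicators["url"]:
            hits.append((n, "url", norm, indicators["url"][norm], "high"))
        elif (p.netloc.lower() == "login.salesforce.com" and p.path == "/setup/connect"
              and "user_code" in parse_qs(p.query)):
            # user_code changes per attempt and the page is legitimate Salesforce
            # infrastructure, so any device-flow approval is flagged for review.
            hits.append((n, "device-flow", norm, "UNC6040 (pattern)", "review"))
        if ua in indicators["ua"]:
            conf = "low" if ua.startswith(GENERIC_UA_PREFIXES) else "medium"
            hits.append((n, "ua", ua, indicators["ua"][ua], conf))
    return hits

def main(table_path=None, log_path=None):
    table = open(table_path).read() if table_path else INDICATOR_TABLE
    log = open(log_path).read() if log_path else SAMPLE_LOG
    hits = scan_log(log, parse_indicators(table))
    print(*hits, sep="\n")
    return hits

if __name__ == "__main__":
    main(*sys.argv[1:3])
```

Save the two tables above to a text file and run `python ioc_scan.py indicators.txt proxy.log`; with no arguments it runs against the embedded sample and reports six hits, including the device-flow page visit with an unlisted user_code and the low-confidence python-requests match.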

Key recommendations include training employees, especially call center and help desk staff, to recognize and report phishing and vishing attempts.

The FBI also advises enforcing phishing-resistant MFA across all possible services, applying the principle of least privilege to user accounts, and implementing strict IP-based access restrictions.

Additionally, organizations should continuously monitor network logs and API usage for anomalous behavior indicative of data exfiltration, regularly review all third-party application integrations connected to their software platforms, and rotate API keys and credentials frequently.
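To make the monitoring recommendation concrete, here is an added Python example, not from the FBI alert or the original post, that runs two of the checks above over an export of API activity: connected-app activity from addresses outside an IP allowlist, and a per-user hourly read volume far above that user’s own baseline, which is what a bulk pull by a rogue Data Loader copy looks like. The events are constructed; their fields (user, timestamp, source IP, connected-app name, rows returned) are an assumed simplification of Salesforce Event Monitoring API events, and the allowed ranges, spike factor and row floor are placeholders to replace with your own.

```python
"""Two checks from the recommendations above, run over an export of API activity:
activity from outside an IP allowlist, and per-user read volume far above that
user's own baseline (the shape of a bulk pull by a rogue Data Loader copy).

Added example, not from the FBI alert or the original post. Events are
constructed; their fields are an assumed simplification of Salesforce Event
Monitoring API events, and the networks and thresholds are placeholders.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
SPIKE_FACTOR = 10   # an hour is suspicious above 10x the user's mean hourly rows ...
MIN_ROWS = 5_000    # ... and only if it also exceeds this floor, so tiny baselines stay quiet
BASE = datetime(2025, 9, 1, tzinfo=timezone.utc)

def constructed_events():
    """Seven quiet days for an analyst and an ETL service account, then the
    incident day. Each event: (user, time, source_ip, app, rows_returned)."""
    ev = []
    for day in range(7):
        for hour in (9, 13, 16):
            t = BASE + timedelta(days=day, hours=hour)
            ev.append(("jsmith", t, "203.0.113.25", "Salesforce for Outlook", 120))
            ev.append(("svc-etl", t, "198.51.100.10", "Nightly ETL", 40_000))
    t = BASE + timedelta(days=7, hours=14)
    ev.append(("jsmith", t, "203.0.113.25", "Salesforce for Outlook", 100))
    # A renamed Data Loader copy approved during a vishing call pulls Cases in bulk
    # from outside the corporate ranges (constructed; the app name is attacker-chosen,
    # so it is context for triage, never something to allowlist on).
    ev.append(("jsmith", t + timedelta(minutes=5), "23.145.40.165", "My Ticket Portal", 180_000))
    ev.append(("jsmith", t + timedelta(minutes=20), "23.145.40.165", "My Ticket Portal", 95_000))
    ev.append(("svc-etl", t + timedelta(hours=2), "198.51.100.10", "Nightly ETL", 42_000))
    return ev

def outside_allowlist(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ALLOWED_NETWORKS)

def ip_violations(events):
    """Unique (user, ip, app) triples seen from outside the allowed ranges.
    Salesforce login IP ranges enforce this at login time; this retrospective
    review catches tokens issued before the restriction existed or under an
    exempted profile."""
    return sorted({(u, ip, app) for u, _t, ip, app, _n in events if outside_allowlist(ip)})

def hourly_totals(events):
    totals = defaultdict(int)
    for user, t, _ip, _app, rows in events:
        totals[(user, t.replace(minute=0, second=0, microsecond=0))] += rows
    return totals

def volume_spikes(events, cutoff):
    """Hours at or after `cutoff` whose row count exceeds the user's threshold,
    where the baseline is the mean hourly total of that user's hours before
    `cutoff`. Per-user baselines keep a legitimately heavy ETL account quiet."""
    before = hourly_totals(e for e in events if e[1] < cutoff)
    after = hourly_totals(e for e in events if e[1] >= cutoff)
    per_user = defaultdict(list)
    for (user, _hour), rows in before.items():
        per_user[user].append(rows)
    spikes = []
    for (user, hour), rows in sorted(after.items()):
        base = sum(per_user[user]) / len(per_user[user]) if per_user[user] else 0
        threshold = max(MIN_ROWS, SPIKE_FACTOR * base)
        if rows > threshold:
            spikes.append((user, hour, rows, threshold))
    return spikes

def audit(events, cutoff):
    return {"ip_violations": ip_violations(events), "volume_spikes": volume_spikes(events, cutoff)}

if __name__ == "__main__":
    for kind, findings in audit(constructed_events(), BASE + timedelta(days=7)).items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

Per-user baselines are what keep the heavy but legitimate ETL account quiet while the analyst account’s 275,100-row hour stands out; the floor prevents a user whose baseline is near zero from alerting on a few thousand rows. Run on a real export, the cutoff is the start of the window under investigation and the baseline window should be long enough to cover normal weekly cycles.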
