A recent wave of cyberattacks targeting multinational companies has exposed vulnerabilities in cloud-based platforms through the abuse of social engineering. Approximately 20 organizations in sectors such as hospitality, retail, and education fell victim after employees were misled by attackers posing as IT support. The threat actors convinced staff members to install a counterfeit version of Salesforce’s Data Loader, resulting in significant data breaches and extortion attempts. These incidents highlight persistent risks found in the growing reliance on cloud integrations and the use of single sign-on services.
Incidents involving fraudulent IT assistance have surfaced before; however, the combination of targeted voice phishing with malicious Salesforce-related tools represents a shift in tactics. In earlier events, attackers focused predominantly on phishing emails or direct credential theft rather than leveraging elaborate fake application installations. Compared to information reported last year, the inclusion of platforms such as Okta, Microsoft 365, and Workplace in lateral data theft schemes demonstrates broader impact and evolving sophistication among threat groups like UNC6040.
How Attackers Bypassed Cloud Security Measures
Once contact was established, the attackers instructed employees to install what appeared to be a legitimate Salesforce support app. This process exploited cloud authentication protocols like OAuth, paired with routine acceptance of IT requests, which exposed sensitive login details and multi-factor authentication codes. Companies with significant cloud interconnectivity and single sign-on tools, such as Okta, faced heightened risks due to their widespread use and high privilege levels across systems.
Which Platforms Were Targeted Beyond Salesforce?
Although Salesforce served as the initial point of intrusion, attackers expanded their efforts to connected platforms, notably Okta, Microsoft 365, and Workplace. Researchers observed that UNC6040 moved laterally within victim organizations’ infrastructure after securing access, seeking to maximize the amount of accessible and extractable data across these systems.
Why Did Attackers Imitate IT Support Roles?
Attackers leveraged trusted IT support scenarios to establish credibility and urgency with their targets. By simulating common helpdesk interactions and referencing fabricated open support tickets, they prompted employees to follow instructions without suspicion. This approach positioned the threat actors to guide victims through authentic-looking authentication steps, ultimately permitting malicious app installation.
“Attacks like voice phishing are targeted social-engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices,” a Salesforce spokesperson explained.
Salesforce confirmed that its platform security remained intact, emphasizing that successful attacks stemmed from user manipulation and not technical vulnerabilities within Salesforce’s core services. The company has issued updated guidance to remind customers of shared security responsibilities and the threat posed by sophisticated social engineering scams.
While the scope of these attacks is currently confined to about 20 organizations, the incidents underscore the growing complexity of identity-focused threats in enterprise environments. Multinational organizations using cloud ecosystems and federated identity platforms remain attractive targets for groups like UNC6040. Lessons from this case urge organizations to reinforce user training, verify IT support channels, and ensure robust controls over app installations and privilege inheritance. Attackers’ evolving strategies show a trend toward combining voice-based scams with deceptive software distribution to bypass technological defenses, exploiting the human element as the weak link in corporate cybersecurity.
