Date window: June–Aug 2025 (public disclosures in Aug)
Victim: Google (corporate Salesforce instance)
Threat actors: UNC6040 / ShinyHunters (vishing-led Salesforce intrusions)
1) Executive Summary
Google confirmed that attackers accessed a corporate Salesforce system and pulled business contact information (customer/company names and similar fields). Google states no passwords or payment data were exposed and consumer Gmail/Google Cloud accounts were not breached. Media reports warn that the fallout is large-scale phishing and vishing campaigns that could target “over 2B users,” weaponizing the contact data and brand trust. [Fox News]
Translation for leadership: this is primarily a SaaS supply-chain exposure with high downstream social-engineering risk, not a credential dump. [Salesforce Ben, cloudprotection.withsecure.com]
2) Timeline (condensed)
- June 2025: Adversary activity against Salesforce instances via voice-phishing and malicious Connected Apps documented by Google Threat Intelligence (GTIG). [Google Cloud]
- Aug 7–16, 2025: Reports indicate Google’s Salesforce instance was among the victims; Google confirms business contact data exposure; Salesforce community advisories follow. [Dark Reading, Salesforce Ben]
- Late Aug 2025: Broad coverage urges vigilance as mass phishing/vishing ramps up; “2B+ users at risk” headlines spread. [Fox News, Tom's Guide]
3) Technical Analysis (ATT&CK-mapped)
Initial Access (Social Engineering/Vishing)
- Call-center style operators impersonate IT, convincing staff to authorize a malicious Salesforce Connected App (often masquerading as Data Loader).
- ATT&CK: T1566 (Phishing), T1204 (User Execution), T1199 (Trusted Relationship). [Google Cloud, Dark Reading]
Persistence & Credential Abuse
- Abuse of OAuth tokens / a Connected App granted scopes such as api and refresh_token to maintain access without re-authentication.
- ATT&CK: T1550.001 (Use of Web Tokens), T1136 (Create Account, via integration), T1098 (Account Manipulation). [Google Cloud]
Collection & Exfiltration
- Bulk extraction through Salesforce REST/Bulk APIs (Contacts, Leads, Accounts, Notes).
- ATT&CK: T1530 (Data from Cloud Storage), T1567 (Exfiltration over Web Services). [Google Cloud]
Scope of Data
- “Basic business contact details and sales notes” for prospects/SMBs; passwords not included. [cloudprotection.withsecure.com, Fox News]
4) Impact & Risk
- Direct exposure: Corporate contact data (names, emails, phones, org details). [Fox News, cloudprotection.withsecure.com]
- Primary risk: Mass phishing / vishing (BEC, MFA-fatigue, cookie theft), brand impersonation, and targeted social engineering at scale (“2B users at phishing risk” framing in press). [Fox News, Tom's Guide]
- Secondary risk: Intelligence for spear-phishing against admins and high-value accounts (C-suite, finance, ad-buyers, Workspace tenants). [Google Cloud]
5) Detection & Hunting Playbook (SOC-ready)
Salesforce (Event Monitoring / Shield)
- API anomalies:
  - Sudden Bulk API exports (Contacts/Leads/Accounts).
  - Connected App usage outside usual ASNs/geos.
- Signals to hunt:
  - New Connected App with high-risk scopes (full, api, refresh_token).
  - LoginEvent spikes, atypical SessionHijackingEvent patterns, impossible travel.
  - Unusual ReportExportEvent and UriEvent against /services/data/vXX.X/*. [Google Cloud]
- Sample SIEM queries (pseudocode):
  - Unusual Connected App auth
  - Bulk exports after hours
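The hunting signals above (unapproved Connected App with high-risk scopes, bulk volume far above a user's baseline, after-hours exports, token use from a new ASN) as runnable detection logic, written for this post as an added example rather than a query from the original playbook. It runs over a constructed, simplified sample of Salesforce-style API events; the field names, approved-app list, per-user ASN set and row baselines are assumptions, not the Event Monitoring schema.

```python
"""Hunt for Connected App abuse and abnormal bulk API activity in sample events."""
HIGH_RISK_SCOPES = {"full", "api", "refresh_token"}
BUSINESS_HOURS = range(8, 19)                       # 08:00-18:59 local; assumption
KNOWN_APPS = {"Data Loader", "Marketing Sync"}      # approved Connected Apps (constructed)
KNOWN_ASNS = {"alice": {"AS-corp"}, "bob": {"AS-corp"}}  # usual egress per user (constructed)
BASELINE_ROWS = {"alice": 450, "bob": 300}          # historical median rows per call (constructed)

# Constructed sample: one record per API call batch. bob's records model the
# lookalike-app, high-scope, night-time bulk pull from an unfamiliar ASN.
EVENTS = [
    {"user": "alice", "app": "Data Loader", "scopes": {"api"},
     "rows": 500, "hour": 10, "asn": "AS-corp"},
    {"user": "alice", "app": "Data Loader", "scopes": {"api"},
     "rows": 380, "hour": 15, "asn": "AS-corp"},
    {"user": "bob", "app": "Data Loadr", "scopes": {"api", "refresh_token"},
     "rows": 50000, "hour": 2, "asn": "AS-unknown"},
    {"user": "bob", "app": "Data Loadr", "scopes": {"api", "refresh_token"},
     "rows": 80000, "hour": 3, "asn": "AS-unknown"},
]


def hunt(events, baseline_factor=10, default_baseline=1000):
    """Return (rule, user, app) findings; each rule fires at most once per event."""
    findings = []
    for e in events:
        user, app = e["user"], e["app"]
        # Rule 1: app not on the approved list and asking for high-risk scopes
        if app not in KNOWN_APPS and e["scopes"] & HIGH_RISK_SCOPES:
            findings.append(("unapproved_app_high_risk_scopes", user, app))
        # Rule 2: rows pulled far above this user's historical baseline
        baseline = BASELINE_ROWS.get(user, default_baseline)
        if e["rows"] > baseline_factor * baseline:
            findings.append(("bulk_volume_above_baseline", user, app))
            # Rule 3: that bulk pull also happened outside business hours
            if e["hour"] not in BUSINESS_HOURS:
                findings.append(("bulk_export_after_hours", user, app))
        # Rule 4: token used from an ASN never seen for this user
        if e["asn"] not in KNOWN_ASNS.get(user, set()):
            findings.append(("new_asn_for_user", user, app))
    return findings


def rules_fired(events, user):
    """Distinct rule names that fired for one user, for triage."""
    return sorted({rule for rule, u, _ in hunt(events) if u == user})


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

In production the baselines and known-ASN sets would come from a rolling window of Event Monitoring data rather than constants, and the findings would feed the SIEM rules sketched above.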
Enterprise perimeter
- Correlate unusual egress to Salesforce IP ranges after high-volume API calls.
- Detect token reuse from a new IP/ASN without SSO step-up. [Google Cloud]
6) Containment & Eradication
- Kill access paths
  - Revoke tokens for suspicious Connected Apps; rotate OAuth client secrets.
  - Temporarily block the app via App Manager; enforce IP allowlists for API access. [Google Cloud]
- Identity hardening
  - Enforce MFA and SSO for all Salesforce users (no exceptions for vendors/contractors).
  - Enable device/context conditions (geo/ASN, managed device only). [Salesforce Ben]
- Telemetry upgrades
  - Turn on Salesforce Shield Event Monitoring with real-time streaming to the SIEM.
  - Baseline API volume per user/app; alert on deviations. [Google Cloud]
7) Prevention & Resilience (CISO checklist)
- Zero-Trust for SaaS: Conditional access, least-privilege OAuth scopes, deny-by-default Connected Apps. [Google Cloud]
- Vishing defense: Mandatory callback + ticket policy for any IT request; never authorize apps over the phone. Provide a vishing runbook. [Google Cloud]
- Data minimization: Remove legacy exports, redact PII in CRM notes, enable field-level DLP. [cloudprotection.withsecure.com]
- Customer assurance: Communicate scope (no passwords), coach on phishing tells, promote passkeys and Security Checkup. [Proton]
8) Guidance for End Users (publish externally)
- Google will not call you about account security. Treat 650-area-code calls/emails as suspicious; go to myaccount.google.com yourself.
- Turn on 2-Step Verification/Passkeys, run Security Checkup, rotate passwords where reused. [Tom's Guide, Proton]
9) What’s confirmed vs. media framing
- Confirmed by/around Google & industry: Corporate Salesforce data accessed; mostly business contact info; no passwords; consumer accounts not breached. [Fox News, Salesforce Ben, cloudprotection.withsecure.com]
- Media framing: “Over 2B/Gmail users at phishing risk” reflects the scale of potential targeting, not proof that 2B records were stolen. Use it as risk context, not breach size. [Fox News, Tom's Guide]
10) CyberDudeBivash POV
This incident isn’t about “passwords spilled.” It’s about SaaS trust boundaries and how voice-social engineering + OAuth can pivot into mass social-engineering campaigns. Your best defense: SaaS hardening + hypothesis-driven hunting focused on Connected App abuse and abnormal API activity. [Google Cloud]
#CyberDudeBivash #ThreatWire #Google #SalesforceSecurity #DataBreach #Phishing #Vishing #ShinyHunters #UNC6040 #ZeroTrust #SaaS #IncidentResponse #ThreatHunting #MITREATTACK
