
UNC6040 Is a Wake-up Call for Salesforce Security Teams

In early June 2025, Google's Threat Intelligence Group (GTIG) exposed a social engineering campaign by UNC6040, a group that uses voice phishing (vishing) to talk employees into authorizing a malicious connected app (a modified version of Salesforce's Data Loader) against their Salesforce org. The result? Sensitive customer data exfiltrated from global enterprises, reportedly including Allianz Life.

The kicker? Salesforce itself wasn’t breached. But it was used.

And that’s what makes this a wake-up call.

UPDATE 8/6/2025: Google revealed that one of its own corporate Salesforce CRM instances was also hit, exposing business contact data for some of its customers.

What Happened

UNC6040 actors impersonated IT support over the phone and walked employees through approving a malicious connected app (a modified copy of Salesforce's Data Loader) on the org's connected-app setup page. Once authorized, the app acted with that employee's own permissions and API access to query and export large volumes of data; extortion demands followed, sometimes months later.

This wasn’t a zero-day or malware-driven campaign. It was a permissions, policy, and governance problem.


Why This Matters

You’ve hardened your perimeters. You use MFA. You run security awareness training.

But UNC6040 didn’t need to break your systems—they exploited the gray areas in between.

In Salesforce environments, that “gray area” is often excessive user access, lack of policy enforcement, and no real-time control.

This includes:

  • Too many users with elevated access
  • No guardrails on which connected apps users can authorize, or on API behavior once they are authorized
  • No enforcement layer to stop malicious actions once initiated

This is the new threat surface. And it’s growing.


Defending Against Attacks Like UNC6040

Even well-secured systems are exposed to simple mistakes with wide-ranging consequences. Vishing sidesteps technical controls by convincing a team member to let the attacker in through the front door.

Multiple layers of security, combined with deliberate best practices and the means to enforce them, are what it takes to repel these attacks.

Here are four things you can do today to safeguard your data even when users make mistakes—or get tricked:

  • Centralize Risk Visibility: A single view of profile and permission-set settings, access controls, connected-app authorizations, and report and data exports lets teams spot risky configurations and behavior before they are abused.
  • Enforce Least Privilege by Default: Team members should have access only to the data their duties require. Anything beyond that is risk with no business reason. Permissions such as API Enabled, View All Data, Modify All Data, and Export Reports deserve an explicit justification per user, because together they are what turns one tricked employee into a bulk data export.
  • Establish Guardrails That Block Risky Behavior: Whether it's a profile change, a bulk data export, or field-level access to sensitive data, block actions that don't align with your policies rather than merely logging them.
  • Classify Sensitive Data: Map PII, financial data, and regulated fields across your Salesforce orgs so they can be linked to compliance mandates like GDPR and HIPAA, and so the guardrails above know which exports matter most.
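To make the first two items concrete, here is an added example (not AutoRABIT's code, and not from the Google report) that answers two questions offline: who in the org can pull data at scale, and which of those users have authorized a bulk-export tool without being on the documented allowlist. The object and field names (PermissionSetAssignment, PermissionSet.PermissionsApiEnabled and related flags, OauthToken.AppName) are real Salesforce API names, and profiles are covered because Salesforce represents each profile as a permission set; the sample rows, user IDs, permission-set names, and the allowlist are constructed for the example. In a real org you would feed it the results of the two SOQL queries shown in the comments.

```python
"""Audit Salesforce permission assignments and connected-app authorizations for
bulk-export risk. Added example; sample rows are constructed, not from a real org."""
from collections import defaultdict

# Constructed rows shaped like the result of this SOQL query:
#   SELECT AssigneeId, PermissionSet.Name, PermissionSet.PermissionsApiEnabled,
#          PermissionSet.PermissionsExportReport, PermissionSet.PermissionsViewAllData,
#          PermissionSet.PermissionsModifyAllData
#   FROM PermissionSetAssignment
ASSIGNMENTS = [
    {"AssigneeId": "005A1", "Name": "Sales_Rep", "PermissionsApiEnabled": False,
     "PermissionsExportReport": False, "PermissionsViewAllData": False, "PermissionsModifyAllData": False},
    {"AssigneeId": "005A2", "Name": "Sales_Rep", "PermissionsApiEnabled": False,
     "PermissionsExportReport": False, "PermissionsViewAllData": False, "PermissionsModifyAllData": False},
    # An extra permission set quietly makes this sales rep bulk-export capable.
    {"AssigneeId": "005A2", "Name": "Marketing_Analytics", "PermissionsApiEnabled": True,
     "PermissionsExportReport": True, "PermissionsViewAllData": False, "PermissionsModifyAllData": False},
    {"AssigneeId": "005A3", "Name": "Integration_User", "PermissionsApiEnabled": True,
     "PermissionsExportReport": False, "PermissionsViewAllData": True, "PermissionsModifyAllData": False},
    {"AssigneeId": "005A4", "Name": "System_Administrator", "PermissionsApiEnabled": True,
     "PermissionsExportReport": True, "PermissionsViewAllData": True, "PermissionsModifyAllData": True},
]

# Constructed rows shaped like: SELECT UserId, AppName, UseCount, LastUsedDate FROM OauthToken
OAUTH_TOKENS = [
    {"UserId": "005A4", "AppName": "Dataloader Bulk", "UseCount": 12, "LastUsedDate": "2025-05-20T09:00:00Z"},
    {"UserId": "005A2", "AppName": "Dataloader Partner", "UseCount": 3, "LastUsedDate": "2025-06-01T13:42:00Z"},
    {"UserId": "005A1", "AppName": "Salesforce for iOS", "UseCount": 40, "LastUsedDate": "2025-06-02T08:10:00Z"},
]

# Permissions that, combined with API access, allow pulling data at scale.
BULK_READ_FLAGS = ("PermissionsExportReport", "PermissionsViewAllData", "PermissionsModifyAllData")
# Substrings that identify bulk-export tooling in OauthToken.AppName (matched case-insensitively).
BULK_APP_MARKERS = ("dataloader", "data loader")
# Assumed allowlist: users documented as needing bulk-export tools (admins, integration accounts).
ALLOWED_BULK_USERS = {"005A3", "005A4"}


def effective_permissions(assignments):
    """OR together every permission set a user holds; that is how Salesforce resolves them."""
    effective = defaultdict(lambda: defaultdict(bool))
    for row in assignments:
        for key, value in row.items():
            if key.startswith("Permissions"):
                effective[row["AssigneeId"]][key] |= bool(value)
    return effective


def bulk_export_capable(assignments):
    """Users who can both call the API and read broadly or export reports."""
    return {
        user for user, perms in effective_permissions(assignments).items()
        if perms["PermissionsApiEnabled"] and any(perms[flag] for flag in BULK_READ_FLAGS)
    }


def grants_of(assignments, user, flag):
    """Which permission sets give `user` the permission `flag` (i.e. where to remediate)."""
    return sorted({row["Name"] for row in assignments if row["AssigneeId"] == user and row.get(flag)})


def risky_bulk_authorizations(tokens, assignments, allowed):
    """Bulk-export apps authorized by users outside the allowlist, rated by what the
    user could actually pull through them."""
    capable = bulk_export_capable(assignments)
    findings = []
    for token in tokens:
        if not any(marker in token["AppName"].lower() for marker in BULK_APP_MARKERS):
            continue
        if token["UserId"] in allowed:
            continue
        severity = "high" if token["UserId"] in capable else "medium"
        findings.append((severity, token["UserId"], token["AppName"], token["LastUsedDate"]))
    return sorted(findings)


if __name__ == "__main__":
    for severity, user, app, last_used in risky_bulk_authorizations(OAUTH_TOKENS, ASSIGNMENTS, ALLOWED_BULK_USERS):
        print(f"[{severity}] {user} authorized {app!r}, last used {last_used}")
        for flag in ("PermissionsApiEnabled",) + BULK_READ_FLAGS:
            if grants := grants_of(ASSIGNMENTS, user, flag):
                print(f"    {flag} granted via {', '.join(grants)}")
```

On the constructed data the only finding is the sales rep, who is export-capable solely because of the Marketing_Analytics permission set and has authorized a Data Loader connected app nobody documented; that is exactly the profile of account the campaign needed, and the remediation is to remove the grant, not to retrain the user. The preventive counterpart is to require admin pre-authorization for connected apps in the org so that a user cannot self-authorize a bulk-export tool in the first place.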


More Control, Less Complexity

Security shouldn't come at the cost of speed. Automating oversight and enforcement of these controls shrinks the window in which a tricked user can do damage, and so reduces the impact of a successful vishing call.

AutoRABIT Guard provides the control teams need to stay safe and the speed to achieve productivity goals.

  • Create no-code policies to enforce security standards
  • Use Quick Explorer to find misconfigurations fast
  • Automate audits and get compliant without manual work

The result? Your admins move faster. Your org stays secure. Your team doesn’t drown in alerts.


What to Do Next

UNC6040 won't be the last group to abuse legitimate access in Salesforce environments. The question is whether your controls will catch the next one.

  • Run a Risk Analysis to identify blind spots in your Salesforce security posture
  • Enforce near real-time policy controls
  • Align permissions with actual user needs

An independent review is the surest way to know where you stand against increasingly sophisticated cyberattacks. Book a demo to see how AutoRABIT Guard helps prevent these threats without slowing your team down.

Josh Rank

Content Marketing Manager