Modified Salesforce app used in cyber extortion

Hackers used a fake Salesforce app and voice phishing to steal data and extort companies, according to Google Threat Intelligence.

05-06-2025 - 4 minute read. Posted in: cybercrime.


Google: Hackers used fake Salesforce app and voice phishing to extort companies

A financially motivated hacking group has been caught abusing a modified Salesforce application combined with voice phishing techniques to infiltrate corporate environments, steal sensitive data, and demand ransom. The campaign was detailed by Google Threat Intelligence, which includes researchers from Mandiant and Google’s Threat Analysis Group.

Fake app, real access

The attackers distributed a modified version of Salesforce's Data Loader, a legitimate client tool that talks to the Salesforce API to bulk-import and bulk-export records. Registered in the victim's org as a connected app, the tampered copy did what Data Loader always does (pull large record sets over the API), but on behalf of the attackers, who could then extract sensitive company data and keep that access as long as the grant stood.

What made this campaign particularly dangerous was the use of voice phishing, or vishing. The threat group, tracked as UNC6040 and linked to the broader cybercriminal ecosystem known as "The Com", called employees directly. By impersonating trusted IT staff or vendors, they walked victims through approving the rogue app as a connected app in the company's Salesforce org. That approval issued the attackers an OAuth token carrying the victim's own permissions, so no password or MFA code ever had to be stolen.

Once the app was installed, attackers exfiltrated large amounts of data. This data was then used to pressure companies with extortion demands. The campaign targeted organizations across industries, including finance and manufacturing.

If you want to learn more about how voice phishing and similar scams work, you can read our article on vishing and smishing here.

No compromise of Salesforce infrastructure

Google clarified that Salesforce itself was not breached and that no vulnerability in the platform was exploited. The attackers abused the platform's third-party integration model: because a legitimate user approved the app and granted its permissions through OAuth, the resulting API activity looked like an authorized integration acting with that user's rights, and it persisted without triggering traditional login-based alerts.

This highlights a recurring weakness in cloud environments: when integration permissions are not tightly governed, attackers can exploit human trust and a single consent click instead of technical flaws.

Strengthening defenses: Google’s recommendations

In response to the campaign, Google is urging organizations to adopt a more proactive and layered security posture. Their recommendations focus on configuration hardening and better control over permissions, access, and user behavior.

Key security measures include:

  • Apply least privilege principles. Limit access to tools like Data Loader only to users who absolutely need it. The "API Enabled" permission, which Data Loader and every other API client require and which is what makes bulk export possible in the first place, should be granted to as few profiles as possible and audited regularly. To better understand how this approach strengthens security, you can read more about the principle of least privilege here.

  • Control access to connected apps. Manage which users and roles can authorize or install third-party applications. Restrict powerful permissions like "Customize Application" and "Manage Connected Apps" to trusted administrators only. Consider allowlisting only verified apps and reviewing each new integration; Salesforce's API Access Control feature can block any connected app an admin has not explicitly approved, so that an end user who is talked into approving a rogue app does not thereby grant it API access.

  • Enforce IP restrictions. Set trusted IP ranges for both user profiles and connected apps. This helps block unauthorized login attempts, especially those coming from commercial VPNs or unusual locations.

  • Use Salesforce Shield for monitoring. Leverage features like Transaction Security Policies and Event Monitoring to detect suspicious activity, such as large data exports or unusual user behavior. These logs can be integrated into your internal security tools to enable real-time detection and response.

  • Implement multi-factor authentication (MFA) across the board. While attackers may try to manipulate users into approving MFA prompts, strong MFA policies remain essential. Note, however, that MFA alone would not have stopped this campaign: the victims authenticated legitimately and then authorized the app themselves, so the OAuth grant inherited an already-verified session. Organizations should therefore pair MFA with the consent controls above, and train users to recognize MFA fatigue attacks and report unexpected login or authorization requests. If you want to learn more about why MFA is a critical layer of defense, you can read our article on the importance of multi-factor authentication here.
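The monitoring, IP-restriction and connected-app allowlisting points above come together in one detection: an unapproved client name pulling an unusually large number of rows from a network you do not own. The following script is an added example, not code from the original article, from Google or from Salesforce. It triages lines in the shape of a Salesforce Event Monitoring "API" EventLogFile export. The column names are assumed from Salesforce's EventLogFile documentation, the log lines are constructed sample data (including the rogue client name "My Ticket Portal"), and the approved-client list, trusted IP ranges and row threshold are hypothetical values an admin would replace with their own.

```python
"""Triage Salesforce Event Monitoring 'API' log lines for the pattern described
in the article: an unapproved connected app exporting bulk data from an
untrusted network.

Added example, not code from the article, Google or Salesforce. Column names
are assumed from Salesforce's EventLogFile documentation; sample rows,
allowlists and thresholds are constructed/hypothetical.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed: CLIENT_NAME values the org has approved (the real string for
# Data Loader varies by version; adjust to what your own logs show).
APPROVED_CLIENTS = {"Salesforce Data Loader", "Workbench"}

# Assumed: corporate egress ranges that are also configured as login IP ranges.
TRUSTED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed: more rows than this per user/client in one log window counts as a bulk export.
ROW_THRESHOLD = 50_000

# Constructed sample in the shape of an EventLogFile 'API' CSV (not real telemetry).
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP,METHOD_NAME
API,20250603120001.000,alice@example.com,Salesforce Data Loader,Account,200,203.0.113.10,query
API,20250603120130.000,bob@example.com,My Ticket Portal,Account,40000,192.0.2.55,query
API,20250603120245.000,bob@example.com,My Ticket Portal,Contact,35000,192.0.2.55,query
API,20250603120400.000,carol@example.com,Workbench,Lead,10,203.0.113.21,query
API,20250603120530.000,dave@example.com,Salesforce Data Loader,Opportunity,90000,198.51.100.7,query
"""


def is_trusted(ip: str) -> bool:
    """True if the client IP falls inside one of the trusted egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text: str):
    """Aggregate rows per (user, client) and flag suspicious combinations.

    Returns (alerts, totals): alerts is a list of
    (user, client, reason, severity) tuples sorted by severity, highest
    first; totals maps (user, client) to rows processed.
    """
    rows = list(csv.DictReader(io.StringIO(log_text)))
    totals = defaultdict(int)    # (user, client) -> rows processed
    sources = defaultdict(set)   # (user, client) -> client IPs seen
    for r in rows:
        key = (r["USER_NAME"], r["CLIENT_NAME"])
        totals[key] += int(r["ROWS_PROCESSED"] or 0)
        sources[key].add(r["CLIENT_IP"])

    alerts = []
    for (user, client), n in totals.items():
        reasons = []
        if client not in APPROVED_CLIENTS:
            reasons.append("unapproved connected app")
        if n > ROW_THRESHOLD:
            reasons.append(f"bulk export of {n} rows")
        untrusted = sorted(ip for ip in sources[(user, client)] if not is_trusted(ip))
        if untrusted:
            reasons.append("untrusted source IP " + ",".join(untrusted))
        if reasons:
            # Severity is simply how many independent signals fired;
            # all three together is the campaign pattern from the article.
            alerts.append((user, client, "; ".join(reasons), len(reasons)))

    alerts.sort(key=lambda a: (-a[3], a[0]))
    return alerts, dict(totals)


if __name__ == "__main__":
    found, _ = triage(SAMPLE_LOG)
    for user, client, reason, sev in found:
        print(f"[sev {sev}] {user} via '{client}': {reason}")
```

On the constructed sample this raises two alerts: the rogue "My Ticket Portal" session fires all three signals (unapproved client, 75,000 rows, VPN-style source address), while a large pull by an approved Data Loader from a trusted range fires only the volume check, which is the kind of event an analyst would confirm with the user rather than block outright. In production the same logic would run over EventLogFile downloads or Event Monitoring streams fed into the SIEM, with the allowlist kept in sync with the connected apps actually approved in Setup.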

A growing trend of cloud abuse

This campaign illustrates a broader trend where cybercriminals exploit cloud-based tools and social engineering to achieve their goals. Instead of breaking in through technical exploits, they walk through the front door by manipulating users and abusing legitimate access mechanisms.

As companies continue to rely on interconnected cloud services, attackers will keep targeting the weakest links in the chain: permissions, people, and trust.

Bottom line

Modern cyberattacks do not always rely on malware or zero-days. Sometimes, all it takes is a phone call and a convincing fake app. Security today demands more than just technology — it requires vigilance, policy enforcement, and a clear understanding of how trust can be exploited.

Author Sarah Krarup


Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
