MITRE ATT&CK® Campaign

C0059: Salesforce Data Exfiltration

The Salesforce Data Exfiltration campaign began in October 2024 with financially-motivated threat actor UNC6040 using Spearphishing Voice (vishing) to compromise corporate Salesforce instances for large-scale data theft and extortion. Following the initial data theft, victim organizations received extortion demands from a separate threat actor, UNC6240, who claimed to be the “ShinyHunters” group. The observed infrastructure and TTPs used during the Salesforce Data Exfiltration campaign overlap with those used by threat groups with suspected ties to the broader collective known as “The Com.” These overlaps could plausibly be the result of associated actors operating within the same communities and are not necessarily an indication of a direct operational relationship.[1][2]

Domain: Enterprise. ID: C0059. Type: Campaign. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This campaign matters because it frames CRM data theft as a business-continuity and extortion risk, not just a phishing problem. The supplied ATT&CK description says actors used voice spearphishing to compromise corporate Salesforce instances, steal data at scale, and support extortion demands. For leaders, the key decision is whether Salesforce and related SaaS access, integrations, and export activity are governed and monitored with the same rigor as core identity and financial systems.

Executive priority

Prioritize validation of identity controls, SaaS administration, CRM data governance, and incident response playbooks for data-theft extortion scenarios. Executives should ask: who can approve or install Salesforce/OAuth integrations, who can export customer data, how quickly can anomalous CRM access be investigated, and what evidence would support breach assessment, customer notification, and regulator-facing reporting. This object is especially relevant to cloud security, IAM, SOC readiness, IR retainers, compliance evidence, and customer-data risk management.

Technical view

ATT&CK provides no campaign-specific detection text, so defenders should build coverage from the described behavior and related techniques: voice spearphishing for information, impersonation, abuse of domain accounts, CRM data collection, SaaS/OAuth application integration persistence, automated exfiltration, exfiltration over web services, proxy and multi-hop proxy use including Tor, and possible Python/tooling activity. SOC teams should validate Salesforce audit logging, identity-provider logs, OAuth consent/application events, CRM export/API activity, anomalous session origin changes, and network egress indicators associated with proxies or Tor where applicable.

Likely telemetry

  • Salesforce login, session, API, report/export, bulk data access, administrative, and integration audit events
  • Identity provider authentication logs, MFA events, conditional access decisions, domain account activity, and password/reset or recovery events
  • OAuth consent, connected-app creation, permission grant, token issuance, and token reuse events for SaaS environments
  • Help desk, call center, and security awareness reporting for voice phishing and impersonation attempts
  • Network egress logs, proxy logs, DNS logs, TLS metadata, and firewall events showing access to external web services, proxies, multi-hop infrastructure, or Tor-related traffic

Detection direction

  • Confirm that Salesforce and other CRM audit logs are enabled, retained long enough for investigations, and correlated with identity-provider authentication events.
  • Baseline normal CRM export, API, reporting, and integration behavior by user role so large-scale or unusual data access can be triaged without relying only on static indicators.
  • Tune detections for impossible travel, new device or location access, MFA fatigue or recovery anomalies, new OAuth/connected applications, high-volume object queries, and unusual use of privileged or domain accounts.
  • Treat voice phishing reports as security telemetry: correlate help desk calls, user reports, and identity events around the same time window.
  • Add context for proxies, multi-hop proxy behavior, and Tor, but avoid assuming all anonymized traffic is malicious; focus on correlation with CRM access, new sessions, or export behavior.
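Worked example of the baseline-and-correlate logic described above, added here as an illustration and not part of the Glexia or MITRE page: it runs over constructed, normalized CRM audit records (the field names, the 24-hour window and the 50,000-row threshold are assumptions, not Salesforce's own event schema) and flags a user whose newly authorized connected app pulls a large row volume, reporting any source IP outside that user's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized CRM audit records (assumed shape, not real Salesforce log fields):
# event is "login" | "oauth_grant" | "api_query"; ts is ISO-8601; rows is rows returned.
EVENTS = [
    {"ts": "2024-10-14T09:02:00", "user": "jdoe", "event": "login", "ip": "203.0.113.10", "app": "Browser", "rows": 0},
    {"ts": "2024-10-14T09:05:00", "user": "jdoe", "event": "api_query", "ip": "203.0.113.10", "app": "Sales Cloud Reports", "rows": 120},
    {"ts": "2024-10-14T13:40:00", "user": "jdoe", "event": "oauth_grant", "ip": "198.51.100.77", "app": "My Ticket Portal", "rows": 0},
    {"ts": "2024-10-14T13:52:00", "user": "jdoe", "event": "api_query", "ip": "198.51.100.77", "app": "My Ticket Portal", "rows": 80000},
    {"ts": "2024-10-14T14:10:00", "user": "jdoe", "event": "api_query", "ip": "198.51.100.77", "app": "My Ticket Portal", "rows": 95000},
    {"ts": "2024-10-14T15:00:00", "user": "asmith", "event": "oauth_grant", "ip": "203.0.113.10", "app": "Slack", "rows": 0},
    {"ts": "2024-10-14T15:30:00", "user": "asmith", "event": "api_query", "ip": "203.0.113.10", "app": "Slack", "rows": 40},
]

WINDOW = timedelta(hours=24)        # assumed: how long after a grant we attribute queries to it
ROW_THRESHOLD = 50_000              # assumed: per-app row volume that is abnormal for this role
KNOWN_IPS = {"jdoe": {"203.0.113.10"}, "asmith": {"203.0.113.10"}}  # constructed per-user baseline

def parse(e):
    return {**e, "ts": datetime.fromisoformat(e["ts"])}

def find_new_app_bulk_export(events, known_ips=KNOWN_IPS, window=WINDOW, threshold=ROW_THRESHOLD):
    """Flag (user, app) pairs where a freshly granted connected app pulls more than
    `threshold` rows within `window` of the grant, noting source IPs off the baseline."""
    grants = defaultdict(list)   # (user, app) -> timestamps of OAuth/connected-app grants
    rows = defaultdict(int)      # (user, app) -> rows pulled through that app after a grant
    ips = defaultdict(set)       # (user, app) -> source IPs seen on those queries
    for e in sorted(map(parse, events), key=lambda r: r["ts"]):
        key = (e["user"], e["app"])
        if e["event"] == "oauth_grant":
            grants[key].append(e["ts"])
        elif e["event"] == "api_query" and any(
            timedelta(0) <= e["ts"] - g <= window for g in grants.get(key, [])
        ):
            rows[key] += e["rows"]
            ips[key].add(e["ip"])
    alerts = []
    for (user, app), total in rows.items():
        if total > threshold:
            new_ips = ips[(user, app)] - known_ips.get(user, set())
            alerts.append({"user": user, "app": app, "rows": total, "new_ips": sorted(new_ips)})
    return alerts

if __name__ == "__main__":
    for a in find_new_app_bulk_export(EVENTS):
        print(a)
```

Queries through apps the user already had (the 09:05 report pull) and low-volume pulls through a new app (asmith's Slack grant) stay below the alert line, so the output is the one jdoe case.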

Mitigation priorities

  • Harden identity first: enforce phishing-resistant MFA where feasible, conditional access, least privilege, and rapid credential/session revocation for Salesforce and domain accounts.
  • Govern SaaS integrations: require approval for OAuth/connected apps, restrict high-risk scopes, review existing integrations, and monitor token activity.
  • Limit CRM data exposure through role-based access, export restrictions, segmentation of sensitive customer fields, and periodic entitlement reviews.
  • Prepare IR procedures for SaaS data theft: preserve Salesforce and IdP logs, identify affected objects/records, revoke tokens, disable suspicious integrations, and coordinate legal/compliance notification workflows.
  • Train help desk and business users on voice phishing and impersonation scenarios, including verification procedures for requests involving credentials, MFA, links, or SaaS access.

Analyst notes and limits

The official description identifies a financially motivated campaign involving Salesforce compromise, data theft, and extortion demands, with reported use of vishing and overlaps with communities associated with “The Com.” The relationship set materially broadens defensive planning across reconnaissance, resource development, identity abuse, SaaS persistence, CRM collection, proxy use, and exfiltration. The most important local validation question is whether the organization can reconstruct who accessed and exported CRM data, through which identity path and integration, and over what time period.

ATT&CK does not provide official detection guidance for this campaign, and the campaign object itself lists no platforms or tactics. Platform references in this take are limited to the official description’s Salesforce/CRM context and related ATT&CK techniques such as SaaS, Office Suite, Windows, Linux, macOS, ESXi, Network Devices, and PRE where applicable. Local telemetry, Salesforce configuration, identity architecture, and integration inventory are required to determine actual exposure or coverage.

Official MITRE ATT&CK definition

Salesforce Data Exfiltration

The Salesforce Data Exfiltration campaign began in October 2024 with financially-motivated threat actor UNC6040 using Spearphishing Voice (vishing) to compromise corporate Salesforce instances for large-scale data theft and extortion. Following the initial data theft, victim organizations received extortion demands from a separate threat actor, UNC6240, who claimed to be the “ShinyHunters” group. The observed infrastructure and TTPs used during the Salesforce Data Exfiltration campaign overlap with those used by threat groups with suspected ties to the broader collective known as “The Com.” These overlaps could plausibly be the result of associated actors operating within the same communities and are not necessarily an indication of a direct operational relationship.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

The table lists 18 rows. Citations use the numbered references listed under Source references ([1] FBI Salesforce Data Theft SEP 2025, [2] Google Salesforce JUN 2025).

Domain | ID | Name | Relationship / procedure

Enterprise | T1684.001 | Impersonation (sub-technique)
During Salesforce Data Exfiltration, threat actors impersonated IT support personnel in voice calls with victims, at times claiming to be addressing enterprise-wide connectivity issues.[2][1]

Enterprise | T1608.005 | Link Target (sub-technique)
During Salesforce Data Exfiltration, threat actors established an Okta phishing panel which victims were tricked into accessing from mobile phones or work computers during social engineering calls.[1][2]

Enterprise | T1059.006 | Python (sub-technique)
During Salesforce Data Exfiltration, threat actors used custom applications developed in Python.[2]

Enterprise | T1213.004 | Customer Relationship Management Software (sub-technique)
During Salesforce Data Exfiltration, threat actors accessed and exfiltrated sensitive information from compromised Salesforce instances.[2]

Enterprise | T1671 | Cloud Application Integration
During Salesforce Data Exfiltration, threat actors deceived victims into authorizing malicious connected apps to their organization's Salesforce portal.[1][2]

Enterprise | T1078.002 | Domain Accounts (sub-technique)
During Salesforce Data Exfiltration, threat actors used compromised credentials for lateral movement.[1][2]

Enterprise | T1567 | Exfiltration Over Web Service
During Salesforce Data Exfiltration, threat actors exfiltrated data via legitimate Salesforce API communication channels, including the Salesforce Data Loader application.[2][1]

Enterprise | T1036 | Masquerading
During Salesforce Data Exfiltration, threat actors used voice calls to socially engineer victims into authorizing a modified version of the Salesforce Data Loader app.[2]

Enterprise | T1090 | Proxy
During Salesforce Data Exfiltration, threat actors used Mullvad VPN IPs to proxy voice phishing calls.[2]

Enterprise | T1585.002 | Email Accounts (sub-technique)
During Salesforce Data Exfiltration, threat actors registered emails shinycorp@tuta[.]com and shinygroup@tuta[.]com to send victims extortion demands.[2]

Enterprise | T1083 | File and Directory Discovery
During Salesforce Data Exfiltration, threat actors queried customers' Salesforce environments to identify sensitive information for exfiltration.[1]

Enterprise | T1090.003 | Multi-hop Proxy (sub-technique)
During Salesforce Data Exfiltration, threat actors used Tor IPs for voice calls and for the collection of stolen data.[2]

Enterprise | T1585 | Establish Accounts
During Salesforce Data Exfiltration, threat actors created Salesforce trial accounts to register their malicious applications.[2]

Enterprise | T1587.001 | Malware (sub-technique)
During Salesforce Data Exfiltration, threat actors created malicious applications within Salesforce trial accounts, typically Python scripts with similar function to the Salesforce Data Loader.[1][2]

Enterprise | T1588.002 | Tool (sub-technique)
During Salesforce Data Exfiltration, threat actors initially relied on the legitimate Salesforce Data Loader app for data exfiltration.[2][1]

Enterprise | T1020 | Automated Exfiltration
During Salesforce Data Exfiltration, threat actors used API queries to automatically exfiltrate large volumes of data.[1]

Enterprise | T1586.002 | Email Accounts (sub-technique)
During Salesforce Data Exfiltration, threat actors used compromised emails to create Salesforce trial accounts.[2]

Enterprise | T1598.004 | Spearphishing Voice (sub-technique)
During Salesforce Data Exfiltration, threat actors initiated voice calls with victims to socially engineer them into authorizing malicious applications or divulging sensitive credentials.[1][2]

Associated objects

Groups, software, and campaigns

Tool (Enterprise)

S0183: Tor

Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]

Platforms: Linux, Windows, macOS

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ee83c93e765e94ec...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | ee83c93e765e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] FBI Salesforce Data Theft SEP 2025. FBI Cyber Division. (2025, September 12). Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion. Retrieved October 22, 2025.
  [2] Google Salesforce JUN 2025. Google Threat Intelligence Group. (2025, June 4). The Cost of a Call: From Voice Phishing to Data Extortion. Retrieved October 22, 2025.
  [3] mitre-attack C0059. MITRE ATT&CK source object for this campaign.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.