What Can Be Learned from the Voice‑Phishing Attack on Salesforce Data

A troubling security incident recently saw a group of hackers, tracked as UNC6040, employ voice‑phishing, or “vishing,” calls to deceive employees at approximately twenty U.S. and European companies. By impersonating IT support personnel, attackers convinced staff to install a malicious version of Salesforce’s Data Loader tool. Once installed, the trojanized tool granted full access to the organizations’ Salesforce environments, allowing extensive data exfiltration.

So, what can be learned from this data breach?

First, the attack underscores the enduring power of social engineering. Despite advanced technical defenses, human trust remains a critical vulnerability. In this case, employees believed they were following legitimate IT procedures. The attackers leveraged that trust, negating the need for any software exploit. It serves as a reminder: Cybersecurity is only as strong as the people protecting it.

Next, the campaign highlights the danger of fraudulent apps masquerading as trusted tools. By cloning the Data Loader, the hackers bypassed traditional malware detection. Organizations must treat third-party tools with skepticism and enforce strict vetting, even when branded by well-known vendors.

Least privilege access is essential. Google’s Threat Intelligence Group notes that once the malicious app was approved, attackers could exfiltrate vast amounts of data—and pivot to other systems like Microsoft 365 and Okta. Companies should restrict connected app permissions and conduct regular audits to ensure no unauthorized third-party apps have access.
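A recurring audit of connected apps can be sketched as follows. This is an added example, not code from Salesforce or Google; it covers both the cloned-tool problem and the permission audit described above by flagging apps that carry an approved tool's name under an unknown identifier, approved apps holding more scopes than allowed, and apps that are not approved at all. The record format, client identifiers, scope names and the 0.8 similarity threshold are assumptions made for illustration.

```python
from difflib import SequenceMatcher

# Allowlist: client identifier -> (approved display name, scopes that app may hold).
# All identifiers, names and scopes below are constructed for this example.
APPROVED = {
    "cid-0001": ("Data Loader", {"api"}),
    "cid-0002": ("Okta SSO", {"openid", "profile"}),
}

def _norm(name):
    """Lowercase and drop non-alphanumerics so 'Data-Loader' matches 'Data Loader'."""
    return "".join(c for c in name.lower() if c.isalnum())

def _closest_approved(name):
    """Return (approved name, similarity 0..1) for the most similar approved app."""
    scored = [(n, SequenceMatcher(None, _norm(name), _norm(n)).ratio())
              for n, _ in APPROVED.values()]
    return max(scored, key=lambda s: s[1])

def audit(records, threshold=0.8):
    """Classify each connected-app authorization record; return a list of findings."""
    findings = []
    for rec in records:
        cid, name, scopes = rec["client_id"], rec["app_name"], set(rec["scopes"])
        if cid in APPROVED:
            extra = scopes - APPROVED[cid][1]
            if extra:
                findings.append((rec["user"], name, "excess_scope", sorted(extra)))
            continue
        near, score = _closest_approved(name)
        if score >= threshold:
            # Unknown identifier wearing an approved tool's name: review first.
            findings.append((rec["user"], name, "lookalike", near))
        else:
            findings.append((rec["user"], name, "unapproved", None))
    return findings

# Constructed sample records (hypothetical export format, not a Salesforce schema).
SAMPLE = [
    {"user": "alice", "client_id": "cid-0001", "app_name": "Data Loader", "scopes": ["api"]},
    {"user": "bob", "client_id": "cid-9999", "app_name": "Data-Loader", "scopes": ["api"]},
    {"user": "carol", "client_id": "cid-0002", "app_name": "Okta SSO",
     "scopes": ["openid", "profile", "full"]},
    {"user": "dave", "client_id": "cid-7777", "app_name": "Report Mailer", "scopes": ["api"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Matching on the client identifier rather than the display name is what separates the genuine tool from a clone, since a display name can be copied freely.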

Voice‑phishing remains a growing threat. The transition from email-based phishing to sophisticated vishing techniques demonstrates that telephone channels are a viable attack path—with caller ID spoofing and even human impersonation enabling higher success rates.

Finally, preparedness and response matter. In some cases, hackers delayed extortion demands by months after initial infiltration, indicating the value of continuous monitoring and incident response plans. Regular security training, simulated vishing exercises, and proactive detection tools can greatly enhance resilience.

In summary, this campaign teaches several vital lessons: Prioritize cybersecurity culture, vet external apps rigorously, enforce least privilege, and treat phone‑based social engineering as a serious threat.

Dynamic vigilance across people, processes, and platforms remains the best defense, so contact GCG and let our team help protect your organization's data today!
