A recently discovered supply chain attack campaign targeting Salesforce data via the Salesloft Drift app is more extensive than at first thought.
Google Threat Intelligence Group (GTIG) revealed in a post late last week that threat actors had not just targeted the Salesforce integration with Salesloft Drift, but also a “very small number” of Google Workspace accounts.
“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” it warned.
“We recommend organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.”
The campaign came to light last week after GTIG claimed an actor tracked as UNC6395 had targeted “numerous” Salesforce customer instances between August 8 and August 18, systematically exfiltrating large volumes of data.
At the time, it said the focus for the actor was harvesting credentials such as AWS access keys (AKIA), passwords and Snowflake-related access tokens. Hundreds of organizations are thought to have been impacted.
The hackers compromised corporate Salesforce instances after stealing OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce. No vulnerabilities were identified in Salesforce or Google platforms.
New IoCs and Activity Spotted
Security vendor Astrix revealed 183 previously undisclosed IP-based indicators of compromise (IoCs) connected to the campaign, all of which are Tor exit nodes. That activity was linked to a malicious AWS account that used bucket names extracted from the compromised Salesforce environments in an attempt to access S3 buckets.
“Failed authentication attempts inadvertently exposed the threat actor’s AWS account ID,” Astrix explained.
“Our analysis indicates this malicious AWS account initiated operations in early August 2025, coinciding with the broader campaign timeline.”
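The detail above, that the actor's denied S3 requests leaked its AWS account ID, is something defenders can hunt for in their own logs. The following is an added example, not code from Astrix or Google: it walks CloudTrail-style S3 data events (field names follow CloudTrail's schema; the events and account IDs are constructed placeholders) and groups AccessDenied calls by any caller account that is not our own, so that an unknown account probing bucket names is surfaced together with the buckets and source IPs it used.

```python
import json

# Assumption: the bucket owner's own AWS account ID (placeholder value).
OWN_ACCOUNT_ID = "111111111111"

# Constructed CloudTrail-style S3 data events for illustration only.
# Field names follow CloudTrail's schema; values are made up, not campaign data.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AWSAccount", "accountId": "999999999999"},
     "requestParameters": {"bucketName": "acme-crm-exports"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AWSAccount", "accountId": "999999999999"},
     "requestParameters": {"bucketName": "acme-backups"}},
    # Legitimate in-account read: no errorCode, so it is ignored.
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},
     "requestParameters": {"bucketName": "acme-backups"}},
    # Denial for our own account: noisy but not a foreign probe, so ignored.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},
     "requestParameters": {"bucketName": "acme-crm-exports"}},
]]


def foreign_s3_denials(event_lines, own_account_id=OWN_ACCOUNT_ID):
    """Group denied S3 calls made by principals outside our account.

    Returns {caller_account_id: {"attempts": n, "buckets": [...], "source_ips": [...]}}.
    """
    findings = {}
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("errorCode") != "AccessDenied":
            continue
        caller = ev.get("userIdentity", {}).get("accountId")
        if not caller or caller == own_account_id:
            continue
        entry = findings.setdefault(caller, {"attempts": 0, "buckets": set(), "source_ips": set()})
        entry["attempts"] += 1
        entry["buckets"].add(ev.get("requestParameters", {}).get("bucketName", "?"))
        entry["source_ips"].add(ev.get("sourceIPAddress", "?"))
    return {acct: {"attempts": v["attempts"], "buckets": sorted(v["buckets"]),
                   "source_ips": sorted(v["source_ips"])} for acct, v in findings.items()}


if __name__ == "__main__":
    for acct, info in foreign_s3_denials(SAMPLE_EVENTS).items():
        print(f"foreign account {acct}: {info['attempts']} denied S3 calls "
              f"against {info['buckets']} from {info['source_ips']}")
```

Source IPs collected this way can then be checked against a Tor exit-node list, and the bucket names against what was stored in the Salesforce instance, to confirm the pattern Astrix describes.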
The security vendor urged organizations to improve OAuth token management across all of their cloud accounts.