Salesforce “Connected Apps” Supply-Chain Campaign (UNC6040 / UNC6395) — ShinyHunters & Scattered Spider Overlap

1. Executive Summary

A widespread data-theft and extortion campaign has targeted organisations’ Salesforce environments by abusing trusted third-party integrations and malicious OAuth “Connected Apps”—rather than exploiting a core Salesforce software vulnerability. According to an FBI FLASH advisory on UNC6040 and UNC6395, the activity involves two distinct access paths: (1) voice phishing (vishing) to coerce staff into authorising malicious connected apps, and (2) supply-chain token compromise involving Salesloft Drift (and later ecosystem knock-on effects).
Multiple major brands publicly disclosed impacts consistent with this tradecraft—including Google, Cisco, Farmers Insurance, Pandora, Chanel, Workday, and TransUnion—highlighting the operational risk created by SaaS “app sprawl” and inherited trust relationships. (cybersecuritydive.com)
Reporting frequently links the campaign to the ShinyHunters extortion brand and tradecraft strongly associated with Scattered Spider; however, public attribution is uneven across sources and should be treated with measured confidence. (cybersecuritydive.com)


2. Contextual Background

2.1 Nature of the threat (no CVE-driven platform exploit)

Public and government reporting consistently states the incidents did not stem from a vulnerability in Salesforce’s core platform, but from social engineering, OAuth token abuse, and third-party integration compromise.

2.2 Threat-actor attribution and confidence

Observed/Reported naming varies by publisher:

  • The FBI FLASH on UNC6040/UNC6395 uses UNC tracking identifiers and focuses on behaviours, IOCs, and mitigations.
  • Open reporting indicates some victims received extortion demands from actors styling themselves as ShinyHunters following initial access. (cybersecuritydive.com)
  • Several CTI and industry sources argue there is meaningful operational overlap with Scattered Spider’s hallmark helpdesk/vishing tradecraft, and CISA has separately documented Scattered Spider’s broader social engineering posture. (cisa.gov)

Confidence (Admiralty/NATO-style): Likely.
Rationale: Government/major-vendor reporting strongly supports the tradecraft and intrusion pathways, while the ShinyHunters “brand” appears in extortion context; however, direct public, authoritative confirmation of unified operator identity across all incidents is inconsistent. (cybersecuritydive.com)

2.3 Sector and geographic targeting

Disclosed victims span technology, insurance/financial services, retail/luxury goods, and consumer brands, consistent with opportunistic targeting of organisations with large CRM datasets and high reputational leverage. (obsidiansecurity.com)
The FBI FLASH describes calling patterns aimed at call centres/customer support functions, which often operate across multiple geographies and third-party providers—creating an expanded attack surface.


3. Technical Analysis

3.1 Attack chain and mapped TTPs (MITRE ATT&CK)

Path A — Vishing → Malicious Connected App → Bulk API exfiltration

  1. Voice phishing (vishing) to impersonate IT/support and direct staff to authorise an app or share credentials/MFA codes. (T1566.004)
  2. OAuth “Connected App” abuse: victims are guided to Salesforce’s connected app authorisation flow; a modified/masqueraded Data Loader-style app captures tokens. (T1528)
  3. Valid account / token-based access used to query and export CRM data via APIs. (T1078)
  4. Data from information repositories (CRM records) and exfiltration over web services. (T1213) / (T1567) (obsidiansecurity.com)

Path B — Supply chain / third-party integration tokens (Salesloft Drift)

  1. Trusted relationship abuse where compromised third-party app tokens are used to access customer Salesforce instances. (T1199) (Google Cloud)
  2. Token revocation and containment: Salesloft/Salesforce revoked Drift tokens and removed/disabled integrations as part of incident response. (Google Cloud)

3.2 Exploitation status and PoC availability

  • The activity is documented as active and widespread by government and vendor sources, including a dedicated FBI FLASH advisory with IOCs and mitigations.
  • Multiple public advisories and reporting describe a campaign mechanism (social engineering + OAuth/token abuse) rather than a patchable CVE; therefore, “PoC” framing is less applicable than process abuse and control gaps (identity verification, connected-app governance, and monitoring). (Salesforce)

4. Impact Assessment

4.1 Severity and scope

Severity: High (business impact), variable technical severity.
While core production systems may remain unaffected in many cases, exposed Salesforce CRM datasets (customer contact details, case notes, loyalty IDs, support transcripts) can enable follow-on phishing, account takeover attempts, fraud, and extortion. (obsidiansecurity.com)
Supply-chain elements increase scope because a single compromised integration can create downstream exposure across many tenants; GTIG and the FBI explicitly describe broad impact potential tied to third-party OAuth tokens. (Google Cloud)

4.2 Victim profile

Public disclosures and credible reporting tie this activity to breaches involving:

  • Google (Salesforce environment targeted; GTIG published defensive guidance). (cybersecuritydive.com)
  • Cisco (third-party CRM vishing incident disclosure). (Cisco)
  • Farmers Insurance (breach disclosure widely reported; linked to the Salesforce social engineering wave). (Salesforce Ben)
  • Pandora and Chanel (reported as linked to Salesforce instance attacks). (Infosecurity Magazine)
  • Workday (public reporting ties breach to third-party CRM/Salesforce-connected platform access). (adminbyrequest.com)
  • TransUnion (extortion/data leak reporting references Salesforce-hosted datasets; additional reporting notes likely ShinyHunters involvement). (TechCrunch)

5. Indicators of Compromise (IOCs)

5.1 IOC table (selected; see FBI FLASH for full list)

The table below includes high-signal indicators explicitly published in the FBI FLASH advisory. Note: the FBI includes longer IP lists; defenders should ingest the complete set from the source for comprehensive coverage.

Type | Value | Context/Notes | Source
IP Address | 23.162.8.66 | UNC6040 IOC IP (partial list) | FBI FLASH (UNC6040/UNC6395)
IP Address | 23.94.126.63 | UNC6040 IOC IP (partial list) | FBI FLASH (UNC6040/UNC6395)
IP Address | 51.89.240.10 | UNC6040 IOC IP (partial list) | FBI FLASH (UNC6040/UNC6395)
IP Address | 64.95.11.225 | UNC6040 IOC IP (partial list) | FBI FLASH (UNC6040/UNC6395)
URL/Link (indicator) | login[.]salesforce[.]com/setup/connect?user_code=aKYF7V5N | Connected app authorisation lure pattern | FBI FLASH (UNC6040/UNC6395)
URL/Link (indicator) | login[.]salesforce[.]com/setup/connect?user_code=8KCQGTVU | Connected app authorisation lure pattern | FBI FLASH (UNC6040/UNC6395)
URL/Link (indicator) | http://64.95.11[.]112/hello.php | Referenced in FBI indicators | FBI FLASH (UNC6040/UNC6395)
URL/Link (indicator) | 91.199.42.164/login | Referenced in FBI indicators | FBI FLASH (UNC6040/UNC6395)
IP Address | 44.215.108.109 | UNC6395 IOC IP (partial list) | FBI FLASH (UNC6040/UNC6395)
IP Address | 179.43.159.198 | UNC6395 IOC IP (partial list) | FBI FLASH (UNC6040/UNC6395)
User-Agent | Salesforce-Multi-Org-Fetcher/1.0 | Suspicious UA noted by FBI | FBI FLASH (UNC6040/UNC6395)
User-Agent | Salesforce-CLI/1.0 | Suspicious UA noted by FBI | FBI FLASH (UNC6040/UNC6395)
User-Agent | python-requests/2.32.4 | Suspicious UA noted by FBI | FBI FLASH (UNC6040/UNC6395)
User-Agent | Python/3.11 aiohttp/3.12.15 | Suspicious UA noted by FBI | FBI FLASH (UNC6040/UNC6395)

5.2 Detection guidance

Salesforce telemetry & audit focus

  • Alert on new Connected App authorisations and unusual OAuth consent flows (especially activity consistent with the “connect app / user_code” pattern).
  • Hunt for anomalous API export spikes and non-human automation signatures (e.g., the FBI-listed User-Agents).
  • Monitor logins and API activity from the FBI IOC IP ranges; consider risk-based blocking after validation (FBI explicitly recommends vetting before action).
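The three hunting points above, combined into one pass over Salesforce event records. This is an added example, not code from the FBI FLASH or Salesforce; the event records are constructed, the field names are simplified stand-ins for Event Monitoring fields, and the bulk-export threshold is an assumed value to be tuned against the tenant's own baseline.

```python
"""Added example: hunt Salesforce event records for the indicators listed on this page.
Not from the FBI FLASH or Salesforce; sample data and field names are constructed."""
from collections import defaultdict

# Indicators taken from the page's IOC table (FBI FLASH, partial list).
IOC_IPS = {"23.162.8.66", "23.94.126.63", "51.89.240.10", "64.95.11.225",
           "44.215.108.109", "179.43.159.198"}
IOC_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0",
                   "python-requests/2.32.4", "Python/3.11 aiohttp/3.12.15"}
# Assumed per-user export threshold: tune to the tenant's normal API volume.
BULK_ROWS_THRESHOLD = 50_000

# Constructed records with simplified Event Monitoring-style fields:
# user, source IP, user agent, event type, rows returned, request URI.
SAMPLE_EVENTS = [
    {"user": "ana@example.com", "ip": "203.0.113.10", "ua": "Mozilla/5.0",
     "type": "Login", "rows": 0, "uri": "/"},
    # Consent page hit matching the "setup/connect?user_code=" lure pattern.
    {"user": "ana@example.com", "ip": "203.0.113.10", "ua": "Mozilla/5.0",
     "type": "URI", "rows": 0, "uri": "/setup/connect?user_code=aKYF7V5N"},
    # Follow-on API pulls from an IOC IP with an FBI-listed automation UA.
    {"user": "ana@example.com", "ip": "23.94.126.63", "ua": "Salesforce-Multi-Org-Fetcher/1.0",
     "type": "API", "rows": 40_000, "uri": "/services/data/v60.0/query"},
    {"user": "ana@example.com", "ip": "23.94.126.63", "ua": "Salesforce-Multi-Org-Fetcher/1.0",
     "type": "API", "rows": 35_000, "uri": "/services/data/v60.0/query"},
    # Benign baseline activity that should produce no finding.
    {"user": "bob@example.com", "ip": "198.51.100.7", "ua": "Mozilla/5.0",
     "type": "API", "rows": 200, "uri": "/services/data/v60.0/query"},
]


def hunt(events):
    """Return sorted, de-duplicated (finding, user, detail) tuples."""
    findings = set()
    rows_per_user = defaultdict(int)
    for e in events:
        user = e["user"]
        if e["ip"] in IOC_IPS:
            findings.add(("ioc_ip", user, e["ip"]))
        # Generic UAs (python-requests) need vetting before blocking, as the FBI notes.
        if e["ua"] in IOC_USER_AGENTS:
            findings.add(("ioc_user_agent", user, e["ua"]))
        if "/setup/connect" in e["uri"] and "user_code=" in e["uri"]:
            findings.add(("connected_app_consent", user, e["uri"]))
        if e["type"] == "API":
            rows_per_user[user] += e["rows"]
    for user, rows in rows_per_user.items():
        if rows > BULK_ROWS_THRESHOLD:
            findings.add(("bulk_export", user, rows))
    return sorted(findings, key=str)
```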

Public guidance useful for rule engineering


6. Incident Response Guidance

6.1 Containment, eradication, and recovery

  • Immediately revoke and rotate: OAuth tokens, connected app secrets, integration credentials, and API keys tied to third-party apps (especially recently authorised or rarely used integrations).
  • Disable or suspend affected integrations (e.g., Drift/Gainsight) pending vendor confirmation and re-authentication, aligning with Salesforce/Salesloft incident response actions. (Google Cloud)
  • Implement strict login controls: IP allowlisting/login ranges and conditional access for Salesforce administrative actions. (Salesforce)
  • Re-verify helpdesk/call-centre identity checks (call-back procedures; anti-impersonation scripts) to reduce repeat vishing success.

6.2 Forensic artefacts to collect and preserve

  • Salesforce Setup Audit Trail, Event Monitoring, authentication logs, and API access logs covering the suspected window (including connected app approvals and token issuance). (FINRA)
  • Ticketing/call recordings and call-centre case logs where vishing is suspected (the FBI describes call-centre targeting patterns).

6.3 Lessons learned and preventive recommendations

  • Treat SaaS integrations as privileged access paths; maintain an always-current inventory of connected apps and enforce periodic re-authorisation. (Reuters)
  • Exercise incident playbooks specific to OAuth compromise and third-party token theft (distinct from typical endpoint-led IR). (Google Cloud)

7. Threat Intelligence Contextualisation

7.1 Comparison with similar incidents

The social engineering and helpdesk-centric approach strongly resembles Scattered Spider’s documented intrusion style (credential manipulation, MFA bypass, and identity-centric tradecraft), even when the monetisation phase presents under other extortion branding. (cisa.gov)
This campaign also reflects a broader shift toward attacking SaaS control planes and integrations (OAuth tokens, connected apps, “marketplace” ecosystems) instead of patchable software flaws. (Reuters)

7.2 Full MITRE ATT&CK mapping (observed lifecycle)

Tactic | Technique ID | Technique Name | Observed Behaviour
Initial Access | T1566.004 | Spearphishing via Voice | Vishing call-centre staff; impersonation of IT/support to drive actions.
Credential Access | T1528 | Steal Application Access Token | Capture/abuse OAuth tokens through connected app authorisation and third-party integrations.
Persistence / Access | T1078 | Valid Accounts | Use of authorised tokens/credentials to access Salesforce APIs.
Initial Access (Alt) | T1199 | Trusted Relationship | Compromised Salesloft Drift OAuth tokens used to access customer Salesforce instances. (Google Cloud)
Collection | T1213 | Data from Information Repositories | Bulk export of CRM records (contacts, case info, notes). (obsidiansecurity.com)
Exfiltration | T1567 | Exfiltration Over Web Service | Exfiltration via API-driven pulls and web-based tooling (automation UAs noted).

8. Mitigation Recommendations

8.1 Actionable hardening and configuration controls

  • Enforce phishing-resistant MFA and strengthen identity verification for helpdesk/call-centre workflows.
  • Restrict connected app authorisation (limit who can approve; require admin review; remove unused apps; implement approval workflows where available). (Salesforce)
  • IP-based access restrictions and monitoring for anomalous API usage patterns, consistent with FBI mitigation guidance.
  • Integrate SaaS security posture management and UEBA-style detection for abnormal OAuth/app behaviour (see GTIG/AppOmni guidance). (Google Cloud)

8.2 Patch management advice

There is no single “patch Tuesday” fix here because the campaign centres on process abuse and token governance, not a CVE. Organisations should prioritise:

  1. Identity and call-centre anti-vishing controls,
  2. Connected app governance/token rotation,
  3. Continuous monitoring for suspicious OAuth authorisations and bulk API exports.

9. Historical Context & Related Vulnerabilities

While these incidents are not CVE-led, they align with repeated real-world failures around:

  • SaaS shared responsibility misunderstandings (secure platform ≠ secure tenant configuration). (Reuters)
  • Third-party app ecosystems creating “fourth-party” risk (e.g., Gainsight guidance for member firms explicitly calls out third-/fourth-party exposure). (FINRA)

10. Future Outlook

10.1 Emerging trends and likely evolution

Expect continued scaling of integration-led intrusions: threat actors will increasingly target SaaS marketplaces, connected apps, and customer-success tooling that holds durable tokens and broad data access. (Reuters)

10.2 Predicted shifts in targeting/tooling

  • More sophisticated pretexts aimed at outsourced support and BPO providers (where identity assurance is harder).
  • Higher use of automation (custom tooling and “multi-org” fetch behaviours) to accelerate bulk extraction across many tenants.

11. Further Reading

Government / official

Vendor and platform advisories

Victim disclosures / incident reporting