voice phishing corporate extortion

As cybercriminals increasingly abandon traditional email-based phishing for more advanced voice-based social engineering, a coordinated campaign targeting Salesforce users has emerged as one of the most significant data extortion threats of 2025.

The cybercrime group UNC6040 has orchestrated these voice phishing attacks, targeting at least 20 major organizations across the United States and Europe since early 2025. Attackers impersonate IT support personnel over the phone, exploiting gaps in users' security awareness to bypass technical safeguards entirely. Similar to browser hijackers, these attackers often manipulate system settings to maintain persistent access.

UNC6040 exploits human vulnerabilities through sophisticated voice phishing, bypassing technical security measures by impersonating trusted IT personnel across multiple continents.

These initial interactions feature highly personalized approaches, often referencing real internal processes or known personnel to establish credibility and gain victims’ trust. The attackers expressly request Salesforce login credentials, multifactor authentication codes, and access permissions from targeted users.

Once obtained, these credentials provide direct access to Salesforce instances containing vast repositories of corporate data. Victims are frequently prompted to install or authorize malicious versions of Salesforce Data Loader, which facilitates systematic data exfiltration without detection.
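A defender-side illustration of the Data Loader step above, as an added example that is not part of the article: a small heuristic that flags a Data Loader-style bulk client being run from an unsanctioned source address, or pulling an unusually large number of rows. The records, field names (`user`, `app`, `ip`, `rows`) and the sanctioned-IP allow-list are constructed assumptions modelled loosely on Salesforce login and API event logs, not a verified log schema.

```python
from collections import defaultdict

# Constructed sample records shaped like Salesforce-style login/API log lines.
# Field names are assumptions for this example, not a real org's export.
SAMPLE_EVENTS = [
    {"user": "alice@corp.example", "app": "Browser",          "ip": "203.0.113.10", "rows": 0},
    {"user": "alice@corp.example", "app": "Data Loader Bulk", "ip": "198.51.100.7", "rows": 250000},
    {"user": "bob@corp.example",   "app": "Data Loader Bulk", "ip": "203.0.113.11", "rows": 500},
    {"user": "carol@corp.example", "app": "Browser",          "ip": "203.0.113.12", "rows": 0},
]

# Assumption: the org keeps an allow-list of egress IPs for sanctioned
# integration hosts; a bulk tool running from anywhere else is worth a look.
SANCTIONED_IPS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}


def detect_suspicious_exports(events, sanctioned_ips, row_threshold=100_000):
    """Return one alert per user who ran a Data Loader-style client from an
    unsanctioned IP, or who pulled more than row_threshold rows through it."""
    rows_by_user = defaultdict(int)
    offsite_by_user = defaultdict(set)
    for ev in events:
        # Only bulk-export clients matter for this heuristic.
        if "data loader" not in ev["app"].lower():
            continue
        rows_by_user[ev["user"]] += ev["rows"]
        if ev["ip"] not in sanctioned_ips:
            offsite_by_user[ev["user"]].add(ev["ip"])

    alerts = []
    for user in set(rows_by_user) | set(offsite_by_user):
        reasons = []
        if offsite_by_user[user]:
            ips = ", ".join(sorted(offsite_by_user[user]))
            reasons.append(f"bulk client used from unsanctioned IP {ips}")
        if rows_by_user[user] > row_threshold:
            reasons.append(f"{rows_by_user[user]} rows exported via bulk client")
        if reasons:
            alerts.append({"user": user, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["user"])


if __name__ == "__main__":
    for alert in detect_suspicious_exports(SAMPLE_EVENTS, SANCTIONED_IPS):
        print(alert["user"], "->", "; ".join(alert["reasons"]))
```

In the constructed data only alice trips both conditions; bob's small, on-site Data Loader run is ordinary admin activity and produces no alert.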

After gaining initial access, UNC6040 demonstrates sophisticated operational capabilities through lateral movement to additional platforms, including Okta and Microsoft 365. The stolen data typically encompasses customer records, internal communications, and sensitive corporate information.

Attackers maintain stealthy access for months before shifting to the extortion phase, allowing thorough data harvesting across multiple organizational systems. The extortion methodology involves issuing demands weeks or months after the initial theft, threatening public disclosure or resale of sensitive data if financial demands remain unmet.

This approach utilizes the business-critical nature of Salesforce data to maximize pressure on victim organizations, with potential impacts extending to downstream partners and clients. Evidence suggests collaboration between initial access brokers and separate extortion groups, indicating a mature criminal ecosystem.

Remarkably, these campaigns focus exclusively on data theft and extortion rather than ransomware deployment, representing a strategic shift in cybercriminal operations targeting cloud service platforms. Voice phishing continues to prove effective as an initial access vector, with attackers increasingly targeting IT support and administrative personnel for credential harvesting.

Salesforce maintains that no platform vulnerabilities exist, emphasizing that these attacks exploit human error and social engineering rather than technical weaknesses. Intelligence analysts have linked UNC6040 to the notorious Scattered Spider group, which previously executed the high-profile MGM Resorts cyberattack in 2023. This shift from email-based tactics to direct voice contact represents an evolution in attack methodology designed to increase success rates and circumvent traditional email security filters.
