The rise in Salesforce data breaches has put global companies on edge. Google, which has itself faced intrusions, is now urging enterprises to step up defenses against the threat group UNC6040, a collective known for using phone-based social engineering to trick employees into handing over sensitive information.
A Growing Threat to Cloud Platforms
UNC6040 has gained notoriety for repeatedly breaking into Salesforce environments. According to Mandiant, Google’s cybersecurity arm, the group has not relied on technical flaws but on manipulating people through vishing, or voice phishing, calls. Attackers persuade employees to download an altered version of Salesforce’s Data Loader tool, which then quietly exports sensitive customer data to the intruders.
These breaches are often followed by extortion demands, sometimes surfacing months after the initial compromise. Messages are sent by actors claiming ties to the ShinyHunters cybercrime group, notorious for past thefts and leaks of corporate data.
The danger extends beyond Salesforce. Once inside, attackers have been able to harvest credentials and move laterally into other systems, including Okta identity management and Microsoft 365 accounts. This creates a ripple effect, where a single weak link opens the door to entire corporate networks.

How Attackers Exploit Employees
The tactics are as simple as they are effective. Mandiant investigators detailed that UNC6040 often targets English-speaking staff at multinational firms. Employees receive calls from impostors pretending to be IT support or vendor representatives. Under pressure, the victims are guided to install rogue apps or share login details.
In many cases, the scam hinges on trust. Attackers lean on information that seems credible, such as the employee’s team, supervisor name, or recent activity, all of which can be pieced together from publicly available sources. Once persuaded, the employee unknowingly hands over the keys to critical systems.
The success of these attacks highlights that the human factor, not software flaws, remains the most exploited entry point into enterprise systems.
Stronger Identity Verification Is Critical
Mandiant’s latest advisory emphasizes that verification must be multi-layered. Organizations should stop relying on identifiers that attackers can easily find, like birth dates or employee IDs. Instead, they should pivot to more secure practices:
Video verification: A live call where the employee must display a corporate badge or government-issued ID beside their face.
Cross-checking internal photos: Comparing the person’s face with the image in the corporate directory.
Calendar validation: Confirming the caller is not marked absent or on leave when making a request.
For high-risk actions, such as resetting multifactor authentication (MFA), help desks should use out-of-band checks. This means calling the registered number on file or reaching out to the employee’s manager before approving the request. These extra steps help ensure that attackers cannot succeed by voice alone.
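The verification policy described in this section, expressed as a small deny-by-default decision routine. This is an added example, not code from Mandiant or Google; the directory records, the set of high-risk request types and the field names are constructed assumptions for the illustration. It encodes the three base layers (live video ID check, directory photo match, calendar check) and adds the out-of-band requirement for MFA-reset-class requests; knowledge-based answers such as birth dates or employee IDs are deliberately given no weight.

```python
"""Help-desk identity verification policy (added example, assumptions noted)."""
from dataclasses import dataclass
from datetime import date

# Constructed directory records; a real deployment would query HR or the IdP.
DIRECTORY = {
    "jdoe": {"phone_on_file": "+1-555-0100", "manager": "asmith",
             "leave": (date(2025, 9, 1), date(2025, 9, 14))},
    "asmith": {"phone_on_file": "+1-555-0101", "manager": "cfo", "leave": None},
}

# Assumed set of requests that can defeat MFA or change how a user authenticates.
HIGH_RISK_REQUESTS = {"mfa_reset", "password_reset", "device_enrollment"}


@dataclass
class Evidence:
    """What the help-desk agent actually verified on this call."""
    video_id_check: bool = False      # live video, badge or government ID beside the face
    photo_match: bool = False         # face matches the corporate directory photo
    callback_on_file: bool = False    # agent hung up and called the number on file
    manager_confirmed: bool = False   # manager confirmed the request out of band
    knowledge_answers: bool = False   # birth date, employee ID, etc.; ignored by policy


def verify_request(user, request_type, request_date, ev):
    """Return (allowed, reasons). Every gate must pass; otherwise the request is denied."""
    reasons = []
    rec = DIRECTORY.get(user)
    if rec is None:
        return False, ["unknown user"]

    # Calendar validation: a request from someone marked on leave is refused outright.
    leave = rec["leave"]
    if leave and leave[0] <= request_date <= leave[1]:
        reasons.append("caller is marked on leave in the calendar")

    # Layer 1: prove the person on the line is the employee. Knowledge answers
    # (ev.knowledge_answers) are not consulted at all; attackers can find them.
    if not (ev.video_id_check and ev.photo_match):
        reasons.append("video ID check and directory photo match are both required")

    # Layer 2: high-risk actions also need confirmation over a channel the
    # caller does not control (callback to the number on file, or the manager).
    if request_type in HIGH_RISK_REQUESTS and not (ev.callback_on_file or ev.manager_confirmed):
        reasons.append(f"out-of-band confirmation required for {request_type}")

    return (not reasons), reasons


if __name__ == "__main__":
    full = Evidence(video_id_check=True, photo_match=True, callback_on_file=True)
    print(verify_request("jdoe", "mfa_reset", date(2025, 9, 20), full))
    print(verify_request("jdoe", "mfa_reset", date(2025, 9, 5), full))
```

The point of the structure is that a convincing voice never satisfies a gate on its own: each reason string names the specific layer that is missing, which is also what the help desk should log when it refuses a request.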
Defending Against Vendor Impersonation
UNC6040 has also impersonated third-party vendors, a tactic that makes employees more likely to comply since the request seems business-related. Mandiant advises that staff must never grant access immediately in such cases. Instead, they should:
End the call without sharing details.
Reach out directly to the official account manager tied to that vendor.
Demand a support ticket be logged through the official portal with a valid confirmation number.
This structured process makes it harder for fraudsters to pressure employees into hasty decisions.
| Common Attack Scenario | Defensive Step |
|---|---|
| Fake vendor requests system access | Hang up, confirm with account manager |
| Caller asks for MFA reset | Use video ID proofing and OOB checks |
| Employee asked to download Salesforce tool | Validate source and confirm digitally signed software |
Security Awareness and Culture
Mandiant stressed that technology alone cannot solve the problem. Companies need a strong reporting culture where employees are encouraged to flag suspicious calls, emails, or app requests without fear of blame. These reports must feed into a centralized system, enabling security teams to detect and stop campaigns before they spread.
Cybercriminal groups like ShinyHunters and Scattered Spider thrive on human missteps. Regular training sessions, clear escalation procedures, and visible leadership support can significantly reduce the success rate of these social engineering attacks.
Hardening Cloud Defenses
Beyond verification, Mandiant listed several practical measures for organizations to adopt:
Use single sign-on (SSO) providers to reduce password fatigue.
Deploy phishing-resistant MFA with hardware security keys, such as FIDO2 authenticators.
Apply dynamic authentication policies that adapt to risk, such as requiring extra steps when logins come from new locations.
Continuously monitor for suspicious behavior, including unusual data downloads or failed login attempts.
These steps, while technical, ultimately aim to contain damage if a social engineering attack slips past initial defenses.
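The last two measures (risk-adaptive authentication and continuous monitoring for unusual downloads or failed logins) as detection logic run over a handful of constructed Salesforce-style audit events. This is an added example, not Mandiant's tooling and not Salesforce's log format: the event fields, the per-user baselines and the thresholds are assumptions chosen for the illustration. It flags a burst of failed logins, a successful login from a country never seen for that user (recommending step-up MFA rather than a block), and an export far above the user's usual volume.

```python
"""Detection pass over constructed Salesforce-style events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for the example; tune them per tenant.
FAIL_THRESHOLD = 5                   # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window
EXPORT_ABS_ROWS = 100_000            # any export at or above this is flagged
EXPORT_MULTIPLIER = 10               # or at least 10x the user's typical export

# Constructed per-user baselines; a real system derives these from history.
BASELINES = {
    "jdoe": {"countries": {"US"}, "typical_export_rows": 500},
    "mlee": {"countries": {"DE"}, "typical_export_rows": 2_000},
}

# Constructed sample events (not real logs). Timestamps are ISO-8601.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T09:00:00", "user": "jdoe", "event": "login", "ok": True, "country": "US"},
    {"ts": "2025-09-10T09:05:00", "user": "jdoe", "event": "data_export", "rows": 450},
    # five failures in four minutes against mlee ...
    {"ts": "2025-09-10T10:00:00", "user": "mlee", "event": "login", "ok": False, "country": "DE"},
    {"ts": "2025-09-10T10:01:00", "user": "mlee", "event": "login", "ok": False, "country": "DE"},
    {"ts": "2025-09-10T10:02:00", "user": "mlee", "event": "login", "ok": False, "country": "DE"},
    {"ts": "2025-09-10T10:03:00", "user": "mlee", "event": "login", "ok": False, "country": "DE"},
    {"ts": "2025-09-10T10:04:00", "user": "mlee", "event": "login", "ok": False, "country": "DE"},
    # ... then a success from a country never seen for mlee, and a very large export
    {"ts": "2025-09-10T10:06:00", "user": "mlee", "event": "login", "ok": True, "country": "NG"},
    {"ts": "2025-09-10T10:20:00", "user": "mlee", "event": "data_export", "rows": 250_000},
]


def analyze(events, baselines):
    """Return a list of alert dicts, in event order."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        base = baselines.get(user, {})
        if ev["event"] == "login":
            if not ev["ok"]:
                q = failures[user]
                q.append(ts)
                while q and ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                    q.popleft()
                if len(q) >= FAIL_THRESHOLD:
                    alerts.append({"user": user, "ts": ev["ts"], "rule": "failed_login_burst",
                                   "count": len(q)})
                    q.clear()  # one alert per burst, not one per further failure
            elif ev["country"] not in base.get("countries", set()):
                # Risk-adaptive policy: new location means step-up, not silent allow.
                alerts.append({"user": user, "ts": ev["ts"], "rule": "new_location",
                               "country": ev["country"], "action": "require_step_up_mfa"})
        elif ev["event"] == "data_export":
            typical = base.get("typical_export_rows", 0)
            if ev["rows"] >= EXPORT_ABS_ROWS or (typical and ev["rows"] >= EXPORT_MULTIPLIER * typical):
                alerts.append({"user": user, "ts": ev["ts"], "rule": "unusual_export",
                               "rows": ev["rows"], "typical_rows": typical})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS, BASELINES):
        print(a)
```

Seen together, the three alerts for one user within twenty minutes are the shape of the compromise the article describes: an account is worked over, then used from somewhere new, then drained. Correlating them per user, rather than treating each rule in isolation, is what lets a SOC catch the export stage early.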
The Stakes for Enterprises
The warning from Google underscores how the modern cyber battlefield has shifted. Even global tech firms with advanced defenses have fallen victim to UNC6040’s schemes. This demonstrates that the weakest link is often not the code or infrastructure but the individual on the other end of a phone call.
For companies, the cost of inaction could be steep: stolen customer data, regulatory fines, reputational harm, and prolonged extortion threats. By investing in layered identity checks and fostering a vigilant culture, enterprises can make it far harder for groups like UNC6040 to succeed.
The call to action is clear: treat every unexpected request for access as suspicious until proven otherwise.
In a world where criminals no longer need to break the system but only break trust, the human firewall is just as critical as the technical one.