Hackers posing as IT support are targeting employees at large companies to sneak into their Salesforce systems and steal data. They start with a phone call, pretending to help with a routine issue. The real goal? To get the employee to connect to a fake version of Salesforce’s Data Loader tool. Once that happens, the attackers can quietly grab sensitive company data.
Google’s Threat Intelligence Group has been tracking the group behind this, known as UNC6040. Their method depends on trust—posing as helpful support staff and guiding employees through what feels like a normal setup process. Because the tool is something many employees already use, it doesn’t seem suspicious.
After getting into Salesforce, the attackers don’t stop there. They jump into other connected platforms like Okta, Microsoft 365, and Workplace, pulling documents, credentials, and messages as they go. Some companies have managed to cut off access midstream, but the attackers have started experimenting with different ways to sneak data out without getting flagged.
To make the scam more convincing, they give their fake tool names like “My Ticket Portal” and ask employees to install it during the call. They also hide their tracks by routing the stolen data through VPN services like Mullvad. And Salesforce isn’t their only target—Google says they’re also setting up fake login pages for other popular services, tying them to a broader web of cybercriminal activity.
The scammers don’t always demand a ransom right away. In fact, some companies don’t hear from them until months later. When they do, the attackers often claim to be part of the infamous ShinyHunters group—likely as a way to scare victims into paying up. Google suspects UNC6040 may be working with another crew that handles the extortion side of things.
For companies using Salesforce, it’s a good time to review security settings. Limit who can install apps, tighten up API permissions, and consider blocking known VPN services. These steps won’t solve everything, but they can make the attacker’s job a lot harder.
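A review of login records along the lines suggested above could look like the following. This is an added example, not code from Google or Salesforce: the export format, column names, approved-app list, and VPN range (a documentation address block) are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample: a login-history export with assumed column names.
SAMPLE_LOG = """\
user,application,source_ip,login_time
alice@example.com,Data Loader,198.51.100.10,2025-06-02T09:14:00Z
bob@example.com,My Ticket Portal,203.0.113.45,2025-06-02T09:31:00Z
carol@example.com,Data Loader,203.0.113.77,2025-06-02T10:02:00Z
dave@example.com,Salesforce for Outlook,192.0.2.8,2025-06-02T10:40:00Z
"""

# Assumptions: apps the org has approved, and a placeholder VPN exit range
# (a documentation address block, not a real provider range).
APPROVED_APPS = {"data loader", "salesforce for outlook"}
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def is_vpn(ip):
    """True if the address falls inside any configured VPN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def review_logins(log_text, approved=APPROVED_APPS):
    """Return (user, application, reasons) for each login that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        # A renamed tool shows up as an app name nobody approved.
        if row["application"].strip().lower() not in approved:
            reasons.append("unapproved app")
        # A familiar app name can still be suspect if it arrives via a VPN exit.
        try:
            if is_vpn(row["source_ip"].strip()):
                reasons.append("vpn source")
        except ValueError:
            reasons.append("unparseable source ip")
        if reasons:
            findings.append((row["user"], row["application"], reasons))
    return findings


if __name__ == "__main__":
    for user, app, reasons in review_logins(SAMPLE_LOG):
        print(f"{user}: {app} -> {', '.join(reasons)}")
```

The app-name check alone would miss the third record, which uses an approved name but comes from the VPN range, so the two signals are evaluated independently.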