UNC6040: The Voice Phishing Attack Aiming for Your Salesforce Information
Cybercriminals Use Fake IT Support Calls to Steal Salesforce Data in Months-Long Extortion Scheme
A particularly dangerous campaign has emerged, highlighting the effectiveness of traditional social engineering methods when paired with contemporary technology.
Google’s Threat Intelligence Group has identified a financially motivated threat actor known as UNC6040 that has been conducting sophisticated voice phishing (vishing) attacks specifically targeting organizations using Salesforce. This campaign represents a concerning trend where cybercriminals are bypassing technical security controls entirely by manipulating the human element within organizations.
Understanding the UNC6040 Threat
UNC6040 is a financially motivated cybercriminal group that has specialized in voice phishing attacks designed to compromise Salesforce instances for large-scale data theft and subsequent extortion. What makes this group particularly dangerous is their sophisticated approach to social engineering – they don’t rely on exploiting technical vulnerabilities in Salesforce itself. Instead, they focus on the weakest link in any security chain: people.
The threat actors have demonstrated remarkable success over the past several months by impersonating IT support personnel in convincing telephone conversations. Their English proficiency and understanding of corporate IT environments make their deception particularly effective, especially when targeting employees at multinational corporations.
Severity Assessment: High Risk to Critical
This threat should be classified as high to critical risk for any organization using Salesforce, particularly those with:
- Sensitive customer data stored in Salesforce
- Financial information accessible through CRM systems
- Employees who regularly interact with IT support
- Limited security awareness training programs
- Insufficient access controls on data export tools
The severity stems not just from the initial data breach, but from the campaign’s potential for long-term impact. UNC6040 has been observed waiting months between initial compromise and extortion attempts, meaning organizations may be unknowingly compromised for extended periods.
How the Attack Works
The UNC6040 attack methodology is both simple and devastatingly effective. Here’s how these cybercriminals operate:
Phase 1: Initial Contact
The attack begins with a phone call. UNC6040 operators contact employees at target organizations, impersonating legitimate IT support personnel. They use convincing social engineering techniques, often referencing internal processes or current IT issues to establish credibility.
Phase 2: Malicious App Authorization
During the vishing call, the threat actors guide victims to Salesforce’s connected app setup page. They convince the employee to authorize what appears to be a legitimate version of Salesforce’s Data Loader application. However, this is actually a modified, unauthorized version created by the attackers with different names or branding – such as “My Ticket Portal” – to avoid suspicion.
Phase 3: Data Exfiltration
Once the malicious app is authorized, UNC6040 gains significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce environment. The attackers can export large volumes of data using the legitimate Data Loader functionality, making their activities appear routine to monitoring systems.
Phase 4: Lateral Movement
The threat doesn’t stop with Salesforce. UNC6040 has been observed moving laterally through victim networks, accessing other platforms such as Okta, Microsoft 365, and Workplace. This expanded access allows them to gather additional sensitive information including communications, authorization tokens, and confidential documents.
Phase 5: Delayed Extortion
Perhaps most concerning is the delayed nature of the extortion attempts. UNC6040 often waits several months after the initial compromise before making extortion demands. During these attempts, they have claimed affiliation with the notorious ShinyHunters hacking group to increase pressure on victims.
(UNC6040 Attack Pathway – Source: Mandiant)
Who’s Behind the Attacks
While Google tracks this activity under the designation UNC6040, the group exhibits characteristics that align with threat actors connected to “The Com” – a loosely organized collective of cybercriminals. The group’s tactics, techniques, and procedures overlap with other known threat actors, including:
- Social engineering via fake IT support calls
- Targeting of Okta credentials
- Focus on English-speaking employees at multinational companies
- Use of commercial VPNs (particularly Mullvad) to mask their activities
The infrastructure used by UNC6040 to access Salesforce applications has also been observed hosting Okta phishing panels, suggesting a broader toolkit designed to compromise multiple cloud services.
Organizations at Risk
UNC6040’s campaign is opportunistic rather than highly targeted, meaning any organization using Salesforce could potentially be at risk. However, certain factors increase vulnerability:
High-Risk Organizations:
- Companies in education, hospitality, and retail sectors (observed targets)
- Multinational corporations with English-speaking branches
- Organizations with widespread Salesforce deployments
- Companies with limited security awareness training
- Businesses that haven’t implemented strict access controls for data export tools
Geographic Focus: The campaign has primarily targeted organizations in the Americas and Europe, with approximately 20 organizations confirmed as affected by the campaign.
Remediation and Protection Strategies
Protecting against UNC6040 and similar vishing campaigns requires a multi-layered approach combining technical controls, policy enforcement, and user education:
Immediate Actions:
- Audit all connected applications in your Salesforce environment
- Review Data Loader access permissions and remove unnecessary assignments
- Implement IP-based access restrictions to limit logins from unexpected locations
- Enable comprehensive logging and monitoring for data export activities
- Conduct emergency security awareness training focused on vishing threats
Technical Controls:
- Enforce the principle of least privilege for all Salesforce users
- Restrict the “API Enabled” permission to essential personnel only
- Implement Transaction Security Policies to monitor large data downloads
- Configure Event Monitoring to track user behavior and data access patterns
- Require approval processes for installing new connected applications
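To make the monitoring items above concrete, here is an added example (not code from the original post, Google, or Mandiant) that scores Salesforce Event Monitoring rows for two signals described in this campaign: API traffic from a connected app that is not on an approved list (such as a Data Loader clone renamed “My Ticket Portal”), and an unusually large volume of exported rows regardless of the app name. The log rows are constructed; the column names follow the EventLogFile API event type as I understand it, and the approved-client list and row threshold are assumptions to adjust for your org.

```python
# Added example: simple detector over Salesforce Event Monitoring "API" rows.
# Sample rows below are CONSTRUCTED. Column names (TIMESTAMP, USER_NAME,
# CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED) are assumed to match the
# EventLogFile API event type; verify against an export from your own org.
import csv
from collections import defaultdict
from io import StringIO

# Connected apps the org has actually approved (assumed list).
APPROVED_CLIENTS = {"SalesforceDataLoader", "SalesforceMobile"}
# Rows exported per (user, client) before alerting (assumed threshold).
ROW_THRESHOLD = 50_000

SAMPLE_LOG = """\
TIMESTAMP,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
20250601120000.000,alice@example.com,SalesforceDataLoader,Contact,800
20250601120500.000,bob@example.com,My Ticket Portal,Contact,45000
20250601121000.000,bob@example.com,My Ticket Portal,Account,30000
20250601121500.000,carol@example.com,SalesforceMobile,Opportunity,12
"""

def analyze(log_text, approved=APPROVED_CLIENTS, threshold=ROW_THRESHOLD):
    """Return a list of (rule, user, client, detail) alerts, one per finding."""
    alerts = []
    totals = defaultdict(int)
    flagged_clients = set()
    for row in csv.DictReader(StringIO(log_text)):
        user, client = row["USER_NAME"], row["CLIENT_NAME"]
        rows = int(row["ROWS_PROCESSED"] or 0)
        # Rule 1: any traffic from a connected app outside the allowlist.
        # A renamed Data Loader clone shows up here by its unfamiliar name.
        if client not in approved and (user, client) not in flagged_clients:
            flagged_clients.add((user, client))
            alerts.append(("unapproved_client", user, client, row["ENTITY_NAME"]))
        # Rule 2: accumulate export volume; a legitimate-looking app that
        # pulls far more rows than normal is still worth a look.
        totals[(user, client)] += rows
    for (user, client), total in totals.items():
        if total >= threshold:
            alerts.append(("large_export", user, client, total))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```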
User Education:
- Train employees to verify IT support requests through independent channels
- Educate staff about social engineering tactics and red flags
- Establish clear procedures for authorizing new applications or tools
- Implement a verification process for any requests involving data access tools
How CinchOps Can Help Secure Your Business
CinchOps understands that protecting your organization from sophisticated threats like UNC6040 requires more than just technology – it demands expertise, vigilance, and a comprehensive security strategy tailored to your specific business needs.
We recognize that every phone call to your organization represents a potential attack vector, and we’re here to help you turn that vulnerability into a strength through proper training, policies, and technical controls.
CinchOps Security Services:
- Comprehensive Salesforce security assessments and hardening
- Implementation of advanced monitoring and alerting systems
- Security awareness training programs specifically designed for modern threats
- Multi-factor authentication deployment and optimization
- Access control policy development and enforcement
- Incident response planning and execution
- Regular security audits and compliance assessments
- 24/7 security monitoring and threat detection
- Network segmentation and access restriction implementation
- Cloud security architecture design and implementation
CinchOps doesn’t just implement security measures – we become your trusted security partner, providing ongoing support and guidance as threats evolve. Our proactive approach means we’re not just responding to incidents; we’re preventing them from happening in the first place. With our deep understanding of both technology and human psychology, we can help you create a security culture that’s resistant to even the most sophisticated social engineering attempts.
When you choose CinchOps, you’re not just getting a managed IT provider – you’re gaining a security-first partner committed to protecting your business, your data, and your reputation in an increasingly dangerous digital world.
For Additional Information on this topic: The Cost of a Call: From Voice Phishing to Data Extortion