Google’s Threat Intelligence Group (GTIG) has uncovered a new cyberattack campaign targeting large companies that use Salesforce.
The attackers, tracked as UNC6040, rely on voice-phishing (vishing) rather than a software vulnerability: they talk employees into granting access to sensitive company data. In extortion messages the group often claims to be part of the well-known ShinyHunters extortion crew.
The attackers phone employees while posing as the company's own IT support staff. During the call they walk the victim through installing what looks like a legitimate tool, Salesforce's Data Loader application, but the copy they supply has been modified. The victim is then told to open Salesforce and enter a "connection code", which authorizes the attacker-controlled connected app against the company's Salesforce tenant. Because the grant goes through Salesforce's normal connected-app authorization flow, the attackers end up with API access issued to a legitimate user, with no password theft or malware required.
Once access is granted, the attackers begin exporting data directly from Salesforce. From there, they often move laterally to other connected platforms, such as Okta, Microsoft 365, and Workplace. This allows them to steal additional sensitive information, including login credentials, internal communications, and private documents.
In some cases the attackers rename the connected app to something that fits the pretext of the call, such as "My Ticket Portal", so the authorization prompt looks routine. They also route their activity through commercial VPN services such as Mullvad while pulling data out of the victim's environment. Google reports that phishing pages mimicking Okta login screens have also been used as part of this campaign.
The stolen data is not always used right away. In some cases, companies are contacted weeks or even months later and threatened with data leaks unless they pay a ransom. The extortion messages often reference ShinyHunters, a group linked to several high-profile data breaches, possibly to increase pressure on the victims.
To defend against these attacks, Google advises companies to restrict the API-enabled permission in Salesforce to users who actually need it, limit who is allowed to install or authorize connected apps, and block access from commercial VPN providers such as Mullvad. A practical check: review which connected apps currently hold OAuth grants in the org and whether an unfamiliar name such as "My Ticket Portal" appears among them. Organizations should also train employees to recognize and report suspicious IT support requests, especially those that ask for unexpected software installations or connection codes.
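The attack chain above (an unapproved connected app, a login from VPN egress, then bulk exports shortly afterwards) is also a detection opportunity. The following script is an added example, not code from Google or from this article: it hunts over Salesforce-style login and bulk-API log rows for a login from an app outside an allowlist or from a VPN range, then correlates it with large query exports by the same user inside a time window. The log rows are constructed, the column names approximate Salesforce EventLogFile "Login" and "BulkApi" fields and must be checked against your org's real schema, and the VPN range, app allowlist and thresholds are illustrative values.

```python
"""Toy hunt over Salesforce-style login and bulk-export log rows.

Added example, not code from Google or the article. The rows are constructed,
and the column names (APPLICATION, SOURCE_IP, NUMBER_OF_RECORDS, ...) are
assumptions approximating Salesforce EventLogFile 'Login' and 'BulkApi' rows;
verify them against your org's actual event schema before reuse.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Connected apps the org has actually approved (assumption: a real allowlist
# comes from the org's connected-app OAuth usage review, not a hard-coded set).
APPROVED_APPS = {"Salesforce for iOS", "Data Loader (Corp)"}

# Constructed "commercial VPN" range for the example; a real list comes from a
# threat-intel or ASN feed.
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Bulk queries totalling this many records within WINDOW after a suspicious
# login are flagged. Both values are arbitrary example thresholds.
EXPORT_THRESHOLD = 10_000
WINDOW = timedelta(hours=2)

# Constructed sample rows (ISO-8601 UTC timestamps).
LOGIN_LOG = """EVENT_TYPE,TIMESTAMP,USER_NAME,SOURCE_IP,APPLICATION,LOGIN_STATUS
Login,2025-06-04T09:02:11Z,alice@example.com,203.0.113.5,Salesforce for iOS,LOGIN_NO_ERROR
Login,2025-06-04T09:15:40Z,bob@example.com,198.51.100.77,My Ticket Portal,LOGIN_NO_ERROR
Login,2025-06-04T13:00:02Z,carol@example.com,203.0.113.9,Data Loader (Corp),LOGIN_NO_ERROR
"""

BULK_LOG = """EVENT_TYPE,TIMESTAMP,USER_NAME,ENTITY_NAME,NUMBER_OF_RECORDS,OPERATION_TYPE
BulkApi,2025-06-04T09:31:05Z,bob@example.com,Account,48200,query
BulkApi,2025-06-04T09:44:18Z,bob@example.com,Contact,152000,query
BulkApi,2025-06-04T13:05:00Z,carol@example.com,Lead,3500,query
"""


def _parse(text):
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_vpn(ip):
    """True if the source address falls inside a known VPN egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def suspicious_logins(login_rows):
    """Successful logins from an unapproved connected app or a VPN address."""
    out = []
    for row in login_rows:
        if row["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            continue
        reasons = []
        if row["APPLICATION"] not in APPROVED_APPS:
            reasons.append("unapproved app: " + row["APPLICATION"])
        if is_vpn(row["SOURCE_IP"]):
            reasons.append("vpn egress: " + row["SOURCE_IP"])
        if reasons:
            out.append({"user": row["USER_NAME"],
                        "time": _ts(row["TIMESTAMP"]),
                        "reasons": reasons})
    return out


def correlate_exports(login_rows, bulk_rows):
    """Pair each suspicious login with bulk query volume by that user in WINDOW."""
    exports = defaultdict(list)
    for row in bulk_rows:
        if row["OPERATION_TYPE"] == "query":  # exports, not inserts/updates
            exports[row["USER_NAME"]].append(
                (_ts(row["TIMESTAMP"]), int(row["NUMBER_OF_RECORDS"]), row["ENTITY_NAME"]))
    alerts = []
    for login in suspicious_logins(login_rows):
        start, end = login["time"], login["time"] + WINDOW
        hits = [e for e in exports[login["user"]] if start <= e[0] <= end]
        total = sum(n for _, n, _ in hits)
        if total >= EXPORT_THRESHOLD:
            alerts.append({"user": login["user"],
                           "reasons": login["reasons"],
                           "records_exported": total,
                           "objects": sorted({obj for _, _, obj in hits})})
    return alerts


def hunt(login_text=LOGIN_LOG, bulk_text=BULK_LOG):
    """Run the correlation over the constructed sample; returns a list of alerts."""
    return correlate_exports(_parse(login_text), _parse(bulk_text))


if __name__ == "__main__":
    for alert in hunt():
        print(alert)
```

In the sample only bob's session is flagged: the app name is not on the allowlist, the source address sits in the VPN range, and two bulk queries totalling 200,200 Account and Contact records follow within the window. The design choice worth noting is that neither signal alone is decisive (a legitimate user can sit behind a VPN, and a new approved app can be missing from the list), so the alert fires on the combination with the export volume rather than on any single indicator.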
This campaign is a reminder that even legitimate business tools can be weaponized when combined with convincing social engineering tactics. Regular employee awareness training and stricter security controls are essential in preventing unauthorized access to cloud platforms.
Bijay Pokharel