Follow @EthHackingNews |
The OAuth Token Theft Campaign: How UNC6395 Abused the Drift-Salesforce Integration
In a recent data-theft campaign, threat actor UNC6395 targeted Salesforce customers through the Salesloft Drift AI chat integration. The attackers used stolen OAuth tokens issued to the Drift app to export sensitive data from those customers' Salesforce instances, compromising numerous organizations worldwide. This article covers the details of the attack and how organizations can protect themselves against similar threats.
Security Affairs (Pierluigi Paganini) recently reported on a campaign, attributed to threat actor UNC6395, that abused the Salesloft Drift AI chat integration with Salesforce. The attackers used compromised OAuth tokens to export sensitive data from customers' Salesforce instances, affecting numerous corporate entities worldwide.
According to Google Threat Intelligence Group (GTIG) researchers, the activity began as early as August 8, 2025 and relied on compromised OAuth tokens associated with the Salesloft Drift third-party application. Using those tokens, the attackers systematically exported large volumes of data from numerous Salesforce instances through the Salesforce Bulk API, targeting objects including Cases, Accounts, Users, and Opportunities.
The threat actor, identified as UNC6395, deleted the query jobs afterwards to reduce the visibility of its activity; GTIG notes that Salesforce logs were not affected by this, so organizations can still review them for evidence of exposure. The exported data was then mined for credentials such as AWS access keys, passwords, and Snowflake-related access tokens. In response, GTIG recommends that organizations using Drift integrated with Salesforce treat their data as compromised and take immediate remediation steps: revoke and rotate API keys and any other credentials stored in the affected objects, and investigate their Salesforce logs for unusual bulk query activity.
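The two checks GTIG recommends above (look for bulk query jobs on objects the integration has no business exporting, then hunt for secrets in the exported records) can be scripted. The following is an added example written for this article, not code from GTIG, Salesloft or Salesforce. It assumes a simplified, constructed log shape (columns timestamp, client, user, operation, object, job_id); real Salesforce Event Monitoring exports use different column names, so map them before running this against your own org. The sample log lines, case text, connected-app name "Drift" and job IDs are all constructed for illustration.

```python
"""Triage helper for the Drift/Salesforce OAuth token-theft pattern.

Added example, not vendor code. The log format below is a constructed
simplification; adapt the column names to your Event Monitoring export.
"""
import csv
import io
import re
from datetime import datetime, timezone

# Objects the article names as exported by the actor; a chat integration
# rarely needs to bulk-export these.
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}

# Activity window from the article: first exports on Aug 8, tokens revoked
# on Aug 20, 2025 (treated as inclusive). Assumed UTC.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 20, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample events, not real telemetry. Jobs 7501-7504 mimic the
# reported pattern: bulk queries on sensitive objects, then job deletion.
SAMPLE_LOG = """\
timestamp,client,user,operation,object,job_id
2025-08-10T02:14:05Z,Drift,integration@example.com,bulk_query_create,Case,7501
2025-08-10T02:14:07Z,Drift,integration@example.com,bulk_query_create,Account,7502
2025-08-10T02:14:09Z,Drift,integration@example.com,bulk_query_create,User,7503
2025-08-10T02:14:11Z,Drift,integration@example.com,bulk_query_create,Opportunity,7504
2025-08-10T02:31:40Z,Drift,integration@example.com,bulk_job_delete,Case,7501
2025-08-10T02:31:41Z,Drift,integration@example.com,bulk_job_delete,Account,7502
2025-08-10T02:31:42Z,Drift,integration@example.com,bulk_job_delete,User,7503
2025-08-10T02:31:43Z,Drift,integration@example.com,bulk_job_delete,Opportunity,7504
2025-08-11T09:00:00Z,Drift,integration@example.com,bulk_query_create,Contact,7510
2025-07-30T10:00:00Z,Drift,integration@example.com,bulk_query_create,Case,7300
2025-08-12T15:00:00Z,DataLoader,analyst@example.com,bulk_query_create,Account,7600
2025-08-12T15:30:00Z,DataLoader,analyst@example.com,bulk_job_delete,Account,7600
"""

# Constructed case body containing AWS's documented example key ID.
SAMPLE_CASE_BODY = (
    "Customer reports S3 sync failing. Their key is AKIAIOSFODNN7EXAMPLE and "
    "secret was shared in chat. Also: password=Hunter2! for the staging box."
)

# Patterns for the credential types the article says the actor hunted for.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password": re.compile(r"(?i)\bpassword\s*[:=]\s*(\S+)"),
}


def parse_events(text):
    """Parse the constructed CSV log into dicts with UTC datetimes."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["timestamp"] = ts.replace(tzinfo=timezone.utc)
        events.append(row)
    return events


def find_suspicious_bulk_jobs(events, client="Drift"):
    """Bulk query jobs created via `client` on sensitive objects inside the
    window, with a flag showing whether the job was later deleted (the
    clean-up step the actor used). Sorted by job id."""
    created, deleted = {}, set()
    for e in events:
        if e["client"] != client:
            continue
        if (e["operation"] == "bulk_query_create"
                and WINDOW_START <= e["timestamp"] <= WINDOW_END
                and e["object"] in SENSITIVE_OBJECTS):
            created[e["job_id"]] = e
        elif e["operation"] == "bulk_job_delete":
            deleted.add(e["job_id"])
    return [
        {"job_id": jid, "object": e["object"], "user": e["user"],
         "created": e["timestamp"].isoformat(), "deleted": jid in deleted}
        for jid, e in sorted(created.items())
    ]


def scan_for_secrets(text):
    """Return (kind, value) pairs for credential-like strings in text."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((kind, m.group(1) if m.groups() else m.group(0)))
    return findings


if __name__ == "__main__":
    for job in find_suspicious_bulk_jobs(parse_events(SAMPLE_LOG)):
        print("suspicious bulk job:", job)
    for kind, value in scan_for_secrets(SAMPLE_CASE_BODY):
        print(f"rotate now: {kind} found in case data: {value}")
```

Run against a real export, the first function gives you the list of objects whose records must be treated as exposed; the second, run over those records, gives you the concrete credentials to rotate first. Jobs created before the window (7300), on objects outside the sensitive set (7510), or by another connected app are left out of the Drift result on purpose; pass a different `client` to review other apps the same way.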
Salesloft warned that attackers used OAuth credentials issued to the Drift app to steal data from its customers' Salesforce instances. On August 20, 2025, Salesforce and Salesloft revoked all active Drift access and refresh tokens, and Salesloft stated that customers who do not integrate Drift with Salesforce were unaffected. The full scale of the breach remains unclear.
In other news the same week, TransUnion disclosed a data breach impacting over 4.4 million customers in August 2025, and the NSA, NCSC, and allied agencies published an advisory detailing the TTPs of Chinese state-sponsored actors targeting critical infrastructure organizations. Meanwhile, Citrix NetScaler instances remain exposed to the critical, actively exploited RCE flaw CVE-2025-7775, leaving numerous organizations vulnerable.
ESET also warned of PromptLock, a proof-of-concept it describes as the first AI-driven ransomware, and a data breach at Farmers Insurance impacted 1.1 million customers. These incidents illustrate the ongoing threat landscape and the importance of security awareness and basic hygiene for protecting sensitive information.
In conclusion, the UNC6395 token-theft campaign highlights the need for organizations to prioritize their security posture when integrating third-party applications with critical business systems such as Salesforce: inventory connected apps and the OAuth scopes they hold, limit those scopes to what the integration actually needs, and monitor for bulk data exports that fall outside an app's normal behavior. By staying vigilant and taking such proactive measures, businesses can reduce the risk of similar attacks in the future.