Salesforce customers duped by series of social-engineering attacks | CyberScoop<\/title> <meta name=\"description\" content=\"Google Threat Intelligence Group said about 20 organizations have been hit by a cybercrime group it tracks as UNC6040.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/google-unc6040-salesforce-attacks\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Salesforce customers duped by series of social-engineering attacks\"> <meta property=\"og:description\" content=\"Google Threat Intelligence Group said about 20 organizations have been hit by a cybercrime group it tracks as UNC6040.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/google-unc6040-salesforce-attacks\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-06-04T18:40:57+00:00\"> <meta property=\"article:modified_time\" content=\"2025-06-04T18:40:59+00:00\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1746040294g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1748637685g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1748220166g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/84758\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=84758\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fgoogle-unc6040-salesforce-attacks%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fgoogle-unc6040-salesforce-attacks%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-84758 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/google-unc6040-salesforce-attacks\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.9180327868852\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.409465020576\">\n<div class=\"single-article__header-content\" readability=\"34.090185676393\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/google-unc6040-salesforce-attacks\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Google Threat Intelligence Group said about 20 organizations have been hit by a cybercrime group it tracks as UNC6040. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/84758\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Salesforce headquarters in San Francisco.\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg 3744w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-4.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Exterior view of Salesforce’s headquarters in San Francisco on Feb. 28, 2024. (Justin Sullivan\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"37.176161149602\"><body readability=\"76.341686320755\"><\/p>\n<p>A financially motivated threat group posing as IT support has intruded the systems of about 20 organizations by duping employees into installing a malicious, illegitimate version of Salesforce\u2019s Data Loader and granting broader access to cloud-based environments, Google Threat Intelligence Group said in a <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/voice-phishing-data-extortion\">threat report<\/a> released Wednesday.<\/p>\n<p>The attacks, which Google attributes to UNC6040, have hit organizations in hospitality, retail and education across the Americas and Europe, resulting in data theft and extortion. <\/p>\n<p>\u201cOur current assessment indicates that a limited number of organizations were affected as part of this campaign, approximately 20,\u201d Austin Larsen, principal threat analyst at Google Threat Intelligence Group, told CyberScoop in an email. \u201cWe are tracking at least several extortion attempts, but we cannot comment on how many were successful.\u201d<\/p>\n<p>Organizations\u2019 adoption of widespread integrations and privileged access to multiple cloud-based services in corporate environments \u2014 paired with support for single sign-on services such as Okta and authentication protocols like OAuth \u2014 amplifies the risk posed by identity-based attacks. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Attackers have gained access to victim networks by calling targeted employees on the phone and convincing them to install and approve the malicious Salesforce application, exposing sensitive credentials and multi-factor authentication codes, according to Google.<\/p>\n<p>UNC6040 used this access to steal data from the victim organization\u2019s Salesforce environment, and then initiate lateral movement to steal data from other connected platforms, including Okta, Microsoft 365 and Workplace, researchers said.<\/p>\n<p>\u201cSalesforce has enterprise-grade security built into every part of our platform, and there\u2019s no indication the issue described stems from any vulnerability inherent to our services,\u201d a spokesperson for Salesforce said in a statement. \u201cAttacks like voice phishing are targeted social-engineering scams designed to exploit gaps in individual users\u2019 cybersecurity awareness and best practices.\u201d<\/p>\n<p>Google said the threat group\u2019s social-engineering tactics and initial focus on English-speaking users at multinational companies shares similarities with activities linked to members of \u201c<a href=\"https:\/\/cyberscoop.com\/tag\/the-com\/\">The Com<\/a>,\u201d suggesting some potential overlap and association with the global collective of loosely affiliated cybercriminals. Yet, researchers noted UNC6040 is unique in focusing on exfiltrating data from Salesforce environments.<\/p>\n<p>Attackers set their phishing lures by calling targeted individuals, posing as IT administrators offering support for alleged general IT issues. UNC6040 claims the issue stems from a nonexistent open IT support ticket that the victim can\u2019t access due to system differences, according to Google.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The victim is then directed to visit a phishing site or a fake \u201cSalesforce Setup Connect\u201d page, which requires an eight-digit code, to close the ticket, researchers said.<\/p>\n<p>Upon entering and confirming the code on their mobile device or computer, victims unwittingly authenticate access to UNC6040 via OAuth and add the malicious application to their Salesforce instance.<\/p>\n<p>Salesforce, which maintains that security is a shared responsibility, warned customers of threats posed by social-engineering attacks in guidance it released in a <a href=\"https:\/\/www.salesforce.com\/blog\/protect-against-social-engineering\/\">blog post<\/a> earlier this year.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.5625\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<div class=\"popular-stories__stories\">\n<div class=\"popular-stories__cards\">\n<article class=\"post-item post-item--popular-stories-cards \" readability=\"22.465648854962\">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/china-espionage-group-ivanti-vulnerability-exploits\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"506\" height=\"337\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-2.jpg?resize=506%2C337&ssl=1\" class=\"attachment-ratio-16-9-md size-ratio-16-9-md wp-post-image\" alt=\"The Chinese national flag flies outside the Ministry of Foreign Affairs in Beijing on July 26, 2023. (Photo by GREG BAKER\/AFP via Getty Images)\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-5.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-5.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-5.jpg?resize=768,511 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-5.jpg?resize=1024,682 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-5.jpg?resize=1536,1022 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-5.jpg?resize=600,399 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-5.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-5.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-5.jpg?resize=1014,675 1014w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-5.jpg?resize=1266,843 1266w\" sizes=\"auto, (max-width: 506px) 100vw, 506px\"> <\/a><figcaption class=\"screen-reader-text\"> The Chinese national flag flies outside the Ministry of Foreign Affairs in Beijing on July 26, 2023. (Photo by GREG BAKER\/AFP via Getty Images) <\/figcaption><\/figure>\n<header class=\"post-item__meta\" readability=\"2.9397590361446\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/china-espionage-group-ivanti-vulnerability-exploits\/\"> China-backed espionage group hits Ivanti customers again <\/a> <\/h3>\n<p> UNC5221 has a knack for exploiting defects in Ivanti products. The group has exploited at least four vulnerabilities in the vendor\u2019s products since 2023, according to Mandiant. <\/p>\n<div class=\"post-item__byline\"> <span class=\"post-item__author\"> <span>By <\/span> <a class=\"post-item__author-link\" href=\"https:\/\/cyberscoop.com\/author\/matt-kapko\/\"> Matt Kapko <\/a> <\/span> <\/div>\n<p> <\/header>\n<p> <\/article>\n<article class=\"post-item post-item--popular-stories-cards \">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/russia-threat-groups-target-ukraine-signal\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"255\" height=\"168\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-3.jpg?resize=255%2C168&ssl=1\" class=\"attachment-ratio-16-9-sm size-ratio-16-9-sm wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-6.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-6.jpg?resize=300,198 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-6.jpg?resize=768,507 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-6.jpg?resize=1024,676 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-6.jpg?resize=1536,1014 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-6.jpg?resize=600,396 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-6.jpg?resize=255,168 255w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-6.jpg?resize=511,337 511w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-6.jpg?resize=1023,675 1023w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/06\/salesforce-customers-duped-by-series-of-social-engineering-attacks-6.jpg?resize=1277,843 1277w\" sizes=\"auto, (max-width: 255px) 100vw, 255px\"> <\/a><figcaption class=\"screen-reader-text\"> Russian soldiers stand on Red Square in central Moscow on September 29, 2022, as the square is sealed prior to a ceremony of the incorporation of the new territories into Russia. (Photo by ALEXANDER NEMENOV\/AFP via Getty Images) <\/figcaption><\/figure>\n<header class=\"post-item__meta\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/russia-threat-groups-target-ukraine-signal\/\"> Russia-aligned threat groups dupe Ukrainian targets via Signal <\/a> <\/h3>\n<div class=\"post-item__byline\"> <span class=\"post-item__author\"> <span>By <\/span> <a class=\"post-item__author-link\" href=\"https:\/\/cyberscoop.com\/author\/matt-kapko\/\"> Matt Kapko <\/a> <\/span> <\/div>\n<p> <\/header>\n<p> <\/article>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/google-unc6040-salesforce-attacks\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Salesforce customers duped by series of social-engineering attacks | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,323,387,3729,3358,4387,614,60,3099,2533,310,288],"tags":[286,86,327,391,3731,3360,4388,619,67,3104,2536,311,294],"class_list":["post-7708","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-extortion","category-google","category-google-threat-intelligence-group","category-microsoft-365","category-oauth","category-okta","category-phishing","category-salesforce","category-social-engineering","category-technology","category-threats","tag-cybercrime","tag-cybersecurity","tag-extortion","tag-google","tag-google-threat-intelligence-group","tag-microsoft-365","tag-oauth","tag-okta","tag-phishing","tag-salesforce","tag-social-engineering","tag-technology","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/extortion\/\" rel=\"category tag\">extortion<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google\/\" rel=\"category tag\">Google<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google-threat-intelligence-group\/\" rel=\"category tag\">Google Threat Intelligence Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft-365\/\" rel=\"category tag\">Microsoft 365<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/oauth\/\" rel=\"category tag\">OAuth<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/okta\/\" rel=\"category tag\">okta<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing\/\" rel=\"category tag\">phishing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/salesforce\/\" rel=\"category tag\">Salesforce<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/social-engineering\/\" rel=\"category tag\">Social engineering<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7708"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7708\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7708,"date":"2025-06-04T13:40:57","date_gmt":"2025-06-04T18:40:57","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=84758"},"modified":"2025-06-04T13:40:57","modified_gmt":"2025-06-04T18:40:57","slug":"salesforce-customers-duped-by-series-of-social-engineering-attacks","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/06\/04\/salesforce-customers-duped-by-series-of-social-engineering-attacks\/","title":{"rendered":"Salesforce customers duped by series of social-engineering attacks"},"content":{"rendered":"