Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations

Oct. 1, 2025, 4:11 p.m.

Description

This analysis focuses on UNC6040, a financially motivated threat group specializing in voice phishing campaigns targeting Salesforce instances. The group employs social engineering tactics to trick employees into granting access or sharing credentials, facilitating large-scale data theft and extortion. Key tactics include manipulating victims to authorize malicious connected apps, often modified versions of Salesforce's Data Loader. The report provides detailed recommendations for proactive hardening, identity verification, and detection strategies to protect against UNC6040's methods. It emphasizes the importance of multi-layered security measures, including strict identity validation, device trust enforcement, and granular data access policies within Salesforce environments.

Date

  • Created: Oct. 1, 2025, 12:13 p.m.
  • Published: Oct. 1, 2025, 12:13 p.m.
  • Modified: Oct. 1, 2025, 4:11 p.m.

Indicators

  • login.principal.user.email
  • http.principal.user.email

Attack Patterns

Additional Information

  • Finance
  • oauth.security

Linked vulnerabilities