FBI Warns UNC6040, UNC6395 Target Salesforce Platforms
Why the FBI Flash Alert Matters for Salesforce platforms
The FBI’s flash alert about UNC6040 and UNC6395 is a wake-up call for every organization that depends on Salesforce platforms. The agency noted that both groups “have been observed targeting organizations’ Salesforce platforms via different initial access mechanisms.” With hundreds of thousands of businesses using these cloud systems to manage customer records, sales pipelines, and support cases, a single compromised console can expose financial data, personally identifiable information, and sensitive communications. The bulletin reframes the question from if a Salesforce platform will be targeted to when it will be targeted.
How UNC6040 and UNC6395 Operate
The FBI’s advisory describes two clusters with distinct initial access tactics but the same ultimate goals: access, exfiltration, and extortion. Reported patterns and industry observations show attackers frequently use:
– Credential theft through phishing or compromised single sign-on (SSO) integrations
– Abuse of stolen or poorly configured API keys and long-lived tokens
– Exploitation of third-party connectors and integrations that have excessive permissions
– Lateral movement using privileged accounts to expand reach once inside
Once attackers gain foothold, they rapidly aggregate high-value records, export them, and follow with extortion demands or sell the information on illicit markets. The IoCs the FBI published are essential for identifying confirmed intrusions and blocking ongoing activity, but they are only one piece of a comprehensive defense strategy that must also include prevention, continuous monitoring, and rapid incident response.
Cloud Shared Responsibility and Where Salesforce platforms Become Vulnerable
Salesforce and other cloud vendors operate under a shared-responsibility model: the vendor secures the platform infrastructure, while customers are responsible for their data, configuration, access controls, and integrations. That division sounds clear on paper but becomes porous in practice. Administrative credentials, long-lived API tokens, or misconfigured connectors can grant attackers the same privileges as legitimate administrators. When that happens, the attacker is in a trusted environment where traditional perimeter defenses are ineffective.
This dynamic highlights a critical point: organizations cannot assume cloud provider protections absolve them of rigorous identity hygiene, least-privilege access, and continuous monitoring. Protecting Salesforce platforms requires focusing on identity and access as the primary battleground.
Practical Mitigations to Protect Salesforce platforms
The FBI and industry experts recommend a layered approach. Key practical steps include:
– Enforce strong multi-factor authentication (MFA) for all administrative, developer, and API access
– Apply least-privilege principles to users, API tokens, and third-party integrations
– Rotate and monitor API keys and tokens; promptly delete unused tokens and deprecated credentials
– Audit connected applications and third-party connectors for permission creep and revoke excessive rights
– Centralize logging and ingest telemetry into a SIEM or XDR system for faster detection and response
– Create alerts for anomalous exports, mass data access, or unusual administrator activity
– Enable vendor-recommended security features and apply Salesforce hardening guides
– Maintain an incident response plan that includes forensic capture of IoCs and pre-defined containment workflows
IoCs are valuable for detecting specific adversary behavior, but they do not replace preventive controls. Treat them as complementary — useful for hunting and validation, but not as a standalone defense.
Policy, Product Design, and the Path Forward
The FBI advisory also carries implications beyond immediate security operations. For policymakers, it underscores the limitations of perimeter-focused regulation and the need for standards around cloud configuration, identity management, and breach notification timelines. For product and engineering teams, it reinforces the business case for secure-by-default designs, simpler access control administration, and better telemetry so customers can detect misuse quickly.
Reducing risk will likely require two synchronized approaches: regulatory baseline requirements for configuration and disclosure, and market-driven improvements such as stronger identity platforms, zero-trust architectures, and more intuitive security defaults. Attackers exploit friction and ambiguity; reducing those advantages will shrink attacker dwell time and the window for extortion.
What Organizations Using Salesforce platforms Should Do Now
For organizations that rely on Salesforce platforms, the immediate checklist is clear and actionable:
– Cross-reference the FBI’s IoCs against your logs and telemetry to hunt for compromise indicators
– Confirm MFA is enforced for all administrative, developer, and API access paths
– Audit third-party integrations and remove or reduce excessive permissions
– Review and rotate API tokens and credentials on a regular schedule, and disable unused accounts
– Increase monitoring for unusual exports, mass record access, or anomalous admin actions
– Rehearse incident response procedures, including containment, forensic collection, and notification
Treat administrative accounts, long-lived tokens, and critical integrations as crown jewels. Assume any exposed credential can be weaponized and prioritize controls that limit what an attacker can reach even after initial compromise.
Conclusion: Prepare for the Next Flash Alert on Salesforce platforms
The FBI’s flash alert on UNC6040 and UNC6395 is a stark reminder that attackers are prioritizing high-value cloud consoles and CRMs. As Salesforce platforms consolidate business-critical data, defenders must move beyond a perimeter mindset and emphasize identity, least privilege, and rapid detection. The question is no longer whether a platform will be targeted — it’s how quickly your organization can detect, contain, and recover when it is. Act now to harden access, audit integrations, and improve monitoring so the next alert finds your organization prepared rather than exposed.




