Hackers Use Altered Salesforce App to Steal Data and Extort Firms, Says Google

Google Uncovers Vishing Campaign Targeting Salesforce for Data Theft and Extortion 

Google has published new details on a financially motivated threat group it tracks as UNC6040, which specializes in voice phishing (vishing). The calls are used to get into organizations' Salesforce environments, steal large volumes of data, and later extort the victims. 

The company’s threat intelligence team believes UNC6040 shows traits similar to cybercriminal groups linked to a collective called The Com. 

In recent months, UNC6040 has repeatedly succeeded in breaching corporate networks by posing as IT support staff during highly convincing phone-based social engineering attacks. According to Google’s Threat Intelligence Group (GTIG), this method has helped the attackers deceive English-speaking employees into handing over credentials or performing actions that grant unauthorized access to internal systems. 

A key tactic involves a modified version of Salesforce's Data Loader tool. Data Loader is normally used for bulk import, export, and update of records within Salesforce. During the call, the victim is walked to Salesforce's connected app setup page and persuaded to approve a fake application, often given a plausible name such as "My Ticket Portal." Because approving a connected app grants it API access under the approving user's permissions, no exploit is needed: once the altered app is authorized, the attackers can pull the company's Salesforce data through it and exfiltrate it. 

Beyond Salesforce, the group has been observed expanding into other services, including Okta, Microsoft 365, and Workplace, using the foothold to collect additional sensitive data across the victim's environment. In some cases, extortion followed the intrusion only after several months had passed, which suggests the stolen data may be monetized or sold with the help of a second threat actor. 

During these extortion attempts, the group has reportedly claimed ties to the well-known hacking collective ShinyHunters, possibly as a way to increase pressure on the victims. 

Google noted that UNC6040’s behavior resembles that of groups associated with The Com, particularly due to their focus on Okta credentials and reliance on social engineering through IT impersonation. These are techniques also used by Scattered Spider, a financially motivated actor within the same broader network. 

Salesforce became aware of the campaign earlier in 2025. In March, the company issued a warning about attackers impersonating IT support by phone. These actors have been known to trick employees into entering credentials into phishing websites or navigating to the login.salesforce[.]com/setup/connect page to approve a malicious connected app. 

Salesforce reported that in some cases, this malicious app is a rebranded version of the legitimate Data Loader, published under a different name. Once approved, the app is used to pull data from customer accounts without permission. 
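The detectable signal in this pattern is an unfamiliar connected app being authorized and then, within hours, running bulk queries against large objects. The following is an added detection example, not code from Google's or Salesforce's write-up: it runs over a handful of constructed events whose field names (`type`, `client_id`, `rows`, and so on) are assumptions standing in for whatever your log pipeline normalizes from Salesforce's Setup Audit Trail and Event Monitoring data, and the allowlisted client identifier is invented.

```python
"""Flag a newly authorized connected app that immediately starts bulk exports.

The UNC6040 pattern described above: a user approves a rebranded Data Loader
("My Ticket Portal"), and the attackers' OAuth client then pulls whole objects.
All events below are CONSTRUCTED for this example; the field names are assumed,
not Salesforce's actual log schema.
"""
from datetime import datetime, timedelta

# Connected apps the org expects to run bulk jobs (assumed identifier).
APPROVED_BULK_CLIENTS = {"client-dataloader-official"}

# Constructed sample events, already sorted loosely by time.
SAMPLE_EVENTS = [
    # Vished user approves a rogue app, which then exports Accounts and Contacts.
    {"ts": "2025-06-02T14:01:00", "type": "connected_app_authorized",
     "user": "jdoe@example.com", "app": "My Ticket Portal", "client_id": "client-x7q2"},
    {"ts": "2025-06-02T14:06:30", "type": "bulk_query", "user": "jdoe@example.com",
     "client_id": "client-x7q2", "object": "Account", "rows": 120000},
    {"ts": "2025-06-02T14:21:10", "type": "bulk_query", "user": "jdoe@example.com",
     "client_id": "client-x7q2", "object": "Contact", "rows": 310000},
    # Admin using the allowlisted Data Loader: large volume, but expected.
    {"ts": "2025-06-02T15:00:00", "type": "connected_app_authorized",
     "user": "admin@example.com", "app": "Data Loader",
     "client_id": "client-dataloader-official"},
    {"ts": "2025-06-02T15:05:00", "type": "bulk_query", "user": "admin@example.com",
     "client_id": "client-dataloader-official", "object": "Lead", "rows": 500000},
    # New app with trivial volume: stays below the threshold.
    {"ts": "2025-06-03T09:00:00", "type": "connected_app_authorized",
     "user": "asmith@example.com", "app": "Calendar Sync", "client_id": "client-cal1"},
    {"ts": "2025-06-03T09:30:00", "type": "bulk_query", "user": "asmith@example.com",
     "client_id": "client-cal1", "object": "Event", "rows": 40},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_rogue_bulk_exports(events, window=timedelta(hours=24),
                            row_threshold=50000, allowlist=APPROVED_BULK_CLIENTS):
    """Return one finding per non-allowlisted app authorization that is followed,
    within `window`, by bulk queries from the same client totalling at least
    `row_threshold` rows."""
    events = sorted(events, key=_ts)
    findings = []
    for auth in events:
        if auth["type"] != "connected_app_authorized" or auth["client_id"] in allowlist:
            continue
        start, end = _ts(auth), _ts(auth) + window
        pulls = [e for e in events
                 if e["type"] == "bulk_query"
                 and e["client_id"] == auth["client_id"]
                 and start <= _ts(e) <= end]
        total_rows = sum(e["rows"] for e in pulls)
        if total_rows >= row_threshold:
            findings.append({
                "app": auth["app"],
                "client_id": auth["client_id"],
                "approved_by": auth["user"],
                "approved_at": auth["ts"],
                "rows": total_rows,
                "objects": sorted({e["object"] for e in pulls}),
            })
    return findings


if __name__ == "__main__":
    for f in find_rogue_bulk_exports(SAMPLE_EVENTS):
        print(f"ALERT: {f['app']} ({f['client_id']}) approved by {f['approved_by']} "
              f"at {f['approved_at']} exported {f['rows']} rows from {f['objects']}")
```

The allowlist is what keeps the genuine Data Loader from alerting; the same check is a reason to restrict which connected apps users may self-authorize in the first place, so that an approval on the setup/connect page requires admin review rather than a convincing phone call.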

The campaign shows how far a purely social-engineering attack can go: no software flaw is exploited, only a legitimately granted app authorization. It also shows that IT support roles, and the trust employees place in them, are now a primary target for attackers seeking a foothold in enterprise environments. 

Google concluded that the effectiveness of UNC6040’s vishing tactics proves how powerful these methods can be for financially motivated cybercriminals. With the delay between breach and extortion, more victim organizations may face pressure or ransom demands in the coming weeks. 
