The FBI has issued a FLASH advisory detailing activity from the threat groups UNC6040 and UNC6395, who are actively conducting data theft and extortion campaigns against organizations using Salesforce.
According to the advisory, these actors are leveraging stolen credentials, OAuth tokens, and malicious connected applications to gain persistent access and extract sensitive data at scale.
Threat activity linked to these groups has been observed in the wild, including connections to infrastructure identified in the FBI’s advisory. While such traffic may not always confirm compromise, it highlights the ongoing risk to organizations relying on Salesforce and the importance of carefully reviewing their environments for possible exposure.
Indicators of Compromise (IOCs)
The FBI report contains a comprehensive list of IP addresses and domains linked to UNC6040/UNC6395 operations. Customers are strongly encouraged to:
- Monitor their environments for connections to the listed IOCs.
- Audit Salesforce API logs and connected applications for unusual or unauthorized activity.
- Rotate credentials, review OAuth tokens, and enforce multi-factor authentication (MFA).
The full advisory, including the complete IOC set, is available here: https://www.ic3.gov/CSA/2025/250912.pdf
Recommended Actions
Organizations using Salesforce should implement the mitigations outlined by the FBI and remain vigilant for any suspicious Salesforce or network activity. Monitoring outbound traffic to suspicious infrastructure is especially critical, as recent observations have shown both probing attempts and established TLS connections to IOC IP addresses.
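The two checks above (matching outbound connections against the advisory's IOC list, and auditing Salesforce login activity for the same infrastructure) can be combined in one sweep. The following is an added example written for this article, not tooling from the FBI or OP Innovate: it loads constructed placeholder IOCs (RFC 5737 TEST-NET addresses and a reserved example domain, to be replaced with the list from the FLASH PDF), classifies each hit as a probe (no reply from the peer) or an established TLS session (data flowing both ways on 443), and flags Salesforce logins sourced from an IOC address. The connection-log layout mimics a Zeek conn.log export and the login columns are assumptions modelled on a login-history report; both are constructed sample data.

```python
"""IOC sweep over outbound connection records and a Salesforce login export.
Added example. IOC values are constructed placeholders (RFC 5737 TEST-NET
addresses, a reserved example domain); substitute the FBI FLASH IOC list.
"""
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, Optional

IOC_IPS = {"203.0.113.10", "198.51.100.25"}   # placeholders, not from the advisory
IOC_DOMAINS = {"ioc-placeholder.example"}     # placeholder, not from the advisory

# Constructed outbound connection log in a Zeek conn.log-like CSV layout.
# conn_state follows Zeek semantics: S0 = SYN sent and never answered,
# SF = normal setup and teardown.
CONN_LOG = """ts,src_ip,dst_ip,dst_port,proto,conn_state,duration,orig_bytes,resp_bytes,sni
2025-09-15T10:01:02Z,10.0.5.21,203.0.113.10,443,tcp,S0,0.000,0,0,
2025-09-15T10:01:05Z,10.0.5.21,203.0.113.10,443,tcp,S0,0.000,0,0,
2025-09-15T10:03:40Z,10.0.7.9,198.51.100.25,443,tcp,SF,184.211,52310,4088,ioc-placeholder.example
2025-09-15T10:04:12Z,10.0.5.21,93.184.216.34,443,tcp,SF,1.203,800,12000,www.example.com
2025-09-15T10:05:00Z,10.0.8.3,172.16.0.4,443,tcp,SF,30.000,1500,300,api.ioc-placeholder.example
"""

# Constructed Salesforce login-history export. The column names are an
# assumption modelled on a login-history report, not a guaranteed schema.
LOGIN_LOG = """LoginTime,UserId,SourceIp,Application,Status
2025-09-15T09:58:00Z,005xx000001AAA,198.51.100.25,Unreviewed Connected App,Success
2025-09-15T09:59:30Z,005xx000001BBB,192.0.2.77,Browser,Success
"""


def domain_matches(host: str, ioc_domains=IOC_DOMAINS) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.strip().lower().rstrip(".")
    return bool(host) and any(host == d or host.endswith("." + d) for d in ioc_domains)


def classify_conn(row: Dict[str, str]) -> Optional[str]:
    """Return 'probe', 'established_tls' or 'other' for an IOC hit, else None."""
    ip_hit = row["dst_ip"] in IOC_IPS
    dom_hit = domain_matches(row.get("sni", ""))
    if not (ip_hit or dom_hit):
        return None
    resp_bytes = int(row["resp_bytes"])
    # No reply from the peer: a connection attempt (probing, or egress that was blocked)
    if row["conn_state"] == "S0" or resp_bytes == 0:
        return "probe"
    # Completed TLS session with data both ways: top triage priority (possible exfil channel)
    if int(row["dst_port"]) == 443 and row["conn_state"] == "SF":
        return "established_tls"
    return "other"


def scan_connections(log_text: str) -> List[Dict[str, str]]:
    """Every connection record that touched IOC infrastructure, with its classification."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        kind = classify_conn(row)
        if kind is not None:
            findings.append({"ts": row["ts"], "src_ip": row["src_ip"],
                             "dst": row["sni"] or row["dst_ip"], "kind": kind})
    return findings


def scan_logins(login_text: str) -> List[Dict[str, str]]:
    """Salesforce logins whose source IP is on the IOC list (user + app for follow-up)."""
    hits = []
    for row in csv.DictReader(io.StringIO(login_text)):
        if row["SourceIp"] in IOC_IPS:
            hits.append({"ts": row["LoginTime"], "user": row["UserId"],
                         "app": row["Application"], "src_ip": row["SourceIp"]})
    return hits


def summarize(findings: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per internal source host, count of each hit kind, for ordering the response."""
    by_host: Dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        by_host[f["src_ip"]][f["kind"]] += 1
    return {host: dict(c) for host, c in by_host.items()}


if __name__ == "__main__":
    conn_hits = scan_connections(CONN_LOG)
    for host, kinds in summarize(conn_hits).items():
        print(host, kinds)
    for hit in scan_logins(LOGIN_LOG):
        print("Salesforce login from IOC IP:", hit)
```

Hosts with an established TLS session to IOC infrastructure deserve attention before hosts that only probed, and a login from an IOC address should trigger the credential rotation and OAuth token review listed above for that user, together with a look at the connected application the login came through. Matching the SNI as well as the destination IP catches the case where the IOC domain now resolves to an address that is not yet on the list.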
If you need assistance in implementing preventative measures or assessing the risk to your organization, reach out to OP Innovate for a free consultation.
Stay Safe. Stay Secure.
The OP Innovate Research Team