A large-scale supply-chain campaign has unfolded, where attackers abused OAuth tokens from Salesloft’s Drift application to infiltrate Salesforce environments. Among the confirmed victims are leading security vendors such as Cloudflare, Zscaler, and Palo Alto Networks, where attackers accessed support case data.
While no vendor infrastructure or products were compromised, the risk lies in sensitive information stored within Salesforce cases, including API keys, credentials, and configuration details.
Cloudflare confirmed rotating more than 100 exposed tokens, and Zscaler disclosed exposure of contact data and limited case metadata. Salesforce and Salesloft have since revoked the malicious Drift tokens and removed the app from AppExchange.
Incident Details
- Actor: Tracked as UNC6395 / “GRUB1”
- Timeframe: August 8-18, 2025 (active exploitation window)
- Technique: Abuse of OAuth tokens from Drift to run Salesforce Bulk API jobs, extracting support case records.
- Data accessed: Salesforce support cases (contacts, subject/body text). In some cases, attackers actively searched exports for AWS keys, passwords, and Snowflake tokens.
Google reported a subset of Workspace accounts linked to Drift Email were also accessed via compromised OAuth tokens.
Impact and Risk
For customers of Cloudflare, Zscaler, Palo Alto Networks, and other affected vendors, the primary concern is the potential compromise of sensitive data contained in Salesforce support tickets.
Information such as API tokens, passwords, or SSH keys that may have been shared through support cases should be considered exposed. Beyond direct credential leakage, there is also a heightened risk of phishing and social engineering.
With access to real case details, attackers could craft highly convincing lures designed to impersonate vendors or reference legitimate ticket history, making them far more difficult for users to detect.
Salesforce/Salesforce Drift Integration Risks
Organizations that integrated Salesforce with Salesloft Drift face a different set of risks.
The attackers are believed to have abused Drift tokens to export core Salesforce objects, including Cases, Accounts, Contacts, and Opportunities.
While Salesforce and Salesloft have revoked the malicious tokens and removed the Drift application, any secrets embedded within those exported records remain vulnerable.
Recommended Actions
For vendor customers
- Rotate credentials immediately if ever shared through support cases (API tokens, keys, passwords).
- Treat any follow-up emails or calls referencing support cases as potential phishing.
For Salesforce + Drift users
- Verify that the Drift connected app is disabled.
- Review Event Monitoring logs from Aug 8 onward for suspicious Bulk API jobs.
- Search exported data for sensitive strings (AKIA, password, secret, snowflakecomputing.com).
- Rotate any exposed credentials and Salesforce API keys.
For Drift Email + Google Workspace users
- Confirm token revocations.
- Audit Google Admin logs for anomalous Drift access starting Aug 9.
- Enforce OAuth app allow-listing.
Detection and Hunting
The user agent Python/3.11 aiohttp/3.12.15 was observed during the campaign.
Additionally, security teams should investigate for Bulk API queries initiated during Aug 8–18, and monitor for credential abuse attempts (especially AWS, Snowflake, and VPN/SSO endpoints).
Stay Protected With WASP
Our WASP customers benefit from continuous red-team validation of integrations like Salesforce and proactive detection of OAuth misuse, providing assurance against similar supply-chain attacks.
Create your free WASP account now:
Stay Safe. Stay Secure.
OP Innovate Research Team
