Over the past few months, a threat group identified as UNC6040 has been executing a sophisticated voice phishing (vishing) campaign targeting Salesforce environments, according to Google’s Threat Intelligence Group.
The attackers impersonate IT support personnel to manipulate employees at multinational companies into connecting a malicious app to their organization’s Salesforce portal or surrendering their login credentials and MFA codes. The malicious app, a modified version of Salesforce’s legitimate Data Loader, enables the attackers to access and exfiltrate sensitive customer and business data, which is later used for extortion.
Following the initial breach, UNC6040 has also been observed moving laterally through victim networks to access other systems such as Okta, Workplace, and Microsoft 365. The exfiltration of data is not always immediately followed by extortion attempts, suggesting that a secondary actor may be monetizing access to the stolen information at a later stage. This delay increases the potential impact, with victim organizations and their partners possibly facing extortion threats weeks or even months after the original compromise.
UNC6040’s tactics align with broader vishing trends, including impersonating IT personnel and targeting identity platforms. Analysts note that the group’s infrastructure and techniques resemble those of "The Com," a loosely organized cybercriminal collective. Importantly, the breaches have relied entirely on social engineering rather than technical vulnerabilities within Salesforce. In response, Salesforce has issued warnings and defensive recommendations to customers, while Mandiant has published broader guidance to help organizations protect against similar vishing threats.
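Because the intrusion hinges on an unsanctioned connected app pulling data in bulk, a useful defensive check is to review API activity for clients that are not on an approved list and for unusually large row counts. The script below is an added example, not code from Google, Mandiant or Salesforce; the log lines, field names, allowlist and threshold are all constructed for illustration and are modelled only loosely on Salesforce event-log exports, so the real schema may differ.

```python
"""Flag Salesforce-style API activity matching the pattern in the report:
an unapproved connected app, or any client (even a trusted-looking one such
as a rebranded Data Loader) pulling a large volume of rows."""
import csv
import io
from collections import defaultdict

# Hypothetical allowlist of connected apps the org deliberately approved.
APPROVED_CLIENTS = {"Data Loader", "Salesforce Mobile", "Internal ETL"}
# Constructed threshold: total rows per (user, client) before an alert fires.
ROW_THRESHOLD = 50_000

# Constructed sample log; columns are illustrative, not a real export schema.
SAMPLE_LOG = """\
USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
u001,Data Loader,Account,1200
u002,My Ticket Portal,Contact,45000
u002,My Ticket Portal,Lead,30000
u003,Internal ETL,Opportunity,80000
"""


def parse_events(text):
    """Parse CSV-formatted API event rows into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious(events, approved=APPROVED_CLIENTS, threshold=ROW_THRESHOLD):
    """Return alert tuples:
    ("unapproved_client", user, client)        once per unknown client/user pair
    ("bulk_export", user, client, total_rows)  when cumulative rows exceed threshold
    The bulk check applies to approved clients too, since an attacker's
    modified Data Loader may present an approved-looking name."""
    totals = defaultdict(int)
    flagged_clients = set()
    alerts = []
    for ev in events:
        user, client = ev["USER_ID"], ev["CLIENT_NAME"]
        totals[(user, client)] += int(ev["ROWS_PROCESSED"])
        if client not in approved and (user, client) not in flagged_clients:
            flagged_clients.add((user, client))
            alerts.append(("unapproved_client", user, client))
    for (user, client), rows in totals.items():
        if rows > threshold:
            alerts.append(("bulk_export", user, client, rows))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_events(SAMPLE_LOG)):
        print(alert)
```

Tune the allowlist to the apps actually registered in the org and the threshold to normal integration volumes, otherwise routine ETL jobs will dominate the output.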