Google Threat Intelligence Group (GTIG) has warned that a threat group specializing in voice phishing (vishing), tracked as UNC6040, is targeting Salesforce users and has repeatedly breached organizations in recent months through social engineering alone. UNC6040's operators telephone employees while impersonating IT support staff and talk them into granting access or handing over credentials that are then used to steal the organization's Salesforce data. In every case observed, the attackers relied on manipulating end users rather than exploiting any vulnerability in Salesforce itself. Once inside a Salesforce instance, they exfiltrate data at scale and then attempt to extort the victim. In some intrusions, extortion did not begin until several months after the initial UNC6040 access, which could indicate that UNC6040 hands off to a second threat actor that monetizes the stolen data.

GTIG's blog post recommends defending against this kind of social engineering by adhering to the principle of least privilege, managing access to connected applications rigorously, enforcing IP-based access restrictions, using Salesforce Shield for advanced security monitoring and policy enforcement, and enforcing multifactor authentication universally.
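The three controls that are easiest to operationalize from that list are an IP allowlist, an allowlist of approved connected applications, and monitoring for bulk reads. The following script is an added example, not code from GTIG or Salesforce: it runs those checks over a handful of constructed records shaped like Salesforce Shield ApiEvent rows (the field names Username, SourceIp, ConnectedAppId, Operation, QueriedEntities and RowsProcessed are assumed; the IP ranges, connected app IDs, row threshold and the records themselves are made up for the demonstration). The pattern it flags is the one the article describes: a user whose API traffic arrives from an address outside the corporate ranges, through a connected app nobody approved, pulling tens of thousands of rows.

```python
"""Flag suspicious Salesforce API activity from Shield-style ApiEvent records.

Added example, not GTIG's or Salesforce's code. The record shape mimics
Shield Real-Time Event Monitoring ApiEvent rows; the field names are an
assumption, and all IDs, addresses, thresholds and records are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate egress range; in practice this matches the org's login IP ranges.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
# Hypothetical ID of the one connected app the security team has approved.
APPROVED_CONNECTED_APPS = {"0H4000000000001AAA"}
# Constructed per-user limit on rows read via Query operations in the window examined.
BULK_ROW_THRESHOLD = 50_000

# Constructed sample records (not real telemetry). Bob's rows model an attacker
# using his credentials from an unknown address through an unapproved app.
SAMPLE_EVENTS = [
    {"Username": "alice@example.com", "SourceIp": "203.0.113.10",
     "ConnectedAppId": "0H4000000000001AAA", "Operation": "Query",
     "QueriedEntities": "Account", "RowsProcessed": 200},
    {"Username": "bob@example.com", "SourceIp": "198.51.100.77",
     "ConnectedAppId": "0H4000000000002AAA", "Operation": "Query",
     "QueriedEntities": "Contact", "RowsProcessed": 40_000},
    {"Username": "bob@example.com", "SourceIp": "198.51.100.77",
     "ConnectedAppId": "0H4000000000002AAA", "Operation": "Query",
     "QueriedEntities": "Lead", "RowsProcessed": 35_000},
    {"Username": "carol@example.com", "SourceIp": "203.0.113.22",
     "ConnectedAppId": "0H4000000000001AAA", "Operation": "Query",
     "QueriedEntities": "Opportunity", "RowsProcessed": 1_500},
]


def ip_is_trusted(ip: str, trusted=TRUSTED_NETWORKS) -> bool:
    """True if the source address falls inside one of the trusted ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in trusted)


def evaluate_events(events, trusted=TRUSTED_NETWORKS,
                    approved_apps=APPROVED_CONNECTED_APPS,
                    threshold=BULK_ROW_THRESHOLD):
    """Return a list of findings: one per event that violates the IP or
    connected-app allowlist, plus one per user whose Query rows exceed the
    threshold across the whole batch."""
    findings = []
    rows_by_user = defaultdict(int)
    entities_by_user = defaultdict(set)

    for ev in events:
        user = ev["Username"]
        reasons = []
        if not ip_is_trusted(ev["SourceIp"], trusted):
            reasons.append("source IP outside trusted ranges")
        if ev.get("ConnectedAppId") not in approved_apps:
            reasons.append("unapproved connected app")
        if reasons:
            findings.append({"user": user, "ip": ev["SourceIp"],
                             "app": ev.get("ConnectedAppId"), "reasons": reasons})
        # Only read operations count toward the exfiltration volume check.
        if ev.get("Operation") == "Query":
            rows_by_user[user] += int(ev.get("RowsProcessed", 0))
            entities_by_user[user].add(ev.get("QueriedEntities", ""))

    for user, rows in rows_by_user.items():
        if rows >= threshold:
            findings.append({"user": user, "rows": rows,
                             "entities": sorted(entities_by_user[user]),
                             "reasons": ["bulk read volume above threshold"]})
    return findings


if __name__ == "__main__":
    for finding in evaluate_events(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed records the script produces three findings, all for bob: two per-event hits (untrusted IP and unapproved app on each request) and one aggregate hit for 75,000 rows read across Contact and Lead. The row threshold is the part that needs tuning per org; the allowlist checks are binary and are the ones worth wiring into an alert. Detection is the fallback here: the preventive control for the connected-app problem is to restrict which apps users may authorize in the first place, so that an attacker on the phone cannot talk an employee into approving one.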