
Salesforce Trust Exploited by Cyberattackers

Summary

– Salesforce has seen a twenty-fold increase in malicious activity in early 2025, making it a major target for attackers.
– Attackers primarily use Word documents and QR codes in phishing campaigns, exploiting Salesforce’s collaborative nature and user trust.
– Identity compromise through OAuth token misuse is a stealthy threat, as attackers bypass passwords and MFA by tricking users into approving malicious apps.
– Most attacks are concentrated in Europe and North America, regions where readily available prebuilt English-language phishing kits are effective.
– High-profile breaches at companies like Google and Allianz Life highlight the impact, often stemming from credential theft and social engineering rather than platform vulnerabilities.

Recent research reveals that Salesforce environments have experienced a dramatic twenty-fold surge in malicious activity during the first quarter of 2025. This sharp rise underscores how cybercriminals are increasingly leveraging trusted business platforms to launch sophisticated attacks. As organizations rely more heavily on cloud-based CRM systems, threat actors are adapting their methods to exploit both technological features and human behavior.

Attackers are weaponizing everyday files to infiltrate corporate networks. Malicious Word documents made up over two-thirds of all detected threats, often containing disguised links to phishing sites or malware. Image files, particularly those embedding QR codes, accounted for more than a quarter of incidents. This method, known as “quishing,” has gained traction in hybrid work environments where employees frequently use mobile devices to scan codes, often bypassing corporate security controls.

The effectiveness of these attacks stems from the inherent trust users place in the Salesforce platform. Files masquerading as invoices, support tickets, or verification requests appear routine, lowering users’ guard. QR codes embedded in seemingly legitimate communications are scanned without suspicion, leading unsuspecting victims to fraudulent sites.

Phishing domains often impersonate well-known brands, using newly registered or lookalike domains, URL shorteners, and even abused legitimate services like Bing redirects. These techniques help malicious traffic blend seamlessly with normal business operations, making detection more challenging.

Beyond conventional phishing, identity abuse represents a more insidious threat. Attackers increasingly use OAuth tokens obtained through standard authorization workflows, such as the OAuth Device Flow. By tricking users into approving malicious connected apps, like a manipulated version of Salesforce Data Loader, adversaries gain access without needing to crack passwords or bypass multi-factor authentication.

Once inside, attackers often mimic typical user behavior, operating during business hours and accessing familiar data objects to avoid raising alarms. Some threat actors test their access with small data exfiltrations before attempting larger-scale theft, further obscuring their activities.
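As an added illustration of how a defender might look for the identity-abuse pattern described above (this is not code from the article or from Salesforce), the following Python runs two checks over a constructed set of events: OAuth grants to connected apps that are not on an allowlist, and the probe-then-bulk export pattern. The event fields, the app names, the allowlist and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical allowlist of connected apps the organisation has approved.
APPROVED_APPS = {"Salesforce Data Loader", "Outlook Integration"}

# Constructed sample events (not real Salesforce logs): a legitimate grant,
# a grant to a lookalike app, then a small probe export followed by a bulk pull.
EVENTS = [
    {"ts": "2025-02-03T09:12:00", "user": "alice", "app": "Outlook Integration",
     "kind": "oauth_grant", "records": 0},
    {"ts": "2025-02-03T10:02:00", "user": "bob", "app": "Salesforce DataLoader",
     "kind": "oauth_grant", "records": 0},
    {"ts": "2025-02-03T10:05:00", "user": "bob", "app": "Salesforce DataLoader",
     "kind": "export", "records": 20},
    {"ts": "2025-02-03T11:40:00", "user": "bob", "app": "Salesforce DataLoader",
     "kind": "export", "records": 150000},
    {"ts": "2025-02-03T14:00:00", "user": "alice", "app": "Outlook Integration",
     "kind": "export", "records": 300},
]


def unapproved_grants(events):
    """Return (user, app) for each OAuth grant to an app outside the allowlist.
    Exact matching means a lookalike name (missing space, extra word) is flagged."""
    return [(e["user"], e["app"]) for e in events
            if e["kind"] == "oauth_grant" and e["app"] not in APPROVED_APPS]


def staged_exfil(events, ratio=100, window_hours=4.0):
    """Return (user, probe_rows, bulk_rows) where a user's export volume grows by
    at least `ratio` times within `window_hours` of an earlier small export."""
    exports = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "export":
            exports[e["user"]].append((datetime.fromisoformat(e["ts"]), e["records"]))
    hits = []
    for user, rows in exports.items():
        for i, (t_probe, n_probe) in enumerate(rows):
            for t_bulk, n_bulk in rows[i + 1:]:
                hours = (t_bulk - t_probe).total_seconds() / 3600
                if n_probe > 0 and n_bulk >= ratio * n_probe and hours <= window_hours:
                    hits.append((user, n_probe, n_bulk))
                    break
    return hits


if __name__ == "__main__":
    print("unapproved grants:", unapproved_grants(EVENTS))
    print("staged exfiltration:", staged_exfil(EVENTS))
```

In a real deployment the same logic would be fed from the platform's login and export audit data rather than the inline sample, and the allowlist would be the organisation's own approved connected apps.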

Geographically, Europe and North America together accounted for over 80% of affected organizations, with the United Kingdom representing the most targeted region in Europe. The prevalence of English-language phishing kits, which require minimal customization and are readily available, makes these regions attractive targets. Attackers benefit from the broad reach and low effort required to deploy convincing English-language lures, maximizing impact with fewer resources.

Several high-profile breaches in 2025 illustrate the scale of the risk. Google reported a compromised Salesforce instance exposing over two million prospective customer records. Allianz Life notified 1.4 million customers of a CRM-related incident, while Coca-Cola Europacific Partners disclosed the exfiltration of more than 23 million records. Luxury brands, retailers, and airlines have also faced significant CRM breaches.

Notably, these incidents rarely stem from vulnerabilities within Salesforce itself. Instead, they result from stolen credentials, social engineering, and the misuse of trusted applications. This trend highlights identity compromise as one of the most critical risks in modern SaaS environments, emphasizing the need for robust identity governance and user awareness training.

(Source: HelpNet Security)
