What is the Attack?

Threat actors tracked as UNC6395 exploited the Salesloft Drift integration, an AI chatbot tool linked to Salesforce and other platforms, to steal access tokens. These tokens allowed them to bypass normal authentication controls and gain access to target environments without directly breaching Salesforce accounts.

The attackers then systematically exported sensitive credentials from dozens, and potentially hundreds, of Salesforce customer instances. Exfiltrated data included AWS access keys, Snowflake authentication tokens, VPN credentials, passwords, and API keys.

With these tokens, UNC6395 was able to infiltrate not only Salesforce but also Google Workspace, Cloudflare, Zscaler, Palo Alto Networks, and other connected systems. This expanded the impact well beyond CRM data, exposing a wide range of enterprise environments.

While initial reports suggested the breach was limited to Salesforce integrations, subsequent investigations confirmed that all Salesloft Drift integrations should be considered compromised.

What is the recommended Mitigation?

• Review the Salesloft Advisory and any other advisories from partners affected by the breach.
• Revoke and Reissue Tokens: Immediately disconnect and regenerate all tokens associated with Salesloft Drift and any connected integrations.
• Audit and Monitor Activity: Review logs in Salesforce, Google Workspace, and other integrated platforms for signs of unusual data exports, hidden jobs, or suspicious API calls.
• Tighten Integration Permissions: Enforce least privilege, restrict API scopes, and apply IP-based access controls to reduce exposure.
• Rotate All Exposed Secrets: Replace compromised or potentially exposed credentials, including AWS keys, Snowflake tokens, VPN accounts, and API tokens.
• Defend Against Phishing and Impersonation: Monitor for social engineering attempts targeting employees or customers using leaked contact data.

What FortiGuard Coverage is available?

• FortiGuard Labs recommends that users follow best practices and enforce Zero-Trust Security so that the impact stays minimal and sensitive data remains tightly restricted.
• The FortiGuard Labs Web-filtering Service blocks access to malicious domains, C2 servers, and/or phishing sites associated with the campaign.
• FortiGuard Labs has blocked all known linked Indicators of Compromise (IOCs), and the team is continuously monitoring for new IOCs.
• Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.
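As an added example (not part of this FortiGuard alert or of Salesforce's tooling), the following Python triages constructed Salesforce-style audit records against the indicators named under "Audit and Monitor Activity" (exports by a compromised integration's token, unusually large exports, hidden jobs, queries touching credential fields) and pulls AWS access key IDs out of exported text to feed the "Rotate All Exposed Secrets" step. The record field names, the row threshold, and treating a deleted bulk job as a "hidden job" are assumptions of this example.

```python
import re

# Constructed sample audit records, loosely modelled on Salesforce event-log
# exports. Field names are this example's assumptions, not Salesforce's schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T02:14Z", "user": "drift-integration@corp.example",
     "app": "Salesloft Drift", "event": "BulkApiJob", "rows": 48210,
     "query": "SELECT Id, Subject, Description FROM Case"},
    {"ts": "2025-08-09T02:31Z", "user": "drift-integration@corp.example",
     "app": "Salesloft Drift", "event": "BulkApiJobDelete", "rows": 0, "query": ""},
    {"ts": "2025-08-09T03:02Z", "user": "drift-integration@corp.example",
     "app": "Salesloft Drift", "event": "ApiQuery", "rows": 5,
     "query": "SELECT Id, Password__c, Api_Token__c FROM Vendor_Login__c"},
    {"ts": "2025-08-09T09:00Z", "user": "alice@corp.example",
     "app": "Salesforce UI", "event": "ApiQuery", "rows": 30,
     "query": "SELECT Id, Email FROM Contact"},
]

COMPROMISED_APPS = {"salesloft drift"}   # per the advisory: treat as compromised
BULK_ROW_THRESHOLD = 10_000              # assumption; tune to the org's normal export volume
SECRET_FIELD_RE = re.compile(r"(password|passwd|secret|token|api_?key|access_?key)", re.I)
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS long-term access key ID format

def triage_events(events, compromised_apps=COMPROMISED_APPS, bulk_threshold=BULK_ROW_THRESHOLD):
    """Return one finding per event that matches any of the audit indicators."""
    findings = []
    for ev in events:
        reasons = []
        if ev["app"].lower() in compromised_apps:
            reasons.append("token issued to an integration the advisory treats as compromised")
        if ev["event"] == "BulkApiJob" and ev["rows"] >= bulk_threshold:
            reasons.append(f"unusually large export ({ev['rows']} rows)")
        if ev["event"] == "BulkApiJobDelete":
            reasons.append("bulk job deleted after completion (possible hidden job)")
        if SECRET_FIELD_RE.search(ev["query"]):
            reasons.append("query selects credential-like fields")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "app": ev["app"], "reasons": reasons})
    return findings

def aws_key_ids_to_rotate(exported_text):
    """Pull AWS access key IDs out of exported free-text fields so they can be rotated."""
    return sorted(set(AWS_KEY_ID_RE.findall(exported_text)))

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f["ts"], f["app"], f["user"], "->", "; ".join(f["reasons"]))
    # Constructed sample of an exported Case description containing AWS's documented example key ID.
    print(aws_key_ids_to_rotate("customer pasted AKIAIOSFODNN7EXAMPLE into the ticket"))
```

The findings list is the starting point for the token revocation and secret rotation steps; in a real org the events would come from the platform's own audit export rather than the inline sample.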