Alert icon Keyboard navigation enabled.
Alert icon TAB or Shift+TAB to navigate across. Down ↓ to open menu. ESC to close menu.
Alert icon Down ↓ to select section. Right → to activate. Up ↑ / Down ↓ / Tab to traverse all. ESC to exit.
BeyondTrust
Skip to content Use space or enter to skip.

What can we help you find today?

Instant Results
  • Website Results
  • Technical Documentation

Filter Options

Focus your search

Filtering by

Your recent searches:

Contact Us Chat with Sales Get Support
  • English
  • Deutsch
  • français
  • español
  • 한국어
  • português
  • Home
  • Resources
  • Blog
  • When Trusted Integrations Turn Hostile: The 2025 Salesforce OAuth Attacks current page
Link copied

When Trusted Integrations Turn Hostile: The 2025 Salesforce OAuth Attacks

Jul 10, 2026

Learn how the 2025 Salesloft Drift and Gainsight attacks abused Salesforce OAuth trust relationships to enable SaaS-to-SaaS lateral movement and large-scale data theft.

Authors:
Christopher Calvani Headshot 2025
Christopher Calvani | @nulvox 
Security Researcher
400x400 Linkedin X Profile
Phantom Labs™
BeyondTrust
Salesforce O Auth Attacks
When Trusted Integrations Turn Hostile: The 2025 Salesforce OAuth Attacks
Christopher Calvani Headshot 2025
Christopher Calvani | @nulvox 
Security Researcher
400x400 Linkedin X Profile
Phantom Labs™
BeyondTrust

SaaS-to-SaaS Lateral Movement Via Salesforce OAuth Integrations

White chain icon to symbolize the ability to copy a link
Link copied
Check mark to visually show text has been copied

Modern Salesforce deployments don’t exist in isolation. They are hubs in a web of SaaS integrations, connected to marketing platforms, customer success tools, chat agents, email systems, and data warehouses through OAuth tokens and API credentials. Each of these connections represents a trust relationship: one application granting another the right to access data and perform actions on its behalf.

In 2025, attackers proved that these trust relationships are not just a theoretical risk. Two major supply chain campaigns (Salesloft Drift and Gainsight) demonstrated that compromising a single connected application can unlock access to hundreds of Salesforce environments simultaneously, bypassing multi-factor authentication (MFA), evading traditional detection, and enabling data theft at scale. This blog aims to break down how these attacks worked, what made them possible, and what security teams can do about it.

Salesforce as a SaaS Integration Hub

White chain icon to symbolize the ability to copy a link
Link copied
Check mark to visually show text has been copied

Before we go ahead and look at the attacks, it is helpful to understand why Salesforce is such an attractive target for this kind of lateral movement. Salesforce is not just a customer relationship manager (CRM) solution. For many organizations, it also functions as a central data repository that dozens of other platforms depend on. Customer success tools like Gainsight pull account health data from it. Sales engagement platforms like Salesloft sync call logs, emails, and chat interactions into it. Support platforms, analytics tools, and marketing automation systems all connect to it through OAuth-authorized integrations.

Figure 1: Salesforce as the hub of a web of OAuth connected applications.

Each integration is authorized through a connected app, which uses OAuth to establish a trust relationship between the external service and the Salesforce organization. When an administrator authorizes a connected app, Salesforce issues OAuth tokens that grant the external application persistent API access. These tokens operate with the permissions of the authorizing user and the OAuth scopes defined by the connected app. The refresh token is especially significant: it allows the external application to request new access tokens without user interaction, often for months or indefinitely.

This creates a web of persistent, privileged connections that most security teams do not actively monitor. The tokens bypass MFA, operate outside normal login flows, and can access data through the same APIs available to any authenticated user including the REST API, Bulk API, and SOQL (Salesforce Object Query Language) query interface. An attacker who obtains one of these tokens inherits all that access without ever touching a username or password.

The Salesloft Drift Campaign

White chain icon to symbolize the ability to copy a link
Link copied
Check mark to visually show text has been copied

In August 2025, the threat actor tracked as UNC6395 executed one of the most significant SaaS supply chain attacks to date. The attack targeted Salesloft’s Drift chatbot integration - a connected app that many organizations had authorized to sync with their Salesforce environments.

How UNC6395 Exploited the Drift OAuth Tokens

Figure 2: The Drift compromise starting from the GitHub initial access to token theft, bulk exfiltration, and credential harvesting.

UNC6395 compromised OAuth tokens associated with the Drift application. The compromise did not begin at Salesforce or even at Drift. Mandiant's investigation found that the attackers first sat inside Salesloft's GitHub account from March through June 2025, pulling content from multiple repositories and running reconnaissance, before pivoting into Drift's AWS environment and taking the OAuth tokens for its customer integrations. How they got into the GitHub account in the first place was never disclosed. These were not stolen from individual Salesforce organizations; they were obtained through the Drift integration itself, which meant that a single compromise gave the attackers valid tokens for every Salesforce environment connected to Drift. Over a ten-day window, from about August 8th to the 18th, the attackers were able to use these tokens to authenticate directly to Salesforce’s APIs across more than 700 organizations.

Once inside, the attackers operated methodically. They ran reconnaissance SOQL queries to enumerate the available Salesforce objects and measure record volumes. That measuring step was deliberate. The attackers ran COUNT() queries in SOQL against each object to size the datasets before exporting anything, effectively calibrating the bulk job instead of blindly pulling. They then used the Bulk API to export large datasets primarily from the Account, Contact, Case, Opportunity, and User objects. The exfiltration was automated using Python tooling with asynchronous libraries like aiohttp that minimized time on target and allowed for mass data extraction.

Critically, the primary objective was not the CRM data itself. After exfiltrating records, UNC6395 systematically scanned the stolen data for embedded secrets: AWS access keys, Snowflake tokens, VPN (virtual private network) credentials, API keys, and passwords that had been inadvertently stored in support case records, custom fields, and case comments. The scanning was not manual. UNC6395 turned TruffleHog, an open-source secrets scanner, loose on the stolen records, combining them for exposed keys and tokens at scale. These harvested credentials were then available for follow-on attacks against entirely separate systems that turned the Salesforce breach into a launchpad for broader compromise.

A Closer Look: Cloudflare’s Disclosure

Cloudflare’s public incident report provides one of the most detailed views into how this attack played out against a specific organization. Their forensic investigation reconstructed the attacker’s timeline: initial reconnaissance on August 9 followed by access to Cloudflare’s Salesforce tenant using the stolen Drift credential. On August 12, the attacker switched to new infrastructure and launched a Bulk API 2.0 export job (Salesforce's high-volume data export tool) that exfiltrated the text content of Cloudflare’s support cases in just over three minutes. The attacker then deleted the API job to cover their tracks.

Crucially, Cloudflare was not notified by Salesloft or Salesforce until August 23rd until six days after the last observed attacker activity. This delay is significant. It gave the attacker time to operate, exfiltrate, and clean up before anyone knew to look.

The Gainsight Campaign

White chain icon to symbolize the ability to copy a link
Link copied
Check mark to visually show text has been copied

The Salesloft Drift attack was not the end of the story. Just a few months after the Salesloft Drift attack, in November 2025, a second campaign struck Gainsight, which is a widely used customer success platform that also integrates deeply with Salesforce through OAuth-authorized connected apps. The threat actor tracked as UNC6240 claimed responsibility, and there is a direct lineage between the two incidents: Gainsight itself had been one of the organizations affected by the earlier Salesloft Drift breach, and the attackers reportedly used secrets stolen in that first campaign to compromise Gainsight’s internal credentials and OAuth refresh tokens.

The pattern was nearly identical to the Drift campaign. On November 19th, Salesforce detected API calls originating from non-allowlisted IP addresses through Gainsight’s connected apps. The attackers had obtained OAuth refresh tokens associated with Gainsight’s Salesforce integrations and were using them to access customer Salesforce data the same way Gainsight itself would normally access that data. UNC6240 later claimed they accessed approximately 285 additional Salesforce instances through this second wave.

Salesforce responded by revoking all active access and refresh tokens associated with Gainsight-published applications and temporarily removing them from the AppExchange. Gainsight disabled its connectors to HubSpot, Zendesk, and other third-party integrations out of caution and engaged Mandiant for forensic investigation. The ripple effects were significant, disrupting customer success workflows, data synchronization, and support processes across Gainsight’s customer base.

What makes the Gainsight incident especially notable is the chain of lateral movement. The Drift breach led to credential harvesting, which led to the Gainsight compromise, which led to a second wave of Salesforce data theft. This is SaaS-to-SaaS lateral movement in practice: an attacker moving not between servers on a network, but between cloud platforms connected by trust relationships.

Why Detection Failed

Both campaigns were hard to catch, and for much the same reasons. In each case the attackers presented OAuth tokens that had been legitimately issued to a trusted connected app, Drift in one campaign, Gainsight in the other. Every API call looked like authorized activity from an integration the organization had already approved. There was no login to flag, no password, and no MFA challenge to trip an alarm. To the Salesforce environments on the receiving end, it looked like Drift and Gainsight doing exactly what they always do.

The rest of the tradecraft reinforced that cover. Traffic rode over standard HTTPS, no malware was deployed, and no endpoints were touched, so EDR (endpoint detection and response), SIEM (security information and event management) rules tuned for login anomalies, and network intrusion detection were all effectively blind. In the Drift campaign the attackers went further, using custom user-agent strings to mimic legitimate Drift traffic and deleting the Bulk API job records once their exports finished, erasing the most obvious forensic artifacts.

Where activity did surface, it tended to come from the platform layer rather than the victims' own tooling. In the Gainsight campaign it was Salesforce that flagged the API calls arriving from non-allowlisted IP addresses on November 19. Organizations without Salesforce Event Monitoring enabled or that weren't actively reviewing API access logs and SOQL query events had very limited visibility of their own. Defending against this pattern depends on watching integration and token activity, not user logins.

Anatomy of an OAuth Token Attack

White chain icon to symbolize the ability to copy a link
Link copied
Check mark to visually show text has been copied

Both attacks followed an attack pattern that security teams need to understand. The mechanics are straightforward, which is why these attacks are so dangerous. There’s nothing special about it; just the systematic abuse of how SaaS integrations are designed to work.

  • Step 1: Compromise the integration, not the target. The attackers never targeted Salesforce directly. They compromised third party applications that held OAuth tokens which granted access to customer Salesforce environments.
  • Step 2: Use the token, not the login. OAuth tokens bypass the normal authentication flow entirely. There is no username, no password, and no MFA challenge. The token is passed to the Salesforce API and the platform treats the request as authorized. This is why traditional identity security controls are ineffective against this attack vector.
  • Step 3: Enumerate and exfiltrate. Once authenticated into the platform, the attackers used SOQL queries to enumerate available objects and used the Bulk API for high-volume data extraction.
  • Step 4: Harvest credentials for the next hop. Attackers scanned the exfiltrated data for embedded secrets, which could then be used for lateral movement.
  • Step 5: Clean up. In some environments, the attackers deleted the Bulk API job records and other artifacts to cover their tracks. Organizations without robust Salesforce monitoring had limited ability to reconstruct what had happened after the incident.

Detection and Mitigation: How to Stop SaaS-to-SaaS Token Abuse

White chain icon to symbolize the ability to copy a link
Link copied
Check mark to visually show text has been copied

These attacks succeed because they exploit blind spots in how most organizations approach Salesforce security. The focus is usually on user permissions and login activity, while the integration layer where the real lateral movement happens, goes largely unmonitored. Addressing this requires changes in both visibility and practice.

Audit Your Connected Apps

Every connected app in your Salesforce environment represents a trust relationship with an external system. Security teams should maintain a complete inventory of these integrations and regularly review which OAuth scopes each app has been granted, which user authorized it, and whether the integration is still actively needed. Connected apps authorized with scopes broader than their function requires should be revoked.

Monitor Token Activity, Not Just Logins

Both campaigns were invisible to login-based monitoring because no one ever logged in. Detection depends on monitoring API activity: which connected apps are making requests, what SOQL queries are being executed, if Bulk API jobs are being created, and if data volumes are abnormal. Salesforce Event Monitoring provides the telemetry needed to surface these signals, but it must be enabled and the logs must be reviewed or fed into a detection pipeline.

Detecting Anomalous Integration Behavior

Rule-based monitoring catches known-bad patterns, but the defining feature of these campaigns was that the activity looked legitimate. A more promising direction is behavioral: learning what normal looks like for each connected app and flagging departures from it. Every integration has a characteristic rhythm like how many API requests it makes per hour, which objects it touches, or the source addresses it connects from. A model that establishes a rolling per-app baseline can surface the moment an integration starts behaving unlike itself: a sharp spike in request volume, a reach into objects it never normally queries, or traffic from a source it has never used before. Because it compares an app only against its own history, this kind of approach holds the potential to flag a compromised Drift or Gainsight token, even when every individual request is technically authorized. That is precisely the gap that login-based monitoring leaves open.

Mapping the Trust Relationships

The fundamental challenge exposed by both the Salesloft Drift and Gainsight campaigns is that most organizations have no clear picture of how their SaaS applications are connected or what the blast radius of a single compromised integration might be. Connected apps, OAuth scopes, integration users, and the data objects they can reach form a complex web of trust relationships that extends well beyond the Salesforce organization boundary.

This is where an entitlement graph model would become relevant. Think of it as a map where every connected app, OAuth scope, and Salesforce object is a point, and every permission is a line connecting them. By modeling connected apps, their OAuth scopes, the integration users they authenticate as, and the Salesforce objects they can access as nodes and edges in a graph, security teams can visualize the full blast radius of a compromised integration before it happens. Which connected apps have access to the Case object? Which integrations can use the Bulk API? If this token is stolen, what data can an attacker reach?

Figure 3: How one connected application’s access flows through integration users and permissions to reachable Salesforce objects.

These are the questions that determine whether a compromised integration is a contained incident or a cascade. Answering them requires treating integrations as security principals with the same rigor applied to human users, something few organizations do today.

These incidents also point to where identity risk is shifting. An OAuth token is one type of non-human identity. It authenticates, carries privileges, and can act on its own with no person driving it, yet most identity programs still center on human accounts and give machine identities far less scrutiny. As integrations, service accounts, and AI Agents multiple, governing these NHIs with the same rigor applied to human users is becoming one of the defining security problems of the foreseeable future.

The Takeaway: Your Salesforce Perimeter Extends to Every Connected App

White chain icon to symbolize the ability to copy a link
Link copied
Check mark to visually show text has been copied

The Salesloft Drift and Gainsight breaches represent a shift in how threat actors attack enterprise environments. Instead of targeting organizations directly, they target the connections between them. A single compromised integration unlocked access to hundreds of Salesforce environments. Stolen CRM data yielded credentials that enabled further lateral movement to entirely separate platforms. No malware was deployed. No vulnerabilities were exploited. The attackers simply used the trust relationships that organizations had already established.

For security teams, the lesson is clear: your Salesforce security posture does not end at the boundary of your Salesforce organization. Every connected app, every OAuth token, and every integration user extends that boundary into external systems you may not control. Understanding and mapping those connections is no longer optional, it is a requirement for defending against the attacks that are already happening.

Explore More from Phantom Labs Research

White chain icon to symbolize the ability to copy a link
Link copied
Check mark to visually show text has been copied

Phantom Labs™ researchers "think like attackers" to expose privilege escalation paths and identity attack vectors, helping defenders proactively uncover misconfigurations and detect threats in complex hybrid and cloud environments. Using advanced graph modeling, Phantom Labs researchers map attack paths to privileged access across cloud and on-premises infrastructure.

About the Author

White chain icon to symbolize the ability to copy a link
Link copied
Check mark to visually show text has been copied
Christopher Calvani Headshot 2025
Christopher Calvani | @nulvox 
Security Researcher

Christopher Calvani is a Security Researcher on BeyondTrust’s research team, where he blends vulnerability research with detection engineering to help customers stay ahead of emerging threats. A recent graduate of the Rochester Institute of Technology with a Bachelor of Science in Cybersecurity, Christopher previously supported large‑scale infrastructure at Fidelity Investments as a Systems Engineer intern and advanced DevSecOps practices at Stavvy.

400x400 Linkedin X Profile
Phantom Labs™
BeyondTrust

BeyondTrust Phantom Labs™ believes the best way to fully understand cybersecurity threats is to work closely with our customers and partners, conducting real world research into the attacks that matter most to them. By dissecting emerging attack methods and exploitation techniques of threat actors, as well as conducting novel research, the team’s mission is to help organizations defend against identity threats. 

Continue Reading

White chain icon to symbolize the ability to copy a link
Link copied
Check mark to visually show text has been copied
Blog
Detecting Hidden Privilege with Machine Learning: Anomaly Detection in BeyondTrust’s True Privilege Graph
Latest Posts
  • Trusted Execution and Security Boundaries in ServiceNow: How ACLs, Scopes, and Restricted Caller Access Work Together
    Jul 2, 2026 Trusted Execution and Security Boundaries in ServiceNow: How ACLs, Scopes, and Restricted Caller Access Work Together
    Blog
    5m
  • Microsoft Security in 2026: Top Vulnerability Trends from the BeyondTrust Microsoft Vulnerabilities Report
    Jul 2, 2026 Microsoft Security in 2026: Top Vulnerability Trends from the BeyondTrust Microsoft Vulnerabilities Report
    Blog
    8m
  • Popping Microsoft’s Sandbox: Dataverse Security Risks in Plugin Containers
    Jun 24, 2026 Popping Microsoft’s Sandbox: Dataverse Security Risks in Plugin Containers
    Blog
    5m
  • Mapping Every Privilege Escalation Path in AWS AgentCore
    Jun 15, 2026 Mapping Every Privilege Escalation Path in AWS AgentCore
    Blog
    12m
  • Hooked on Identity (Part 2): Abusing OAuth Trust Boundaries in Okta
    Jun 12, 2026 Hooked on Identity (Part 2): Abusing OAuth Trust Boundaries in Okta
    Blog
    7m
Related
  • Modern PAM Defined: What It Is, and Why It’s Needed
    Jan 29, 2025 Modern PAM Defined: What It Is, and Why It’s Needed
    Blog
    8m
  • Securing Operational Technology (OT) with Privileged Remote Access and Network Tunnels
    Sep 13, 2024 Securing Operational Technology (OT) with Privileged Remote Access and Network Tunnels
    Blog
    9m
Share this Article
  • Link
Tags
  • BeyondTrust Phantom Labs
  • Phantom Labs
  • Phantom Labs Research
Stay up to Date
Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

Keep up with BeyondTrust

Customer Support Get Started
  • LinkedIn
  • X
  • Facebook
  • Instagram
  • Add BeyondTrust as a preferred source on Google
  • Privacy
  • Security
  • Manage Cookies
  • Do Not Sell My Data
  • WEEE Compliance

Copyright © 2003 — 2026 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

Prefers reduced motion setting detected. Animations will now be reduced as a result.