Google Unveils Vishing Campaign Targeting Salesforce by Threat Group UNC6040
June 4, 2025
In a recent disclosure, Google has revealed insights into a financially motivated threat group known as UNC6040, which is reportedly executing sophisticated voice phishing, or vishing, operations aimed at infiltrating Salesforce instances. These attacks focus on large-scale data theft followed by extortion attempts. Google’s Threat Intelligence Group (GTIG) has been actively tracking this cluster, which shares characteristics with cybercrime networks aligned with an organization referred to as “The Com.”
Over the past several months, UNC6040 has significantly refined its tactics, achieving notable success in breaching corporate networks. The group executes these attacks by masquerading as IT support personnel, engaging targets in convincing telephone-based social engineering interactions. This strategy has proven particularly effective in deceiving English-speaking employees into unwittingly granting the attackers access to sensitive information or performing actions that compromise security.
UNC6040's operational approach reflects increasing sophistication in adversary tradecraft. The group's social engineering maps to the MITRE ATT&CK framework, likely to techniques associated with initial access. Specifically, impersonating trusted personnel to manipulate individuals into providing sensitive data or access aligns with established adversary behaviors.
The targeting of Salesforce systems points to a broader trend where cybercriminals are increasingly focusing on high-value data repositories to maximize their financial gains. The nature of the Salesforce platform, which is utilized by numerous organizations for critical business operations, makes it an enticing target for such attacks. The breach of such a system not only leads to substantial data theft but also opens the door for serious extortion threats against organizations caught unawares.
As businesses continue to navigate the complexities of cybersecurity, this incident underscores the importance of training staff to recognize and respond to social engineering tactics. Employees must be equipped with the skills to verify the identity of individuals claiming to be from IT or support teams, particularly in situations where sensitive actions are requested.
In response to the evolving threat landscape, organizations are encouraged to implement robust security measures. These include employing multi-factor authentication, regularly updating software, and conducting comprehensive training focused on identifying potential phishing attempts. Being proactive in these areas can significantly mitigate the risks associated with vishing and similar attacks.
The emergence of groups like UNC6040 serves as a reminder that cybercriminals are continuously adapting their methods. As companies enhance their defenses, understanding and anticipating the tactics used in these attacks becomes crucial for safeguarding sensitive information and maintaining organizational integrity in an increasingly digital world.