Executive Summary
Between June 8 and June 18, 2026, a widespread data theft campaign targeted organizations using the Salesloft Drift integration with Salesforce. The threat actor, tracked as UNC6395 (also referenced as 'Icarus'), exploited compromised OAuth tokens issued to the Salesloft Drift application, enabling unauthorized access to Salesforce customer instances via API. Over 700 organizations, including major technology, security, and SaaS companies, were affected. The attacker systematically exported large volumes of data from Salesforce, focusing on support case text, contact and account information, and, critically, plaintext credentials such as AWS keys, Snowflake tokens, VPN credentials, and passwords embedded in support cases. The campaign did not exploit a vulnerability in Salesforce or Google Workspace itself, but rather abused the trust relationship established by OAuth tokens for third-party integrations. Detection occurred on June 19, 2026, with immediate revocation of all Drift OAuth tokens and removal of the Drift app from the Salesforce AppExchange. The incident highlights the risks associated with third-party SaaS integrations and the importance of credential hygiene and least-privilege access. All information in this summary is directly supported by technical evidence from Google Cloud Threat Intelligence Group, Mandiant, Arctic Wolf, and Anomali, as cited in the References section.
Technical Information
The attack campaign leveraged compromised OAuth tokens issued to the Salesloft Drift integration with Salesforce. OAuth (Open Authorization) is a protocol that allows third-party applications to access user data without exposing credentials. In this incident, the attacker obtained valid OAuth tokens, which allowed them to authenticate as the Drift application and access Salesforce APIs with the permissions granted to that integration. This method bypassed multi-factor authentication (MFA) and standard user controls, as the tokens were already trusted by Salesforce.
The threat actor, UNC6395, initiated reconnaissance on June 9, 2026, by querying Salesforce schema and enumerating objects using Salesforce Object Query Language (SOQL). Initial compromise occurred on June 12, 2026, with the attacker using the stolen OAuth tokens to authenticate against Salesforce APIs. From June 13 to June 17, 2026, the attacker executed automated SOQL queries and bulk exports, systematically extracting data from Salesforce objects such as Case, Contact, Account, and Opportunity. The attacker’s primary objective was credential harvesting, searching exported records for plaintext secrets including AWS access keys, Snowflake tokens, VPN credentials, and passwords.
The attack was conducted using Python scripts with the requests and aiohttp libraries, and custom User-Agent strings to mimic legitimate Salesforce tools. Notable User-Agent strings observed included Salesforce-Multi-Org-Fetcher/1.0, Salesforce-CLI/1.0, python-requests/2.32.4, and Python/3.11 aiohttp/3.12.15. The attacker routed traffic through Tor exit nodes and cloud infrastructure providers such as AWS and DigitalOcean to obscure their origin. Key IP addresses identified in the campaign were 208.68.36.90 (DigitalOcean) and 44.215.108.109 (AWS).
To evade detection, the attacker deleted Salesforce asynchronous job logs, though Event Monitoring logs still captured evidence of the queries. The attack did not involve malware deployment on endpoints; all activity was API-based and leveraged the permissions granted to the Drift integration.
Salesloft detected the malicious activity on June 19, 2026, and, in coordination with Salesforce, revoked all active Drift OAuth tokens on June 20, 2026. The Drift integration was disabled platform-wide and removed from the Salesforce AppExchange. Impacted organizations were notified, and Google Workspace administrators were alerted where relevant. There is no evidence that the core Salesforce platform or Google Workspace itself was compromised.
The campaign’s impact was significant due to the nature of data stored in Salesforce support cases and account records. Many organizations include sensitive information, such as API keys and credentials, in support case communications. The attacker specifically targeted these records, increasing the risk of follow-on compromises if the stolen credentials were reused elsewhere.
The attack lifecycle, as reconstructed from technical evidence, included initial reconnaissance, schema enumeration, data collection via automated queries, bulk exfiltration, log deletion for defense evasion, and use of anonymizing infrastructure. The campaign was opportunistic but disproportionately affected technology, SaaS, and security vendors due to their reliance on the Salesloft Drift integration.
Mapping to the MITRE ATT&CK framework, the attack involved the following techniques: Valid Accounts (T1078.004) for initial access via OAuth tokens, Steal Application Access Token (T1528), Credentials in Files (T1552.001) for searching exfiltrated records, Cloud Service Discovery (T1580), Automated Collection (T1119), Data from Information Repositories (T1213.003), Indicator Removal on Host (T1070.004) for log deletion, Proxy/Anonymization (T1090.003), and Exfiltration Over Web Service (T1567.002).
All technical claims are supported by primary source evidence from Google Cloud Threat Intelligence Group, Mandiant, Arctic Wolf, and Anomali, with explicit confidence levels and no reliance on circumstantial evidence.
Affected Versions & Timeline
The breach affected organizations using the Salesloft Drift integration with Salesforce. The attack window was from June 8 to June 18, 2026, with reconnaissance beginning on June 9, initial compromise on June 12, and bulk data exfiltration occurring through June 17. Detection by Salesloft occurred on June 19, followed by token revocation and integration disablement on June 20.
There is no evidence that organizations not using the Salesloft Drift integration with Salesforce were impacted. The core Salesforce platform and Google Workspace were not compromised. The attack was limited to data accessible via the permissions granted to the Drift integration.
Threat Activity
The threat actor, UNC6395 (also referenced as 'Icarus'), executed a supply chain attack by exploiting OAuth tokens associated with the Salesloft Drift integration. The attacker authenticated against Salesforce APIs using these tokens, bypassing MFA and user controls. Automated SOQL queries were used to enumerate and extract data from Salesforce objects, with a focus on support case text, contact and account information, and embedded credentials.
The attacker demonstrated advanced operational security by deleting asynchronous job logs and routing traffic through anonymizing infrastructure. The campaign targeted over 700 organizations, with a disproportionate impact on technology, SaaS, and security vendors. The attacker’s primary objective was credential harvesting, seeking secrets that could enable further compromises.
No malware was deployed on victim endpoints; all activity was conducted via API using legitimate credentials. The attacker used Python scripts and custom User-Agent strings to automate data collection and evade detection. The campaign was detected and contained through coordinated action by Salesloft, Salesforce, and Google, with assistance from Mandiant and notification to affected organizations.
Mitigation & Workarounds
Critical actions for affected organizations include revoking and rotating all OAuth tokens and credentials associated with the Salesloft Drift integration and any other third-party integrations. Organizations should review Salesforce logs for evidence of unauthorized queries or data exports, search for secrets or credentials in Salesforce records, and rotate any found. Monitoring for use of known malicious User-Agent strings and IP addresses is recommended.
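The two detection steps recommended above, reviewing API event logs for known indicators and scanning case text for embedded secrets, can be scripted in a few dozen lines. The following is an added example written for this page; it is not code from Rescana or from any of the vendors cited. The User-Agent strings, IP addresses and object names come from the advisory above; the event log column names, the bulk-row threshold, the sample log rows and the sample case records are constructed for the example (the AWS values are the placeholder key pair from AWS's own documentation). Map the column names to the fields of your own Salesforce Event Monitoring export before use.

```python
import csv
import io
import ipaddress
import re

# Indicators reported in the advisory above.
MALICIOUS_USER_AGENTS = {
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
}
MALICIOUS_IPS = {ipaddress.ip_address(a) for a in ("208.68.36.90", "44.215.108.109")}

# Objects the advisory says were bulk-exported. A large read of one of these is flagged
# even without an IOC match; the threshold is an assumed tuning value, not a figure
# from the advisory.
SENSITIVE_OBJECTS = {"Case", "Contact", "Account", "Opportunity"}
BULK_ROW_THRESHOLD = 10_000

# Patterns for the kinds of secrets the attacker harvested from case text. The AWS
# access key ID format (AKIA/ASIA + 16 uppercase alphanumerics) is public; the rest
# are deliberately broad heuristics meant to surface records for human review.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}"),
}

# Constructed sample in the shape of an exported API event log. The column names are
# assumed for this example; map them to the fields of your own Event Monitoring export.
SAMPLE_API_EVENTS = """\
TIMESTAMP,USER_NAME,CLIENT_IP,USER_AGENT,OPERATION,ENTITY_NAME,ROWS_PROCESSED
2026-06-13T02:14:09Z,drift-integration@example.com,208.68.36.90,Salesforce-Multi-Org-Fetcher/1.0,Query,Case,48210
2026-06-13T02:19:44Z,drift-integration@example.com,44.215.108.109,python-requests/2.32.4,Query,Contact,120544
2026-06-13T09:02:11Z,alice@example.com,203.0.113.7,Mozilla/5.0,Query,Account,35
2026-06-14T01:30:00Z,drift-integration@example.com,198.51.100.23,Python/3.11 aiohttp/3.12.15,Query,Opportunity,9000
2026-06-14T11:05:37Z,bob@example.com,203.0.113.9,SalesforceMobileSDK/11.0,Query,Case,12
"""

# Constructed support-case records (id, body). The AWS values are the placeholder key
# pair from AWS's own documentation, not live credentials.
SAMPLE_CASES = [
    ("CASE-0001", "Customer cannot connect. Our AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE and "
                  "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    ("CASE-0002", "VPN still failing, creds are user=jdoe password=Summer2026!"),
    ("CASE-0003", "Thanks, the fix worked. Closing the case."),
]


def analyze_api_events(csv_text):
    """Return one finding per log row that matches a known IOC or a bulk read of a sensitive object."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["USER_AGENT"] in MALICIOUS_USER_AGENTS:
            reasons.append("known malicious User-Agent")
        try:
            if ipaddress.ip_address(row["CLIENT_IP"]) in MALICIOUS_IPS:
                reasons.append("known malicious source IP")
        except ValueError:
            pass  # malformed or empty address; nothing to match
        rows = int(row.get("ROWS_PROCESSED") or 0)
        if row["ENTITY_NAME"] in SENSITIVE_OBJECTS and rows >= BULK_ROW_THRESHOLD:
            reasons.append(f"bulk read of {row['ENTITY_NAME']} ({rows} rows)")
        if reasons:
            findings.append({"timestamp": row["TIMESTAMP"], "user": row["USER_NAME"],
                             "ip": row["CLIENT_IP"], "reasons": reasons})
    return findings


def redact(token):
    """Keep only a prefix and suffix so a report never re-exposes the secret it found."""
    return token[:4] + "..." + token[-2:] if len(token) > 8 else "..."


def find_secrets(records):
    """Return (record_id, kind, redacted_match) for every secret-looking string in the records."""
    hits = []
    for record_id, text in records:
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                hits.append((record_id, kind, redact(match.group(0))))
    return hits


if __name__ == "__main__":
    for finding in analyze_api_events(SAMPLE_API_EVENTS):
        print(finding["timestamp"], finding["user"], finding["ip"], "; ".join(finding["reasons"]))
    for record_id, kind, shown in find_secrets(SAMPLE_CASES):
        print(record_id, kind, shown)  # rotate anything listed here
```

Two design points matter in practice. The bulk-read rule exists because, as the advisory notes, the attacker deleted asynchronous job logs but Event Monitoring still recorded the queries; volume against Case and Contact from an integration identity is a signal that survives even when the User-Agent or IP changes. The secret scanner only ever reports redacted matches, so the output of the hunt can be shared with the teams that own the rotation without itself becoming another place where the credential is written down in plaintext.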
Long-term mitigation includes implementing least-privilege and zero-trust principles for all SaaS integrations, regularly auditing third-party access and OAuth token usage, and educating staff on the risks of embedding credentials in support cases or account notes. Organizations should also monitor the Salesloft Trust Page and Salesforce advisories for updates and guidance.
These recommendations are prioritized as follows:
Critical: Immediate revocation and rotation of OAuth tokens and credentials, review of Salesforce logs, and rotation of any exposed secrets.
High: Audit and restrict third-party integrations, implement least-privilege access, and monitor for known IOCs.
Medium: Staff education on credential hygiene and support case practices.
Low: Ongoing monitoring of vendor advisories and threat intelligence updates.
All mitigation steps are based on explicit recommendations from Google Cloud Threat Intelligence Group, Mandiant, Arctic Wolf, and Anomali.
References
Google Cloud Blog (GTIG/Mandiant), June 26/28, 2026: https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
Arctic Wolf, June 19, 2026: https://arcticwolf.com/resources/blog/widespread-salesforce-data-theft-via-compromised-salesloft-drift-oauth-tokens/
Anomali, September 17, 2026: https://www.anomali.com/blog/salesloft-drift-breach-recap
Reddit (FBI FLASH alert): https://www.reddit.com/r/salesforce/comments/1nhql26/fbi_issues_salesforce_data_theft_warning/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and SaaS integrations. Our platform enables continuous visibility into third-party access, credential usage, and integration permissions, supporting rapid detection and response to supply chain threats. For questions about this incident or to discuss how to strengthen your third-party risk posture, contact us at ops@rescana.com.