
Seqrite Labs revealed a major shift in intrusion tactics: attackers used convincing vishing calls to impersonate IT staff, gained OAuth access to Salesforce, and deployed scripts to extract sensitive client data.
Seqrite, the enterprise cybersecurity division of Quick Heal Technologies, has released a detailed threat intelligence report uncovering a sophisticated cyberattack that compromised Google’s corporate Salesforce platform in June 2025. The breach exposed sensitive data belonging to numerous small and medium-sized business (SMB) clients and was executed through a coordinated vishing-extortion campaign led by threat group UNC6040 — an actor linked to the notorious ShinyHunters collective.
According to Seqrite Labs, the attack marks a significant evolution in multi-vector intrusion strategies. Threat actors began by impersonating internal IT personnel in highly convincing voice phishing (vishing) calls. They tricked a Google employee into approving a malicious OAuth-connected application on Salesforce, which served as the entry point. From there, custom Python scripts mimicking Salesforce’s DataLoader tool were deployed to exfiltrate client details, including business names, contact information, and internal notes.
Broader global campaign and expanding threat landscape
The investigation further ties this breach to a broader campaign impacting major international brands such as Adidas, Qantas, Starbucks Singapore, Chanel, AT&T, Cisco, and Allianz Life. A related attack, attributed to UNC6395, targeted Salesloft Drift and exploited OAuth tokens to run unauthorized SOQL queries, impacting hundreds of Salesforce clients globally.
The attackers maintained operational anonymity using Mullvad VPNs during vishing calls and exfiltrated stolen data through the TOR network. Key domains linked to the campaign include ticket-dior.com and ticket-nike.com, with traffic routed through TOR exit nodes in the Netherlands, Poland, and Germany.
Seqrite researchers trace the threat actors to “The Com” — a decentralized cybercriminal community made up primarily of young individuals (ages 11–25) across the US, UK, and Canada. The group engages in SIM swapping, sextortion, and swatting, and is reportedly shifting toward a ransomware-as-a-service model under the name “ShinySP1D3R.”
Detection, mitigation, and future risks
Seqrite warns that even “low-sensitivity” cloud SaaS data can be weaponized. The company recommends increased vigilance through behavioral analytics, dynamic OAuth app approvals, and voice verification systems. Its threat intelligence platform offers guidance on monitoring anomalous login behavior, particularly from unknown IP ranges, and emphasizes the need for enhanced defense-in-depth strategies as attackers increasingly rely on anonymization techniques.
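As an added illustration of the kind of behavioral check Seqrite describes (this is example code written for this article, not Seqrite's platform or Salesforce's event schema), the Python below correlates the two steps of the reported chain: a connected-app OAuth authorization from an IP outside known corporate ranges, followed by DataLoader-style bulk queries from the same user within an hour. Event field names, IP ranges and thresholds are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events modelled on the reported chain:
# OAuth app approval, then bulk queries pulling client records.
# Field names are assumptions for this example, not a real Salesforce schema.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:01:00", "user": "alice", "event": "LOGIN", "ip": "203.0.113.7", "rows": 0},
    {"ts": "2025-06-10T09:02:00", "user": "alice", "event": "OAUTH_APP_AUTHORIZED", "ip": "198.51.100.22", "rows": 0},
    {"ts": "2025-06-10T09:05:00", "user": "alice", "event": "BULK_QUERY", "ip": "198.51.100.22", "rows": 48000},
    {"ts": "2025-06-10T09:06:00", "user": "alice", "event": "BULK_QUERY", "ip": "198.51.100.22", "rows": 52000},
    {"ts": "2025-06-10T10:00:00", "user": "bob", "event": "OAUTH_APP_AUTHORIZED", "ip": "203.0.113.9", "rows": 0},
    {"ts": "2025-06-10T10:30:00", "user": "bob", "event": "BULK_QUERY", "ip": "203.0.113.9", "rows": 1200},
]

# Corporate egress ranges from which app approvals are expected (constructed).
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
ROW_THRESHOLD = 25000          # rows pulled within the window before severity is "high"
WINDOW = timedelta(hours=1)


def is_known_ip(ip, known_ranges=KNOWN_RANGES):
    """True when the address falls inside an allow-listed corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in known_ranges)


def find_suspicious_chains(events, known_ranges=KNOWN_RANGES,
                           row_threshold=ROW_THRESHOLD, window=WINDOW):
    """Alert on OAuth approvals from unknown IPs; escalate when bulk export follows."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "OAUTH_APP_AUTHORIZED" or is_known_ip(e["ip"], known_ranges):
                continue
            t0 = datetime.fromisoformat(e["ts"])
            # Sum rows bulk-queried by this user within the window after approval.
            rows = sum(x["rows"] for x in evs[i + 1:]
                       if x["event"] == "BULK_QUERY"
                       and datetime.fromisoformat(x["ts"]) - t0 <= window)
            alerts.append({"user": user, "ip": e["ip"], "rows": rows,
                           "severity": "high" if rows >= row_threshold else "medium"})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_chains(SAMPLE_EVENTS):
        print(a)
```

In production the allow-list would be replaced by the organisation's real egress ranges plus a Tor exit-node feed, and the events would come from the SaaS platform's login and API audit logs.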
The findings underscore the growing threat posed by sophisticated, youth-led cyber collectives and highlight urgent gaps in enterprise SaaS security posture.