Google uncovers voice phishing campaign targeting Salesforce users

Google’s Threat Intelligence team has uncovered a sophisticated voice phishing (vishing) campaign that targets Salesforce users to steal sensitive business data and demand ransoms. 

What happened

Google’s Threat Intelligence Group (GTIG) has identified a sophisticated campaign in which attackers use voice phishing (vishing) to trick employees into granting access to Salesforce environments, then steal data and issue extortion demands. 

The adversary cluster, tracked as UNC6040, has refined its tactics: its operators impersonate IT support over the phone and walk the victim through authorizing a malicious "connected app" in Salesforce, often a modified version of Salesforce's own Data Loader tool. Because the victim is already logged in and approves the app themselves, the attackers never need a password or a second factor; the app inherits the user's access and is then used to query and export data.

Following the data theft, the extortion is sometimes carried out under a second identity, tracked as UNC6240, which claims affiliation with ShinyHunters and contacts victims demanding bitcoin payment within 72 hours. Google notes this may be the same operators rebranding or a separate group that partners with UNC6040 to monetize the access.

Google also revealed that one of its own corporate Salesforce instances was impacted, though only basic business contact information was retrieved, and Google quickly responded to cut off access. 

Going deeper

The campaign is notable for combining traditional social engineering (vishing) with deeper platform abuse. Attackers call legitimate users, pose as IT personnel, and guide them to approve a malicious app via Salesforce's "connected app" mechanism. Once approved, that app can run queries and bulk exports with the victim's own permissions, so no Salesforce vulnerability is needed. The attackers also obscure their activity and complicate attribution by operating through commercial VPN exit IPs (Mullvad, for example), Tor, and compromised accounts.
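The sequence just described (an unapproved connected app is authorized, then the same user and app pull a large volume of records shortly afterwards, often from an anonymizer IP) is something a defender can look for in Salesforce event logs. The Python script below is an added example written for this article; it is not code from Google's report or from Salesforce. The event records are constructed for the example, and the field names (ts, type, user, app, ip, rows), the admin allow-list and the anonymizer network list are assumptions rather than Salesforce's real event-log schema; a real deployment would map these from Salesforce Event Monitoring data and load actual Tor exit and VPN provider ranges.

```python
"""Flag UNC6040-style activity in (constructed) Salesforce-like event records.

Pattern: a user authorizes a connected app that admins have not approved, and
within a short window that same user/app pair exports a large number of rows
through the bulk API, possibly from an anonymizer (Tor / VPN) address.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumed admin allow-list of connected apps users may authorize (constructed).
APPROVED_APPS = {"Salesforce Mobile", "Nightly Sync"}

# Assumed anonymizer ranges (constructed: TEST-NET-2). In practice load Tor
# exit-node and VPN provider lists here.
ANONYMIZER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

WINDOW = timedelta(hours=24)   # how soon after authorization we consider exports suspicious
ROW_THRESHOLD = 100_000        # bulk-export volume that is unusual for a human user

# Constructed sample events; field names are assumptions, not Salesforce's schema.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T14:03:10Z", "type": "OAUTH_APP_AUTHORIZED",
     "user": "jdoe@corp.example", "app": "Data Loader", "ip": "203.0.113.7", "rows": 0},
    {"ts": "2025-06-02T14:05:42Z", "type": "BULK_API_QUERY",
     "user": "jdoe@corp.example", "app": "Data Loader", "ip": "198.51.100.5", "rows": 250_000},
    {"ts": "2025-06-02T14:09:00Z", "type": "BULK_API_QUERY",
     "user": "jdoe@corp.example", "app": "Data Loader", "ip": "198.51.100.5", "rows": 310_000},
    # Benign: an approved app is authorized, no export follows.
    {"ts": "2025-06-03T09:12:30Z", "type": "OAUTH_APP_AUTHORIZED",
     "user": "asmith@corp.example", "app": "Salesforce Mobile", "ip": "203.0.113.9", "rows": 0},
    # Benign: long-standing approved integration doing its nightly bulk pull.
    {"ts": "2025-06-03T16:40:00Z", "type": "BULK_API_QUERY",
     "user": "ops-int@corp.example", "app": "Nightly Sync", "ip": "203.0.113.20", "rows": 500_000},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_anonymized(ip):
    """True if the client IP falls inside a known anonymizer range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMIZER_NETS)


def find_suspicious_exports(events, approved_apps=APPROVED_APPS):
    """Return one finding per (user, app) pair that exported data soon after
    an unapproved connected-app authorization.

    A finding is reported when the export volume crosses ROW_THRESHOLD or any
    of the requests came from an anonymizer address.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    authorized = {}   # (user, app) -> time the unapproved app was first authorized
    findings = {}     # (user, app) -> aggregated evidence

    for event in ordered:
        key = (event["user"], event["app"])
        when = parse_ts(event["ts"])

        if event["type"] == "OAUTH_APP_AUTHORIZED":
            if event["app"] not in approved_apps:
                authorized.setdefault(key, when)
            continue

        if event["type"] != "BULK_API_QUERY":
            continue

        auth_time = authorized.get(key)
        if auth_time is None or when - auth_time > WINDOW:
            continue  # no recent unapproved authorization for this user/app

        finding = findings.setdefault(key, {
            "user": event["user"],
            "app": event["app"],
            "rows": 0,
            "ips": set(),
            "anonymized": False,
            "seconds_after_auth": int((when - auth_time).total_seconds()),
        })
        finding["rows"] += event["rows"]
        finding["ips"].add(event["ip"])
        finding["anonymized"] = finding["anonymized"] or is_anonymized(event["ip"])

    return [f for f in findings.values()
            if f["rows"] >= ROW_THRESHOLD or f["anonymized"]]


if __name__ == "__main__":
    for finding in find_suspicious_exports(SAMPLE_EVENTS):
        print(f"ALERT {finding['user']} via '{finding['app']}': "
              f"{finding['rows']} rows, first export {finding['seconds_after_auth']}s "
              f"after authorization, anonymizer={finding['anonymized']}, ips={sorted(finding['ips'])}")
```

Run as-is the script raises one alert: jdoe authorized an app outside the allow-list and, 152 seconds later, pulled 560,000 rows through it from an anonymizer range, while the approved nightly integration is ignored. The allow-list is the important design choice: Salesforce lets admins restrict connected apps to admin-approved users, and a detection keyed on "app not on the allow-list" catches a renamed or modified Data Loader regardless of what the attacker calls it.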

In several observed cases, extortion demands did not arrive until months after the initial breach. This suggests either patience on the attacker's side or a hand-off to separate actors who later monetize the access, which also means an organization may have been breached well before it hears anything. The extortion messages (often via email or voice calls) threaten to leak or publish the stolen data unless a bitcoin ransom is paid within 72 hours.

Such tactics of delayed extortion, real-time voice pressure, and the threat of public exposure increase anxiety and urgency for victims.

What was said 

In their blog, Google states that UNC6040 is “a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns specifically designed to compromise organizations' Salesforce instances for large-scale data theft and subsequent extortion. Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements.”

Furthermore, they state that “[They] have since shifted to using custom applications … typically Python scripts that perform a similar function … following this initial engagement, the data collection is automated … through TOR IPs, a change that further complicates attribution and tracking efforts.”

In the know

Vishing, short for voice phishing, is a type of social engineering attack where cybercriminals use phone calls to trick victims into revealing sensitive information or performing actions that compromise security. Unlike traditional phishing emails or texts, vishing relies on human manipulation over voice communication, often creating a false sense of urgency or authority.

Because vishing exploits trust rather than a software flaw, even organizations with strong technical defenses can fall prey. Continuous employee training, independent verification of unexpected calls (hang up and call back through a known help-desk number), and multi-factor authentication remain the baseline defenses. One caveat matters for this campaign, though: MFA did not stop it, because the victim was already authenticated and was talked into approving an OAuth connected app, so the attacker never needed a password or a second factor. Controls that act at that layer are what blunt this technique: limiting which users may authorize connected apps or run Data Loader, enforcing login IP restrictions, and monitoring API and bulk-export activity tied to newly authorized apps.

Why it matters

According to Verizon's 2025 DBIR (Data Breach Investigations Report), phishing is one of the "top causes of costly data breaches." The vishing campaign uncovered by Google exemplifies this trend: attackers didn't exploit a vulnerability in Salesforce itself, but instead manipulated employees into granting access through convincing voice-based social engineering. As phishing and vishing tactics evolve, the Google case serves as a reminder that even organizations with advanced security infrastructure are only as strong as their users' ability to detect deception, and as the limits placed on what a deceived user is able to authorize.

FAQs

How does vishing differ from phishing?

While phishing uses deceptive emails or texts, vishing occurs over phone calls, leveraging real-time human interaction to increase credibility and pressure victims into compliance.

How do attackers make their vishing calls seem legitimate?

Attackers often spoof caller IDs, use familiar company terminology, or reference real internal systems and tools (in this campaign, Salesforce and its Data Loader) to build trust. They may also time calls during busy periods or shortly after genuine security alerts, when a call from "IT support" seems expected, to make their stories more believable.