
UNC6040 Vishing Group

Cybersecurity researchers have uncovered a financially motivated threat group, identified as UNC6040, which has carved out a niche in voice phishing (vishing) campaigns. These attacks are specifically designed to infiltrate Salesforce environments, steal sensitive data at scale, and leverage the stolen information for extortion.

A Familiar Face: Links to 'The Com' Cybercrime Collective

UNC6040's tactics and behaviors suggest ties to The Com, a loose online cybercrime network. The group also shares operational similarities with Scattered Spider, another actor in the collective known for its IT support impersonation and credential targeting. Their end goals differ, however: Scattered Spider seeks broader access, while UNC6040 aims to exfiltrate Salesforce data.

Impersonation in Action: The Vishing Modus Operandi

The group's success stems from its use of highly convincing telephone-based social engineering. By posing as IT support personnel, often fluent English speakers, UNC6040 operators are able to manipulate employees into handing over credentials or performing actions that facilitate unauthorized access to corporate systems.

Exploiting Trust: The Modified Salesforce Data Loader Scheme

A standout tactic involves convincing victims to authorize a modified version of Salesforce's Data Loader, disguised under misleading names like 'My Ticket Portal.' This allows attackers to gain access to Salesforce's connected app interface, which they exploit to steal vast amounts of customer data from within the platform.

Beyond Salesforce: Lateral Movement and Broader Exploitation

Once inside, UNC6040 doesn't stop at Salesforce. The attackers pivot laterally across the network, harvesting data from other cloud platforms like Okta, Workplace, and Microsoft 365. This enables broader compromise and increases the value of the stolen information.

Delayed Payoff: Strategic Extortion Tactics

Interestingly, extortion attempts have often come months after the initial compromise, indicating a deliberate, strategic delay. These demands are sometimes accompanied by claims of affiliation with the notorious hacking group ShinyHunters, a move likely aimed at amplifying psychological pressure on victims.

Recon First: Vishing Backed by Automated Phone Surveillance

UNC6040 also leverages automated phone systems with recorded messages and menu options to gather reconnaissance. These systems reveal internal support numbers, common employee issues, application names, and system alerts, all of which are crucial intel for tailoring convincing vishing scenarios.

Social Engineering in the Age of Remote Work

The group benefits from the shift to remote IT support, where employees are accustomed to engaging with unfamiliar support personnel. This environment creates ideal conditions for deceptive social engineering, especially when paired with extensive reconnaissance.

Salesforce’s Response and Customer Warnings

Salesforce acknowledged the attacks in March 2025, warning customers about social engineering campaigns impersonating IT personnel. Attackers have been luring users to phishing pages or directing them to login.salesforce[.]com/setup/connect to approve malicious connected apps, typically modified versions of Data Loader under deceptive branding.
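The Data Loader scheme described above and in the earlier section leaves a detectable pattern: a login through a connected app the organization never approved, followed shortly by a large Bulk API query. The following detection logic is an added example, not code from the article or from Salesforce; the records are constructed and their field names (Application, ApiType, RecordsProcessed, and so on) are assumptions modeled loosely on Salesforce login history and bulk job summaries, not a guaranteed match to any real export format.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed field names, loosely modeled on
# Salesforce LoginHistory and Bulk API job summaries).
LOGINS = [
    {"UserId": "u001", "Application": "Salesforce for iOS", "ApiType": "N/A",
     "LoginTime": "2025-03-10T09:01:00"},
    {"UserId": "u002", "Application": "My Ticket Portal", "ApiType": "Partner",
     "LoginTime": "2025-03-10T10:15:00"},  # unapproved app name from the article
    {"UserId": "u003", "Application": "Data Loader Partner", "ApiType": "Partner",
     "LoginTime": "2025-03-10T11:00:00"},
    {"UserId": "u004", "Application": "Helpdesk Sync", "ApiType": "Partner",
     "LoginTime": "2025-03-10T12:00:00"},  # unapproved, but only a small query
]
BULK_JOBS = [
    {"UserId": "u002", "Operation": "query", "RecordsProcessed": 250000,
     "CreatedDate": "2025-03-10T10:40:00"},
    {"UserId": "u003", "Operation": "query", "RecordsProcessed": 1200,
     "CreatedDate": "2025-03-10T11:30:00"},
    {"UserId": "u004", "Operation": "query", "RecordsProcessed": 300,
     "CreatedDate": "2025-03-10T12:10:00"},
]
# Allowlist of connected apps the org has reviewed (assumed for this example).
APPROVED_APPS = {"Salesforce for iOS", "Data Loader Partner"}


def ts(s):
    return datetime.fromisoformat(s)


def find_suspicious_exports(logins, bulk_jobs, approved,
                            window_hours=2, min_records=50000):
    """Flag users who logged in via a connected app outside the allowlist and
    then ran a large Bulk API query within window_hours of that login."""
    findings = []
    for login in logins:
        if login["Application"] in approved:
            continue  # known app: nothing to correlate
        t0 = ts(login["LoginTime"])
        for job in bulk_jobs:
            if job["UserId"] != login["UserId"] or job["Operation"] != "query":
                continue
            delta = ts(job["CreatedDate"]) - t0
            if timedelta(0) <= delta <= timedelta(hours=window_hours) \
                    and job["RecordsProcessed"] >= min_records:
                findings.append({"user": login["UserId"],
                                 "app": login["Application"],
                                 "records": job["RecordsProcessed"],
                                 "minutes_after_login": int(delta.total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_exports(LOGINS, BULK_JOBS, APPROVED_APPS):
        print(f"ALERT user={f['user']} app={f['app']!r} exported "
              f"{f['records']} records {f['minutes_after_login']} min after login")
```

Tuning the volume threshold to the org's normal Data Loader usage matters more than the app-name check alone, since a renamed Data Loader still authenticates like the legitimate one.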

No System Vulnerability: Exploiting Human Weakness

Salesforce emphasized that these incidents stemmed from user manipulation, not any technical vulnerabilities in their systems. The attacks underscore how individual awareness and cybersecurity hygiene remain critical lines of defense, especially against voice phishing scams.

Persistent Threat: A Warning for the Future

The tactics employed by UNC6040 show that vishing remains a highly effective method for breaching enterprise defenses. Given the delay between initial access and extortion, more organizations could find themselves at risk in the coming weeks or months. Vigilance and robust internal controls will be key to mitigating this evolving threat.
