Threat Signal Report

Salesloft Drift Supply Chain Attack

What is the Attack?	Threat actors tracked as UNC6395 exploited the Salesloft Drift integration, a SaaS AI chatbot tool linked to Salesforce and other platforms, to steal OAuth and refresh tokens. These tokens allowed them to bypass normal authentication controls and gain access to target environments without directly breaching Salesforce accounts. The attackers then systematically exported sensitive credentials from dozens, and potentially hundreds, of Salesforce customer instances. Exfiltrated data included AWS access keys, Snowflake authentication tokens, VPN credentials, passwords, and API keys. With these tokens, UNC6395 was able to infiltrate not only Salesforce but also Google Workspace, Cloudflare, Zscaler, Palo Alto Networks, and other connected systems. This expanded the impact well beyond CRM data, exposing a wide range of enterprise environments. While initial reports suggested the breach was limited to Salesforce integrations, subsequent investigations confirmed that all Salesloft Drift integrations should be considered compromised.
What is the recommended Mitigation?	• Review Salesloft Advisory and any other partner advisory affected by the breach. Salesloft Trust Portal \| Widespread Data Theft Targets Salesforce Instances via Salesloft Drift \| Google Cloud Blog • Revoke and Reissue Tokens Immediately disconnect and regenerate all tokens associated with Salesloft Drift and any connected integrations. • Audit and Monitor Activity Review logs in Salesforce, Google Workspace, and other integrated platforms for signs of unusual data exports, hidden jobs, or suspicious API calls. • Tighten Integration Permissions Enforce least privilege, restrict API scopes, and apply IP-based access controls to reduce exposure. • Rotate All Exposed Secrets Replace compromised or potentially exposed credentials, including AWS keys, Snowflake tokens, VPN accounts, and API tokens. • Defend Against Phishing and Impersonation Monitor for social engineering attempts targeting employees or customers using leaked contact data.
What FortiGuard Coverage is available?	• FortiGuard Labs recommends users to follow best practices and enforce Zero-Trust Security to ensure minimal impact and sensitive data remains tightly restricted. • FortiGuard Labs blocks access to malicious domains, C2 servers, or phishing sites associated with the campaign. • FortiGuard Labs has blocked all the known linked Indicators of Compromise (IOCs) and the team is continuously monitoring for new IOCs. • Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Additional Resources

Google Threat Intelligence Group
Bleeping Computer
Security Week
Salesloft
ic3.gov- CSA