The Voice of Deception: How Elite Phone Scammers Are Hijacking Corporate Salesforce Data
Google's Threat Intelligence Group has uncovered a sophisticated cybercriminal operation that represents a new evolution in corporate social engineering attacks.

The threat group, designated UNC6040, has developed highly refined voice phishing (vishing) techniques specifically designed to infiltrate organizational Salesforce environments for large-scale data theft and subsequent extortion activities.
Threat Actor Profile and Attribution
Google's cybersecurity researchers are monitoring this financially motivated threat cluster under the designation UNC6040, which demonstrates operational characteristics consistent with cybercriminal groups associated with The Com, a well-known online criminal collective. The threat actor's activities suggest professional-level organization and coordination typical of established cybercrime syndicates.
Connection to Known Criminal Networks
UNC6040 exhibits tactical overlaps with other threat groups linked to The Com collective, particularly in their targeting methodologies and social engineering approaches. The group shares operational similarities with Scattered Spider, another financially motivated actor within the same criminal ecosystem, though their objectives and execution methods differ significantly.
Sophisticated Social Engineering Methodology
IT Support Impersonation Strategy
UNC6040 has demonstrated exceptional proficiency in telephone-based social engineering campaigns over recent months. According to Google's Threat Intelligence Group, the operators have achieved "repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements."
The attackers specifically target English-speaking employees, leveraging cultural familiarity and language fluency to enhance the credibility of their impersonation attempts. This linguistic targeting suggests that the operators themselves are fluent English speakers, whether native or highly trained.
Psychological Manipulation Techniques
The success of UNC6040's operations relies heavily on their ability to manipulate victims into performing actions that compromise organizational security. Through carefully crafted conversations, the threat actors trick employees into:
- Sharing valuable authentication credentials
- Performing actions that grant unauthorized system access
- Divulging sensitive organizational information
- Authorizing malicious applications and services
Technical Attack Methodology
Salesforce Data Loader Exploitation
A particularly sophisticated element of UNC6040's operations involves a modified version of Salesforce's legitimate Data Loader application, the official tool for bulk import, export, and update of records within the Salesforce platform. Data Loader connects to an org as an OAuth connected app, so a user who approves it grants the app API access with that user's own data permissions; a renamed copy under attacker control receives exactly the same access.
During vishing attacks, the criminals guide their targets through a deceptive authorization process:
- Deceptive Navigation: Victims are instructed to visit Salesforce's connected app setup page
- Fraudulent Authorization: Targets are convinced to approve the modified Data Loader application
- Brand Impersonation: The malicious app appears under alternative names or branding (such as "My Ticket Portal") to avoid detection
- Unauthorized Access: Once authorized, the modified application holds OAuth tokens that give the attackers API access to the organization's Salesforce data with the victim's permissions, which they use to query and export records in bulk
Data Exfiltration and Lateral Movement
Following successful initial access, UNC6040 operators execute comprehensive data theft operations. The Salesforce breach serves as a launching point for broader network infiltration, with attackers systematically expanding their access to additional corporate platforms including:
- Okta identity management systems
- Workplace collaboration platforms
- Microsoft 365 productivity suites
This multi-platform approach demonstrates the group's understanding of modern corporate IT ecosystems and their interconnected nature.
Advanced Reconnaissance and Intelligence Gathering
Automated Phone System Weaponization
UNC6040 has developed innovative reconnaissance techniques using automated phone systems equipped with pre-recorded messages and interactive menu structures. These systems enable the threat actors to anonymously gather crucial intelligence about target organizations, including:
- Common Technical Issues: Understanding frequent problems faced by employees
- Internal Application Names: Identifying specific software and systems in use
- Support Team Structure: Mapping internal IT support hierarchies and contact information
- Company-wide Technical Alerts: Awareness of ongoing technical issues that can be leveraged in social engineering scenarios
Strategic Intelligence Collection
As noted by Mandiant Incident Response team member Nick Guttilla, "effective social engineering campaigns are built upon extensive reconnaissance." The threat actors invest significant resources in understanding their targets before initiating contact, leveraging the normalized remote IT support environment where employees regularly interact with external or unfamiliar technical personnel.
Monetization and Extortion Operations
Delayed Extortion Strategy
UNC6040 employs a distinctive approach to monetizing their criminal activities, waiting "several months" after initial network compromises before initiating extortion demands. This delayed approach suggests several strategic considerations:
- Data Value Assessment: Time to evaluate the full scope and value of stolen information
- Partnership Coordination: Potential collaboration with secondary threat actors specialized in extortion
- Detection Avoidance: Reducing the likelihood of connecting extortion activities to the original breach
ShinyHunters Brand Exploitation
During extortion attempts, UNC6040 has claimed affiliation with ShinyHunters, a well-established hacking group, "likely as a method to increase pressure on their victims." Whether or not the affiliation is genuine, invoking a name the victim already recognizes is a deliberate psychological lever: it raises the perceived threat level and increases the likelihood that the victim complies with ransom demands.
Vendor Response and Industry Impact
Salesforce Security Advisory
In March 2025, Salesforce issued comprehensive warnings to customers about the ongoing threat campaign. The company identified several key attack vectors being exploited by the threat actors:
- Credential Harvesting: Directing victims to phishing pages designed to steal login credentials and multi-factor authentication tokens
- Malicious App Authorization: Guiding users to Salesforce's connected app setup page to authorize fraudulent applications
- Data Loader Manipulation: Using modified versions of legitimate Salesforce tools published under alternative names and branding
Platform Security Clarification
Salesforce emphasized that all observed incidents relied on social engineering manipulation of end users rather than exploitation of platform vulnerabilities. The company stated that "Salesforce has enterprise-grade security built into every part of our platform, and there's no indication the issue described stems from any vulnerability inherent to our services."
Broader Security Implications
Evolution of Social Engineering Threats
The UNC6040 campaign represents a significant evolution in corporate-targeted social engineering attacks. The sophistication of their vishing operations, combined with technical manipulation of legitimate business applications, demonstrates how cybercriminals are adapting to modern remote work environments and cloud-based business platforms.
Future Threat Projections
Google's analysis suggests that additional organizations may face extortion demands in the coming weeks or months, given the extended timeframe between initial compromises and monetization attempts. The success of UNC6040's refined vishing tactics indicates that this approach will likely remain an effective attack vector for financially motivated threat groups.
Remote Work Security Challenges
The campaign highlights specific weaknesses created by remote work environments and outsourced IT support structures. The normalization of interactions with external technical personnel has created opportunities for social engineering attacks that were previously more difficult to execute in traditional office environments, where an employee could at least see who was asking.
Defense and Mitigation Recommendations
Organizations should implement layered defenses against vishing of this kind: employee training that specifically covers IT-support impersonation; a fixed call-back procedure so that no employee approves an application or shares a credential on the strength of an inbound call alone; and tight control of connected apps within Salesforce, including admin pre-approval of which apps users may authorize, periodic review of issued OAuth tokens, and alerting on unfamiliar app authorizations that are followed by large bulk exports. The success of UNC6040's operations underscores the critical importance of treating voice-based social engineering as a serious cybersecurity threat requiring dedicated defensive measures.
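The monitoring recommended above can be reduced to two checks that run over a feed of Salesforce events: an authorization of a connected app that is not on the admin-approved list, and a large bulk export made through an app shortly after that app was authorized by the same user. The following script is an added example written for this article, not code from Google, Mandiant or Salesforce. Its event records are a constructed, simplified schema (in a real org the equivalent data comes from objects such as OauthToken, LoginHistory and Bulk API job records); the approved-app list, thresholds, user names, app names, IP addresses and row counts are all assumptions chosen to mirror the "My Ticket Portal" pattern described in the text.

```python
"""Flag suspicious Salesforce connected-app authorizations and follow-on bulk exports.

Added example for illustration; not Google, Mandiant or Salesforce code. The event
schema, approved-app list, thresholds and every record below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Connected apps the org has deliberately approved (assumption: maintained by admins).
APPROVED_APPS = {"Data Loader", "Salesforce for Outlook", "Sales Cloud Mobile"}

# A bulk export at or above this many rows within this window after a fresh
# authorization is treated as likely exfiltration. Both values are assumptions to tune.
EXPORT_ROW_THRESHOLD = 10_000
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample events: alice uses the real Data Loader for a small routine
# export; bob authorizes a renamed app and it immediately pulls whole objects.
SAMPLE_EVENTS = [
    {"ts": "2025-05-12T09:14:00", "user": "alice@example.com", "event": "app_authorized",
     "app": "Data Loader", "source_ip": "203.0.113.10"},
    {"ts": "2025-05-12T09:30:00", "user": "alice@example.com", "event": "bulk_export",
     "app": "Data Loader", "object": "Account", "rows": 1_200, "source_ip": "203.0.113.10"},
    {"ts": "2025-05-13T15:02:00", "user": "bob@example.com", "event": "app_authorized",
     "app": "My Ticket Portal", "source_ip": "198.51.100.77"},
    {"ts": "2025-05-13T15:41:00", "user": "bob@example.com", "event": "bulk_export",
     "app": "My Ticket Portal", "object": "Contact", "rows": 250_000, "source_ip": "198.51.100.77"},
    {"ts": "2025-05-13T16:05:00", "user": "bob@example.com", "event": "bulk_export",
     "app": "My Ticket Portal", "object": "Opportunity", "rows": 80_000, "source_ip": "198.51.100.77"},
]


def parse_ts(value):
    """ISO-8601 timestamp string to datetime."""
    return datetime.fromisoformat(value)


def unapproved_authorizations(events):
    """Authorization events for apps that are not on the admin-approved list."""
    return [e for e in events
            if e["event"] == "app_authorized" and e["app"] not in APPROVED_APPS]


def correlated_exports(events, window=CORRELATION_WINDOW, threshold=EXPORT_ROW_THRESHOLD):
    """Bulk exports of at least `threshold` rows made through an app within `window`
    of that app being authorized by the same user (the app-then-export sequence)."""
    auth_times = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "app_authorized":
            auth_times[(e["user"], e["app"])] = parse_ts(e["ts"])
    findings = []
    for e in events:
        if e["event"] != "bulk_export" or e["rows"] < threshold:
            continue
        authorized_at = auth_times.get((e["user"], e["app"]))
        if authorized_at is None:
            continue
        delta = parse_ts(e["ts"]) - authorized_at
        if timedelta(0) <= delta <= window:
            findings.append(e)
    return findings


def total_rows_by_app(events):
    """Total rows exported per (user, app), useful for sizing the potential loss."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "bulk_export":
            totals[(e["user"], e["app"])] += e["rows"]
    return dict(totals)


def triage(events):
    """Combine the checks into one report an analyst can act on."""
    unapproved = sorted({e["app"] for e in unapproved_authorizations(events)})
    suspicious = [(e["user"], e["app"], e["object"], e["rows"])
                  for e in correlated_exports(events)]
    return {"unapproved_apps": unapproved,
            "suspicious_exports": suspicious,
            "rows_by_app": total_rows_by_app(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for app in report["unapproved_apps"]:
        print(f"[ALERT] unapproved connected app authorized: {app}")
    for user, app, obj, rows in report["suspicious_exports"]:
        print(f"[ALERT] {user} exported {rows} {obj} rows via {app} within "
              f"{CORRELATION_WINDOW} of authorizing it")
```

Alice's 1,200-row export through the genuine Data Loader is not flagged, while both of bob's exports through "My Ticket Portal" are, and the app itself is flagged at authorization time, before any export happens. The window check matters: extortion came months later, but the export itself followed the authorization within the hour, so a daily review of new OAuth tokens and bulk jobs would have caught it.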