Threat Brief: Salesloft Drift Integration Used To Compromise Salesforce Instances

Between August 8–18, 2025, a threat actor used compromised OAuth credentials for the Salesloft Drift integration to exfiltrate large volumes of Salesforce data (Account, Contact, Case and Opportunity records) and then scanned that data for credentials. Salesloft revoked active Drift tokens and notified impacted customers, and Palo Alto Networks Unit 42 urges urgent investigation, credential rotation and log-based hunting.

Key points

  • From August 8–18, 2025, a threat actor exploited compromised OAuth credentials in the Salesloft Drift integration to access customer Salesforce instances.
  • The attacker performed mass exfiltration of sensitive Salesforce objects including Account, Contact, Case, and Opportunity records.
  • Post-exfiltration activity included scanning the stolen data for credentials and deleting Salesforce queries to hide evidence.
  • Salesloft revoked all active access and refresh tokens for the Drift application and notified impacted customers.
  • Unit 42 recommends immediate investigation of Drift integrations, Salesforce logs (including Event Monitoring and UniqueQuery events), IdP logs and network logs for suspicious IPs and indicators such as the Python/3.11 aiohttp/3.12.15 user agent.
  • Organizations should rotate exposed credentials, scan repositories for secrets (Trufflehog, GitLeaks), and scrutinize exfiltrated data for keys or login URLs.
  • Follow best practices: verify unsolicited requests, implement Zero Trust and least privilege, and engage Unit 42 Incident Response if compromised or for proactive assessment.
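The brief's advice to scrutinize exfiltrated data for keys or login URLs, shown as an added example that is not part of the Unit 42 brief. The records below are constructed, and the detectors are simplified stand-ins for the pattern-plus-entropy checks that tools such as Trufflehog and GitLeaks perform; the point is to turn an exported data set into a per-record rotation worklist.

```python
"""Scan exfiltrated-style Salesforce records for embedded secrets and login URLs.

Added example, not from Unit 42, Salesloft or Salesforce. The sample records and
their Ids are constructed; the patterns are deliberately simple (a real secret
scanner carries hundreds of detectors) but follow the same shape: match a known
credential format or a labelled value, then annotate it with its entropy.
"""
import math
import re
from collections import Counter

# Constructed sample of Case/Contact records as an exfiltrated export might hold them.
# The AWS values are Amazon's documented example keys, not live credentials.
SAMPLE_RECORDS = [
    {"Id": "500CONSTRUCTED001", "Object": "Case",
     "Description": "Customer pasted their key: AKIAIOSFODNN7EXAMPLE and "
                    "secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500CONSTRUCTED002", "Object": "Case",
     "Description": "Login at https://example-corp.my.salesforce.com with password=Winter2025!"},
    {"Id": "003CONSTRUCTED003", "Object": "Contact",
     "Description": "Follow up next week regarding renewal pricing."},
    {"Id": "500CONSTRUCTED004", "Object": "Case",
     "Description": "Attached token: ghp_" + "x" * 36},   # GitHub-style PAT shape, constructed
]

# Detector name -> regex. A capture group, when present, isolates the secret value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "salesforce_login_url": re.compile(r"https?://[\w.-]+\.my\.salesforce\.com\S*"),
    "labelled_token": re.compile(r"(?i)\b(?:token|secret|api[_-]?key)\s*[:=]?\s*([A-Za-z0-9/+_\-]{20,})"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score high, prose and padding score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list:
    """Run every detector over one text field and return the matches with entropy."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            findings.append({"type": name, "value": value,
                             "entropy": round(shannon_entropy(value), 2)})
    return findings


def scan_records(records: list, text_fields=("Description",)) -> list:
    """Scan the free-text fields of each record; only records with hits are returned."""
    report = []
    for rec in records:
        hits = []
        for field in text_fields:
            hits.extend(scan_text(rec.get(field, "")))
        if hits:
            report.append({"Id": rec["Id"], "Object": rec["Object"], "findings": hits})
    return report


def rotation_worklist(report: list) -> dict:
    """Collapse the report into record Id -> sorted secret types that need rotating."""
    return {r["Id"]: sorted({h["type"] for h in r["findings"]}) for r in report}


if __name__ == "__main__":
    for record_id, types in rotation_worklist(scan_records(SAMPLE_RECORDS)).items():
        print(record_id, ", ".join(types))
```

The entropy value is kept as an annotation rather than a filter on purpose: a weak human-chosen password has low entropy but still needs rotating once it has been exfiltrated, so the worklist is driven by the pattern hits and the entropy only helps an analyst prioritise which hits look like machine-generated keys.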

MITRE Techniques

  • [T1078] Valid Accounts – Threat actor used compromised OAuth credentials for the Salesloft Drift integration to access Salesforce (“…a threat actor utilized compromised OAuth credentials to exfiltrate data…”).
  • [T1537] Transfer Data to Cloud Account – Actor exfiltrated large volumes of Salesforce object data using API access, consistent with automated bulk extraction (“…performed mass exfiltration of sensitive data from various Salesforce objects…”).
  • [T1086] PowerShell (or [T1059.006] Command and Scripting Interpreter: Python) – Use of automated Python tooling, indicated by the user agent string Python/3.11 aiohttp/3.12.15, to perform high-throughput data exfiltration (“…presence of the user agent string Python/3.11 aiohttp/3.12.15 associated with these login events…”).
  • [T1070] Indicator Removal on Host – Attacker deleted queries to hide evidence of the jobs they ran as an anti-forensics technique (“…deleted queries to hide evidence of the jobs they run…”).
  • [T1530] Data from Cloud Storage Object – Exfiltration targeted Salesforce objects (Account, Contact, Case, Opportunity) by querying and extracting fields (“…identify which Salesforce objects (e.g., Account, Contact, Opportunity, Case, etc.) and which fields within those objects the attacker queried.”).

Indicators of Compromise

  • [User Agent] Suspicious client string – Python/3.11 aiohttp/3.12.15 (indicative of automated, high-volume data exfiltration).
  • [Application Tokens] Compromised OAuth credentials – compromised access and refresh tokens for the Drift Connected App (Salesloft revoked tokens for affected customers).
  • [Network IPs] Suspicious source IPs – known threat actor IP addresses and multiple Tor exit nodes referenced in Salesloft's notification (the addresses are not reproduced in the article; Salesloft's list includes Tor exit nodes and other IPs).
  • [Salesforce Objects] Targeted data types – Account, Contact, Case and Opportunity records were exfiltrated (the specific fields are not listed; review UniqueQuery events to identify them).
  • [Logs/Events] Audit artifacts to hunt – Salesforce Event Monitoring logs, UniqueQuery events, login history and API access logs showing suspicious activity during Aug 8–18, 2025 (look for the above user agent and suspicious IPs).
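The log-based hunt the brief recommends (in the key points and in the audit-artifact entry above), written out as an added example that is not part of the Unit 42 brief or any Salesforce tooling. The CSV rows are constructed and use assumed column names, since real Event Monitoring EventLogFile exports vary by event type; the IP watchlist holds documentation addresses standing in for the list Salesloft distributed, which the article does not reproduce; the user Ids are constructed.

```python
"""Hunt Salesforce-style event log rows for the indicators named in the brief.

Added example, not from Unit 42, Salesloft or Salesforce. Column names, user
Ids and IP addresses are assumed or constructed; the user agent string, the
targeted objects and the Aug 8-18 2025 window come from the brief itself.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

SUSPICIOUS_USER_AGENT = "Python/3.11 aiohttp/3.12.15"               # named in the brief
TARGET_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}      # objects the brief says were exfiltrated
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)            # exclusive, so Aug 18 is included
WATCHLIST_IPS = {"203.0.113.10", "198.51.100.77"}                    # placeholder TEST-NET addresses, constructed

# Constructed rows. Column names are assumed, not Salesforce's documented schema.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,USER_AGENT,QUERY
Login,2025-08-09T02:14:31Z,005CONSTRUCTED01,203.0.113.10,Python/3.11 aiohttp/3.12.15,
UniqueQuery,2025-08-09T02:15:02Z,005CONSTRUCTED01,203.0.113.10,Python/3.11 aiohttp/3.12.15,"SELECT Id, Name, Website FROM Account"
UniqueQuery,2025-08-09T02:15:40Z,005CONSTRUCTED01,203.0.113.10,Python/3.11 aiohttp/3.12.15,"SELECT Id, Email, Phone FROM Contact"
UniqueQuery,2025-08-09T02:16:11Z,005CONSTRUCTED01,203.0.113.10,Python/3.11 aiohttp/3.12.15,"SELECT Id, Subject, Description FROM Case"
Login,2025-08-10T14:02:55Z,005CONSTRUCTED02,192.0.2.44,Mozilla/5.0 (Windows NT 10.0) Chrome/128.0,
UniqueQuery,2025-08-10T14:05:13Z,005CONSTRUCTED02,192.0.2.44,Mozilla/5.0 (Windows NT 10.0) Chrome/128.0,"SELECT Id, Name FROM Opportunity WHERE StageName = 'Closed Won'"
Login,2025-07-30T09:00:00Z,005CONSTRUCTED03,203.0.113.10,Python/3.11 aiohttp/3.12.15,
"""


def parse_rows(text: str) -> list:
    """Parse a CSV export into one dict per row (quoted SOQL with commas is handled)."""
    return list(csv.DictReader(io.StringIO(text)))


def _timestamp(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def queried_objects(soql: str) -> set:
    """Object names following FROM in a flat SOQL statement (no subquery handling)."""
    tokens = soql.replace(",", " ").split()
    return {tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok.upper() == "FROM"}


def hunt(rows: list) -> list:
    """Flag rows matching the user agent or IP watchlist; enrich with objects and window."""
    findings = []
    for row in rows:
        reasons = []
        if row["USER_AGENT"] == SUSPICIOUS_USER_AGENT:
            reasons.append("suspicious_user_agent")
        if row["CLIENT_IP"] in WATCHLIST_IPS:
            reasons.append("watchlist_ip")
        if not reasons:
            continue
        ts = _timestamp(row["TIMESTAMP_DERIVED"])
        findings.append({
            "timestamp": row["TIMESTAMP_DERIVED"],
            "event_type": row["EVENT_TYPE"],
            "user_id": row["USER_ID"],
            "client_ip": row["CLIENT_IP"],
            "objects": sorted(queried_objects(row["QUERY"]) & TARGET_OBJECTS),
            "reasons": reasons,
            "in_window": WINDOW_START <= ts < WINDOW_END,
        })
    return findings


def summarize_by_user(findings: list) -> dict:
    """Per user, the targeted objects and source IPs seen in flagged in-window events."""
    summary = defaultdict(lambda: {"events": 0, "objects": set(), "ips": set()})
    for f in findings:
        if not f["in_window"]:
            continue          # matches outside the window are reported separately
        entry = summary[f["user_id"]]
        entry["events"] += 1
        entry["objects"].update(f["objects"])
        entry["ips"].add(f["client_ip"])
    return {user: {"events": e["events"], "objects": sorted(e["objects"]), "ips": sorted(e["ips"])}
            for user, e in summary.items()}


if __name__ == "__main__":
    found = hunt(parse_rows(SAMPLE_LOG))
    for user, entry in summarize_by_user(found).items():
        print(user, entry)
    for f in found:
        if not f["in_window"]:
            print("outside window, still review:", f["timestamp"], f["user_id"], f["reasons"])
```

The query text is used only as enrichment: querying Account or Contact is normal business activity, so the hunt keys on the user agent and source IP and then reports which targeted objects those flagged sessions touched, which is the scoping question the brief asks investigators to answer. Indicator matches outside the stated window are kept in the findings with `in_window` set to false rather than discarded, since a hit there still deserves a look.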

Read more: https://unit42.paloaltonetworks.com/threat-brief-compromised-salesforce-instances/