A sophisticated cybersecurity campaign built on voice phishing (vishing) has evolved into a high-stakes data extortion threat. Tracked as UNC6040 and UNC6240 by Google Threat Intelligence, the operation targeted Salesforce environments, using social engineering to gain access, exfiltrate business data, and then extort victims under the “ShinyHunters” name. The path from phishing call to ransom demand shows how financially motivated attacks are evolving, and it is happening now.
Beginning in early 2025, Google’s Threat Intelligence Group (GTIG) identified a cluster of intrusions orchestrated by UNC6040, a financially motivated group that uses vishing to breach organizational security perimeters. Its operators impersonated IT support staff over the phone, convincing targeted employees (mostly in English-speaking divisions of multinational firms) to authorize a malicious app within Salesforce.
The attackers guided victims to the connected apps setup page, where they approved rogue apps, often branded as fake ticketing portals or support tools, that functioned like Salesforce’s Data Loader and enabled large-scale data exfiltration.
“These attacks didn’t exploit Salesforce vulnerabilities,” said GTIG researchers. “They exploited human trust.” Google Threat Intelligence, 5 August 2025
A Closer Look at the Attack Chain
Initial Access:
- Vishing call, with follow-on access from anonymized IPs (Mullvad VPN, Tor).
- Target guided to authorize a modified Data Loader via Salesforce connected apps.
Credential Harvesting & Lateral Movement:
- Victims unknowingly gave up credentials and MFA codes.
- Attackers accessed cloud platforms like Okta and Microsoft 365.
Exfiltration:
- Custom Python scripts and renamed apps like “My Ticket Portal” pulled sensitive records from Salesforce.
- Attackers often tested small queries before large-scale downloads.
Infrastructure:
- Hosted phishing panels mimicking Okta portals.
- Used compromised email accounts to register malicious apps.
Extortion Phase: UNC6240 Emerges
Several months post-breach, a second cluster, UNC6240, initiated extortion campaigns. Employees received emails or calls demanding Bitcoin within 72 hours, threatening public data leaks. The attackers claimed affiliation with ShinyHunters, a well-known data breach actor.
Known Extortion Email Addresses
shinycorp@tuta[.]com
shinygroup@tuta[.]com
Google confirmed that one of its internal Salesforce instances, containing basic business contact data for SMBs, was impacted during a narrow window in June. The stolen data was limited to non-sensitive information and mitigations were immediately applied.
Global Context & MEA Considerations
The campaign’s focus on cloud-based SaaS platforms like Salesforce is globally relevant, but organizations in MEA, many of which are undergoing rapid digital transformation, may be particularly vulnerable. Vishing campaigns cross borders easily, and regional IT support centers may lack the layered security training needed to defend against socially engineered calls.
MITRE ATT&CK Mapping
| Tactic | Technique | ATT&CK ID |
|---|---|---|
| Initial Access | Phishing: Spearphishing Voice | T1566.004 |
| Credential Access | Adversary-in-the-Middle (phishing panels mimicking Okta) | T1557 |
| Persistence | Create Account | T1136 |
| Command & Control | Application Layer Protocol: Web Protocols | T1071.001 |
| Collection | Data from Information Repositories (Salesforce records via the rogue connected app) | T1213 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
Actionable Takeaways for Security Leaders
- Train employees to detect voice phishing, especially IT staff and Salesforce users.
- Restrict “API Enabled” and “Manage Connected Apps” permissions to only essential personnel.
- Implement IP allowlisting for Salesforce logins and connected app authorizations.
- Enable MFA and educate users on social engineering tactics designed to bypass it.
- Use Salesforce Shield’s Transaction Security Policies to detect large data downloads.
- Audit and approve all connected apps; block unauthorized or modified Data Loaders.
- Monitor for suspicious behavior patterns using event monitoring and centralized SIEM logs.
- Rotate credentials immediately after suspected phishing events.
- Engage legal/compliance teams when extortion attempts occur; do not engage alone.
- Review cloud access policies and consider behavior-based detection tools.
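The monitoring takeaways above (approve connected apps, allowlist source IPs, flag large downloads, and watch for the small-query-then-bulk-pull pattern described in the attack chain) can be checked offline against exported Salesforce event log rows. The following script is an added example written for this page; it is not code from Google, Salesforce, or the original article. The column names (TIMESTAMP_DERIVED, USER_ID, CLIENT_NAME, SOURCE_IP, ROWS_PROCESSED), the sample rows, the approved-app list, and the CIDR allowlist are all assumptions constructed for the example; map them to the actual fields of whichever EventLogFile event type your org exports. It is a post-hoc detection over log rows, not a replacement for a Shield Transaction Security Policy.

```python
"""Flag connected-app abuse patterns in Salesforce API event log rows."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlists for the example: the connected apps your org has approved
# and the networks users are expected to log in from.
APPROVED_APPS = {"Salesforce for Outlook", "Data Loader"}
ALLOWED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample rows (not real log data). The column set is an assumption;
# a rogue app renamed "My Ticket Portal" probes with tiny queries, then pulls bulk.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,SOURCE_IP,ROWS_PROCESSED
2025-06-10T09:00:12Z,005AAA000000001,Salesforce for Outlook,203.0.113.10,25
2025-06-10T09:05:40Z,005BBB000000002,My Ticket Portal,198.51.100.7,10
2025-06-10T09:06:02Z,005BBB000000002,My Ticket Portal,198.51.100.7,15
2025-06-10T09:41:55Z,005BBB000000002,My Ticket Portal,198.51.100.7,250000
2025-06-10T10:02:00Z,005CCC000000003,Data Loader,203.0.113.44,120000
"""


def parse_events(text):
    """Parse CSV event rows into dicts, sorted by timestamp."""
    events = []
    for r in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": r["USER_ID"],
            "app": r["CLIENT_NAME"],
            "ip": ipaddress.ip_address(r["SOURCE_IP"]),
            "rows": int(r["ROWS_PROCESSED"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def analyze(events, approved_apps, allowed_cidrs,
            large_rows=10_000, probe_rows=100, window=timedelta(hours=1)):
    """Return one finding per event that trips at least one rule.

    Rules, in the order their reason codes are emitted:
      unapproved_app        client name not on the approved connected-app list
      ip_outside_allowlist  source IP not inside any allowed network
      bulk_download         ROWS_PROCESSED at or above large_rows
      probe_then_bulk       bulk download preceded, within `window`, by a tiny
                            query (<= probe_rows) from the same user and app
    """
    history = defaultdict(list)  # (user, app) -> [(ts, rows), ...]
    findings = []
    for e in events:
        reasons = []
        if e["app"] not in approved_apps:
            reasons.append("unapproved_app")
        if not any(e["ip"] in net for net in allowed_cidrs):
            reasons.append("ip_outside_allowlist")
        key = (e["user"], e["app"])
        if e["rows"] >= large_rows:
            reasons.append("bulk_download")
            if any(rows <= probe_rows and e["ts"] - ts <= window
                   for ts, rows in history[key]):
                reasons.append("probe_then_bulk")
        history[key].append((e["ts"], e["rows"]))
        if reasons:
            findings.append({
                "ts": e["ts"].isoformat(), "user": e["user"], "app": e["app"],
                "ip": str(e["ip"]), "rows": e["rows"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_LOG), APPROVED_APPS, ALLOWED_CIDRS):
        print(f["ts"], f["user"], f["app"], f["ip"], f["rows"], ",".join(f["reasons"]))
```

Tune `large_rows` and `probe_rows` to your org's normal Data Loader volumes before alerting on `bulk_download` alone; the `probe_then_bulk` combination with an unapproved app and an off-allowlist IP is the higher-confidence signal, and it is the one the sample rows reproduce.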
Conclusion: Why This Matters Now
The UNC6040/UNC6240 campaign marks a chilling convergence of traditional vishing with modern cloud exploitation and ransomware-like extortion. This escalation, which exploits trust and then weaponizes the stolen data months later, shows that the threat does not end when the call hangs up. As organizations continue adopting SaaS platforms, proactive controls, user education, and visibility across cloud apps will be essential defenses against these silent, persistent attackers.