Is your Salesforce environment integrated with third-party apps like Salesloft Drift? If so, your organization could be at risk of the same SaaS breach techniques used by advanced threat actors like UNC6395.

In early August, UNC6395 (an assessed Chinese threat actor) leveraged compromised OAuth tokens from the Salesloft Drift integration to infiltrate Salesforce environments. By abusing trusted access, the attacker ran targeted SOQL queries across critical Salesforce objects such as Users, Accounts, and Cases, quietly exfiltrating highly sensitive business data: AWS keys, Snowflake tokens, passwords, and more. According to Google, over 700 organizations have been impacted.

This incident is just the latest example of SaaS supply chain attacks, where trust in one connected app can open the door to broader data exposure, and shows why app owners must stay vigilant.

What was the UNC6395 Salesloft Drift attack?

How the attack worked:

  • The threat actor ran SOQL queries on Salesforce objects like Users, Accounts, Opportunities, and Cases
  • Systematically exfiltrated sensitive credentials and secrets
  • Deleted query jobs after execution to hide activity (but audit logs still retained evidence)

Salesloft & Salesforce response actions:

  • On August 20, 2025, Salesloft and Salesforce revoked all Drift OAuth tokens.
  • Salesforce also removed the Drift application from the AppExchange pending further investigation.
  • Impacted organizations were directly notified by Salesforce.

Key observations:

  • Attackers ran reconnaissance queries to measure record volumes before selectively pulling detailed user and case data.
  • The primary objective appeared to be credential harvesting for downstream attacks.
  • Malicious activity was tied to suspicious User-Agent strings, Tor exit-node traffic, and VPS hosts used for data exfiltration.
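The observations above (reconnaissance COUNT() queries followed by selective bulk pulls, job deletion after the fact, and unusual User-Agent and source-IP signals) map directly onto detection logic a defender can run over Salesforce API event logs. The following is an added example, not code from this post or from AppOmni: the event records, field names ("app", "ua", "op", "rows"), User-Agent allow-list and Tor exit-node list are all constructed for illustration and do not reproduce the exact schema of any Salesforce event type.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Salesforce Event Monitoring
# API events. Field names ("app", "ua", "op", "rows") are assumptions chosen for
# this illustration, not the exact schema of any Salesforce event type.
SAMPLE_EVENTS = [
    {"ts": "2025-08-08T03:01:00Z", "app": "Drift", "ip": "198.51.100.7",
     "ua": "python-requests/2.x", "op": "Query",
     "query": "SELECT COUNT() FROM User", "rows": 1},
    {"ts": "2025-08-08T03:01:30Z", "app": "Drift", "ip": "198.51.100.7",
     "ua": "python-requests/2.x", "op": "Query",
     "query": "SELECT COUNT() FROM Account", "rows": 1},
    {"ts": "2025-08-08T03:02:00Z", "app": "Drift", "ip": "198.51.100.7",
     "ua": "python-requests/2.x", "op": "Query",
     "query": "SELECT COUNT() FROM Case", "rows": 1},
    {"ts": "2025-08-08T03:05:00Z", "app": "Drift", "ip": "198.51.100.7",
     "ua": "python-requests/2.x", "op": "BulkQuery",
     "query": "SELECT Id, Name, Email FROM User", "rows": 4200},
    {"ts": "2025-08-08T03:06:00Z", "app": "Drift", "ip": "198.51.100.7",
     "ua": "python-requests/2.x", "op": "BulkQuery",
     "query": "SELECT Id, Subject, Description FROM Case", "rows": 18000},
    {"ts": "2025-08-08T03:07:00Z", "app": "Drift", "ip": "198.51.100.7",
     "ua": "python-requests/2.x", "op": "DeleteJob", "query": "", "rows": 0},
    # Normal daytime traffic from the same connected app: expected agent, no recon.
    {"ts": "2025-08-08T09:15:00Z", "app": "Drift", "ip": "203.0.113.10",
     "ua": "Drift-Integration/4.1", "op": "Query",
     "query": "SELECT Id FROM Lead WHERE Email != null", "rows": 20},
    # A single COUNT() from another app is routine, not reconnaissance.
    {"ts": "2025-08-08T10:00:00Z", "app": "MarketingSync", "ip": "203.0.113.20",
     "ua": "MarketingSync/2.0", "op": "Query",
     "query": "SELECT COUNT() FROM Lead", "rows": 1},
]

SENSITIVE_OBJECTS = {"User", "Account", "Opportunity", "Case"}
# Constructed per-app allow-list of User-Agent prefixes; build yours from a
# baseline of each integration's historical traffic.
EXPECTED_UA = {"Drift": ("Drift-Integration/",), "MarketingSync": ("MarketingSync/",)}
# Constructed placeholder; in practice load a current Tor exit-node list.
TOR_EXIT_NODES = {"198.51.100.7"}

COUNT_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.I)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyze(events, recon_min_objects=3, window=timedelta(minutes=10), bulk_rows=1000):
    """Return sorted, unique (app, indicator, detail) findings over the event list."""
    findings = set()
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_app[e["app"]].append(e)
        # Per-event indicators: anonymising source and unexpected client agent.
        if e["ip"] in TOR_EXIT_NODES:
            findings.add((e["app"], "tor_exit_source", e["ip"]))
        prefixes = EXPECTED_UA.get(e["app"], ())
        if prefixes and not e["ua"].startswith(prefixes):
            findings.add((e["app"], "unexpected_user_agent", e["ua"]))

    for app, evs in by_app.items():
        recon = {}          # object -> time of its most recent COUNT() query
        last_bulk = None    # time of the most recent large pull of a sensitive object
        for e in evs:
            now = _ts(e["ts"])
            m = COUNT_RE.match(e["query"])
            if m:
                recon[m.group(1)] = now
                continue
            if e["op"] == "DeleteJob":
                # Job deletion shortly after a bulk pull is the clean-up step.
                if last_bulk and now - last_bulk <= window:
                    findings.add((app, "bulk_job_deleted_after_pull", e["ts"]))
                continue
            m = FROM_RE.search(e["query"])
            obj = m.group(1) if m else ""
            if obj in SENSITIVE_OBJECTS and e["rows"] >= bulk_rows:
                last_bulk = now
                # Recon on several objects within the window, then a large pull.
                recent = [o for o, t in recon.items() if now - t <= window]
                if len(recent) >= recon_min_objects:
                    findings.add((app, "recon_then_bulk_pull", obj))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

The per-app loop is deliberately sequence-aware: a lone COUNT() query or a single large export is normal for many integrations, so the rule only fires when counts across several sensitive objects are followed within the window by a bulk pull from one of them. The thresholds are starting points to tune against each integration's baseline.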

Why this attack worked

The success of UNC6395 stemmed from common oversights in SaaS environments that together form weaknesses in the SaaS supply chain. Lateral movement became possible because admin-level OAuth tokens issued to a lesser-known SaaS app could be abused to reach business-critical applications. Attackers are taking advantage of:

  • Persistent OAuth access: Unlike user sessions, OAuth tokens often don’t expire
  • Over-permissive access: Many apps request full data access and are approved without review
  • Limited monitoring: Most organizations don’t monitor or ingest logs or policies for SaaS applications
  • Unsecured secrets: Credentials stored insecurely in Salesforce fields amplified the impact

How to prevent SaaS supply chain attacks like UNC6395

To effectively prevent SaaS supply chain attacks, focus on these key actions:

  • Apply least privilege to service accounts. Know exactly what data these identities can access.
  • Scan for exposed secrets. Look for stored AWS keys, tokens, or passwords in your Salesforce schema and data records.
  • Manage data access, not just APIs. Limiting scopes isn’t particularly useful for Salesforce integrations. Instead, focus on monitoring and restricting which Salesforce Objects, Fields, and Records your accounts and integrations can access.
  • Correlate SaaS logs. Work with security teams to bring together Salesforce, Okta, Google, and Microsoft logs for better threat visibility.
  • Use behavioral analytics. Even if access looks normal, UEBA can surface when an app or user starts behaving suspiciously.
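The "scan for exposed secrets" action above is straightforward to automate once candidate text fields have been pulled out of Salesforce. The following is an added example, not code from this post or from AppOmni: the records are constructed stand-ins for rows queried from fields such as Case.Description or a custom notes field (all IDs and values are fake; the AWS key/secret pair is AWS's long-published documentation example), and the pattern list and entropy threshold are illustrative choices rather than a vendor's detection set.

```python
import math
import re
from collections import Counter

# Constructed sample rows standing in for records queried from Salesforce text
# fields (Case.Description, a custom Integration_Notes__c field, ...). All IDs
# and values are fake; the AWS key/secret pair is AWS's documented example.
SAMPLE_RECORDS = [
    {"object": "Case", "id": "500XXXXXXXXXXXX001", "fields": {
        "Subject": "Prod deploy failing",
        "Description": "Use key AKIAIOSFODNN7EXAMPLE and secret "
                       "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY to test",
    }},
    {"object": "Account", "id": "001XXXXXXXXXXXX002", "fields": {
        "Name": "Acme Corp",
        "Integration_Notes__c": "snowflake password: Winter2025!",
    }},
    {"object": "Case", "id": "500XXXXXXXXXXXX003", "fields": {
        "Subject": "Billing question",
        "Description": "Customer asked about invoice 44817; no action needed.",
    }},
]

# Illustrative pattern set; extend with the credential formats your org uses.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # Keyword followed by a value: "password: x", "api_key=y", "secret z".
    # Noisy on ordinary prose by design; triage narrows it down.
    "credential_keyword": re.compile(
        r"\b(?:password|passwd|pwd|api[_ -]?key|secret|token)\b\s*[:=]?\s*\S+", re.I),
}
# Long base64/URL-safe runs with high character entropy catch opaque tokens
# (Snowflake, session tokens) that have no fixed prefix to match on.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; heuristic, tune on your data


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value, keep=4):
    """Keep a short prefix so findings can be triaged without re-exposing the secret."""
    return value[:keep] + ("..." if len(value) > keep else "")


def scan_text(text):
    """Yield (kind, matched_value) for every secret-like hit in one text value."""
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            yield kind, m.group(0)
    for m in TOKEN_RE.finditer(text):
        token = m.group(0)
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            yield "high_entropy_token", token


def scan_records(records):
    """Scan every string field of every record; return redacted findings."""
    findings = []
    for rec in records:
        for field, value in rec["fields"].items():
            if not isinstance(value, str):
                continue
            for kind, hit in scan_text(value):
                findings.append({"object": rec["object"], "id": rec["id"],
                                 "field": field, "kind": kind, "sample": redact(hit)})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['object']} {f['id']} {f['field']}: {f['kind']} ({f['sample']})")
```

Findings carry only a redacted prefix of each hit, so the scan report itself does not become a second copy of the secret. In a real run the record list would come from SOQL or Bulk API queries over each object's long-text and rich-text fields, and any confirmed hit should be treated as a credential to rotate, not just a field to clean up.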

How AppOmni helps application owners stay ahead

AppOmni helps organizations prevent, detect, and respond to SaaS breaches. The platform delivers deep visibility into third-party OAuth integrations and enforces monitoring policies and controls to block suspicious activity such as mass exports or anomalous API calls.

By combining Threat Intelligence Enrichment with User and Entity Behavior Analytics (UEBA), AppOmni normalizes SaaS logs to quickly surface anomalies like mass SOQL queries, excessive OAuth token use, or unusual data exports. These capabilities enable early detection of adversarial campaigns, even when attackers attempt to evade detection or blend into normal workflows.

With immediate visibility and control over your applications, security teams can stay ahead of attackers. Explore our Salesforce handbook to learn more about recent attack patterns and how to stop them.

Wondering if a connected app like Drift could put your Salesforce data at risk? Request a complimentary risk assessment of your Salesforce Instance.