Google unmasks ‘UNC6040’ vishing gang targeting Salesforce users
Google’s Threat Intelligence Group (GTIG) has unmasked UNC6040, a financially-driven gang that runs English-language voice-phishing (vishing) campaigns. Posing as IT support staff, callers persuade employees to install or approve a doctored version of Salesforce’s Data Loader. Once authorised, the tool siphons corporate Salesforce data, after which the attackers pivot into Okta, Workplace and Microsoft 365 for wider theft. Months later, victims may face extortion demands, with UNC6040 claiming links to the ShinyHunters crime ring. The group shares tactics with the loose collective known as “The Com”, which includes Scattered Spider. Salesforce stresses that no platform flaws were exploited—the breaches rely entirely on social engineering.
Who are UNC6040?
Google’s security analysts have flagged a new crime outfit, UNC6040, that specialises in telephone-based phishing. Operators pose as help-desk staff and sound convincing enough to fool English-speaking employees.
Their tactic
Victims are steered to Salesforce’s “Connected App” page and asked to approve a look-alike Data Loader app (sometimes branded “My Ticket Portal”). Approval hands the crooks API access to vast troves of customer data.
What happens next?
Stolen records are exfiltrated and, weeks later, the gang resurfaces with an extortion threat, citing links to the ShinyHunters leak site for extra pressure. They also roam laterally into Okta, Workplace and Microsoft 365 accounts, broadening the damage.
Links to other groups
GTIG notes clear overlaps with the cyber-crime collective “The Com”—home to Scattered Spider—suggesting shared tooling or personnel.
No Salesforce hack required
Salesforce insists its platform remains secure; the breach succeeds only because users are tricked into granting access. Multi-factor authentication, IP restrictions and staff awareness remain the best defences.
How to protect your organisation
• Warn staff about unsolicited “IT support” calls.
• Lock down the creation of new Connected Apps.
• Monitor for unexpected Data Loader activity.
• Review Okta and M365 logs for unusual log-ins.
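One way to act on the "lock down Connected Apps" and "monitor Data Loader activity" points above, as an added example that is not code from Google, Salesforce or the original article: a small triage script that flags approvals of connected apps outside an allowlist, notes names resembling the lures described above, and totals the rows each app pulled afterwards. The event schema (`ts`, `type`, `user`, `app_id`, `app_name`, `rows`), the app IDs and the thresholds are assumptions for illustration, not Salesforce's log format; map them from your own event export.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Names the article says the rogue app imitates or uses.
LURE_NAMES = ("data loader", "my ticket portal")

def looks_like_lure(app_name, threshold=0.8):
    """True if app_name closely resembles one of the names in LURE_NAMES."""
    name = " ".join(app_name.lower().split())
    return any(SequenceMatcher(None, name, lure).ratio() >= threshold
               for lure in LURE_NAMES)

def find_suspicious_apps(events, approved_app_ids, row_threshold=10000):
    """Return one finding per unapproved connected app, with reasons."""
    authorised = {}                # app_id -> (user, app_name, first approval ts)
    rows_after = defaultdict(int)  # app_id -> rows pulled after approval
    for ev in sorted(events, key=lambda e: e["ts"]):
        app_id = ev["app_id"]
        if app_id in approved_app_ids:
            continue  # allowlisted app, e.g. the organisation's vetted Data Loader
        if ev["type"] == "oauth_authorize":
            authorised.setdefault(app_id, (ev["user"], ev["app_name"], ev["ts"]))
        elif ev["type"] == "api_query" and app_id in authorised:
            rows_after[app_id] += ev["rows"]
    findings = []
    for app_id, (user, name, ts) in authorised.items():
        reasons = ["unapproved connected app"]
        if looks_like_lure(name):
            reasons.append("name resembles Data Loader lure")
        if rows_after[app_id] >= row_threshold:
            reasons.append("bulk export after approval")
        findings.append({"app_id": app_id, "user": user, "app_name": name,
                         "authorised_at": ts, "rows": rows_after[app_id],
                         "reasons": reasons})
    return findings

# Constructed sample events (hypothetical schema and IDs, not real log data).
SAMPLE_EVENTS = [
    {"ts": 1, "type": "oauth_authorize", "user": "alice", "app_id": "APP-OFFICIAL", "app_name": "Data Loader"},
    {"ts": 2, "type": "api_query", "user": "alice", "app_id": "APP-OFFICIAL", "rows": 500},
    {"ts": 3, "type": "oauth_authorize", "user": "bob", "app_id": "APP-X1", "app_name": "My Ticket Portal"},
    {"ts": 4, "type": "api_query", "user": "bob", "app_id": "APP-X1", "rows": 42000},
    {"ts": 5, "type": "oauth_authorize", "user": "carol", "app_id": "APP-X2", "app_name": "Expense Sync"},
]

if __name__ == "__main__":
    for finding in find_suspicious_apps(SAMPLE_EVENTS, {"APP-OFFICIAL"}):
        print(finding)
```

Every unapproved approval is reported, because the name check alone would miss a rogue app with an unrelated name; the lure and bulk-export reasons only raise priority.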