HQ/EMEAFind out how we can help your business
The Federal Bureau of Investigation (FBI) has issued a security advisory highlighting recent malicious cyber activities targeting Salesforce environments. The alert provides critical Indicators of Compromise (IOCs) linked to threat clusters UNC6040 and UNC6395, both of which are associated with data theft and extortion operations. The agency urges organizations to proactively implement security measures to detect, block, and mitigate potential intrusions.
Rising Threats Against Salesforce Platforms
Both UNC6040 and UNC6395 have recently focused their attacks on organizations leveraging Salesforce, exploiting different vectors for initial access:
UNC6040 Campaign
- Tactics: Known for voice phishing (vishing) campaigns.
- Method: Operators impersonate IT support staff via phone calls, engaging in convincing social engineering to trick employees into sharing credentials or granting access.
- Target: Multinational corporations, particularly employees in English-speaking regions.
- Impact: Successful intrusions leading to unauthorized access and data exfiltration.
UNC6395 Campaign
- Tactics: Targeted OAuth integrations.
- Method: Exploited compromised OAuth tokens tied to the Salesloft Drift–Salesforce integration.
- Impact: Unauthorized access to Salesforce environments, enabling exfiltration of sensitive customer data.
Recommended Mitigation Strategies: The FBI strongly recommends that organizations take proactive measures to reduce the risk of compromise:
1. Employee Awareness & Training:
- Conduct phishing and vishing simulation exercises.
- Train staff to verify unexpected IT support calls and requests.
2. OAuth Token Security:
- Audit and monitor OAuth integrations with Salesforce and third-party applications.
- Revoke unused or suspicious tokens immediately.
3. Network & Endpoint Monitoring:
- Monitor for anomalous User-Agent strings and suspicious outbound connections.
- Compare internal logs with FBI-provided IOCs.
4. Access Controls:
- Enforce multi-factor authentication (MFA) for Salesforce and critical applications.
- Restrict access based on least privilege principles.
5. Incident Response Readiness:
- Maintain a clear escalation and response plan.
- Ensure logging and monitoring tools are tuned to detect Salesforce-related anomalies.
Indicators of Compromise (IOCs)
The FBI has shared a comprehensive list of IP addresses, URLs, and User-Agent strings tied to the campaigns. Security teams are advised to vet and monitor these indicators carefully before implementing blocking measures, to avoid disruption of legitimate operations.
UNC6040 – Notable IOCs:
IP Addresses:
- 13.67.175.79
- 20.190.130.40
- 20.190.151.38
- 20.190.157.160
- 20.190.157.98
- 23.145.40.165
- 23.145.40.167
- 23.145.40.99
- 23.162.8.66
- 23.234.69.167
- 23.94.126.63
- 31.58.169.85
- 31.58.169.92
- 31.58.169.96
- 34.86.51.128
- 35.186.181.1
- 37.19.200.132
- 37.19.200.141
- 37.19.200.154
- 37.19.200.167
- 37.19.221.179
- 38.22.104.226
- 45.83.220.206
- 51.89.240.10
- 64.94.84.78
- 64.95.11.225
- 64.95.84.159
- 66.63.167.122
- 67.217.228.216
- 68.235.43.202
- 68.235.46.22
- 68.235.46.202
- 68.235.46.151
- 68.235.46.208
- 68.63.167.122
- 69.246.124.204
- 72.5.42.72
- 79.127.217.44
- 83.147.52.41
- 87.120.112.134
- 94.156.167.237
- 96.44.189.109
- 96.44.191.141
- 96.44.191.157
- 104.223.118.62
- 104.193.135.221
- 141.98.252.189
- 146.70.165.47
- 146.70.168.239
- 146.70.173.60
- 146.70.185.47
- 146.70.189.47
- 146.70.189.111
- 146.70.198.112
- 146.70.211.55
- 146.70.211.119
- 146.70.211.183
- 147.161.173.90
- 149.22.81.201
- 151.242.41.182
- 151.242.58.76
- 163.5.149.152
- 185.141.119.136
- 185.141.119.138
- 185.141.119.151
- 185.141.119.166
- 185.141.119.168
- 185.141.119.181
- 185.141.119.184
- 185.141.119.185
- 185.209.199.56
- 191.96.207.201
- 192.198.82.235
- 195.54.130.100
- 196.251.83.162
- 198.44.129.56
- 198.44.129.88
- 198.244.224.200
- 198.54.130.100
- 198.54.130.108
- 198.54.133.123
- 205.234.181.14
- 206.217.206.14
- 206.217.206.25
- 206.217.206.26
- 206.217.206.64
- 206.217.206.84
- 206.217.206.104
- 206.217.206.124
- 208.131.130.53
- 208.131.130.71
- 208.131.130.91
URLs:
- Login[.]salesforce[.]com/setup/connect?user_code=aKYF7V5N
- Login.salesforce.com/setup/connect?user_code=8KCQGTVU
- https://help[victim][.]com
- https://login[.]salesforce[.]com/setup/connect
- http://64.95.11[.]112/hello.php
- 91[.]199[.]42[.]164/login
UNC6395 – Notable IOCs:
IP Addresses:
- 208.68.36.90
- 44.215.108.109
- 154.41.95.2
- 176.65.149.100
- 179.43.159.198
- 185.130.47.58
- 185.207.107.130
- 185.220.101.133
- 185.220.101.143
- 185.220.101.164
- 185.220.101.167
- 185.220.101.169
- 185.220.101.180
- 185.220.101.185
- 185.220.101.33
- 192.42.116.179
- 192.42.116.20
- 194.15.36.117
- 195.47.238.178
- 195.47.238.83
User-Agent Strings:
- Salesforce-Multi-Org-Fetcher/1.0
- Salesforce-CLI/1.0
- python-requests/2.32.4
- Python/3.11 aiohttp/3.12.15
Conclusion
The FBI’s latest advisory underscores the growing sophistication of financially motivated cybercriminal groups targeting widely used cloud platforms like Salesforce. With groups such as UNC6040 and UNC6395 employing both social engineering and technical exploitation, organizations must strengthen their defenses through a combination of awareness training, strict access controls, and vigilant monitoring.
Security teams should review the IOCs provided in the advisory and adapt their detection and prevention strategies accordingly.
For the full FBI advisory and the complete list of IOCs, visit: FBI IC3 Advisory – September 12, 2025 (PDF).
