Google has revealed a new cyberattack campaign that mixes phone scams with cloud hacking. This time, even Google was not fully safe. One of its own Salesforce instances was breached during the attack. It was not a major internal breach, but it shows how serious this threat is and how easily even big companies can be tricked.
In a detailed blog post from the Google Threat Intelligence team, Google has confirmed that a financially motivated group, UNC6040, used voice phishing (vishing) tactics to trick employees into giving up access to company Salesforce systems. Once in, attackers quietly stole data and, in some cases, returned months later with extortion threats.
This was not some complex software exploit. The attack started with a simple phone call. A fake IT support agent, usually speaking English fluently, called an employee and guided them through what looked like a legitimate Salesforce setup. But the app they were asked to approve was not from Salesforce. It was a modified Data Loader application controlled by the hackers.
Once the victim unknowingly approved the app, the attackers could access and download Salesforce data in bulk without triggering any alarms.
Google says the hackers used custom Python-based tools that mimicked the Data Loader app but with hidden capabilities. Some apps were even named things like “My Ticket Portal” to match the fake IT support story used in the call. The stolen data was then used by another group, UNC6240.
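The detection a defender would want for the pattern just described is a check for a connected app that is not on the organisation's vetted list, or was only just authorised, and immediately starts exporting records in bulk. The following is an added example, not code from Google's post or from Salesforce; the log records are constructed and their field layout is a simplified assumption, not Salesforce's real event log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Salesforce logs):
# (UTC timestamp, user, connected app name, event type, rows exported)
SAMPLE_EVENTS = [
    ("2025-06-01T09:00:00Z", "alice", "Salesforce Data Loader", "APP_AUTHORIZED", 0),
    ("2025-06-01T09:05:00Z", "alice", "Salesforce Data Loader", "BULK_QUERY", 4000),
    ("2025-06-02T14:10:00Z", "bob", "My Ticket Portal", "APP_AUTHORIZED", 0),
    ("2025-06-02T14:14:00Z", "bob", "My Ticket Portal", "BULK_QUERY", 250000),
    ("2025-06-02T14:20:00Z", "bob", "My Ticket Portal", "BULK_QUERY", 310000),
    ("2025-06-03T08:00:00Z", "carol", "Salesforce Data Loader", "BULK_QUERY", 12000),
]

# Hypothetical allowlist of connected apps the org has actually vetted.
ALLOWED_APPS = {"Salesforce Data Loader"}
BULK_THRESHOLD = 100_000           # rows per (user, app) before we care
AUTH_WINDOW = timedelta(hours=24)  # "brand-new app, immediate bulk pull"

def detect_suspicious_exports(events, allowed=ALLOWED_APPS,
                              threshold=BULK_THRESHOLD, window=AUTH_WINDOW):
    """Return one alert per (user, app) whose cumulative export crosses
    `threshold` while the app is either off the allowlist or was first
    authorised for that user less than `window` ago."""
    first_auth = {}            # (user, app) -> time of first authorisation
    rows = defaultdict(int)    # (user, app) -> cumulative rows exported
    alerted, alerts = set(), []
    for ts, user, app, event, n in sorted(events, key=lambda e: e[0]):
        key = (user, app)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event == "APP_AUTHORIZED":
            first_auth.setdefault(key, when)
            continue
        if event != "BULK_QUERY":
            continue
        rows[key] += n
        if rows[key] < threshold or key in alerted:
            continue
        reasons = []
        if app not in allowed:
            reasons.append("app not on allowlist")
        if key in first_auth and when - first_auth[key] <= window:
            reasons.append("bulk export within %s of first authorization" % window)
        if reasons:
            alerted.add(key)
            alerts.append((user, app, rows[key], "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in detect_suspicious_exports(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the vetted Data Loader traffic passes, while "My Ticket Portal" is flagged on both grounds as soon as its exports pass the threshold.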
In Google’s case, the targeted Salesforce instance held contact information and business details for small and medium businesses. The company confirmed that only a limited set of basic data was accessed before it cut off the attacker’s access.
But for other companies, the damage could be worse. Google warns that attackers have targeted other cloud platforms too, including Okta and Microsoft 365, once they get an initial foothold through Salesforce.
This campaign is a reminder that cloud security is a shared responsibility. Salesforce and similar platforms provide strong security tools, but it is up to companies to configure them properly and train employees to resist social engineering.
The scary part is how this attack was performed. There is no malware involved. No code injection. Just a smooth-talking scammer pretending to help you with a tech issue. And it works. What is even more worrying is the long delay between the initial breach and the extortion attempt. That gap gives attackers time to sell, share, or reuse stolen data, and makes it harder for victims to connect the dots.
Google suspects that these attackers are preparing to launch a public data leak site. If true, we could see a wave of leaked business data, not just from large enterprises but also from small firms that never realized they were compromised.
Companies will need to tighten Salesforce access controls, restrict connected apps, and train staff to be suspicious of anyone asking for credentials or approval codes.