The Cost of a Call: From Voice Phishing to Data Extortion
ID: 713753e0-d4ca-5487-b572-c42185b6b853
STIX ID: report--713753e0-d4ca-5487-b572-c42185b6b853
Feed Name: Threat Intelligence
This report details a financially motivated vishing campaign attributed to UNC6040 that targets IT support personnel to gain access to Salesforce environments, often using modified Data Loader clients to exfiltrate data and later pursue extortion. It describes operational behaviors (small test queries followed by bulk exfiltration, customized tool names matching social engineering pretexts), highlights the growing trend of targeting support staff, and provides mitigations including least privilege for data-access tools, strict connected app management, IP restrictions, Salesforce Shield monitoring, and universal MFA.
