Cloud Security Office Hours Banner

Salesloft Drift / UNC6395 2025

Step-by-step kill chain mapped to MITRE ATT&CK Cloud, sourced from official post-mortems and primary technical analyses.

August 2025 Critical Salesforce

Salesloft Drift / UNC6395 - GitHub Compromise → Stolen Drift OAuth Tokens → Bulk SOQL Exfil → Secret-Mining → 700+ Orgs Hit

A threat actor tracked as UNC6395 (also referenced as GRUB1) stole OAuth refresh and access tokens tied to the Salesloft Drift third-party chat integration and used them to reach hundreds of organizations' Salesforce instances. Over roughly ten days in August 2025 the actor ran automated OAuth-authenticated SOQL queries to bulk-export Salesforce objects, then combed the exported data for embedded secrets - AWS access keys (AKIA...), Snowflake tokens, VPN credentials, and passwords - to enable downstream compromise. The root cause was traced back to a compromise of Salesloft's GitHub environment (March-June 2025) that let the actor pivot into the Drift AWS environment and harvest the integration's customer OAuth tokens. 700+ organizations were potentially affected, including major security vendors, making this one of the largest SaaS supply-chain incidents of 2025.

700+ organizations potentially affected
Aug 8-18, 2025 ~10-day exfiltration window
OAuth tokens stolen Drift integration credentials
Threat actor: UNC6395 / GRUB1 (tracked by Google GTIG / Mandiant)
📄 Google Threat Intelligence Group - Salesloft Drift analysis ↗ 📄 Cloudflare - response to the Salesloft Drift incident ↗
🕵️ Recon & Upstream Compromise - Salesloft GitHub / Drift AWS
01
Actor accessed Salesloft's GitHub between March and June 2025, then pivoted into the Drift AWS environment to harvest customer OAuth tokens
T1552 - Unsecured Credentials

The upstream root cause was a compromise of Salesloft's GitHub account. From March through June 2025 the actor downloaded content from multiple private repositories, added a guest user, and established suspicious CI/CD workflows. From there the actor pivoted into the Drift AWS environment, where the OAuth access and refresh tokens issued to Drift's customer integrations were stored. Harvesting those tokens gave the actor pre-authenticated access to every downstream Salesforce tenant that had connected Drift - no victim-side credential theft required.

Upstream entry: Salesloft GitHub account (repos downloaded, guest user + workflows added)
Pivot: Salesloft GitHub → Drift AWS environment holding customer OAuth tokens
Dwell time: Undetected GitHub access March-June 2025 before the Salesforce campaign
GitHub CompromiseAWS PivotSupply ChainT1552
Initial Access - Stolen Drift OAuth Tokens
02
UNC6395 authenticated to victim Salesforce (and some Google Workspace) tenants using the stolen Drift OAuth tokens - no password or MFA challenge
T1528 - Steal Application Access Token

The stolen Drift OAuth refresh and access tokens were valid, pre-authorized application credentials, so the actor connected directly to each customer's Salesforce instance through the trusted integration - bypassing user login, MFA, and password controls entirely. Because the access rode an approved third-party tenant integration, activity blended in with normal Drift API traffic. Separately, on August 9 the actor abused OAuth tokens for the Drift Email integration to read email from a very small number of Google Workspace accounts that had specifically connected Drift.

Credential type: OAuth refresh + access tokens for the Drift integration (T1528)
Auth path: Trusted third-party app connection - no user login, MFA, or password prompt
Also abused: Drift Email OAuth tokens → small number of Google Workspace mailboxes (Aug 9)
OAuth Token TheftDrift IntegrationNo MFA PathT1528
🔍 Discovery - Enumerate Salesforce Objects
03
Actor enumerated accessible Salesforce objects and mapped high-value tables via the API
T1213 - Data from Information Repositories

Operating through Salesforce's APIs with Python-based tooling, UNC6395 enumerated the standard objects reachable by the compromised Drift integration to find where sensitive text lived. The actor focused on records that commonly hold free-text and credential-bearing content - Cases (support ticket bodies), Accounts, Contacts, Users, and Opportunities. Support case text was a prime target because customers routinely paste keys, tokens, and passwords into tickets. The actor used custom user-agent strings to appear like a legitimate integration and reduce the chance of anomaly detection.

Objects targeted: Case, Account, Contact, User, Opportunity
Why Cases: Support case bodies frequently contain pasted secrets and credentials
Evasion: Custom user-agent strings to mimic legitimate Drift API traffic
Object EnumerationSalesforce APISupport CasesT1213
📤 Exfiltration - Bulk SOQL Queries
04
Bulk SOQL queries and Bulk API exports pulled large volumes of records out of each tenant
T1530 - Data from Cloud Storage

The actor executed automated Salesforce Object Query Language (SOQL) queries and used the Bulk API to export large volumes of records from the targeted objects across hundreds of tenants. The queries and jobs ran through the same OAuth-authenticated integration channel, so exfiltration looked like ordinary bulk integration activity. Over the roughly ten-day window (August 8-18, 2025) the actor systematically drained support-case text, contact, and account data from 700+ organizations. Salesforce event logs retained the queries for post-incident forensics, but no real-time DLP alert fired during the bulk pulls.

Method: Automated SOQL queries + Salesforce Bulk API export jobs
Channel: OAuth-authenticated Drift integration - blends with normal bulk API traffic
Scope: 700+ tenants drained over ~10 days (Aug 8-18, 2025)
Detection gap: No DLP or rate-limit alert on large SOQL / Bulk API exports
SOQLBulk APIData ExfiltrationT1530
💰 Impact - Mine Exports for Embedded Secrets
05
Exfiltrated data was mined for embedded secrets to enable downstream cloud compromise
T1552 - Unsecured Credentials

The campaign's real objective was credential harvesting, not the Salesforce data itself. UNC6395 scanned the stolen exports - likely with scripts and regex - for patterns that reveal secrets: AWS access key IDs (AKIA...), Snowflake tokens, VPN credentials, and password strings pasted into support cases. Any live secret found became a foothold into a victim's cloud estate, turning one SaaS integration breach into potential AWS and data-warehouse compromise. On August 20, 2025 Salesloft and Salesforce revoked all active Drift OAuth tokens and Salesforce removed the Drift app from AppExchange pending investigation.

Secrets hunted: AWS keys (AKIA...), Snowflake tokens, VPN credentials, plaintext passwords
Goal: Downstream compromise - pivot from SaaS data into AWS / Snowflake environments
Containment: Aug 20, 2025 - Salesloft & Salesforce revoked Drift tokens; Drift pulled from AppExchange
Secret MiningAKIA KeysDownstream CompromiseT1552

🛡 How to Defend Against This Chain

Inventory and scope every third-party OAuth integration connected to your SaaS tenants. Maintain a live register of connected apps in Salesforce, Google Workspace, and other SaaS platforms, and grant each the minimum OAuth scopes it actually needs. A chat widget should not carry broad read access to every Case, Account, and User object - narrow scopes shrink what a stolen token can reach.
Deploy SaaS Security Posture Management (SSPM) to watch integration behavior, not just user logins. An IAM-plus-SSPM approach that baselines each integration's normal API volume, objects, and user-agent can flag the anomaly here - a Drift token suddenly running bulk SOQL exports across every object. Feed connected-app and API telemetry into your SIEM.
Never store secrets in support cases, CRM notes, or free-text SaaS fields. This breach was devastating because customers had pasted AWS keys, Snowflake tokens, and passwords into Salesforce Cases. Use a dedicated secrets manager, scan CRM and ticketing free-text for credential patterns (AKIA, token=, password:), and auto-redact or block them at ingestion.
Rotate and short-lease integration tokens, and revoke aggressively on any provider incident. Long-lived OAuth refresh tokens are a standing key to your data. Prefer short token lifetimes, rotate integration credentials regularly, and when a SaaS provider discloses a compromise, immediately revoke that app's tokens and remove it from allowlists rather than waiting for guaranteed impact confirmation.
Assume any exposed key is burned and rotate downstream credentials. Because the actor mined exports for embedded secrets, every AWS access key, Snowflake token, or password that ever touched an affected Salesforce or Workspace tenant should be rotated and monitored. Review CloudTrail and Snowflake query history for use of any potentially exposed credential after the exposure window.

Related defense topics