
UNC6395 Salesloft Drift OAuth token theft campaign targeting Salesforce

Campaign
Happening score: 52
3 unique sources, 3 articles

Summary


The UNC6395 campaign is broader than first reported, with Salesloft Drift OAuth tokens now treated as potentially compromised across all integrations. Attackers used stolen tokens to reach Salesforce instances from August 8 to 18, 2025, showing a wider token-abuse operation than a single-point intrusion. Google also found limited email access to a small number of Google Workspace accounts on August 9, 2025 through the Drift Email integration. The scope raises risk for any organization that stores or connects authentication tokens to Drift and forces immediate credential review and integration shutdowns.

Related Happenings

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

TikTok for Business phishing campaign using Turnstile and reverse proxy

Campaign
First: 26.03.2026 16:09 Last: 26.03.2026 16:09 Sources 1

About this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Microsoft Entra device code phishing and vishing campaign

Campaign
First: 19.02.2026 14:30 Last: 19.02.2026 14:30 Sources 1

About this happening: A **device code phishing campaign** is targeting **Microsoft 365 identities** through the **OAuth 2.0 device authorization flow**, letting attackers steal valid access tokens afte...

Microsoft 365 device-code phishing defenses for OAuth token abuse

Defensive Guidance
First: 19.02.2026 14:30 Last: 19.02.2026 14:30 Sources 1

About this happening: Defenders are tightening **Microsoft 365** protections against **device code phishing** and **vishing**, a technique that can hand attackers valid **OAuth tokens** for **Microsoft...

Timeline

  1. 08.09.2025 23:17 1 article · 8mo ago

    UNC6395 compromises Salesloft GitHub account and steals Drift AWS OAuth tokens

    Technical Analysis Update

    Salesloft said Mandiant determined UNC6395's intrusion into the company began as early as March with a compromised GitHub account, followed by data downloads from multiple Salesloft repositories and reconnaissance in the Salesloft and Drift environments between March and June. The intruders then reached Drift's Amazon Web Services (AWS) environment and stole OAuth tokens for Drift customers' technology integrations, extending the token-theft campaign beyond Salesforce.

  2. 03.09.2025 12:53 1 article · 8mo ago

    Cloudflare, Palo Alto Networks, and Zscaler confirm Salesforce data theft in Salesloft Drift campaign

    Victim Impact Update

    Cloudflare, Palo Alto Networks, and Zscaler said their Salesforce instances were hacked as part of the Salesloft Drift data theft campaign that used compromised OAuth tokens to export data from hundreds of organizations between August 8 and August 18, 2025. Cloudflare said the stolen data included customer contact information and basic support case data and that it found 104 Cloudflare API tokens in the compromised data, while Zscaler said the exfiltrated Salesforce data included names, business email addresses, phone numbers, job titles, location details, licensing information, and plain text content from certain support cases.

  3. 29.08.2025 10:24 1 article · 9mo ago

    Stolen Drift Email OAuth tokens access Google Workspace email accounts

    Exploitation Observed

    Stolen OAuth tokens for the Drift Email integration were used to access email from a small number of Google Workspace email accounts on August 9, 2025, and the access was limited to accounts specifically configured to integrate with Salesloft.

  4. 29.08.2025 10:24 1 article · 9mo ago

    Google broadens Salesloft Drift campaign scope to all integrations

    Campaign Scope Update

    Google said the Salesloft Drift campaign was broader than first understood and now affects all integrations, warning customers to treat stored or connected authentication tokens as potentially compromised. Google Threat Intelligence Group and Mandiant linked the activity to UNC6395, said the attackers used compromised OAuth tokens associated with Salesloft Drift to target Salesforce instances, and described response actions that included notifying impacted users, revoking the specific OAuth tokens granted to the Drift Email application, disabling Google Workspace integration functionality, and Salesforce temporarily disabling Salesloft integrations.
