Mandiant UNC6040 identity verification guidance
Advisory/Mitigation
Summary
Mandiant released mitigation guidance after repeated UNC6040 compromises of Salesforce instances, urging organizations to use live video identity proofing and out-of-band verification to reduce vishing-driven account takeover risk. The advice also targets help-desk and third-party access workflows that attackers have been abusing to steal credentials and data. It matters because the observed intrusions relied on social engineering, not a Salesforce flaw, so identity controls are the main defensive barrier.
Related Happenings
Healthcare phishing defense guidance for VPN MFA and continuous training
Defensive Guidance
First: 22.05.2026 16:17
Last: 22.05.2026 16:17
Sources 1
About this happening:
Healthcare defenders were urged to treat **phishing** as a top priority, which matters because social engineering is a direct path to **credential abuse** in clinical environments...
Microsoft AiTM payroll pirate attack mitigation
Advisory/Mitigation
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
**Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
ShinyHunters widespread Okta SSO data theft campaign
Campaign
First: 03.04.2026 20:41
Last: 03.04.2026 20:41
Sources 1
About this happening:
**ShinyHunters** is tied to a **widespread campaign** that compromised **Okta SSO accounts** to steal data from third-party **cloud storage** and **SaaS platforms**, widening the...
Signal and WhatsApp anti-phishing account-hardening guidance
Defensive Guidance
First: 21.03.2026 15:17
Last: 21.03.2026 15:17
Sources 1
About this happening:
A **UK National Cyber Security Centre (NCSC)** alert on **March 31** warned that **Russia-based actors** are increasing **targeted attacks** against **high-risk individuals** usin...
Timeline
- 02.10.2025 00:17 · 2 articles · 7mo ago
Mandiant issues UNC6040 Salesforce hardening guidance
Technical Analysis Update
Mandiant released guidance for organizations facing UNC6040 vishing campaigns against Salesforce instances, warning that attackers trick employees into visiting a modified Salesforce Data Loader app, stealing sensitive data and credentials, and sometimes extending access into Okta and Microsoft 365. The recommended defenses center on not trusting caller identity by default, using multiple verification methods, applying live video identity proofing, adding out-of-band verification for high-risk requests such as MFA resets, and tightening handling of third-party support calls and suspicious communications reporting.
Sources
- Google Sheds Light on ShinyHunters' Salesforce Tactics — www.darkreading.com — 02.10.2025 00:17