A financially motivated group of hackers tracked as UNC6040 is using a simple but effective tactic to breach enterprise environments: picking up the phone and pretending to be IT support, a technique known as voice phishing, or vishing.

According to a new report from Google’s Threat Intelligence Group (GTIG), this actor has been impersonating internal tech staff in phone-based social engineering attacks. Their goal is to trick employees, mostly in English-speaking branches of multinational companies, into granting access to sensitive systems, particularly Salesforce, a widely used customer relationship management (CRM) platform.

How the Scam Works

UNC6040 doesn’t rely on exploits or security vulnerabilities. Instead, it counts on human error. The attackers call employees and walk them through approving a connected app inside Salesforce. This isn’t just any app: it is often a modified version of Salesforce’s legitimate Data Loader tool.

With this access, attackers can query and extract vast amounts of data from the targeted organization. In some cases, they disguise the tool as “My Ticket Portal,” a name aligned with the IT support theme of the scam.

Once access is granted, UNC6040 pulls data in stages. Sometimes, they start small to avoid detection, using test queries and limited batch sizes. If the initial probing goes unnoticed, they scale up the operation and begin large-volume exfiltration.

Extortion Comes Later

Interestingly, data theft doesn’t always lead to immediate demands. In several incidents, months passed before victims received extortion messages. In those messages, attackers claimed to be associated with the well-known hacking group ShinyHunters, a move likely aimed at increasing pressure on victims to pay up.

This delayed approach hints that UNC6040 might be working with other actors who specialize in monetizing stolen data. Whether they’re selling access or handing off the data for follow-up attacks, the long pause makes incident detection and response more complicated for security teams.

While the primary target is Salesforce, the group’s ambitions don’t end there. Once they gain credentials, UNC6040 has been observed moving laterally through corporate systems, targeting platforms like Okta and Microsoft 365. This broader access allows them to collect additional valuable data, deepen their presence, and build leverage for future extortion attempts.

Attack flow (Google)

Protecting Against These Attacks

GTIG advises taking a few clear steps to make these types of breaches less likely. First, limit who has access to powerful tools like Data Loader: only users who genuinely need it should have permissions, and those should be reviewed regularly. It’s also important to manage which connected apps can access your Salesforce setup; any new app should go through a formal approval process.

To prevent unauthorized access, especially from attackers using VPNs, logins and app authorizations should be restricted to trusted IP ranges. Monitoring is another key piece: platforms like Salesforce Shield can flag and react to large-scale data exports in real time. While multi-factor authentication (MFA) isn’t perfect, it still plays a major role in protecting accounts, especially when users are trained to spot tricks like phishing calls that try to get around it.
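As an added illustration, not taken from the Google report or from Salesforce, the three controls above (connected-app allowlist, trusted IP ranges, export monitoring) can be combined into one detection pass over connected-app API events. The record format, IP ranges, app allowlist and threshold are constructed assumptions; summing rows per user and app, rather than checking each request on its own, is what catches the “start small, then scale up” staging described earlier.

```python
"""Detection pass over connected-app API events for the UNC6040 pattern: unapproved
app, source IP outside trusted ranges, staged exports crossing a cumulative threshold."""
import ipaddress
from collections import defaultdict

# Constructed sample events in a simplified format (not Salesforce's real event log
# schema): a renamed Data Loader approved after a vishing call, probing small, then scaling up.
EVENTS = [
    {"ts": "2025-06-04T09:02Z", "user": "jdoe", "app": "Data Loader",
     "ip": "203.0.113.7", "rows": 500},
    {"ts": "2025-06-04T14:10Z", "user": "jdoe", "app": "My Ticket Portal",
     "ip": "198.51.100.23", "rows": 20},
    {"ts": "2025-06-04T14:25Z", "user": "jdoe", "app": "My Ticket Portal",
     "ip": "198.51.100.23", "rows": 40000},
    {"ts": "2025-06-04T15:40Z", "user": "jdoe", "app": "My Ticket Portal",
     "ip": "198.51.100.23", "rows": 70000},
]

# Assumed policy values: corporate egress range, approved connected apps, and the
# cumulative export size that warrants review.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_APPS = {"Data Loader", "Salesforce Mobile"}
ROW_THRESHOLD = 100_000


def flag_events(events, trusted_nets=TRUSTED_NETS,
                approved_apps=APPROVED_APPS, row_threshold=ROW_THRESHOLD):
    """Return (ts, user, app, reasons) for each event that breaks policy. Rows are
    summed per (user, app) across the batch, so a run of small 'test' exports is
    flagged once the total crosses the threshold, even if no single request would."""
    alerts = []
    cumulative = defaultdict(int)
    for e in events:
        reasons = []
        if e["app"] not in approved_apps:
            reasons.append("unapproved connected app")
        ip = ipaddress.ip_address(e["ip"])
        if not any(ip in net for net in trusted_nets):
            reasons.append("source IP outside trusted ranges")
        key = (e["user"], e["app"])
        cumulative[key] += e["rows"]
        if cumulative[key] > row_threshold:
            reasons.append(f"cumulative export {cumulative[key]} rows exceeds {row_threshold}")
        if reasons:
            alerts.append((e["ts"], e["user"], e["app"], reasons))
    return alerts
```

Feed it a window of events (for example, one day per user) so the cumulative count reflects the staging period rather than all history.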
