A SaaS security nightmare for IT managers everywhere recently came true. Attackers leveraged legitimate OAuth tokens from Salesloft’s Drift chatbot integration with Salesforce to silently exfiltrate customer data from the popular CRM platform, according to Google Threat Intelligence Group.

The sophisticated attack exposes a critical blind spot that most security teams don’t even know they have.

When SaaS Integrations Become Attack Vectors

Between August 8-18, 2025, the threat actor Google calls UNC6395 targeted the OAuth-based connection between Drift and Salesforce—an integration that thousands of sales teams rely on daily to sync marketing conversations and lead data.

The attacker understood a key fact about modern business: much of it runs on SaaS integrations, not just individual applications.

OAuth tokens act like digital keys between SaaS applications. Once compromised, they provide sustained access without triggering typical user authentication alerts.

What made this attack problematic was its use of legitimate tools. No unusual login patterns, no suspicious file downloads, just normal API calls using valid integration tokens.

Salesloft and Salesforce have now revoked all active access and refresh tokens associated with the Drift application, and Salesforce removed the Drift application from AppExchange pending investigation.

The Hidden Risk of SaaS-to-SaaS Integrations

Typical SaaS security tools excel at monitoring user access patterns or flagging unusual login locations. But they often miss today’s reality, in which business-critical data flows constantly between SaaS applications.

Consider your typical sales team setup: Drift talks to Salesforce, which connects to HubSpot, which integrates with Slack, which syncs with Google Workspace. Each connection typically uses OAuth tokens that essentially grant one application permission to act on behalf of another.

These integration points create a potential weakness where a single compromised token can provide access far beyond its original scope. An attacker who compromises a marketing automation integration might suddenly have access to customer records, financial data, or internal communications.

Most SaaS security tools focus on user-to-SaaS connections. They’re great at spotting when the CFO logs in from an unusual location, or when someone tries to download a file they shouldn’t, but they can miss entirely when a compromised integration token starts exporting customer databases.

Integration Detection

Here’s where the Drift-Salesforce attack becomes a perfect case study for what modern SaaS security should look like.

Real-time Integration Monitoring: Map and monitor SaaS-to-SaaS connections with API integration to discover all applications, services, and tokens, and flag unusual data export volumes even when the API calls themselves appear legitimate.

Behavioral Analytics for OAuth Tokens: Establish baselines for how each integration typically behaves, then take action in the form of alerts or automated containment when behavior strays from that baseline.

Data Movement Visibility: Track large data movements to gain visibility and detect exfiltration attempts quickly.
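
A minimal sketch of the per-integration baseline and export-volume check described in the three points above. This is an added example, not code from the original post or from any vendor product; the event fields (app, day, rows), the integration names, and the sample values are constructed assumptions.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed sample events: one JSON line per API call made with an
# integration's OAuth token. Field names are assumptions for this example.
_CALLS = [
    ("chatbot-integration", "2025-08-01", 400), ("chatbot-integration", "2025-08-01", 350),
    ("chatbot-integration", "2025-08-02", 820), ("chatbot-integration", "2025-08-03", 760),
    ("chatbot-integration", "2025-08-04", 790), ("chatbot-integration", "2025-08-05", 48000),
    ("calendar-sync", "2025-08-01", 120), ("calendar-sync", "2025-08-02", 110),
    ("calendar-sync", "2025-08-03", 130), ("calendar-sync", "2025-08-04", 125),
    ("calendar-sync", "2025-08-05", 140),
]
SAMPLE_LOG = "\n".join(json.dumps({"app": a, "day": d, "rows": r}) for a, d, r in _CALLS)


def daily_rows(log_text):
    """Sum rows returned per integration per day from JSON-lines events."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            totals[ev["app"]][ev["day"]] += int(ev["rows"])
    return totals


def flag_export_anomalies(log_text, baseline_days=4, k=5.0, floor=0.25):
    """Flag days whose row volume exceeds the integration's own baseline."""
    # Baseline: median of the first `baseline_days` days. Spread: median absolute
    # deviation, floored at floor*median so steady integrations tolerate jitter.
    alerts = []
    for app, per_day in daily_rows(log_text).items():
        days = sorted(per_day)
        if len(days) <= baseline_days:
            continue  # not enough history to judge this integration yet
        base = [per_day[d] for d in days[:baseline_days]]
        med = median(base)
        mad = median(abs(v - med) for v in base)
        limit = med + k * max(mad, floor * med)
        for d in days[baseline_days:]:
            if per_day[d] > limit:
                alerts.append((app, d, per_day[d], round(limit)))
    return alerts


if __name__ == "__main__":
    for alert in flag_export_anomalies(SAMPLE_LOG):
        print("ALERT app=%s day=%s rows=%d limit=%d" % alert)
```

Because each integration is compared only against its own history, a bulk export through a normally low-volume token stands out even though every individual call is a valid, authenticated API request.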

Beyond Detection: Comprehensive SaaS Security Strategy

The Drift-Salesforce incident highlights why organizations need to rethink their approach to SaaS security. It’s not enough to secure individual applications; you need visibility and control over the entire SaaS ecosystem.

SaaS Security, part of Check Point SASE, addresses three critical areas:

Complete SaaS Discovery: Automatically discover all SaaS applications, shadow IT, and integration points across your organization. Before you can secure your SaaS environment, you need to know what’s actually there.

Integration Risk Assessment: Not all SaaS connections carry the same risk. The solution prioritizes threats based on data sensitivity, access scope, and behavioral patterns. Your Salesforce-to-finance system integration gets different monitoring than your Slack-to-calendar connection.

Compliance Automation: With data privacy regulations like GDPR requiring organizations to track data flows, Check Point SaaS Security provides automated compliance management. This includes SaaS security posture management (SSPM) capabilities that continuously assess your SaaS configurations against security best practices and compliance frameworks.

Organizations that want to prevent similar incidents must start thinking about SaaS security as an ecosystem challenge, and not just an application-by-application problem.

As SaaS adoption accelerates and integration complexity grows, attacks like this will become more common. Are you ready with the SaaS visibility you need? Book a demo today to see how Check Point can help.
