In recent days, a fake version of Salesforce software has been used to carry out a particularly sophisticated vishing attack. Cybercriminals, posing as internal operators or company technicians, contacted victims by phone with the aim of obtaining confidential access credentials.
Using seemingly legitimate tools, they managed to penetrate the systems of some organisations, demonstrating how voice phishing can be a real threat even for major cloud players. The incident highlights the importance for companies of all sizes to strengthen verification protocols and raise employee awareness of this type of fraud.
Salesforce has confirmed that there is no vulnerability in its platform and that the incident is the result of social engineering attacks directed at users, not an internal technical problem with its systems.
Vishing & human hacking
Vishing (voice phishing) is an advanced social engineering technique in which the malicious actor exploits voice communication channels – typically VoIP spoofing or simulated calls from trusted numbers – to carry out an attack based on the cognitive manipulation of the target user. The primary objective is to exfiltrate credentials or induce the target to perform actions that violate security policies, such as bypassing MFA systems, releasing session tokens or executing remote commands.
Unlike purely technical attack vectors (e.g., software vulnerability exploits), vishing relies on exploiting the psychological attack surface, i.e., the set of behavioural and procedural weaknesses of the individual. This type of threat is particularly effective in high-pressure decision-making contexts and requires multi-level defensive measures: security training based on real-life scenarios, cross-checking procedures on out-of-band channels, and the implementation of zero-trust controls even in non-digital operational flows.
Vishing: how it works
In the case observed, the malicious actors carried out a targeted social engineering campaign based on direct voice contacts, impersonating authorised Salesforce technicians or members of the internal IT staff of the target companies. Through a well-orchestrated impersonation strategy – supported by voice spoofing, pre-acquired knowledge via OSINT and a professional tone of communication – the threat actors created a sense of operational urgency, prompting users to install a trojanised version of the Salesforce Data Loader client, distributed via counterfeit landing pages with a high level of visual spoofing (UI mirroring and seemingly legitimate certificates).
Once the payload was executed, the compromised software enabled persistence on internal endpoints, privilege escalation and, in some cases, credential exfiltration via keylogging and credential harvesting from unprotected vaults. The attack highlights a combination of human compromise and supply chain manipulation, with significant impacts on data governance, identity security and the integrity of federated authentication flows.
Vishing: the risks involved
Vishing attacks pose a serious threat to the integrity of corporate information systems, as they enable unauthorised and untraceable access to sensitive data by compromising the human component. Once credentials have been obtained or the user has been tricked into executing malicious software, threat actors can perform lateral movement, privilege escalation and persistence on critical infrastructure, evading traditional detection systems.
In the context of the Salesforce incident, the potential impact was particularly significant, as the platform manages strategic, information-rich data (CRM, sales pipeline, PII, financial data). Any compromise of this exposure surface can enable chained attacks (e.g., third-party compromise, internal spear phishing, shadow IT), generate reputational and legal damage, and facilitate extortion activities through double extortion techniques.
How to mitigate the risk
Protection against vishing attacks requires a layered approach that integrates technological control, process governance, and human awareness. The following measures represent established best practices in the context of corporate cybersecurity:
- Continuous and contextualised security awareness training: implement advanced training programmes based on real scenarios and attack simulations (red teaming, phishing simulation), focused on the recognition of social engineering techniques.
- Multi-factor authentication (MFA): apply robust MFA mechanisms (preferably FIDO2/WebAuthn) to segment access and contain lateral movement even in the event of initial digital identity compromise.
- Standardisation of procedures and response playbooks: define SOPs (Standard Operating Procedures) for handling suspicious voice contacts, with mandatory out-of-band verification, tracked escalation and immediate reporting. Conduct human-oriented penetration tests (social engineering audits) on a regular basis.
- Integration of MDR (Managed Detection & Response) solutions: rely on MDR services with 24/7 coverage for proactive detection and response to indicators of compromise related to social engineering, identity abuse and anomalous behaviour on endpoints.
- Operational threat intelligence: correlate suspicious events with real-time intelligence feeds, analysing TTPs (Tactics, Techniques and Procedures) associated with vishing and voice spoofing campaigns to anticipate trends and strengthen your defensive posture.
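As an added illustration of the detection and correlation measures above (example code, not part of the original analysis or of any CYBEROO tooling): a Python sketch that flags a Data Loader bulk export from an IP outside the user's usual baseline shortly after a login, the pattern a trojanised client driving credential-based exfiltration would leave in access logs. The record layout, user names, IPs and baseline are constructed for the example and are not the real Salesforce event-log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified, assumed shape loosely modelled on
# Salesforce event-log data; field names are illustrative, not the real schema.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:00:00", "type": "Login", "user": "alice",
     "ip": "203.0.113.10", "client": "Browser"},
    {"ts": "2025-06-02T09:05:00", "type": "BulkApi", "user": "alice",
     "ip": "203.0.113.10", "client": "Data Loader", "rows": 500},
    {"ts": "2025-06-03T14:00:00", "type": "Login", "user": "bob",
     "ip": "198.51.100.7", "client": "Data Loader"},
    {"ts": "2025-06-03T14:12:00", "type": "BulkApi", "user": "bob",
     "ip": "198.51.100.7", "client": "Data Loader", "rows": 250000},
]
# Constructed per-user baseline of source IPs seen during normal operation.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.44"}}


def find_suspicious_exports(events, known_ips, row_threshold=100000,
                            window=timedelta(hours=1)):
    """Return alerts for bulk pulls from an unfamiliar IP shortly after a login.

    An alert needs all three signals: a Data Loader client, a row count at or
    above row_threshold, and a source IP outside the user's baseline. The
    preceding login from the same user/IP inside `window` is recorded when
    present so an analyst can pivot to the session that started the pull.
    """
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(events):
        if ev["type"] != "BulkApi" or ev.get("client") != "Data Loader":
            continue
        if ev.get("rows", 0) < row_threshold:
            continue
        if ev["ip"] in known_ips.get(ev["user"], set()):
            continue  # familiar source address: not the pattern we look for
        t_export = datetime.fromisoformat(ev["ts"])
        login_ts = None
        for prev in reversed(events[:i]):  # walk back to the nearest login
            if (prev["type"] == "Login" and prev["user"] == ev["user"]
                    and prev["ip"] == ev["ip"]):
                if t_export - datetime.fromisoformat(prev["ts"]) <= window:
                    login_ts = prev["ts"]
                break
        alerts.append({"user": ev["user"], "ip": ev["ip"], "rows": ev["rows"],
                       "login_ts": login_ts,
                       "reasons": ["new_ip", "bulk_volume", "data_loader"]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_exports(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

In a real deployment the baseline would come from historical logs and the threshold from the organisation's normal Data Loader usage, with alerts routed to the MDR workflow described above.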
Effectively countering complex threats such as vishing requires an integrated approach that combines advanced technologies, managed security services and, above all, highly specialised human skills. Investing in ongoing staff training, defining structured response processes and working alongside expert partners enables organisations to build a resilient defensive posture, significantly reducing the risk of compromise, financial loss and reputational damage.
Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO