When SaaS Trust Becomes a Threat: Insights from the Salesloft Drift Compromise
A recent breach at Salesloft shows how attackers can use trusted tools against the very companies that rely on them. In recent days, attackers used OAuth tokens issued to the “Drift” chat agent’s Salesforce integration to gain access to sensitive customer data. The series of incidents highlights how connections between applications can create unseen risks for many organizations.
Initial investigation of the break-in revealed that the threat actors accessed Salesloft’s GitHub account between March and June of this year, according to a Salesloft advisory. They added a guest user to establish workflows, downloaded content from repositories, and accessed Drift’s AWS environment to obtain OAuth tokens.
As yet, it’s not clear who exactly the attackers are. Some reporting indicates Shiny Hunters are behind the break-in, while others note that it’s still under investigation.
SecurityScorecard’s STRIKE threat intelligence team expects new victim disclosures to continue emerging as investigations progress, exposing the soft underbelly of supply chain security. It’s as important as ever to prepare practically for the threat at hand, based on what we know about it and what’s likely to come next.
Attacker Intent
The intent of the attackers appears clear. They wanted to use or sell customer data taken from Salesforce. This data included contact information and support records that could fuel phishing or social engineering campaigns.
When attackers obtain contact information and other related data, they can improve their spear-phishing campaigns’ effectiveness. Even if one individual piece of information on its own is not sensitive, when pieced together with other information, it can provide malicious actors a potent combination for targeting. Using accurate and up-to-date names, accounts, ticket numbers, or credentials can make social engineering operations go off without a hitch.
SecurityScorecard’s STRIKE threat intelligence team assesses that the knock-on social engineering tied to this operation poses a near-term risk to impacted organizations and their clients. This follow-on activity poses the most immediate threat.
The attackers’ apparent focus on monetization is crucial as well. Customer records are highly valuable because they make phishing far more convincing, so the attack may provide resale value to the threat actors.
Technical Capability
The actors showed moderate technical skills. They knew how to work with OAuth tokens and how to query Salesforce through its APIs. Their apparent ability to exploit trusted app integrations shows careful planning and experience.
This demonstrates not just opportunism but deliberate tradecraft and a capable actor. The attackers did not stumble into Salesforce; they navigated into it using stolen OAuth tokens. That path raises concern about future incidents like it.
The Opportunity and The Ripple Effect
The opportunity came from the Drift to Salesforce connection. Once the attackers had valid tokens, they could move into Salesforce without needing to breach it directly. Downstream tenants in Salesforce were impacted in this way.
This is what makes SaaS integrations risky. A single point of trust can open doors across many organizations, and that widespread exposure can cause several kinds of damage.
As mentioned earlier, the hackers can now use real names, accounts, and ticket numbers in their phishing. This makes scams far more believable and dangerous.
There may also be regulatory or contractual consequences for affected entities. Depending on what types of data the attackers accessed or stole, companies could face disclosure obligations which could prompt additional scrutiny.
ATT&CK Techniques Observed
The STRIKE team identified the following MITRE ATT&CK techniques as most relevant to this breach:
- Initial Access / Lateral Movement via SaaS: Trusted Relationship (T1199), abuse of a third-party SaaS integration to reach Salesforce.
- Credential Access / Authentication Bypass:
  - Use Alternate Authentication Material (T1550.001), theft and reuse of OAuth tokens.
  - Valid Accounts (T1078), use of legitimate app-level credentials to access Salesforce.
- Collection / Discovery: Data from Information Repositories (T1213), querying Salesforce CRM data such as contacts.
- Exfiltration: Exfiltration Over Web Service / API (T1567), pulling data through Salesforce APIs under the OAuth grant.
- Follow-on Effects (Anticipated): Phishing for Information (T1566), social engineering attacks.
These mappings show how the attackers relied on legitimate mechanisms to further their operation, making detection much harder for traditional security tools.
Defensive Steps
The most urgent action now is to prepare for phishing attacks. Organizations should warn employees and customers about targeted lures and strengthen email defenses. These steps can reduce the chance that stolen data leads to further compromise.
Organizations should review employee training and strengthen where needed to address the present-day threat as well.
Companies should also revoke and rotate OAuth tokens tied to integrations and review Salesforce API/audit logs for unusual activity. These reviews can help identify suspicious behavior before it can metastasize and cause further damage.
Salesloft has released an advisory noting that Drift admins should reauthenticate their Salesforce connection.
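The log review recommended above is easiest to operationalize as a per-integration baseline check: each connected app normally calls from a small set of addresses, reads a small set of objects, and pulls a bounded number of rows. The following is an added example, not code from SecurityScorecard, Salesloft or Salesforce, that runs that check over constructed sample records. The JSON field names, the baseline profiles and the thresholds are assumptions for illustration; in practice the events would come from Salesforce Event Monitoring or login history exports, and the profiles would be built from a known-good period before the incident window.

```python
"""Flag abnormal API activity by OAuth-connected apps against a per-app baseline.

Added example with constructed data. The record shape below is an assumed,
simplified approximation of an API-usage event, not the vendor's real schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (one JSON record per line). Not real log data.
SAMPLE_LOG = """\
{"ts": "2025-08-09T01:55:00Z", "app": "SupportSync", "user": "svc-support@example.com", "ip": "198.51.100.20", "object": "Case", "rows": 300}
{"ts": "2025-08-09T02:00:00Z", "app": "ChatIntegration", "user": "svc-chat@example.com", "ip": "198.51.100.10", "object": "Contact", "rows": 400}
{"ts": "2025-08-09T02:05:00Z", "app": "SupportSync", "user": "svc-support@example.com", "ip": "198.51.100.20", "object": "Case", "rows": 300}
{"ts": "2025-08-09T02:10:00Z", "app": "ChatIntegration", "user": "svc-chat@example.com", "ip": "203.0.113.7", "object": "Contact", "rows": 3000}
{"ts": "2025-08-09T02:12:00Z", "app": "ChatIntegration", "user": "svc-chat@example.com", "ip": "203.0.113.7", "object": "Case", "rows": 2500}
{"ts": "2025-08-09T02:13:00Z", "app": "ChatIntegration", "user": "svc-chat@example.com", "ip": "203.0.113.7", "object": "Account", "rows": 2000}
"""

# Assumed per-integration baseline from a known-good period: where the app
# normally calls from, which objects it is expected to read, and how many rows
# it normally pulls within one observation window.
PROFILES = {
    "SupportSync": {"ips": {"198.51.100.20"}, "objects": {"Case"}, "max_rows": 2000},
    "ChatIntegration": {"ips": {"198.51.100.10"}, "objects": {"Contact", "Lead"}, "max_rows": 5000},
}


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(events, profiles, window=timedelta(minutes=15)):
    """Return a list of findings; each finding is reported once per (app, kind, detail)."""
    findings = []
    seen = set()
    recent = defaultdict(deque)  # app -> (ts, rows) pairs inside the sliding window

    def report(app, kind, detail, ts, extra=None):
        key = (app, kind, detail)
        if key in seen:
            return
        seen.add(key)
        findings.append({"app": app, "kind": kind, "detail": detail,
                         "ts": ts.isoformat(), **(extra or {})})

    for ev in events:
        app = ev["app"]
        profile = profiles.get(app)
        if profile is None:
            # An app with no baseline at all is itself worth a look.
            report(app, "unknown_app", app, ev["ts"])
            continue
        if ev["ip"] not in profile["ips"]:
            report(app, "new_source_ip", ev["ip"], ev["ts"])
        if ev["object"] not in profile["objects"]:
            report(app, "unexpected_object", ev["object"], ev["ts"])
        # Row volume over the trailing window: a token used for bulk export
        # shows up as a sum well above the app's normal footprint.
        q = recent[app]
        q.append((ev["ts"], ev["rows"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        total = sum(rows for _, rows in q)
        if total > profile["max_rows"]:
            report(app, "bulk_export", "rows_in_window", ev["ts"], {"rows": total})
    return findings


def apps_to_reauthorize(findings):
    """Integrations whose tokens should be revoked and re-issued after review."""
    return sorted({f["app"] for f in findings})


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG), PROFILES)
    for f in found:
        print(f)
    print("revoke/rotate:", apps_to_reauthorize(found))
```

On the constructed data, SupportSync stays within its baseline and produces nothing, while ChatIntegration trips three checks: a source address outside its baseline, reads of objects the integration never touched before, and a row total over the window that exceeds its normal footprint. The three signals together are the pattern to look for in real exports; any one alone is a reason to look closer, not a verdict.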
The STRIKE team has moderate to high confidence in the described attack chain. We have low confidence in any claims of attribution for now.
On Trust
This event demonstrates the fallout of SaaS supply chain compromises and just how vulnerable our supply chains are. OAuth tokens and trusted integrations are valuable for companies, which is exactly why they’re valuable for attackers, too. And a problem with one vendor can quickly spread to many others through app-to-app trust. That ripple effect is what makes incidents like this so damaging.
Bottom line: Organizations must protect and monitor integrations as closely as they do passwords and encryption keys.
Contact STRIKE for Incident Response
SecurityScorecard’s STRIKE Team has access to one of the world’s largest databases of cybersecurity signals, dedicated to identifying threats that evade conventional defenses. With proactive risk management and a rapid response approach, SecurityScorecard offers companies protection against third-party risks and the ability to counter active threats.
Discover how SecurityScorecard and its STRIKE Team can strengthen your enterprise’s security.
For STRIKE media inquiries, contact us here.