FBI IOCs Salesforce Instances

The Federal Bureau of Investigation (FBI) has released a flash alert detailing the activities of two cybercriminal groups, UNC6040 and UNC6395, that are actively compromising Salesforce environments to steal data for extortion purposes.

The advisory, published by the FBI on September 12, 2025, provides indicators of compromise (IOCs) and defensive measures to help organizations protect against these ongoing campaigns that leverage distinct tactics to achieve their objectives.


UNC6040’s Social Engineering Campaign

Since at least October 2024, the group tracked as UNC6040 has been using social engineering, particularly voice phishing (vishing), to gain initial access.

The threat actors call an organization’s help desk posing as IT support staff who are trying to resolve a fabricated technical issue. During these calls, they persuade employees either to share their credentials or to grant the attackers access to the company’s Salesforce instance.

A key tactic involves tricking employees into authorizing a malicious “connected app” within the Salesforce portal. This app is often a modified version of the legitimate Salesforce Data Loader tool.


By convincing a user with sufficient privileges to approve the application, UNC6040 gains persistent access via OAuth tokens issued by Salesforce.

This method can bypass security controls like multi-factor authentication (MFA) and password resets, as the activity appears to originate from a trusted, integrated application.

The attackers then use API queries to exfiltrate large volumes of data. Following the data theft, some victims have received extortion emails from the notorious “ShinyHunters” group, demanding payment to prevent the public release of the stolen information.

UNC6395 Exploits Third-Party Integration

The second group, UNC6395, employed a different method to breach Salesforce instances. In August 2025, these actors exploited compromised OAuth tokens associated with the Salesloft Drift application, an AI-powered chatbot that integrates with Salesforce.

By using these compromised third-party tokens, the group was able to access and exfiltrate data from the victim’s Salesforce environment, highlighting the security risks posed by third-party application integrations.

In response to this campaign, Salesloft and Salesforce collaborated to revoke all active access and refresh tokens for the Drift application on August 20, 2025. This action successfully terminated the threat actors’ access to the compromised Salesforce platforms through this specific vector.

The FBI has released an extensive list of IOCs, including IP addresses, malicious URLs, and user-agent strings associated with both UNC6040 and UNC6395, to help network defenders detect and block related activity. The agency strongly recommends that organizations take several steps to mitigate the risk of compromise.

UNC6395 Indicators of Compromise

IoC Type        Indicator
User-Agent      Salesforce-Multi-Org-Fetcher/1.0
User-Agent      Salesforce-CLI/1.0
User-Agent      python-requests/2.32.4
User-Agent      Python/3.11 aiohttp/3.12.15

Key recommendations include training employees, especially call center staff, to recognize and report phishing and vishing attempts.

The FBI also advises enforcing phishing-resistant MFA across all possible services, applying the principle of least privilege to user accounts, and implementing strict IP-based access restrictions.

Furthermore, organizations should continuously monitor network logs and API usage for anomalous behavior indicative of data exfiltration and regularly review all third-party application integrations connected to their software platforms, rotating API keys and credentials frequently.
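The bulk API exfiltration described for UNC6040 and the monitoring and integration-review recommendations above can be combined into one triage rule over Salesforce API event logs. This is an added example, not code from the FBI advisory, Salesforce or Salesloft; the CSV column names, the allowlist of approved connected apps, the row threshold and the log lines are constructed assumptions, while the user-agent strings are the UNC6395 indicators quoted on this page.

```python
import csv
import io
from collections import defaultdict

# User-agent strings the FBI flash attributes to UNC6395 (as quoted on this page).
UNC6395_USER_AGENTS = {
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
}

# Assumption: connected apps the org has reviewed and approved; anything else is suspect.
APPROVED_CONNECTED_APPS = {"Data Loader", "Drift"}

# Assumption: total rows pulled by one connected app above this is treated as bulk export.
ROWS_THRESHOLD = 100_000

# Constructed sample shaped like Salesforce EventLogFile API records (column names assumed).
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,USER_AGENT,CONNECTED_APP,ROWS_PROCESSED
API,2025-08-18T09:00:00Z,005A1,203.0.113.7,Mozilla/5.0,Data Loader,1200
API,2025-08-18T09:05:00Z,005A1,198.51.100.9,Salesforce-Multi-Org-Fetcher/1.0,Drift,250000
API,2025-08-18T09:06:00Z,005B2,198.51.100.9,python-requests/2.32.4,Drift,50000
API,2025-08-18T09:30:00Z,005C3,203.0.113.8,Mozilla/5.0,My Data Loader,180000
"""


def analyze(log_text):
    """Return a list of alert tuples for IOC user-agents, unapproved apps and bulk exports."""
    alerts = []
    rows_per_app = defaultdict(int)
    flagged_apps = set()
    for rec in csv.DictReader(io.StringIO(log_text)):
        # Direct IOC match on the user-agent string from the advisory.
        if rec["USER_AGENT"] in UNC6395_USER_AGENTS:
            alerts.append(("ioc_user_agent", rec["USER_ID"], rec["USER_AGENT"]))
        # A connected app nobody reviewed, e.g. a look-alike of the legitimate Data Loader.
        app = rec["CONNECTED_APP"]
        if app not in APPROVED_CONNECTED_APPS and app not in flagged_apps:
            flagged_apps.add(app)
            alerts.append(("unapproved_app", app))
        rows_per_app[app] += int(rec["ROWS_PROCESSED"])
    # Volume check: even an approved app pulling far more rows than usual is worth a look.
    for app, rows in rows_per_app.items():
        if rows >= ROWS_THRESHOLD:
            alerts.append(("bulk_export", app, rows))
    return alerts
```

In production the thresholds would be set per app from a baseline of normal daily row counts rather than a fixed constant.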

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.