Attackers are turning Salesforce trust into their biggest weapon

Salesforce has become a major target for attackers in 2025, according to new WithSecure research into threats affecting customer relationship management (CRM) platforms. The report shows that malicious activity inside Salesforce environments rose sharply in the first quarter of this year, with a twenty-fold increase in detections compared to late 2024.

Tactics in focus (Source: WithSecure)

Documents and QR codes as entry points

The data shows that attackers are turning ordinary files into delivery mechanisms. Word documents accounted for more than two-thirds of malicious detections, often carrying links to phishing portals or malware downloads. Image files made up more than a quarter of detections, most of them linked to QR code phishing, also known as quishing.

This approach works because Salesforce is built around collaboration and document sharing. Files that look like invoices, support tickets, or verification steps are often treated as routine, which lowers suspicion. QR codes have been especially effective in hybrid work settings, where employees use mobile devices that may not have the same protections as corporate endpoints.

Exploiting trust through deception

The report notes that much of the activity relies on trust. Users expect Salesforce to be safe, so they are more likely to open a document or scan a QR code that arrives through familiar workflows. Attackers take advantage of this by disguising content as legitimate business communication, such as case messages or form submissions.

Links hidden inside files often lead to phishing sites that impersonate well-known brands. Tactics observed in early 2025 include the use of newly registered domains, lookalike domains, URL shorteners, and abuse of legitimate infrastructure like Bing redirect services. These techniques allow malicious traffic to blend in with normal activity.

Identity compromise is hard to spot

While phishing and file-based attacks grab attention, identity abuse is an even more difficult challenge. Karmina Aquino, Head of Threat Protection at WithSecure, told Help Net Security that attackers often use OAuth tokens to sidestep traditional detection.

“One of the more challenging types of misuse to detect involves attackers using OAuth tokens that were issued through normal authorization flows, such as the OAuth Device Flow,” she says. “When a user is tricked into approving a connected app, such as a modified Salesforce Data Loader, the attacker doesn’t need to crack a password, perform bruteforcing, or bypass MFA. They’re granted access willingly through a process that is completely valid.”

According to Aquino, the stealth goes even further when attackers mimic a user’s behavior. By working during regular hours and accessing familiar objects, attackers blend in with normal activity. Some groups have even tested their access by exfiltrating small amounts of data before moving on to larger exports.

Regional concentration of attacks

Most of the detections were concentrated in Europe and North America, which together accounted for more than 80 percent of affected customers. Within Europe, the United Kingdom saw the largest share. The report suggests that attackers benefit from the ease of using English-language phishing kits, which are widely available and require little localization.

Aquino notes that this language factor continues to influence attacker choices. “Based on our data and observations, attackers will likely continue focusing on English-speaking regions,” she says. “Creating convincing phishing content in English requires far less effort, since many phishing kits are already prebuilt with that language by default. This reduces the need for localization, allowing faster and cheaper deployment. English also offers broader reach, helping attackers maximize impact with minimal adjustments.”

Breaches highlight the scale of impact

The report also points to several high-profile incidents this year that underline the risks. Google confirmed that one of its Salesforce instances had been compromised, exposing over two million prospective customer records. Allianz Life reported a CRM compromise affecting 1.4 million customers. Coca-Cola Europacific Partners disclosed that more than 23 million Salesforce records had been exfiltrated. Luxury brands, major retailers, and airlines have also reported CRM-related breaches.

In nearly all cases, the attacks did not depend on technical vulnerabilities in Salesforce itself. Instead, they relied on stolen or misused credentials, social engineering, and abuse of trusted applications. This highlights identity compromise as one of the most pressing risks in SaaS environments.