Sep 1, 2025

Syed Amoz
Salesforce is the world’s largest customer relationship management (CRM) platform, used by enterprises across various industries, including finance, healthcare, insurance, retail, and technology. With Salesforce at the center of customer and partner interactions, it has become a high-value target for adversaries.
In 2025, a series of Salesforce-related breaches affected organizations including Google, Allianz Life, Farmers Insurance, Workday, TransUnion, and retail and luxury brands such as Chanel, Louis Vuitton, Dior, and Adidas. These incidents were not caused by an exploitable flaw in Salesforce code. Attackers instead abused human factors, the OAuth trust model, and Connected App misconfigurations, chaining them into a coherent attack path.
How the Salesforce Breaches Happened
Stage 1: Initial Access – Social Engineering
Attackers opened with vishing (voice phishing), calling employees while impersonating internal IT support. Under that pretext, employees were talked through installing or authorizing what appeared to be the “Salesforce Data Loader” application but was in fact an attacker-controlled Connected App.
· MITRE ATT&CK Techniques: T1598 (Phishing for Information), T1566.004 (Phishing: Spearphishing Voice, i.e. vishing).
Stage 2: Malicious Connected App Installation
Salesforce Connected Apps integrate through OAuth 2.0. The malicious app requested over-permissive scopes (for example full API access together with refresh_token/offline_access). The OAuth consent prompt is the trust boundary here: once a user approved it, Salesforce issued tokens carrying exactly those scopes, and from then on the app was treated like any other sanctioned integration.
· MITRE ATT&CK Techniques: T1078.004 (Valid Accounts: Cloud Accounts), T1550.001 (Use Alternate Authentication Material: Application Access Token).
Stage 3: OAuth Token Abuse
After consent, the attacker-controlled app held both an access token and a refresh token. A refresh token lets the app obtain fresh access tokens on its own, so access persisted without a password or an MFA prompt until an administrator revoked the token or the Connected App itself.
· MITRE ATT&CK Techniques: T1528 (Steal Application Access Token).
Stage 4: Privilege Expansion
Because the granted scopes were excessive, the app could do anything its authorizing user could do through the API, including bulk data export. The attacker moved from a foothold as “an integration” to mass read access over CRM objects. Over-broad scopes, broadly privileged users, and weak Connected App governance were the central enablers.
· MITRE ATT&CK Techniques: T1068 (Exploitation for Privilege Escalation) is the nearest entry, but no software bug was exploited here. The escalation was a policy failure, over-granted scopes and permissions used exactly as designed, which is why T1078.004 (Valid Accounts: Cloud Accounts) is often the more accurate mapping in SaaS cases.
Stage 5: Data Exfiltration
Attackers used the legitimate Salesforce Bulk API, the same interface tools such as Data Loader use for large jobs, to pull millions of records, including PII, insurance claims, contracts, and communications. Because the traffic looked like a routine integration job, the volume of rows and the unfamiliar client were the only signals available to defenders.
· MITRE ATT&CK Techniques: T1213 (Data from Information Repositories), T1530 (Data from Cloud Storage), T1567 (Exfiltration Over Web Service).
Stage 6: Business Impact
The data was leaked, monetized, and weaponized for extortion. Allianz reported more than 1.1 million records exposed, Farmers Insurance confirmed another 1.1 million, and many global enterprises faced reputational and regulatory consequences.
Why Attack Paths Are the Right Lens
The breaches underscore an essential truth: attackers do not think in terms of isolated vulnerabilities. They think in terms of paths.
In Salesforce, the attack path was:
Social engineering (vishing)
Malicious Connected App installation
OAuth token theft
Privilege escalation via excessive scopes
API exfiltration of CRM records
Extortion and reputational harm
Each step maps to one or more adversary techniques in MITRE ATT&CK. Viewed together, the chain forms a narrative of compromise that is more realistic than raw CVE lists.
This aligns with guidance from:
NIST CSF 2.0 (2024): emphasizes “Understand how threats may move through the enterprise environment.”
ENISA Threat Landscape 2023: highlights supply chain and SaaS platforms as rising attack vectors.
Cloud Security Alliance (CSA): calls out OAuth/token abuse and Connected App governance as key SaaS security concerns.
Defensive Choke Points in the Salesforce Path
Attack path modeling helps identify high-leverage controls that can break entire chains:
Awareness Training → aligned with NIST CSF Protect function, reducing success of vishing/social engineering.
Connected App Allowlisting → CSA best practice; restrict API access to admin-approved Connected Apps so that a user consenting to a rogue app is not by itself enough for it to obtain tokens.
Token Monitoring & Revocation → review the OAuth tokens issued per user, alert on unfamiliar apps, and revoke them; aligned with MITRE ATT&CK detection guidance for T1528.
Least Privilege Enforcement → reduces blast radius of app scopes; aligns with Zero Trust principles (NIST SP 800-207).
API Anomaly Detection → flagging unusual bulk exports; related to MITRE T1020 (Automated Exfiltration).
Egress Restrictions → in a SaaS context, limit login and API access to trusted IP ranges and alert on unusually large outbound data flows; aligns with ENISA’s recommendation to monitor data flows.
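Two of the choke points above, Connected App allowlisting and API anomaly detection, reduce to detection logic that can be run over API telemetry. The following is an added example, not code from the article or from Salesforce: it runs both checks over a constructed, simplified log. The column names (TIMESTAMP, USER_ID, CLIENT_NAME, ROWS_PROCESSED, ENTITY_NAME) are modelled on Salesforce API event log fields but are an assumption here, as are the allowlist, the window and the threshold.

```python
"""Added example (not from the article): detection logic for two choke points,
connected-app allowlisting and bulk-export anomaly detection, run over a
constructed log. Column names are modelled on Salesforce API event log fields
but are an assumption of this example."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). One row per API call:
# when, which user, which connected app (CLIENT_NAME), how many rows it pulled.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CLIENT_NAME,ROWS_PROCESSED,ENTITY_NAME
20250812T090000.000Z,005A1,Salesforce Data Loader,450,Account
20250812T091500.000Z,005A1,Salesforce Data Loader,300,Contact
20250812T093000.000Z,005B2,Marketing Sync,2000,Lead
20250812T101000.000Z,005A1,My Ticket Portal,60000,Contact
20250812T101200.000Z,005A1,My Ticket Portal,55000,Account
20250812T101500.000Z,005A1,My Ticket Portal,40000,Case
20250812T120000.000Z,005B2,Marketing Sync,2500,Lead
"""

# Admin-approved connected apps (assumed allowlist for this example).
APPROVED_APPS = {"Salesforce Data Loader", "Marketing Sync"}
WINDOW = timedelta(minutes=30)
MAX_ROWS_PER_WINDOW = 150_000


def parse_log(text):
    """Parse the CSV log into dicts with a real datetime and an integer row count."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(rec["TIMESTAMP"], "%Y%m%dT%H%M%S.%fZ"),
            "user": rec["USER_ID"],
            "app": rec["CLIENT_NAME"],
            "rows": int(rec["ROWS_PROCESSED"]),
            "entity": rec["ENTITY_NAME"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def unapproved_app_events(events, approved=APPROVED_APPS):
    """Choke point 'Connected App allowlisting': any API call from an app that is
    not on the admin allowlist is a finding in itself, whatever it fetched."""
    return [e for e in events if e["app"] not in approved]


def bulk_export_alerts(events, window=WINDOW, threshold=MAX_ROWS_PER_WINDOW):
    """Choke point 'API anomaly detection': sliding window per (user, app);
    alert once the rows exported inside `window` exceed `threshold`."""
    per_actor = defaultdict(list)
    for e in events:
        per_actor[(e["user"], e["app"])].append(e)

    alerts = []
    for (user, app), evs in per_actor.items():
        start, total = 0, 0
        for e in evs:
            total += e["rows"]
            # Drop the events that have fallen out of the window.
            while e["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rows"]
                start += 1
            if total > threshold:
                alerts.append({"user": user, "app": app,
                               "rows_in_window": total, "at": e["ts"]})
                break  # one alert per actor; revoke first, then investigate
    return alerts


def run_detections(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"unapproved": unapproved_app_events(events),
            "bulk": bulk_export_alerts(events)}


if __name__ == "__main__":
    findings = run_detections()
    for e in findings["unapproved"]:
        print(f"UNAPPROVED APP  {e['ts']:%H:%M} user={e['user']} app={e['app']!r}")
    for a in findings["bulk"]:
        print(f"BULK EXPORT     {a['at']:%H:%M} user={a['user']} app={a['app']!r} "
              f"rows={a['rows_in_window']} -> revoke the app's tokens")
```

On the constructed log, the allowlist check fires on every call from the unknown app, and the sliding window fires on the third call once 155,000 rows have been pulled in under 30 minutes. In production, match on the Connected App's identifier rather than its display name, since an attacker can call a rogue app “Salesforce Data Loader”, and treat the sliding window as a floor: a per-user baseline is a better threshold than a fixed number.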
Tools and Techniques for Attack Path Modeling
Attackers model your environment as a graph of opportunities. Enterprises must mirror this approach.
Open-Source Tools
Deciduous / SeaMonster / ADTool – build attack trees and visualize potential paths.
BloodHound / AzureHound – map Active Directory and Azure identity relationships.
Neo4j, NetworkX, Graphviz – graph libraries for custom attack path analysis.
Techniques
Graph Modeling: represent assets, tokens, and trust relationships as nodes and edges.
Attack Trees with AND/OR logic: model adversary decision points.
What-if Simulations: assess which control breaks the most paths.
MITRE ATT&CK Mapping: contextualize each attack step against recognized adversary techniques.
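The six-stage Salesforce chain and the techniques listed here come together in a small attack graph. The following is an added example, not code from the article or from any of the tools named above: it encodes the chain as edges labelled with ATT&CK techniques, maps each choke-point control to the edges it removes, and runs the what-if simulation to rank controls and find the smallest combinations that leave no path. The node names, the control-to-edge mapping, and the second (credential-based) route are this example's assumptions, and it uses only the standard library.

```python
"""Added example (not from the article or any of the tools above): the six-stage
Salesforce chain as an attack graph, with what-if simulation of the choke-point
controls. Node names, the control-to-edge mapping and the second route are
assumptions of this example. Standard library only."""
from itertools import combinations

# Edge (from, to) -> ATT&CK technique that moves the attacker along it.
EDGES = {
    ("internet", "employee_trust"): "T1566.004",       # vishing
    ("employee_trust", "connected_app"): "T1550.001",  # user authorizes rogue app
    ("connected_app", "oauth_token"): "T1528",         # access + refresh token issued
    ("oauth_token", "bulk_api"): "T1078.004",          # token used like a cloud account
    ("bulk_api", "crm_records"): "T1567",              # bulk export over web service
    # Assumed alternative route: phished credentials, then UI/report export.
    ("employee_trust", "user_session"): "T1078.004",
    ("user_session", "crm_records"): "T1213",
}

# Control -> the edges it removes (assumed mapping from the choke-point list).
CONTROLS = {
    "awareness_training": {("internet", "employee_trust")},
    "connected_app_allowlist": {("employee_trust", "connected_app")},
    "token_monitoring_revocation": {("connected_app", "oauth_token")},
    "least_privilege_scopes": {("oauth_token", "bulk_api")},
    "api_anomaly_detection": {("bulk_api", "crm_records")},
    "mfa_and_login_ip_ranges": {("employee_trust", "user_session")},
    "session_export_monitoring": {("user_session", "crm_records")},
}


def all_paths(edges, src="internet", dst="crm_records"):
    """Enumerate simple paths from src to dst (iterative DFS)."""
    adj = {}
    for s, d in edges:
        adj.setdefault(s, []).append(d)
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in adj.get(node, []):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def remaining_paths(controls):
    """What-if: apply the given controls and return the paths that survive."""
    removed = set().union(*(CONTROLS[c] for c in controls))
    kept = {e: t for e, t in EDGES.items() if e not in removed}
    return all_paths(kept)


def rank_controls():
    """Number of paths each control breaks on its own, highest first."""
    base = len(all_paths(EDGES))
    scores = [(c, base - len(remaining_paths([c]))) for c in CONTROLS]
    return sorted(scores, key=lambda s: (-s[1], s[0]))


def minimal_control_sets(max_size=2):
    """Smallest control combinations that leave no path at all; a superset of
    an already-found set is not reported again."""
    found = []
    for k in range(1, max_size + 1):
        for combo in combinations(sorted(CONTROLS), k):
            if any(set(f) <= set(combo) for f in found):
                continue
            if not remaining_paths(combo):
                found.append(combo)
    return found


def describe(path):
    """Render a path with the technique on each hop."""
    hops = [f"{a} -[{EDGES[(a, b)]}]-> " for a, b in zip(path, path[1:])]
    return "".join(hops) + path[-1]


if __name__ == "__main__":
    for p in all_paths(EDGES):
        print(describe(p))
    print("controls by paths broken:", rank_controls())
    print("minimal sets that break every path:", minimal_control_sets())
```

With this graph, awareness training is the only single control that breaks both routes, which is the choke-point result the article argues for; every other control needs a partner from the other branch. The same shape scales to a real tenant: the graph grows to hundreds of nodes, but the questions (which paths exist, which control removes the most, which minimal set removes all) stay the same.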
Lessons Beyond Salesforce
Salesforce is only one example of a larger trend. Similar attack path logic has been observed in:
MOVEit (2023): SQL injection in a public-facing app (T1190) → database access → file exfiltration (T1530).
Okta (2023): Support system compromise → token theft (T1528) → customer pivots.
SolarWinds (2020): Supply chain compromise → lateral movement → downstream customer compromise.
Kaseya (2021): Remote management abuse → ransomware deployment (T1486).
In each case, adversaries chained weaknesses — technical, human, and procedural — into coherent attack paths with business impact.
The 2025 Salesforce breaches reveal a critical reality: enterprise security must evolve from a vulnerability-centric approach to an attack path-centric strategy.
By mapping out how social engineering, OAuth misuse, and API trust combine into viable routes to sensitive data, CISOs can:
Identify defensive choke points.
Prioritize the controls with the greatest impact.
Communicate technical risk in business terms (regulatory penalties, reputational harm, operational disruption).
Attackers are already modeling your SaaS and vendor ecosystem as a graph of opportunities. To stay ahead, enterprises must adopt attack path modeling, integrating insights from MITRE ATT&CK, NIST CSF, and CSA SaaS security guidance.