Dear Customers,
Team Axon is aware of a significant ongoing security incident involving the compromise of OAuth tokens issued to the Salesloft Drift application. These tokens have been abused by a threat actor (tracked as UNC6395) to access Salesforce instances and other integrated systems without directly breaching Salesforce itself.
This activity has enabled attackers to execute structured SOQL queries, enumerate and exfiltrate sensitive data (including customer records, credentials, and access tokens), and, in some cases, delete Salesforce jobs to obscure traces. Evidence suggests that additional connected integrations (e.g., Google Workspace via Drift Email, and others) may also be impacted.
In certain integrations, such as Google → Drift Email, attackers were able to abuse OAuth tokens to authenticate and access the integration account, allowing them to query emails, extract information, and potentially access additional data.
Early threat intelligence confirms that this campaign is widespread and actively exploited in the wild, with high-profile organizations already affected. The breadth of Drift integrations (nearly 60 third-party platforms) significantly increases the potential exposure across enterprise environments.
Recommendations:
- Revoke OAuth tokens associated with Drift and related integrations.
- Disable or remove the Drift application from Salesforce until security assurances are provided.
- Rotate exposed credentials, especially API keys, AWS access tokens, Snowflake tokens, and any secrets stored in Salesforce fields.
- Make sure Salesforce logs are being ingested into the Hunters platform.
- Review connected integrations to Drift (Slack, Pardot, Zoom, etc.) and revoke any unnecessary permissions.
Affected organizations are at heightened risk of targeted phishing campaigns stemming from the exposure of customer and employee data. Teams must remain on high alert, closely monitor for suspicious activity, and reinforce phishing awareness among users.
Our team continues to investigate the scope and technical details of this campaign. If we observe strong indications of compromised users, we will contact the affected customer directly.
For further assistance, please reach out to us.
Sincerely,
Team Axon
Current IOCs:
- IP Addresses:
- Potentially Related User Agents:
Salesforce-Multi-Org-Fetcher/1.0
Salesforce-CLI/1.0
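As an added illustration (not part of this advisory or the Hunters platform), the following Python check shows how the user agents above and the activity described earlier (Drift-sourced SOQL queries touching secret-bearing fields, and job deletions) could be matched against Salesforce API event records. The record field names, the job object list and the sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# User agents listed as potentially related IOCs in the advisory.
SUSPECT_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0"}
# Secret-bearing terms taken from the advisory's rotation guidance (keys, AWS, Snowflake, tokens).
SECRET_TERMS = re.compile(r"(api[_ ]?key|aws|snowflake|access[_ ]?token|secret|password)", re.I)
# Example job-type objects whose deletion would match the trace-covering behaviour (assumption).
JOB_OBJECTS = {"AsyncApexJob", "CronTrigger"}

@dataclass
class Finding:
    index: int   # position of the matching record in the input
    rule: str    # which detection rule fired
    detail: str  # the value that triggered it

def scan_events(events):
    """Apply the three rules to constructed event records (assumed field names)."""
    findings = []
    for i, e in enumerate(events):
        ua = e.get("user_agent", "")
        app = e.get("connected_app", "")
        if ua in SUSPECT_USER_AGENTS:  # low fidelity on its own; correlate with the app
            findings.append(Finding(i, "ioc-user-agent", ua))
        if app.lower().startswith("drift"):
            query = e.get("soql", "")
            if query and SECRET_TERMS.search(query):
                findings.append(Finding(i, "drift-sensitive-query", query))
            if e.get("operation") == "delete" and e.get("object") in JOB_OBJECTS:
                findings.append(Finding(i, "drift-job-deletion", e["object"]))
    return findings

# Constructed sample records; field names are assumptions, not Salesforce's schema.
SAMPLE_EVENTS = [
    {"user_agent": "Mozilla/5.0", "connected_app": "Drift", "operation": "query",
     "soql": "SELECT Id, Name FROM Account LIMIT 10"},
    {"user_agent": "Salesforce-Multi-Org-Fetcher/1.0", "connected_app": "Drift", "operation": "query",
     "soql": "SELECT Name, AWS_Access_Key__c, Snowflake_Token__c FROM Integration_Secret__c"},
    {"user_agent": "Salesforce-CLI/1.0", "connected_app": "Drift", "operation": "delete",
     "object": "AsyncApexJob"},
    {"user_agent": "Salesforce-CLI/1.0", "connected_app": "Internal Admin Tool", "operation": "query",
     "soql": "SELECT Id FROM Contact"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.rule}: {f.detail}")
```

The last sample record shows why the user-agent rule alone is a lead rather than a verdict: the same string can come from legitimate tooling, so findings should be correlated with the connected app and the query content.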
Posted Sep 04, 2025 - 10:49 UTC