Threat Brief: Salesloft Drift Integration Used to Compromise Salesforce Instances

    Date: 09/03/2025

    Severity: High

    Summary

    The team identified threat actor activity exploiting the Salesloft-Drift integration to breach Salesforce instances. From August 8–18, 2025, compromised OAuth credentials were used to exfiltrate sensitive Salesforce data. The actor targeted objects like Account, Contact, Case, and Opportunity, and scanned for credentials post-exfiltration. Salesloft notified impacted customers, revoked tokens, and took swift action to secure and contain the incident.

    Indicators of Compromise (IOC) List

    IP Address : 

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address : 

    dstipaddress IN ("185.220.101.167","154.41.95.2","185.220.101.185","185.220.101.133","185.220.101.169","195.47.238.178","185.207.107.130","185.220.101.143","176.65.149.100","194.15.36.117","195.47.238.83","179.43.159.198","185.220.101.180","44.215.108.109","192.42.116.20","185.130.47.58","185.220.101.164","185.220.101.33","192.42.116.179","208.68.36.90") or srcipaddress IN ("185.220.101.167","154.41.95.2","185.220.101.185","185.220.101.133","185.220.101.169","195.47.238.178","185.207.107.130","185.220.101.143","176.65.149.100","194.15.36.117","195.47.238.83","179.43.159.198","185.220.101.180","44.215.108.109","192.42.116.20","185.130.47.58","185.220.101.164","185.220.101.33","192.42.116.179","208.68.36.90")

    Reference:

    https://unit42.paloaltonetworks.com/threat-brief-compromised-salesforce-instances/

