Vorlon Blog

Salesloft Drift Breach: What Happened & How to Protect Yourself

Written by Adam Burt | Sep 04, 2025

A coordinated supply‑chain attack is rippling through enterprise SaaS stacks after attackers weaponized OAuth tokens associated with the Drift application (owned by Salesloft) to access customer data across multiple cloud platforms via trusted app‑to‑app connections. Salesforce surfaced early because Drift functioned as a connected app there, but Google has warned that all Drift integrations are at risk and has confirmed impact to Google Workspace via Drift Email, with detailed indicators and methods published in its analysis.

Google attributes the activity to UNC6395 and has released actionable indicators such as user‑agents, IPs, and characteristic SOQL reconnaissance and credential‑hunting patterns. Defenders should hunt and contain activity anywhere Drift has had OAuth access. 

In addition to Google’s attribution to UNC6395, Cloudflare’s threat intelligence team, Cloudforce One, has since attributed the campaign to the hacking group GRUB1, based on their investigation of the incident.

Multiple organizations have now publicly confirmed downstream exposure via this vector.

Key facts

  • Vector: OAuth tokens tied to the Salesloft Drift app
  • Attribution: UNC6395 (per Google), Cloudflare’s Cloudforce One subsequently attributed the campaign to GRUB1
  • Timeline: 
    • August 8–18, 2025: Active exploitation window
    • August 19–20, 2025: Revocations initiated per vendor notices
    • Late Aug–Sept, 2025: Ongoing public disclosures by affected organizations
  • Scope: Hundreds of organizations potentially affected; multiple major firms have publicly confirmed impact
  • Status: Salesloft initiated revocation/reset actions for affected integrations

Looking for ShinyHunters-Salesforce guidance? This is a different group and TTPs, but you can find our dedicated response checklist here: ShinyHunters Salesforce Response Tips.

Organizations Affected by Salesloft Drift Breaches

We will continue to update the list of known victims of these attacks as they are revealed publicly.


Salesloft Drift Breach Technical Analysis

This section distills the attacker playbook into concrete, hunt-ready signals drawn from public reporting. For full context and IOCs, see Google’s analysis and corroborating coverage in the security press.

TTPs (MITRE-style mapping and concrete examples)

Initial access

  • The actor leveraged valid OAuth tokens (Drift connected app) to call Salesforce and Google Workspace APIs, which can bypass traditional controls because access appears authorized.
  • No password compromise was required; the tokens alone provided authorized API access.

Discovery and enumeration

  • SOQL reconnaissance across core objects to size data and map environment:
    • SELECT COUNT() FROM Account/Opportunity/User/Case
    • Time-bounded counts (e.g., LAST_N_DAYS) to triage recent data
  • Identification of high-value objects and fields

Collection and credential hunting

  • Targeted queries for sensitive user/record fields and credentials/secrets embedded in cases/notes:
    • Search terms/patterns: AKIA (AWS), “secret,” “password,” “snowflake”
  • Bulk exports within API limits; distributed/burst requests to avoid rate-limit flags

Defense evasion and operational security

  • Use of Tor and cloud/VPS providers (e.g., Hetzner) for IP rotation
  • Automation-oriented user-agents (e.g., python-requests; Salesforce scraper identifiers)
  • Deletion of query jobs to obscure reconnaissance (logs still retained for audit)

Command and control / exfiltration

  • API-driven exfiltration through legitimate endpoints (Salesforce APIs; Gmail/Workspace APIs via Drift Email integration)
  • For examples and IoCs, see Google Threat Intelligence.

Indicators of compromise (hunt suggestions)

Network and infrastructure

  • Source IPs of Tor exit nodes
  • Cloud/VPS providers and hosting ranges commonly seen in this activity (e.g., Hetzner; plus cloud providers like DigitalOcean, AWS as observed in reporting)
  • Off-hours access patterns relative to normal app behavior

Application-layer signals

  • User-agents:
    • Salesforce-Multi-Org-Fetcher/1.0
    • python-requests/2.32.4
    • Python/3.11 aiohttp/3.12.15
  • Reconnaissance SOQL:
    • SELECT COUNT() FROM Account/Opportunity/User/Case
    • Time-bounded variants (e.g., LAST_N_DAYS) across multiple objects in sequence
  • Credential-hunting queries (AKIA, “secret,” “password,” “snowflake”)
  • Sudden spikes in API call volume or bulk-query jobs; attempts to delete query jobs
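As an added example (not from the original post and not Vorlon's product code), the hunt logic below applies the application-layer signals listed above and in the TTP section to a handful of constructed Salesforce-style API event records. The event layout, user names and IP addresses are assumptions for illustration; the user-agents and query patterns are the ones quoted on this page.

```python
import re
from collections import defaultdict

# Indicators are the ones quoted on this page; the event tuples are a constructed
# simplification of Salesforce API event records, not a real export.
SUSPECT_USER_AGENTS = {
    "Salesforce-Multi-Org-Fetcher/1.0",
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
}
RECON_COUNT = re.compile(r"SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)
CRED_TERMS = re.compile(r"AKIA|secret|password|snowflake", re.I)

# Constructed sample events: (timestamp, user, source_ip, user_agent, action, soql)
SAMPLE_EVENTS = [
    ("2025-08-10T02:14:01Z", "drift_integration", "203.0.113.5",
     "Salesforce-Multi-Org-Fetcher/1.0", "Query", "SELECT COUNT() FROM Account"),
    ("2025-08-10T02:14:03Z", "drift_integration", "203.0.113.5",
     "Salesforce-Multi-Org-Fetcher/1.0", "Query",
     "SELECT COUNT() FROM Opportunity WHERE CreatedDate = LAST_N_DAYS:30"),
    ("2025-08-10T02:14:05Z", "drift_integration", "203.0.113.5",
     "Salesforce-Multi-Org-Fetcher/1.0", "Query", "SELECT COUNT() FROM User"),
    ("2025-08-10T02:15:40Z", "drift_integration", "203.0.113.5",
     "python-requests/2.32.4", "BulkQuery",
     "SELECT Id, Subject, Description FROM Case WHERE Description LIKE '%AKIA%'"),
    ("2025-08-10T02:20:11Z", "drift_integration", "203.0.113.5",
     "python-requests/2.32.4", "BulkJobDelete", ""),
    ("2025-08-10T09:00:00Z", "jsmith", "198.51.100.7", "Mozilla/5.0", "Query",
     "SELECT Name FROM Account WHERE CreatedDate = LAST_N_DAYS:7"),
]

def hunt(events, recon_threshold=3):
    findings = defaultdict(list)      # user -> list of human-readable findings
    counted = defaultdict(set)        # user -> distinct objects sized with COUNT()
    for ts, user, ip, ua, action, soql in events:
        # 1. automation-oriented user-agents seen in the campaign
        if ua in SUSPECT_USER_AGENTS or ua.lower().startswith(("python-requests", "python/")):
            findings[user].append(f"{ts} suspect user-agent {ua!r} from {ip}")
        # 2. COUNT() reconnaissance across several objects in sequence
        m = RECON_COUNT.search(soql)
        if m:
            counted[user].add(m.group(1).lower())
            if len(counted[user]) == recon_threshold:
                findings[user].append(f"{ts} COUNT() recon across {recon_threshold} objects")
        # 3. credential-hunting terms inside query text
        if action in ("Query", "BulkQuery") and CRED_TERMS.search(soql):
            findings[user].append(f"{ts} credential-hunting query: {soql[:60]}")
        # 4. deletion of query jobs to obscure reconnaissance
        if action == "BulkJobDelete":
            findings[user].append(f"{ts} bulk query job deleted (possible evidence hiding)")
    return dict(findings)
```

Running `hunt(SAMPLE_EVENTS)` flags only the integration identity; the ordinary user's time-bounded query is not reported because a single LAST_N_DAYS filter is normal on its own.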

What to do now (checklist)

Hunt: Apply Google’s IoCs across your Salesforce, Google Workspace, and any other platforms where Drift had access.

Contain: Disconnect/reauthorize Drift integrations; revoke tokens; rotate exposed secrets.

Govern: Inventory connected apps and scopes; enforce IP restrictions; shorten token lifetimes and require re-consent on material changes.

Monitor: Baseline Drift (and all connected apps) and alert on deviations; log and preserve evidence for follow‑up investigations.


Vorlon for SaaS-to-SaaS OAuth threats

When attackers hide behind “legitimate” OAuth tokens, most controls can’t tell normal integration traffic from active compromise. Vorlon can. Our platform continuously baselines every connected app’s behavior across your SaaS estate and correlates who is calling what, from where, with which user-agent, and at what volume. The moment Drift-like activity deviates from expected patterns Vorlon raises high-fidelity alerts, links the activity to the exact identity and connected app, and enables one-click containment.

In practice, that means:

  • Detect fast: Anomaly signals (user-agent, IP reputation, query patterns, traffic spikes) trigger alerts within minutes.
  • Investigate with context: We show the precise queries, identities, tokens, and sources involved, so responders don’t hunt blindly across logs.
  • Remediate immediately: Security teams can revoke the compromised connected app, disable implicated users, and terminate active sessions from the same workflow, cutting off exfiltration while preserving evidence.
  • Prevent recurrence: Vorlon continuously monitors connected-app permissions, captures IP restriction settings to help admins enforce access controls, and flags scope changes or over-privilege before they become attack paths.

Bottom line: OAuth abuse looks “authorized” to most tools. Vorlon makes it obvious and stoppable.

Ready to see it in action?

Get a live demo to see how Vorlon detects Drift‑style OAuth abuse in minutes, correlates activity to the exact app and identity, and enables one‑click containment across your SaaS ecosystem.