
Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader than previously thought and that it affects all integrations, according to an updated advisory from Google Threat Intelligence Group (GTIG) and Mandiant.
The tech giant said that attackers who had compromised the OAuth tokens for the “Drift Email” integration used the stolen tokens to access email from a small number of Google Workspace email accounts on August 9, 2025. It is worth noting that this is not a compromise of Google Workspace or Alphabet itself.
“The only accounts that were potentially accessed were those that were specifically configured to integrate with Salesloft. Actors would not have access to other accounts in the customer’s Workspace domain,” Google added.

Following the discovery, Google notified affected users, revoked certain OAuth tokens granted to the Drift Email application, and disabled the integration between Google Workspace and Salesloft Drift while the investigation of the incident continues.
The company also recommends that organizations using Salesloft Drift review all third-party integrations connected to their Drift instances, revoke and rotate those applications’ credentials, and investigate all connected systems for signs of unauthorized access.
The expanded attack radius comes shortly after Google described a widespread, opportunistic data theft campaign in which the threat actor, a new activity cluster called UNC6395, leveraged OAuth tokens associated with Salesloft Drift to target Salesforce instances from August 8 to 18.
Since then, Salesloft has revealed that Salesforce has temporarily disabled Drift integrations between Salesforce, Slack and Pardot, while Salesforce has stated that it has “chosen to temporarily disable all Salesloft integrations with Salesforce.”
“Based on previous investigations, there is no evidence of malicious activity detected in Salesloft integration related to Drift cases,” it said. “And at this point there is no indication that Salesloft integration will be compromised or at risk.”