This Threat Brief discusses observations on a campaign leveraging Salesloft Drift integration to exfiltrate data via compromised OAuth credentials.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 discovered a threat actor campaign that exploited compromised OAuth credentials in the Salesloft Drift integration to exfiltrate sensitive data from Salesforce instances between August 8-18, 2025. The attackers performed mass data extraction from Account, Contact, Case, and Opportunity records, then scanned the stolen data for credentials to enable further attacks. Salesloft has revoked all affected tokens and notified impacted customers. Organizations using this integration should immediately review logs, rotate exposed credentials, and implement proactive threat hunting using specific indicators like the Python/3.11 aiohttp/3.12.15 user agent string.

Threat Brief: Salesloft Drift Integration Used To Compromise Salesforce Instances