When news broke that the threat group UNC6395 had infiltrated Salesforce environments by abusing OAuth tokens from the Salesloft Drift connected app, it sent shockwaves through the security community.
Many well-known organizations have already issued breach disclosures, and based on Nudge Security’s supply chain mapping data, an estimated 750+ organizations could ultimately be impacted by this breach.
This wasn’t a traditional perimeter breach.
This was a massive supply chain attack delivered through the SaaS ecosystem, one that shows just how vulnerable today’s interconnected web of SaaS and AI applications, integrations, and data has become.
The Modern SaaS Supply Chain is a Hot Mesh
Your SaaS stack isn’t just the Salesforce, Google Workspace, or Slack environments you actively monitor and manage. It’s the dozens, even hundreds, of apps that connect to them, whether through OAuth grants, API integrations, or other means that your employees can easily set up in minutes.
Each app-to-app integration represents a non-human identity—an OAuth token, API key, or service account—that links one service to another, often for the purpose of sharing data and resources. Taken together, they form a dense, dynamic mesh of connections that powers modern business.
But this mesh is also fragile: compromise one trusted service, and attackers can traverse directly into business-critical environments.
The UNC6395 campaign exploited exactly that.
They didn’t hack Salesforce directly; they rode in through a trusted marketplace app.
Sensitive Corporate Data Lives in SaaS, but Security Monitoring Often Lags Behind
Today, most corporate crown jewels like customer data, source code, IP, and credentials live in SaaS environments. Yet, compared to network, endpoint, or cloud infrastructure monitoring, SaaS security monitoring and management are too often overlooked.
Organizations often struggle to answer basic questions:
- Which apps are connected to Salesforce right now and how?
- What data do they have access to?
- Who granted this access? For what reason?
- Are old OAuth tokens still active?
This lack of visibility and control creates the blind spots that attackers look for. And as the recent Salesloft Drift breach proves, adversaries know exactly how to exploit them.
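As an added example (not code from the article or from Nudge Security), the following Python script answers the four questions above over a constructed list of connected-app OAuth grants: it inventories which apps are connected, by whom and with which scopes, then flags tokens that were never used, have gone stale, or carry broad scopes. The record fields, the scope names and the 90-day staleness threshold are assumptions for illustration, not Salesforce's real schema or a real tenant export.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed sample of OAuth grants held by connected apps. The field names and
# values are assumptions for this example, not an export from a real tenant.
SAMPLE_GRANTS = [
    {"app": "Drift", "user": "alice@example.com", "scopes": ["api", "refresh_token"],
     "last_used": "2025-08-01T10:00:00Z"},
    {"app": "Drift", "user": "bob@example.com", "scopes": ["api", "full", "refresh_token"],
     "last_used": None},  # granted but never used
    {"app": "Slack", "user": "carol@example.com", "scopes": ["api"],
     "last_used": "2025-08-28T08:30:00Z"},
    {"app": "OldReportingTool", "user": "dave@example.com", "scopes": ["api"],
     "last_used": "2025-03-01T12:00:00Z"},
]
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)  # frozen clock so results are reproducible
STALE_AFTER = timedelta(days=90)
HIGH_RISK_SCOPES = {"full", "refresh_token", "offline_access"}  # assumed broad/long-lived scopes

Finding = namedtuple("Finding", "app user reasons")

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def inventory(grants):
    """Questions 1-3: which apps are connected, by whom, with which scopes."""
    inv = {}
    for g in grants:
        entry = inv.setdefault(g["app"], {"users": set(), "scopes": set()})
        entry["users"].add(g["user"])
        entry["scopes"].update(g["scopes"])
    return inv

def audit_grants(grants, now=NOW, stale_after=STALE_AFTER, high_risk=HIGH_RISK_SCOPES):
    """Question 4 plus over-permission: flag never-used or stale tokens and broad scopes."""
    findings = []
    for g in grants:
        reasons = []
        last = _parse(g["last_used"]) if g["last_used"] else None
        if last is None:
            reasons.append("never used since grant")
        elif now - last > stale_after:
            reasons.append("stale: unused for %d days" % (now - last).days)
        risky = sorted(set(g["scopes"]) & high_risk)
        if risky:
            reasons.append("broad scopes: " + ", ".join(risky))
        if reasons:
            findings.append(Finding(g["app"], g["user"], reasons))
    return findings
```

Each finding is a candidate for revocation or scope reduction; the same loop, fed from a real token export, gives a recurring audit rather than a one-off answer.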
Attackers are Exploiting SaaS Blind Spots
In the UNC6395 campaign, attackers didn’t use zero-days or custom malware to break into a secured network perimeter. They used stolen OAuth tokens, the very building blocks of SaaS and AI connectivity. By leveraging these tokens with overly permissive access, they were able to quietly query and extract sensitive data in Salesforce environments without tripping traditional alarms.
Attackers have figured out that SaaS supply chains are over-trusted, under-managed, and rarely audited. If security teams don’t catch up, breaches like this one will only multiply.
It’s Time to Act
This recent Salesloft Drift breach is not an isolated event; it’s a preview of the future. Attackers will continue targeting the SaaS supply chain because it works.
Security teams must respond by monitoring, managing, and defending their SaaS ecosystems with the same rigor they apply to endpoints and infrastructure.