ZeroFox Intelligence Flash Report - Exploitation of Salesforce Systems Likely to Continue

ZeroFox Intelligence Flash Report - Exploitation of Salesforce Systems Likely to Continue

Product Serial: F-2025-09-04a

TLP:CLEAR

In this Flash report, ZeroFox researchers report on a supply chain breach involving the Drift-Salesforce integration and note that further victim disclosures are likely.

Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:

https://cloud.zerofox.com/intelligence/advisories/14956

Link to Download

View the full report here

Key Findings

• Beginning around August 8, 2025, and continuing until approximately August 18, 2025, a sophisticated supply chain breach targeting the Drift-Salesforce integration AI chatbot was reportedly carried out by a threat actor leveraging OAuth credentials to exfiltrate Salesforce instance data from multiple companies.
• Notably, customers who integrate online services with Salesloft’s Drift platform (such as Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI) can potentially be impacted by threat actors using the stolen OAuth tokens.
• ZeroFox assesses that more companies that have utilized the compromised Salesforce integration with Salesloft Drift are likely to be publicly disclosed as victims in the coming weeks.