When Integrations Become Exploits: What the Salesloft Drift Breach Reveals

The Salesloft Drift breach exploited OAuth to compromise Salesforce data across 700+ orgs, exposing SaaS integration and posture management risks.

Callie Baron, Piotr Wojtyla

September 5, 2025


6 min read


In late August, researchers uncovered one of the most impactful SaaS compromises of the year: a campaign that weaponized trusted integrations to infiltrate hundreds of Salesforce environments. While the headlines have focused on stolen customer data from major organizations like Zscaler, Palo Alto Networks, and Cloudflare, the full picture is even more alarming.

This breach highlights how today’s cloud-first businesses face risks that extend well beyond phishing emails or perimeter defenses. By compromising OAuth tokens issued to Salesloft’s Drift integration, threat actors not only accessed sensitive Salesforce records but also leveraged those tokens to infiltrate connected email accounts.

It’s a clear reminder that email compromise in 2025 doesn’t always start with a phish, and that defending against it requires a broader approach to cloud email security.

How the Attack Was Executed

According to Google’s Threat Intelligence Group (GTIG), the campaign, attributed to the threat actor GTIG tracks as UNC6395, ran between August 8 and 18, 2025. Attackers abused OAuth tokens tied to the Salesloft Drift app to query Salesforce objects across hundreds of customer organizations. Their queries were targeted and deliberate: Accounts, Users, Opportunities, and especially Cases, where they sought secrets like AWS access keys, Snowflake tokens, VPN credentials, and passwords.

The attackers attempted to cover their tracks by deleting query jobs but could not erase the audit logs, leaving investigators a trail of their activity. By August 20, Salesforce and Salesloft revoked all active Drift tokens, removed the app from the AppExchange, and notified impacted customers.

The attack didn’t stop there. A few days later, GTIG revealed that threat actors also compromised Drift Email tokens. Using these, the attackers accessed a limited set of Google Workspace accounts and exfiltrated email data. Additional investigation showed attempts to use stolen Salesforce credentials to access Amazon S3 cloud storage.

This wasn’t a smash-and-grab. The campaign was disciplined, systematic, and designed to maximize its blast radius across the SaaS ecosystem.
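Two of the behaviours described above are detectable from the per-request audit records that survive job deletion: a connected app bulk-reading Account, User, Opportunity and Case objects far above its normal volume, and a job deletion following closely on a bulk query. The following is an added example of that detection logic, not code from the article or from any Salesforce or Abnormal product; the event fields, the sample events and the per-app baseline are all constructed assumptions.

```python
"""Detection over Salesforce-style audit events, modelled on the Drift campaign.

Added example, not from the article or any vendor product. The event records
are constructed and the field layout is an assumption, not a real schema.
"""
from datetime import datetime, timedelta

# Objects the campaign is reported to have queried.
SENSITIVE_OBJECTS = {"Account", "User", "Opportunity", "Case"}

# Constructed sample events: (ISO time, connected app, operation, object, rows)
EVENTS = [
    ("2025-08-10T02:14:00", "Drift", "BulkQuery", "Case", 48000),
    ("2025-08-10T02:15:30", "Drift", "BulkQuery", "User", 3100),
    ("2025-08-10T02:16:10", "Drift", "BulkQuery", "Opportunity", 12000),
    ("2025-08-10T02:19:00", "Drift", "JobDelete", "Case", 0),
    ("2025-08-10T09:00:00", "Drift", "Query", "Lead", 20),
    ("2025-08-10T09:05:00", "OtherApp", "Query", "Opportunity", 5),
]

# Typical rows per call each app normally pulls (assumed, learned from history).
APP_BASELINE = {"Drift": 200}


def find_bulk_exfil(events, baseline=APP_BASELINE, default=500):
    """Flag bulk reads of sensitive objects far above the app's normal volume.

    Returns [(app, object, rows)] for each anomalous read.
    """
    hits = []
    for _ts, app, op, obj, rows in events:
        limit = baseline.get(app, default)
        if op == "BulkQuery" and obj in SENSITIVE_OBJECTS and rows > limit:
            hits.append((app, obj, rows))
    return hits


def find_job_deletions(events, window=timedelta(minutes=10)):
    """Flag a job deletion that follows the same app's bulk query within
    `window`: the deleted jobs vanish, but these per-request records remain.

    Returns [(app, time_of_deletion)].
    """
    last_bulk = {}
    hits = []
    for ts, app, op, _obj, _rows in sorted(events):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        if op == "BulkQuery":
            last_bulk[app] = t
        elif op == "JobDelete" and app in last_bulk and t - last_bulk[app] <= window:
            hits.append((app, ts))
    return hits
```

In a real deployment the baseline would be derived from each app's own history, and both signals would be correlated with the token's grant date and scopes before alerting.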

The Scope of the Breach

Initial reports suggested “hundreds” of Salesforce instances were affected. By early September, the true scale became clearer: over 700 companies were impacted, including some of the world’s most prominent cybersecurity vendors.

  • Confirmed targets include Zscaler, Palo Alto Networks, Tanium, SpyCloud, PagerDuty, Cloudflare, Tenable, and Rubrik.

  • Cloudflare later disclosed that 104 API tokens were stolen from their Salesforce Case system, containing customer-submitted support information.

  • WideField researchers observed suspicious log activity suggesting attackers had exfiltrated data from both Salesforce environments and Gmail accounts.

While most organizations reported that their core infrastructure remained intact, the theft of secrets and customer data poses serious downstream risk. Exfiltrated API keys, tokens, and credentials can enable attackers to move laterally into other systems. Stolen customer data—especially support tickets—can be weaponized for spear phishing, impersonation attacks, and social engineering.

What Makes This Attack Different

Most email compromises start with an inbound phish; this breach is different. Attackers gained access without sending a single phishing email.

Instead, attackers exploited the trust placed in OAuth connections—tokens that organizations willingly granted to integrate apps with their SaaS platforms. Once those tokens were compromised, attackers could move laterally into both Salesforce and email without triggering traditional defenses. No suspicious attachment, no malicious URL, and no user clicking “allow access.” The trust decision had already been made, sometimes years earlier.

This attack underscores a key reality: in the cloud email era, compromise can happen even when the inbox is never touched.

Email Security Beyond the Gateway

For decades, secure email gateways (SEGs) have focused on inspecting inbound mail for spam, phishing, or malware. That approach is necessary but increasingly insufficient. Attacks like the Salesloft Drift breach reveal an entirely different risk surface:

  • OAuth Abuse: Tokens granted to third-party apps can provide attackers with persistent, trusted access.

  • Account Takeover (ATO): Once email accounts are accessible, attackers can monitor communications, redirect invoices, and impersonate employees.

  • Supply Chain Risk: Compromise of a single integration can cascade across hundreds of organizations, as we saw here.

A SEG cannot monitor API tokens; it cannot detect unusual login patterns within Salesforce. And it certainly cannot connect the dots between suspicious OAuth activity and a sudden spike in email data access.

This is why organizations need a cloud-native email security platform that goes beyond the gateway, with visibility into application permissions, account activity, and identity-based anomalies.

Account Takeover: OAuth as the New Attack Vector

Account takeover remains one of the most damaging outcomes of an email breach. Once an attacker controls a legitimate account, they can:

The Drift breach is also a reminder that account takeover no longer requires credential phishing. By inheriting OAuth tokens from a trusted app, attackers gained access without ever stealing a password. Long-lived tokens also acted like master keys, granting persistent access until explicitly revoked. Because this activity appeared as legitimate Drift traffic, it blended into normal API usage, making detection even more challenging.

Defending against ATO requires continuous monitoring of identity and access patterns, not just filtering inbound mail. Abnormal’s behavioral AI detects when accounts act outside their normal patterns, regardless of how access was obtained.

Managing the Risks of SaaS Integrations

Another key lesson is the importance of security posture management (SPM) for SaaS platforms. Many organizations grant broad OAuth permissions to integrations without regularly reviewing them. Over time, unused or overly permissive connections become forgotten backdoors—exactly what UNC6395 exploited.

The Drift incident revealed how many organizations had unknowingly granted broad, persistent permissions to third-party integrations like Drift. Few had visibility into where OAuth tokens were stored, how long they lived, or whether Drift’s own security posture had been adequately assessed. These blind spots allowed attackers to move freely once tokens were compromised.

SPM enables organizations to:

  • Discover all connected apps across SaaS platforms like Microsoft 365, Google Workspace, and Salesforce

  • Assess the risk of each integration based on its permissions and activity

  • Alert on unusual API usage or anomalous access patterns

  • Enforce least-privilege principles by revoking unused or unnecessary tokens

In the Drift case, organizations with mature SaaS posture management would have been better positioned to detect unusual queries or revoke unnecessary tokens before attackers could capitalize.
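The posture review described in the list above can be reduced to a repeatable check over an inventory of connected apps: which tokens are unused, which carry broad scopes, and which persist until explicitly revoked. Here is an added example of such a review, not the article's or any vendor's code; the inventory is constructed, and the rules and thresholds are assumptions a team would tune to its own environment.

```python
"""Least-privilege review of Salesforce connected apps (SaaS posture check).

Added example, not the article's or any vendor's code. The inventory is
constructed; the rules and the 90-day staleness threshold are assumptions.
"""
from datetime import date

# Salesforce OAuth scopes that grant broad data access or persistent sessions.
BROAD_SCOPES = {"full", "api"}
PERSISTENT_SCOPES = {"refresh_token", "offline_access"}

# Constructed inventory: name, granted scopes, grant date, last observed use.
APPS = [
    {"name": "Drift", "scopes": {"full", "refresh_token"},
     "granted": "2022-03-01", "last_used": "2025-08-18"},
    {"name": "LegacyMarketingSync", "scopes": {"api", "refresh_token"},
     "granted": "2021-06-15", "last_used": "2024-11-02"},
    {"name": "ChatterNotifier", "scopes": {"chatter_api"},
     "granted": "2025-01-10", "last_used": "2025-09-01"},
]


def review_connected_apps(apps, today_iso, stale_days=90):
    """Return {app name: (recommended action, reasons)}.

    Unused tokens get 'revoke'; broad-scoped ones 'reduce_scope'; apps that
    only hold a persistent refresh token get 'review' so its lifetime is checked.
    """
    today = date.fromisoformat(today_iso)
    result = {}
    for app in apps:
        idle = (today - date.fromisoformat(app["last_used"])).days
        broad = app["scopes"] & BROAD_SCOPES
        reasons = []
        if idle > stale_days:
            reasons.append(f"unused for {idle} days")
        if broad:
            reasons.append("broad scopes: " + ", ".join(sorted(broad)))
        if app["scopes"] & PERSISTENT_SCOPES:
            reasons.append("long-lived refresh token, access persists until revoked")
        if idle > stale_days:
            action = "revoke"
        elif broad:
            action = "reduce_scope"
        elif reasons:
            action = "review"
        else:
            action = "ok"
        result[app["name"]] = (action, reasons)
    return result
```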

Implications for the Broader SaaS Ecosystem

The Salesloft Drift breach illustrates several sobering truths:

SaaS Supply Chains Are an Expanding Attack Surface

Just as SolarWinds highlighted software supply chain risk, this incident shows how SaaS integrations can be exploited at scale. A compromise in one app can ripple across hundreds of customers.

Trust Can Be Weaponized

OAuth and API tokens are designed for convenience and interoperability. But when stolen, they become stealthy persistence mechanisms that evade traditional defenses.

Email Compromise Is Evolving

Attackers no longer need to send phishing messages to breach inboxes. The era of cloud email compromise through identity and integration abuse is here.

Traditional Tools Fall Short

Gateways can’t see OAuth, and log analysis alone is insufficient without enrichment from threat intel. Organizations need platforms that connect email, identity, and app activity in one lens.

Convergence of Risks

The Drift breach shows how email compromise, account takeover, and SaaS misconfiguration are converging—all driven by OAuth abuse. Defenders can no longer treat these as isolated problems. Unified visibility across email, identity, and integrations is essential.

How Abnormal Can Help

Abnormal is uniquely positioned to defend against the new realities of SaaS and email compromise:

Behavioral AI for Email Security

Detects anomalous activity within accounts, spotting ATO and other threats, even when no phishing email is involved.

Account Takeover Protection

Monitors login activity, geographic anomalies, and behavioral deviations to flag compromised accounts quickly.

Security Posture Management

Provides visibility into all connected apps and OAuth permissions, helping organizations identify risky integrations and revoke unnecessary tokens.

Holistic View Across SaaS

By combining identity insights, email telemetry, and integration monitoring, Abnormal stops the kinds of stealthy attacks that traditional defenses miss.

Defending Against the Next Drift-Style Breach

Ultimately, this breach is a wake-up call. The attackers didn’t need to trick employees into clicking links or opening attachments. They simply exploited the interconnected reality of modern SaaS. Defending against that requires tools built for the cloud era.

The Salesloft Drift breach may be remembered as one of the largest known OAuth-driven SaaS compromises to date. As organizations embrace more integrations, attackers will increasingly exploit the trust relationships that bind our apps together.

The lesson is clear: email compromise can happen even when no email is involved. Defending against it requires visibility into accounts, apps, and access patterns—capabilities that extend far beyond the legacy gateway.

By combining behavioral AI with account takeover protection and SaaS posture management, Abnormal provides the defense organizations need to thrive securely in a cloud-first world.

See for yourself how Abnormal continuously finds and fixes critical misconfigurations across your cloud email environment. Schedule a demo.
