Security researchers have identified an active phishing campaign targeting Salesforce customers, leading to account breaches through a third-party application integration with Gainsight. The campaign was brought to light by a security researcher known online as “Cloudvar.”

The threat actors initiate the attack with a phishing email designed to look like a notification for a past-due invoice. The email contains a link that directs the recipient to a malicious webpage impersonating a Microsoft login portal. If a user enters their credentials on this fake page, the attackers capture them.

Attack Vector: Third-Party Integration

The stolen credentials are then used by the attackers to access the victim’s Gainsight account. Gainsight, a customer success management platform, is often integrated directly into a company’s Salesforce instance. This integration provides the attackers with a direct pathway into the victim’s Salesforce environment.

The primary target of these intrusions appears to be Salesforce sandboxes, which are isolated environments used by developers for testing and training. Access to these sandboxes still presents a significant security risk. Both Gainsight and Salesforce have published security advisories in response to this threat, acknowledging the active phishing campaign.

A Recurring Threat Pattern

This incident follows a previous security event where Salesforce customers were targeted through compromised third-party applications. In April, Salesforce issued a security advisory after threat actors used stolen Heroku and GitHub integration credentials to gain access to customer data. This pattern highlights the security challenges associated with third-party applications connected to core CRM platforms.