Attackers Used Drift OAuth Tokens to Hit Salesforce in 700+ Orgs

UNC6395 used stolen Drift OAuth refresh tokens to access Salesforce in more than 700 organizations. 45% of security teams do not monitor persistent OAuth grants.

A threat actor tracked as UNC6395 used OAuth refresh tokens stolen from Drift to access Salesforce environments for more than 700 organizations, according to research by Palo Alto Networks Unit 42 and Material Security.

The intrusions relied on OAuth refresh tokens, which are issued when users authorize third-party apps to access Google or Microsoft accounts. Refresh tokens do not automatically expire, are not revoked when passwords change, and can be used without submitting a user password, allowing access without a new sign-in or multifactor authentication.

According to researchers, the attacker most likely obtained the tokens through earlier phishing campaigns and then used legitimate Drift integrations to move through customer Salesforce instances. Once inside, the actor exported data and searched for credentials including AWS access keys, Snowflake tokens and account passwords.

Public disclosures list Cloudflare, PagerDuty and dozens of other companies as affected while investigations continue to assess the full scope. From the perspective of perimeter controls and typical access logs, the activity appeared legitimate because it used approved app credentials.

Material Security’s analysis found that 45% of security teams do not monitor persistent OAuth grants. The firm reported that 80% of security leaders view unmanaged OAuth grants as a critical or significant risk, and 33% of organizations rely on manual processes such as spreadsheets and ad hoc reviews to track grants.

Many current defenses focus on checks at the time an app is granted access, including reviewing requested permission scopes and vendor reputation. Those point-in-time checks do not detect a legitimate app whose credentials are later stolen and used by a different actor.

Practices cited by security practitioners for detecting token misuse include continuous monitoring of app behavior to flag sudden spikes in API calls or unusual queries, and assessment of the blast radius of the accounts each app is connected to. High-risk detections can trigger automated token revocation, while lower-confidence alerts can be escalated for human review.
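As an added illustration of the monitoring approach described above (example code written for this page, not from Unit 42, Material Security, Drift or Salesforce), the script below scores each connected app's behaviour in the most recent hour against that app's own history: a spike in API call volume, bulk exports, and queries that look like credential hunting each add to a risk score, and the score maps to "revoke", "review" or "none". The audit-line format, the connected-app names, the user addresses and the credential keyword list are all constructed for the example; a real deployment would read Salesforce event logs and call the tenant's own revocation API instead of printing.

```python
import re
import statistics
from collections import defaultdict

# ---- Constructed sample data (made-up format, NOT a real Salesforce log) ----
#   timestamp | connected app (OAuth client) | user | rows returned | SOQL text
# Three quiet days of the integration polling leads once an hour:
BASELINE_LINES = [
    f"2025-08-0{d}T{h:02d}:00:00Z|DriftIntegration|integ@example.com|20|SELECT Id,Name FROM Lead LIMIT 20"
    for d in (5, 6, 7) for h in range(8, 18)
] + [
    f"2025-08-0{d}T{h:02d}:30:00Z|ReportingTool|analyst@example.com|10|SELECT Id FROM Opportunity LIMIT 10"
    for d in (5, 6, 7) for h in (9, 12, 15)
]
# Then, in a single hour, the same app does bulk exports and hunts for secrets:
BURST_LINES = [
    f"2025-08-08T14:{m:02d}:00Z|DriftIntegration|integ@example.com|50000|SELECT Id,Description FROM Case"
    for m in range(30)
] + [
    "2025-08-08T14:31:00Z|DriftIntegration|integ@example.com|800|SELECT Body FROM Note WHERE Body LIKE '%AKIA%'",
    "2025-08-08T14:32:00Z|DriftIntegration|integ@example.com|300|SELECT Body FROM Note WHERE Body LIKE '%password%'",
    "2025-08-08T14:33:00Z|DriftIntegration|integ@example.com|120|SELECT Body FROM Note WHERE Body LIKE '%snowflake%'",
]
# A second app shows a modest bump with benign queries: suspicious, not conclusive.
BUMP_LINES = [
    f"2025-08-08T14:{m:02d}:00Z|ReportingTool|analyst@example.com|10|SELECT Id FROM Opportunity LIMIT 10"
    for m in range(6)
]
SAMPLE_LOG = BASELINE_LINES + BURST_LINES + BUMP_LINES

LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<app>[^|]+)\|(?P<user>[^|]+)\|(?P<rows>\d+)\|(?P<soql>.*)$")
# Keywords that typically appear when stored text is searched for secrets
# (assumed list for this example; tune to your own data).
CREDENTIAL_RE = re.compile(r"AKIA|password|secret|snowflake|token|api[_ ]?key", re.I)


def parse(lines):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["rows"] = int(e["rows"])
            e["hour"] = e["ts"][:13]  # "YYYY-MM-DDTHH" bucket
            events.append(e)
    return events


def score_app(app_events, current_hour, spike_factor=5.0, bulk_rows=10000):
    """Score one connected app's behaviour in current_hour against its own history."""
    per_hour = defaultdict(int)
    for e in app_events:
        per_hour[e["hour"]] += 1
    history = [c for h, c in per_hour.items() if h != current_hour]
    current = per_hour.get(current_hour, 0)
    score, reasons = 0, []
    # 1) Sudden spike in API call volume versus the app's own median hourly rate.
    #    An app with no history cannot be baselined and is judged on 2) and 3) only.
    if history:
        baseline = statistics.median(history)
        if current > max(spike_factor * baseline, baseline + 3):
            score += 2
            reasons.append(f"api spike: {current} calls vs ~{baseline:.0f}/hour baseline")
    now = [e for e in app_events if e["hour"] == current_hour]
    # 2) Bulk export: any single call returning an unusually large row count.
    if any(e["rows"] >= bulk_rows for e in now):
        score += 2
        reasons.append(f"bulk export of >= {bulk_rows} rows")
    # 3) Queries that look like credential hunting in free-text fields.
    hunting = sorted({e["soql"] for e in now if CREDENTIAL_RE.search(e["soql"])})
    if hunting:
        score += 3
        reasons.append("credential-hunting queries: " + "; ".join(hunting))
    return score, reasons


def triage(lines, current_hour=None, revoke_at=5, review_at=2):
    """Map each app to an action: high risk -> revoke token, lower confidence -> human review."""
    events = parse(lines)
    if not events:
        return {}
    current_hour = current_hour or max(e["hour"] for e in events)
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app"]].append(e)
    verdicts = {}
    for app, app_events in by_app.items():
        score, reasons = score_app(app_events, current_hour)
        action = "revoke" if score >= revoke_at else "review" if score >= review_at else "none"
        verdicts[app] = {"score": score, "action": action, "reasons": reasons}
    return verdicts


if __name__ == "__main__":
    for app, v in triage(SAMPLE_LOG).items():
        print(f"{app}: score={v['score']} action={v['action']}")
        for r in v["reasons"]:
            print("   -", r)
```

The point of baselining each app against its own history is that an approved integration's normal traffic is the only reference the defender has once the token is in someone else's hands; the credentials look valid, so only the behaviour differs. The thresholds here are deliberately coarse, and the "review" tier exists so that an ordinary busy hour does not revoke a token a team depends on.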

The number of persistent OAuth grants is expected to grow as employees link AI tools, automation services and productivity apps to enterprise Google and Microsoft environments. Organizations that do not track and monitor those grants may leave an access path that perimeter controls and multifactor authentication do not block when tokens are stolen.
