
Warning: Hackers Are Using Salesforce Links to Steal Your Credentials
In the world of cybersecurity, trust is a valuable commodity—and a dangerous vulnerability. Cybercriminals have found a powerful new way to exploit this trust, turning one of the most reputable platforms in business, Salesforce, into a Trojan horse for their phishing attacks. By leveraging the legitimacy of the salesforce.com domain, attackers are crafting highly convincing scams that bypass traditional security measures and trick even cautious users.
This emerging threat isn’t about a vulnerability in Salesforce itself. Instead, it’s a case of attackers “living off trusted sites”: abusing a platform’s legitimate features for malicious purposes, in the same spirit as living-off-the-land attacks that abuse the built-in tools of a compromised host. Because Salesforce is a trusted name, its domains are often allowlisted by email security filters, allowing malicious links to slide directly into your employees’ inboxes.
The Deception of a Trusted Domain: Why This Attack Works
The core of this threat lies in our inherent trust of familiar brands. When you see a link containing salesforce.com or force.com, your brain—and your company’s security software—is conditioned to see it as safe.
Here’s why this method is so effective:
- Bypassing Security Filters: Most Secure Email Gateways (SEGs) are designed to block known malicious domains. However, they commonly allowlist links from major platforms like Salesforce, Microsoft, or Google rather than following them, so a link that starts on a trusted domain is rarely inspected any further. Attackers know this and use these trusted domains as a delivery mechanism.
- Exploiting User Trust: Employees are trained to spot suspicious, random-looking URLs. But a link from a globally recognized enterprise software provider doesn’t raise the same red flags. This lowers their guard and makes them far more likely to click.
- Legitimate Infrastructure: The links are generated using Salesforce’s own infrastructure, such as its email services or its hosted content. The first hop is technically legitimate, even if it leads to a malicious payload, so a reputation check on the link alone will pass. The attack begins on trusted ground, which makes initial detection much harder.
Anatomy of a Salesforce-Based Phishing Attack
The process is deceptive in its simplicity. An attacker uses a feature within Salesforce—such as the Email-to-Case function or Marketing Cloud—to generate a legitimate-looking URL. This link is then embedded in a phishing email.
The email itself might masquerade as a notification about an unpaid invoice, a secure document, or a contract awaiting review. When the victim clicks the link, one of two things typically happens:
- Malicious Redirect: The Salesforce link acts as a gateway, immediately and seamlessly redirecting the user to a credential harvesting page controlled by the attacker. This page is often a pixel-perfect replica of a Microsoft 365 or Google Workspace login screen.
- Hosted Malicious Content: In some cases, attackers host malicious files or phishing forms directly on Salesforce’s content platforms, further blurring the line between what is safe and what is dangerous.
The end goal is almost always the same: to steal valuable login credentials, which can then be used to access sensitive company data, launch further internal attacks, or commit financial fraud.
How to Protect Your Organization from This Evolving Threat
Since these attacks exploit trust and bypass traditional defenses, protecting your organization requires a multi-layered approach that combines technology with human vigilance. It’s no longer enough to just “watch out for suspicious links.”
Here are actionable steps every organization should take immediately:
- 1. Educate Your Team on Sophisticated Threats: Your employees are your first line of defense. Conduct security awareness training that specifically addresses the abuse of trusted platforms. Teach them that even links from well-known domains can be weaponized. Emphasize the need to verify unexpected requests through a separate communication channel before clicking.
- 2. Scrutinize Every Link’s Destination: Encourage users to hover over links to see the full URL before clicking. While the initial domain may be salesforce.com, a strange subdomain or a long, convoluted string of characters should be treated with suspicion. Read the host name from the right: the registrable domain is the part just before the first slash, so a host such as salesforce.com.some-other-name.example belongs to some-other-name.example, not to Salesforce, however familiar its beginning looks. If a Salesforce link asks you to log into your Microsoft account, that is a major red flag.
- 3. Enforce Multi-Factor Authentication (MFA) Everywhere: This is one of the most effective defenses against credential theft. Even if an attacker successfully steals a user’s password, MFA provides a critical barrier that prevents them from accessing the account. This should be mandatory for all internal and external services, including email, VPN, and cloud applications. One caveat: phishing kits that proxy the real login page (adversary-in-the-middle) can relay one-time codes and push approvals in real time, so for email and single sign-on prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys, which are bound to the genuine site’s origin and cannot be replayed from a lookalike page.
- 4. Leverage Advanced Threat Protection: Relying on domain reputation and blacklists is no longer sufficient. Modern security solutions rewrite links so they can be evaluated at both delivery time and click time, follow the full redirect chain in a sandbox, and analyze the landing page itself, flagging a chain that starts on a trusted platform and ends on a credential prompt hosted elsewhere, regardless of the source domain. Many of these products use AI and machine learning to score the landing page, but the decisive capability is looking at where a link actually ends up rather than where it starts.
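The link checks in steps 2 and 4 above, and the redirect pattern described under “Anatomy of a Salesforce-Based Phishing Attack”, as an added example that is not from the original article or from Salesforce: a small Python triage routine of the kind an email security team could run over URLs extracted from inbound mail, together with the redirect chains a URL sandbox records when it follows them. It tests exactly what the article says humans and gateways get wrong: whether a link is really on a trusted platform domain rather than merely containing the string, and where it ends up after redirects. The allowlists, the hostnames, the `?next=` parameter and the redirect chains are all constructed for illustration; none of them is a real Salesforce endpoint or observed attack infrastructure.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlists, for illustration only: SaaS platforms the gateway trusts,
# identity providers users legitimately sign in to, and the organisation's own domains.
TRUSTED_PLATFORMS = {"salesforce.com", "force.com", "site.com", "microsoft.com", "google.com"}
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "login.salesforce.com"}
ORG_DOMAINS = {"example.com"}
# Crude credential-prompt indicators ("auth" also matches "author"): a hint, not proof.
LOGIN_WORDS = ("login", "signin", "sign-in", "auth", "verify", "password", "sso")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: enough for the names above. A real
    deployment should consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return registrable_domain(host) in TRUSTED_PLATFORMS


def is_org(host: str) -> bool:
    return registrable_domain(host) in ORG_DOMAINS


def lookalike(host: str) -> Optional[str]:
    """A trusted platform name sitting inside a host that is not registered to
    that platform, e.g. salesforce.com.invoice-portal.example. Matching on a
    label boundary stops 'force.com' from matching inside 'salesforce.com'."""
    if is_trusted(host):
        return None
    for platform in sorted(TRUSTED_PLATFORMS, key=len, reverse=True):
        if "." + platform in "." + host.lower():
            return platform
    return None


def embedded_urls(url: str) -> List[str]:
    """Absolute URLs carried inside query parameters (?next=https%3A%2F%2F...)."""
    found = []
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            value = unquote(value)  # tolerate double-encoded values
            if value.lower().startswith(("http://", "https://")):
                found.append(value)
    return found


def looks_like_login(url: str) -> bool:
    u = urlsplit(url)
    text = f"{u.hostname or ''}{u.path}?{u.query}".lower()
    return any(word in text for word in LOGIN_WORDS)


def triage(url: str, chain: List[str]) -> List[str]:
    """Return the reasons a link is suspicious (empty list = nothing found).
    `chain` is the sequence of URLs a sandbox saw when it followed `url`; its
    last element is the landing page. An empty chain means no redirect."""
    final = chain[-1] if chain else url
    first_host, final_host = host_of(url), host_of(final)
    reasons = []

    hit = lookalike(first_host)
    if hit:
        reasons.append(f"link host {first_host} imitates {hit} but belongs to {registrable_domain(first_host)}")
    if final_host != first_host and lookalike(final_host):
        reasons.append(f"landing host {final_host} imitates {lookalike(final_host)}")
    for inner in embedded_urls(url):
        if not (is_trusted(host_of(inner)) or is_org(host_of(inner))):
            reasons.append(f"link carries an embedded URL to {host_of(inner)}")
    # The article's core case: a genuine platform host that bounces somewhere else.
    if is_trusted(first_host) and not (is_trusted(final_host) or is_org(final_host)):
        reasons.append(f"starts on trusted platform {registrable_domain(first_host)} but lands on {final_host}")
    if looks_like_login(final) and final_host not in IDP_HOSTS:
        reasons.append(f"credential prompt on {final_host}, which is not a known identity provider")
    return reasons


# Constructed sample links and the redirect chains a sandbox might have recorded.
SAMPLES: Dict[str, List[str]] = {
    "https://login.salesforce.com/": ["https://login.salesforce.com/"],                  # benign
    "https://example.my.site.com/campaign/spring": ["https://www.example.com/promo"],     # benign: lands on our own site
    "https://example.my.site.com/s/invoice-4821": [                                       # trusted hop, fake M365 login
        "https://example.my.site.com/s/invoice-4821",
        "https://secure-docs-review.example/m365/login?user=bob"],
    "https://salesforce.com.invoice-portal.example/login": [],                            # lookalike host
    "https://example.my.site.com/r?next=https%3A%2F%2Fsecure-docs-review.example%2Fsso": [  # hypothetical ?next= parameter
        "https://secure-docs-review.example/sso"],
}


def run_samples() -> Dict[str, List[str]]:
    return {url: triage(url, chain) for url, chain in SAMPLES.items()}


if __name__ == "__main__":
    for url, reasons in run_samples().items():
        print(("SUSPICIOUS " if reasons else "ok         ") + url)
        for r in reasons:
            print("    -", r)
```

The redirect chain is the input that matters: without following the link, a gateway sees only the trusted first hop, which is precisely why the article says these messages get through. The registrable-domain shortcut (last two labels) is deliberately simple and will misjudge two-level public suffixes, so a production version should use the Public Suffix List; the login-word heuristic is likewise a hint to raise priority, not a verdict on its own.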
Staying Ahead of the Threat
The weaponization of trusted platforms like Salesforce marks a significant evolution in the phishing landscape. Cybercriminals will always seek the path of least resistance, and right now, that path runs directly through the applications we use and trust every day. By understanding this tactic and implementing robust security controls centered on a principle of “zero trust,” you can better protect your organization from becoming the next victim.
Source: https://www.helpnetsecurity.com/2025/09/04/salesforce-security-threats-2025/