{"description": "Enterprise techniques used by Salesforce Data Exfiltration, ATT&CK campaign C0059 (v1.0)", "name": "Salesforce Data Exfiltration (C0059)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1020", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors used API queries to automatically exfiltrate large volumes of data.(Citation: FBI Salesforce Data Theft SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1671", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors deceived victims into authorizing malicious connected apps to their organization's Salesforce portal.(Citation: FBI Salesforce Data Theft SEP 2025)(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors used custom applications developed in Python.(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1586", "showSubtechniques": true}, {"techniqueID": "T1586.002", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors used compromised emails to create Salesforce trial accounts.(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213", "showSubtechniques": true}, {"techniqueID": "T1213.004", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors accessed and exfiltrated sensitive information from compromised Salesforce instances.(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff",
"showSubtechniques": true}, {"techniqueID": "T1587", "showSubtechniques": true}, {"techniqueID": "T1587.001", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors created malicious applications within Salesforce trial accounts, typically Python scripts with similar function to the Salesforce Data Loader.(Citation: FBI Salesforce Data Theft SEP 2025)(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1585", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors created Salesforce trial accounts to register their malicious applications.(Citation: Google Salesforce JUN 2025)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1585.002", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors registered emails shinycorp@tuta[.]com and shinygroup@tuta[.]com to send victims extortion demands.(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1567", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors exfiltrated data via legitimate Salesforce API communication channels including the Salesforce Data Loader application.(Citation: Google Salesforce JUN 2025)(Citation: FBI Salesforce Data Theft SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors queried customers' Salesforce environments to identify sensitive information for exfiltration.(Citation: FBI Salesforce Data Theft SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1036", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors used voice calls to socially engineer victims into authorizing a modified version of the Salesforce Data Loader app.(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors initially relied on the legitimate Salesforce Data Loader app for data exfiltration.(Citation: Google Salesforce JUN 2025)(Citation: FBI Salesforce Data Theft SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598", "showSubtechniques": true}, {"techniqueID": "T1598.004", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors initiated voice calls with victims to socially engineer them into authorizing malicious applications or divulging sensitive credentials.(Citation: FBI Salesforce Data Theft SEP 2025)(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors used Mullvad VPN IPs to proxy voice phishing calls.(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors used [Tor](https://attack.mitre.org/software/S0183) IPs for voice calls and for the collection of stolen data.(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1684", "showSubtechniques": true},
{"techniqueID": "T1684.001", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors impersonated IT support personnel in voice calls with victims at times claiming to be addressing enterprise-wide connectivity issues.(Citation: Google Salesforce JUN 2025)(Citation: FBI Salesforce Data Theft SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1608", "showSubtechniques": true}, {"techniqueID": "T1608.005", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors established an Okta phishing panel which victims were tricked into accessing from mobile phones or work computers during social engineering calls.(Citation: FBI Salesforce Data Theft SEP 2025)(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.002", "comment": "During [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059), threat actors used compromised credentials for lateral movement.(Citation: FBI Salesforce Data Theft SEP 2025)(Citation: Google Salesforce JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Salesforce Data Exfiltration", "color": "#66b1ff"}]}