The Com's Social Engineering of Salesforce App Authorizations: A Harbinger of Future Threats
The threat group 'The Com' is exploiting Salesforce app authorization abuse through social engineering, targeting tenants for data theft and extortion.

The Risky Business podcast #795 highlights a concerning new attack vector: the threat group known as 'The Com' is systematically compromising Salesforce tenants through social engineering and app authorization abuse. This technique, which exploits the trust inherent in third-party integrations, is described as a harbinger of future cybersecurity problems.
The attack works by tricking users into granting OAuth permissions to malicious applications that appear legitimate. Once authorized, these apps can access sensitive Salesforce data, including customer records, financial information, and internal communications. The Com then uses this access for data theft and extortion, threatening to leak stolen data unless a ransom is paid.
Salesforce is a widely used customer relationship management platform, and its extensive ecosystem of third-party apps makes it a prime target. The abuse of app authorizations is particularly dangerous because the OAuth token is issued after the victim has already authenticated, so it sidesteps traditional security controls like multi-factor authentication and network segmentation. Attackers don't need to compromise credentials or exploit vulnerabilities; they simply need a user to click 'Allow'.
This incident underscores a broader trend: attackers are increasingly targeting identity and authorization mechanisms rather than technical vulnerabilities. The Com's success with Salesforce could inspire copycat attacks against other platforms that rely on OAuth and app integrations, such as Microsoft 365, Slack, and Google Workspace.
Organizations are advised to review their connected apps regularly, enforce strict policies for app authorization, and educate users about the risks of granting permissions. Security teams should also monitor for unusual OAuth activity and implement conditional access policies to limit the damage from compromised tokens.
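One way to turn the "review connected apps and monitor for unusual OAuth activity" advice into a concrete check, as an added example that is not from the podcast or from Salesforce: the script below scans constructed app-authorization records for the pattern described above, an unapproved app requesting broad scopes that several users approved within a short window. The record layout, app names, users, allowlist and thresholds are all assumptions; only the scope names are real Salesforce OAuth scope names.

```python
"""Flag connected-app authorizations that match a social-engineering campaign:
an unapproved app with broad OAuth scopes, approved by several users in a short
window. The event format below is constructed for this example, not a real
Salesforce export; the app names, users and allowlist are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Salesforce OAuth scope names that grant broad or durable access.
# Treating these as "broad" is a policy assumption for this example.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}
APPROVED_APPS = {"Corporate BI Connector"}  # constructed allowlist

# Constructed sample events: (ISO timestamp, user, app name, granted scopes)
SAMPLE_EVENTS = [
    ("2025-06-02T09:01:00", "alice@example.com", "Corporate BI Connector", {"api", "refresh_token"}),
    ("2025-06-03T14:02:00", "bob@example.com",   "Acme Report Sync",       {"full", "refresh_token"}),
    ("2025-06-03T14:09:00", "carol@example.com", "Acme Report Sync",       {"full", "refresh_token"}),
    ("2025-06-03T14:20:00", "dave@example.com",  "Acme Report Sync",       {"full", "refresh_token"}),
    ("2025-06-03T16:00:00", "erin@example.com",  "Calendar Sync",          {"id", "openid"}),
]


def find_suspicious_apps(events, window=timedelta(hours=1), min_users=3):
    """Return {app: sorted users} for unapproved apps that requested broad
    scopes and were authorized by >= min_users distinct users inside `window`."""
    by_app = defaultdict(list)
    for ts, user, app, scopes in events:
        if app in APPROVED_APPS or not (scopes & BROAD_SCOPES):
            continue  # allowlisted, or narrow scopes only: not interesting here
        by_app[app].append((datetime.fromisoformat(ts), user))

    findings = {}
    for app, auths in by_app.items():
        auths.sort()
        # Sliding window over authorization times: a burst of distinct users
        # granting the same unknown app broad access is the campaign signature.
        for i, (start, _) in enumerate(auths):
            users = {u for t, u in auths[i:] if t - start <= window}
            if len(users) >= min_users:
                findings[app] = sorted(users)
                break
    return findings


if __name__ == "__main__":
    for app, users in find_suspicious_apps(SAMPLE_EVENTS).items():
        print(f"REVIEW: '{app}' granted broad scopes by {len(users)} users: {users}")
```

In practice the events would come from the tenant's connected-app and login audit data, and the allowlist from the apps the organization has actually approved.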
The podcast also covers other notable stories, including iVerify's evidence of zero-click iOS exploitation possibly targeting the Harris-Walz campaign, and Qualcomm patching three zero-days exploited in the wild. However, the Salesforce attack stands out as a novel and concerning development in social engineering.