Seqrite Uncovers Global Vishing-Based Cyberattack Exposing Business Data and Highlighting Urgent Need for Stronger Cyber Security Measures
Seqrite uncovered a major vishing-extortion campaign that exposed sensitive client data from global businesses. Linked to ShinyHunters, the attack highlights growing social engineering threats, cloud security risks, and the urgent need for stronger cyber security protections.

Cybersecurity researchers at Seqrite, Quick Heal Technologies' enterprise unit, have released shocking details about a sophisticated cyberattack that targeted Google's corporate Salesforce instance in June 2025. This massive vishing-extortion campaign exposed sensitive client data from small and medium-sized organizations, raising new concerns about how effortlessly hackers can bypass even sophisticated protection systems.
The attack was carried out by UNC6040, a group linked to the well-known cybercriminal network ShinyHunters. This instance is particularly alarming because the attackers used social engineering to trick people rather than just hacking into systems. In this case, they impersonated Google's IT professionals and used convincing phone calls, known as voice phishing or vishing, to convince an employee to accept a malicious Salesforce-connected app. Once access was granted, the attackers used custom scripts to extract large amounts of data, including business names, emails, phone numbers, and client notes.
To stay untraceable, the hackers used VPN tools with the TOR network (a system that hides a user's identity online by routing internet traffic through multiple anonymous servers). Seqrite's research demonstrates that this was not an isolated incident. The same campaign targeted big brands such as Adidas, Qantas, Allianz Life, Chanel, Cisco, and many more. Another linked attack on Salesloft Drift, attributed to UNC6395, exposed hundreds of Salesforce customers by obtaining OAuth tokens and running unauthorized database queries.
Seqrite's analysis discovered that UNC6040 and UNC6240 have links to "The Com," a group of teenage cybercriminals who engage in SIM swapping and cryptocurrency theft, frequently recruiting through social media and gaming. The attack also exposed severe cloud security issues, demonstrating that even low-value Salesforce data can be used for phishing and fraud, with hackers utilizing fake domains to blend malicious traffic with genuine OAuth sessions and avoid detection.
What's more troubling is that ShinyHunters intends to launch "ShinySP1D3R," a ransomware-as-a-service offering, demonstrating how swiftly cybercriminals' techniques are evolving. To combat such threats, Seqrite emphasizes the importance of stronger security practices such as monitoring unusual login attempts from unknown IP addresses, requiring strict admin approval for OAuth applications, using caller-ID verification and voice analytics to detect social engineering attempts, and employing behavioral analytics to detect suspicious activity hidden within normal traffic.
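As an added illustration (not code from Seqrite or the article), the sketch below applies three of those practices to an audit trail: it flags OAuth app grants outside an admin-approved list, logins from unknown IP addresses, and bulk data pulls by an unapproved app or from an unknown address. The event schema, app names, network range and threshold are hypothetical, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions, not from the article: the event schema, app names,
# corporate network range and row threshold are all hypothetical.
APPROVED_APPS = {"Marketing Sync"}            # admin-approved OAuth apps
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BULK_ROWS = 10_000                            # rows per (app, ip) before alerting

# Constructed sample events (documentation IP ranges only).
EVENTS = [
    {"ts": 1, "type": "oauth_grant", "user": "alice", "app": "Marketing Sync", "ip": "203.0.113.10"},
    {"ts": 2, "type": "login", "user": "alice", "ip": "203.0.113.10"},
    {"ts": 3, "type": "oauth_grant", "user": "bob", "app": "IT Support Tool", "ip": "203.0.113.22"},
    {"ts": 4, "type": "api_query", "app": "IT Support Tool", "ip": "198.51.100.7", "rows": 6000},
    {"ts": 5, "type": "api_query", "app": "IT Support Tool", "ip": "198.51.100.7", "rows": 7000},
    {"ts": 6, "type": "login", "user": "bob", "ip": "198.51.100.7"},
    {"ts": 7, "type": "api_query", "app": "Marketing Sync", "ip": "203.0.113.10", "rows": 12000},
]

def is_known_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)

def detect(events):
    """Return (rule, subject, detail) findings in event order."""
    findings, unapproved = [], set()
    rows = defaultdict(int)                   # cumulative rows per (app, ip)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "oauth_grant" and ev["app"] not in APPROVED_APPS:
            unapproved.add(ev["app"])
            findings.append(("unapproved_oauth_app", ev["user"], ev["app"]))
        elif ev["type"] == "login" and not is_known_ip(ev["ip"]):
            findings.append(("login_unknown_ip", ev["user"], ev["ip"]))
        elif ev["type"] == "api_query":
            key = (ev["app"], ev["ip"])
            before, rows[key] = rows[key], rows[key] + ev["rows"]
            crossed = before < BULK_ROWS <= rows[key]   # alert once per pair
            if crossed and (ev["app"] in unapproved or not is_known_ip(ev["ip"])):
                findings.append(("bulk_export", ev["app"], ev["ip"]))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The approved app pulling 12,000 rows from the corporate range produces no finding, which is the behavioral baseline the bulk-export rule depends on.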
This case is an important reminder that cyberattacks are no longer limited to technological hacks. Scammers can hack even the most sophisticated systems by exploiting human psychology. Businesses of all sizes must invest in cybersecurity awareness, enhanced identity verification, and proactive monitoring to avoid financial loss, reputational damage, and long-term trust difficulties.
Information referenced in this article is from ET CISO