The recent Salesloft–Drift breach, attributed to the threat actor UNC6395, has quickly become one of the most impactful SaaS supply chain compromises of 2025. This incident demonstrates how attackers exploit the invisible trust relationships between SaaS platforms to move laterally and exfiltrate sensitive data. At Black Swamp InfoSec, we’re unpacking this event through the lens of the Cyber Kill Chain to highlight key lessons for SMBs, enterprises, and security leaders.
What Happened in the Salesloft–Drift Breach?
Between March and June 2025, attackers compromised Salesloft’s GitHub repositories, inserting malicious workflows and persistence mechanisms. This foothold allowed them to target Drift, a conversational marketing platform with deep integrations into enterprise ecosystems like Salesforce, Google Workspace, and Slack.
By stealing OAuth and refresh tokens, the attackers bypassed traditional defenses like passwords and MFA, gaining seamless access into connected environments. From August 8–18, they executed reconnaissance queries in Salesforce instances, exfiltrating sensitive data such as:
- AWS keys and Snowflake tokens
- Customer contacts and support case details
- Passwords and other credentials
Hundreds of organizations were impacted, including high-profile names like Cloudflare, Zscaler, and Palo Alto Networks.
The Cyber Kill Chain Applied
Using Lockheed Martin’s Cyber Kill Chain model, here’s how UNC6395 executed the attack:
1. Reconnaissance
UNC6395 began by mapping the SaaS ecosystem, looking for third-party services that had broad and trusted access. Drift became the prime target due to its deep integration with Salesforce and other enterprise systems. The attackers also probed GitHub activity to identify weak credentials, API tokens, or workflows that could be exploited. For SMBs, this stage often goes unnoticed because it doesn’t trigger obvious alerts.
2. Weaponization
Once Salesloft’s GitHub environment was compromised, the attackers weaponized their access. They inserted malicious workflows and backdoors into repositories, ensuring that even legitimate development or integration activity could later be exploited. The “weapon” here wasn’t malware in the traditional sense; it was the manipulation of trusted automation pipelines.
3. Delivery
Instead of spear-phishing or direct malware injection, UNC6395 delivered its attack through OAuth integrations. The OAuth tokens acted as the delivery mechanism, granting access without triggering password prompts or MFA challenges. This highlights how SaaS identity and trust relationships can be turned against us.
4. Exploitation
The stolen OAuth and refresh tokens were then exploited to authenticate into Drift and connected platforms like Salesforce, Slack, and Google Workspace. By abusing the very protocols designed to enable frictionless access, the attackers sidestepped traditional intrusion detection systems. Exploitation in this case was silent and invisible, making it far more dangerous than a typical vulnerability exploit.
5. Installation
Persistence was achieved by creating guest accounts and leaving behind malicious GitHub workflows. This ensured that even if credentials were rotated or some suspicious activity was detected, UNC6395 could re-establish access. Installation here looked less like malware on a device and more like strategic footholds across cloud platforms.
6. Command & Control (C2)
With persistence in place, the attackers executed stealthy queries against Salesforce instances between August 8–18. They used legitimate Salesforce query functions (SOQL queries) to enumerate accounts, users, and cases. To maintain C2, they leveraged the normal communication paths of SaaS APIs, blending in perfectly with regular business traffic. Importantly, they later deleted query job logs to cover their tracks, complicating forensic efforts.
7. Actions on Objectives
Finally, UNC6395 achieved its mission: data exfiltration. They siphoned off sensitive credentials (AWS keys, Snowflake tokens, passwords), as well as customer support case details and contact information. With these assets, attackers can not only monetize data directly but also pivot into broader attacks against victim organizations, including ransomware or supply chain compromises of their own.
Business Implications
This breach underscores several critical realities:
1. Supply Chain Risk is Real
The compromise wasn’t in Salesforce or Google; it was in a trusted integration partner. Businesses that rely heavily on SaaS platforms are only as secure as the weakest vendor in their supply chain.
2. Regulatory Exposure
The theft of customer data, credentials, and PII triggers regulatory obligations. Depending on jurisdiction, companies may face GDPR fines, state attorney general actions, SEC scrutiny, or FTC enforcement. Even smaller firms could be swept up if they process regulated data through compromised SaaS tools.
3. Reputational Fallout
When household names like Cloudflare and Palo Alto Networks are listed among the victims, trust across the ecosystem takes a hit. Customers may question a company’s vendor due diligence and data security practices. For smaller businesses, one public breach can be an existential reputational crisis.
4. Operational Disruption
The attack wasn’t just about data theft. By stealing keys and tokens, attackers could potentially manipulate workflows, disrupt sales pipelines, or interfere with customer communications. For SMBs, losing access to Salesforce or Google Workspace for even a few days can halt revenue.
5. Board-Level Priority
SaaS supply chain security has to become an enterprise risk management topic. Boards and executives must demand visibility into how SaaS vendors are selected, secured, and monitored. It’s not just an IT issue anymore; it’s a governance issue.
6. Financial and Insurance Impact
Cyber insurance carriers are increasingly wary of supply chain risks. Companies may see higher premiums, coverage limitations, or outright denials of claims related to SaaS vendor breaches. For firms without insurance, the costs of remediation, legal defense, and customer notifications could be devastating.
Lessons for SMBs
While headlines focus on Fortune 500 victims, SMBs face unique risks and often have fewer resources to respond. Here are key lessons:
1. Revoke & Rotate Tokens
Immediately revoke and rotate OAuth tokens and API keys tied to Drift, Salesloft, or other SaaS integrations. Treat every credential as potentially compromised.
2. Audit SaaS Integrations
Make a list of every SaaS tool connected to your core systems (CRM, email, finance). Remove unnecessary integrations and ensure those that remain follow the principle of least privilege.
3. Monitor SaaS Logs
SMBs rarely monitor SaaS logs, but this breach proves it’s essential. Even if attackers delete some traces, monitoring API usage, login patterns, and unusual queries can reveal suspicious activity.
4. Ask Vendors Hard Questions
Don’t assume SaaS providers are secure just because they’re big names. Ask about SOC 2 reports, token management practices, and incident response readiness.
5. Adopt a Zero Trust Mindset
Even for SMBs, zero trust principles apply. Don’t grant blanket trust to integrations. Segment access, enforce least privilege, and monitor continuously.
6. Invest in Incident Response Planning
Have a playbook for what to do if a SaaS vendor is breached. Who will you call? How will you communicate with customers? Planning ahead can save days of chaos.
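The C2 stage above (SOQL enumeration of accounts, users, and cases, followed by deletion of query job logs) and the “Monitor SaaS Logs” lesson both come down to the same detection problem. The script below is an added example written for this post, not code from Salesloft, Drift, or Salesforce: it runs a few simple rules over constructed, Salesforce-style API log records. The record fields, the connected-app name “drift-integration”, the baseline IP set, and the thresholds are all assumptions; real Salesforce EventLogFile columns would need to be mapped onto them first.

```python
"""Flag SaaS-token abuse patterns in constructed Salesforce-style API log records.

Added example, not from the original post. Field names, the app name
'drift-integration', baseline IPs and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): one integration app reads
# several sensitive objects in a few minutes, then deletes its own query job.
SAMPLE_LOGS = [
    {"ts": "2025-08-09T02:01:00", "app": "drift-integration", "ip": "203.0.113.7",
     "event": "ApiQuery", "object": "User", "rows": 4000},
    {"ts": "2025-08-09T02:02:30", "app": "drift-integration", "ip": "203.0.113.7",
     "event": "ApiQuery", "object": "Account", "rows": 25000},
    {"ts": "2025-08-09T02:04:00", "app": "drift-integration", "ip": "203.0.113.7",
     "event": "ApiQuery", "object": "Case", "rows": 18000},
    {"ts": "2025-08-09T02:06:00", "app": "drift-integration", "ip": "203.0.113.7",
     "event": "BulkJobDelete", "object": "Case", "rows": 0},
    {"ts": "2025-08-09T09:00:00", "app": "crm-sync", "ip": "198.51.100.4",
     "event": "ApiQuery", "object": "Contact", "rows": 300},
]
# Assumed baseline: source IPs each connected app has historically used.
BASELINE_IPS = {"drift-integration": {"198.51.100.20"}, "crm-sync": {"198.51.100.4"}}
SENSITIVE = {"User", "Account", "Case", "Contact"}
WINDOW, ROW_LIMIT, OBJECT_LIMIT = timedelta(minutes=10), 20000, 3


def analyze(logs, baseline=BASELINE_IPS):
    """Return {app: sorted finding tags} for every app that trips a rule."""
    findings = defaultdict(set)
    by_app = defaultdict(list)
    for rec in sorted(logs, key=lambda r: r["ts"]):  # ISO timestamps sort as text
        by_app[rec["app"]].append({**rec, "ts": datetime.fromisoformat(rec["ts"])})
    for app, recs in by_app.items():
        for i, rec in enumerate(recs):
            if rec["ip"] not in baseline.get(app, set()):
                findings[app].add("unknown_source_ip")
            if rec["event"] == "BulkJobDelete":  # anti-forensics signal
                findings[app].add("query_job_deleted")
            # Sliding window: this query plus those within WINDOW after it.
            window = [r for r in recs[i:]
                      if r["event"] == "ApiQuery" and r["ts"] - rec["ts"] <= WINDOW]
            if sum(r["rows"] for r in window) > ROW_LIMIT:
                findings[app].add("bulk_read_volume")
            if len({r["object"] for r in window} & SENSITIVE) >= OBJECT_LIMIT:
                findings[app].add("sensitive_object_sweep")
    return {app: sorted(tags) for app, tags in findings.items()}


if __name__ == "__main__":
    for app, tags in analyze(SAMPLE_LOGS).items():
        print(app, tags)
```

The thresholds are deliberately crude; in practice they should be tuned per integration from a few weeks of normal traffic so that routine sync jobs do not fire every rule.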
Conclusion
The Salesloft–Drift breach (UNC6395) is a textbook case of how the Cyber Kill Chain can play out entirely within SaaS environments. For SMBs and enterprises alike, this is a reminder that invisible trust can be the biggest vulnerability of all. Proactive monitoring, strong vendor risk management, and strict OAuth governance are now table stakes for survival in the modern SaaS landscape.