Hackers Impersonate IT Staff to Breach Salesforce Accounts

The group did not exploit vulnerabilities in Salesforce software but relied instead on manipulating users.

A hacking group linked to the loosely organised “Com” collective has targeted at least 20 companies in the US and Europe by impersonating IT personnel to steal data from Salesforce accounts, according to Google’s threat intelligence team.

The attackers used social engineering techniques—calling employees and posing as IT support—to trick victims into handing over credentials or connecting malicious apps to their Salesforce portals.

The attackers guided victims to Salesforce's connected app setup page, where the victims authorised a rogue application, often disguised under names like "My Ticket Portal."

This maneuver allowed the threat actors to exfiltrate data not only from Salesforce but also from other integrated platforms such as Okta and Microsoft 365.

Google’s report, released Wednesday, said some companies received extortion demands months after the data theft.

Salesforce confirmed no inherent flaw in its systems and warned users about voice phishing attacks in a March advisory.

While the group has primarily targeted retail firms, other industries have also been affected.

Google did not name specific victims, though recent cyberattacks have hit major retailers including Marks & Spencer, Adidas, and Victoria’s Secret.