Salesloft Drift social-engineering cyberattack

ThreatReaper AI Security Alert
Alert ID: TR-AI-2025-09-SA-002
Severity: High
Category: Third-Party Supply Chain / Social Engineering / Token Theft
Affected Systems: SaaS Integrations, CRM & Support Platforms, OAuth Tokens
Executive Summary (30-second read)
A significant third-party cyberattack targeting Salesloft’s AI-powered Drift application has raised major concerns about OAuth token theft and enhanced social engineering risks. Attackers leveraged stolen authentication tokens from the integration between Drift and Salesforce to move laterally into customer environments and extract data, including business contact and support case information. The compromised data, although not deeply sensitive, amplifies social engineering attack surfaces across multiple organizations. (PYMNTS.com)
What Happened
A fraudster breached Salesloft’s Drift — a marketing SaaS with Salesforce integration — by stealing OAuth and refresh tokens, enabling unauthorized access to some Salesforce customer environments. Several major companies disclosed breaches as a result, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare and Tenable. The stolen information includes business contact details and support case content that could empower attackers to perform highly effective social engineering attacks. (PYMNTS.com)
Source: https://www.pymnts.com/news/security-and-risk/2025/cyberattack-salesloft-drift-raises-concerns-about-social-engineering-attacks/ (PYMNTS.com)
Why This Matters for Enterprises
- OAuth token theft allowed attackers to impersonate trusted integrations and access customer Salesforce systems without interacting with MFA or typical credentials. (PYMNTS.com)
- Data used to bolster social engineering campaigns: exposed business contacts, support interactions and configuration context aid attackers in crafting convincing scams. (PYMNTS.com)
- Enterprises increasingly rely on interconnected SaaS stacks — a breach of one integration can cascade across vendors. (Salesforce Reader)
Industries at Higher Risk:
- Enterprise SaaS & Cloud Platforms
- Financial Services & Banking
- Security Vendors & Managed Service Providers
- Government & Regulated Entities
Attack Vector Analysis
| Vector | Observed |
|---|---|
| OAuth Token Theft | |
| Third-Party Supply Chain Compromise | |
| Social Engineering Enablement | |
| Lateral Access to CRM | |
| Sensitive Personal Data Theft | |
Note: Initial data extracted was largely business contact and support case info, but within Salesforce instances more sensitive data could be present and its full scope is still being assessed. (PYMNTS.com)
Why Traditional Security Failed
- Identity controls did not flag stolen tokens as suspicious because they originated from valid OAuth contexts.
- Third-party integration risk is not always included in asset inventory or risk scoring.
- Social engineering risk scales rapidly once internal business context data is in attacker hands.
- Human verification alone is insufficient when attackers leverage accurate internal metadata.
How ThreatReaper Mitigates This Risk
ThreatReaper strengthens enterprise AI and SaaS security by:
- Monitoring and flagging abnormal integration token usage before lateral movement.
- Policy-based control of third-party SaaS calls to prevent misuse of stolen credentials.
- Risk prioritization for OAuth credential exposure and token rotation urgency.
- Detection of social engineering trigger patterns in automated and human agent contexts.
- Comprehensive logging and audit trails to support threat investigation and compliance.
Control & Compliance Mapping
- OWASP Top 10 SaaS Supply Chain risk controls
- NIST Zero Trust Architecture — continuous credential validation
- ISO 27001 A.12 — operational resilience & secure integration management
- SOC 2 CC6 — third-party vendor risk oversight
Recommended Actions
- Immediately revoke and rotate all OAuth & API tokens associated with affected integrations. (PYMNTS.com)
- Perform a comprehensive audit of connected systems for unauthorized access.
- Implement stronger SaaS integration governance — limiting permissions and monitoring usage.
- Elevate social engineering defenses (advanced phishing detection & threat modeling).
- Enhance runtime monitoring for anomalous access patterns from legitimate integration paths.
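As an added example of the runtime monitoring the last action calls for (not ThreatReaper's, Salesloft's or Salesforce's code), the check below runs over constructed integration API-access events and flags a valid OAuth token that is used from outside the vendor's expected egress range, against objects the integration never normally reads, or for bulk reads. The log schema, the `drift-connector` client_id, the networks and the row ceiling are all assumptions.

```python
import ipaddress
import json

# Constructed baseline per integration token (client_id): the vendor's
# expected egress networks, the objects the integration normally reads and
# a per-request row ceiling. All values are assumptions for this example.
BASELINE = {
    "drift-connector": {
        "networks": ["203.0.113.0/24"],
        "objects": {"Lead", "Contact"},
        "max_rows": 500,
    },
}

# Constructed API-access events, one JSON object per line. The field names
# (client_id, src_ip, object, op, rows) are an assumed schema, not the real
# Salesforce or Drift log format.
SAMPLE_LOG = """
{"client_id": "drift-connector", "src_ip": "203.0.113.7", "object": "Lead", "op": "query", "rows": 40}
{"client_id": "drift-connector", "src_ip": "198.51.100.9", "object": "Contact", "op": "query", "rows": 25000}
{"client_id": "drift-connector", "src_ip": "198.51.100.9", "object": "Case", "op": "query", "rows": 12000}
{"client_id": "drift-connector", "src_ip": "203.0.113.8", "object": "Contact", "op": "query", "rows": 120}
"""


def find_anomalies(log_text, baseline=BASELINE):
    """Return [(event_index, [reasons])] for events that deviate from baseline.

    The credential itself is legitimate, so only its usage context (source
    network, objects touched, volume) can reveal a stolen token in use.
    """
    findings = []
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for idx, ev in enumerate(events):
        reasons = []
        profile = baseline.get(ev["client_id"])
        if profile is None:
            reasons.append(f"unknown integration client_id {ev['client_id']}")
        else:
            src = ipaddress.ip_address(ev["src_ip"])
            if not any(src in ipaddress.ip_network(net) for net in profile["networks"]):
                reasons.append(f"source {ev['src_ip']} outside vendor egress range")
            if ev["object"] not in profile["objects"]:
                reasons.append(f"unexpected object {ev['object']}")
            if ev["rows"] > profile["max_rows"]:
                reasons.append(f"bulk read: {ev['rows']} rows > {profile['max_rows']}")
        if reasons:
            findings.append((idx, reasons))
    return findings
```

On the sample events, the two reads from 198.51.100.9 are flagged (off-range source plus bulk volume, and additionally the untouched Case object), while the two in-range, low-volume reads pass.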
ThreatReaper Takeaway
In modern SaaS environments, attack surface extends beyond apps to the trust relationships between them. If your security does not inspect and enforce controls on third-party integrations and tokens in real time, attackers will exploit that blind spot to bypass conventional identity and access controls.
Issued by: ThreatReaper Autonomous AI Security
Contact: [email protected]
Confidential | For Security & Risk Teams