As Salesforce continues to evolve into a critical system of record for organizations, so too does its appeal to cybercriminals. From phishing attacks to insider threats, the techniques used to breach cloud environments are increasingly sophisticated and targeted.
Two security frameworks — the Cyber Kill Chain and the MITRE ATT&CK® Framework — offer valuable perspectives on understanding and disrupting these threats. While originally developed for more generalised enterprise threats, both can be adapted to enhance how we defend Salesforce ecosystems.
In this post, we’ll break down each framework, show how they work together, and explore their practical application in securing Salesforce environments with the help of WithSecure Cloud Protection.
Understanding the threat landscape in Salesforce
Salesforce is a rich target for attackers. It holds sensitive customer data, financial records, business logic, and integration points with dozens of third-party systems. Attackers often aim to:
- Exfiltrate sensitive data
- Move laterally within connected cloud apps
- Exploit overly permissive access rights
Despite Salesforce’s strong baseline security features, many threats emerge from user error, misconfiguration, or gaps in third-party integrations.
What is the Cyber Kill Chain?
Originally developed by Lockheed Martin, the Cyber Kill Chain outlines seven steps commonly followed by attackers:
- Reconnaissance – Identify targets and gather intelligence
- Weaponization – Develop malware or phishing payloads
- Delivery – Transmit the malicious payload
- Exploitation – Trigger the attack within the target environment
- Installation – Establish a foothold (e.g. through malware)
- Command and Control (C2) – Connect with external servers to control the attack
- Actions on Objectives – Execute final goals such as data theft or system disruption
In the context of Salesforce, these steps might include crafting fake support portals, exploiting API access, or using spear-phishing to hijack user credentials.
Inside the MITRE ATT&CK framework
MITRE ATT&CK is a globally accessible knowledge base of adversary behaviour, based on real-world observations. Unlike the sequential Kill Chain, MITRE ATT&CK categorises attacker behaviour into tactics (the goals) and techniques (how goals are achieved).
Relevant Salesforce-related examples include:
- Credential Access: Phishing users to steal session tokens
- Initial Access: Exploiting OAuth apps or misconfigured sharing rules
- Defense Evasion: Hiding malicious payloads in files or using password-protected ZIPs
MITRE ATT&CK is particularly powerful when applied to SaaS environments, because it helps teams identify where threats may be hiding even if they don’t follow a linear path.
How these frameworks complement each other
While the Cyber Kill Chain gives you a high-level view of the attack lifecycle, MITRE ATT&CK zooms in on specific behaviours at each stage. Combined, they offer:
- A strategic view of how attacks unfold (Kill Chain)
- A tactical playbook of how adversaries behave (MITRE)
Security teams can use both to:
- Proactively detect early-stage threats
- Improve incident response workflows
- Guide investments in prevention and detection tooling
Applying the Kill Chain and MITRE to Salesforce Security
Here’s how a Salesforce-specific attack might play out:
- Reconnaissance (Kill Chain) + Gather Victim Identity Information (MITRE) – Attackers profile employees on LinkedIn.
- Delivery + Phishing – A fake support email lures users to a malicious login page.
- Exploitation + Valid Accounts – Stolen credentials are used to access Salesforce.
- Installation + Malicious Files – A payload is uploaded via Chatter or a third-party integration.
- Actions on Objectives + Data Staged – Sensitive records are queried and exfiltrated.
By understanding both the steps and the specific techniques, defenders can build layered detections and security controls.
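As an added illustration (not code from the original post or from WithSecure), the following Python sketch shows one way to turn the scenario above into a layered detection: each audit event is tagged with its Kill Chain stage and the MITRE technique named in the scenario, and a user is flagged when several distinct stages appear within a short window. The event records and field names are constructed for the example and are only loosely modelled on Salesforce Event Monitoring log types, not the real schema.

```python
from datetime import datetime, timedelta

# Constructed mapping from simplified event types to the Kill Chain stage
# and ATT&CK technique used in the scenario above (names are assumptions).
STAGE_MAP = {
    "LoginFromNewIp":   ("Exploitation", "Initial Access: Valid Accounts"),
    "FileUpload":       ("Installation", "Execution: Malicious File"),
    "BulkReportExport": ("Actions on Objectives", "Collection: Data Staged"),
}

# Constructed sample log lines: alice's activity spans three stages in
# 18 minutes; bob's two events are a day apart and should not alert.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:02:00", "user": "alice@example.com", "type": "LoginFromNewIp"},
    {"ts": "2024-05-01T08:05:00", "user": "alice@example.com", "type": "FileUpload"},
    {"ts": "2024-05-01T08:20:00", "user": "alice@example.com", "type": "BulkReportExport"},
    {"ts": "2024-05-01T09:00:00", "user": "bob@example.com",   "type": "LoginFromNewIp"},
    {"ts": "2024-05-02T10:00:00", "user": "bob@example.com",   "type": "BulkReportExport"},
]

def correlate(events, window=timedelta(hours=1), min_stages=3):
    """Group events per user, sort them by time, and return
    {user: ["stage / technique", ...]} for every user whose events cover
    at least `min_stages` distinct Kill Chain stages inside `window`."""
    by_user = {}
    for e in events:
        if e["type"] in STAGE_MAP:  # ignore event types we have not mapped
            by_user.setdefault(e["user"], []).append(
                (datetime.fromisoformat(e["ts"]), STAGE_MAP[e["type"]]))
    alerts = {}
    for user, seq in by_user.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):  # slide the window over each start event
            stages = {}
            for t, (stage, technique) in seq[i:]:
                if t - t0 > window:
                    break
                stages[stage] = technique
            if len(stages) >= min_stages:
                alerts[user] = [f"{s} / {tech}" for s, tech in stages.items()]
                break
    return alerts

if __name__ == "__main__":
    for user, chain in correlate(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(chain))
```

Tightening the window or raising the stage threshold trades missed detections for fewer false positives, which is the tuning decision a real deployment has to make.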
How WithSecure Cloud Protection for Salesforce fits in
WithSecure Cloud Protection for Salesforce is designed to close the visibility gap in Salesforce environments by addressing multiple stages of the Kill Chain and dozens of MITRE techniques:
- Real-time file and link scanning blocks malware at delivery and installation phases
- Deep visibility into threat context aids in rapid detection and response
- Behaviour-based detections help uncover techniques like command-and-control or lateral movement
All of this happens natively within the Salesforce platform, without impacting performance or user experience.
The combination of the Cyber Kill Chain and the MITRE ATT&CK framework offers a powerful lens through which to view modern threats targeting Salesforce. While the cloud environment changes how attacks unfold, the principles behind these frameworks remain highly relevant.
By applying these models and partnering with solutions like WithSecure Cloud Protection, organizations can go beyond passive defense — and actively disrupt attackers before damage is done.