WithSecure™ Cloud Protection for Salesforce
  • Reverse engineering a pain point: How field uploads exposed a hidden threat in Salesforce

    When mobile reps became an unexpected attack vector, a leading manufacturing firm needed help to close the gap.

    When most people think about Salesforce security, they focus on access controls, user permissions, or app integrations. But in industries like manufacturing, the real risks often hide inside the workflows themselves.

    One of our largest customers operates across multiple industrial and construction sites. Their Salesforce environment is a critical system, used daily by hundreds of mobile field reps visiting construction zones, factories, and customer facilities. These reps use Salesforce on tablets or phones (often personal or temporary work-issued devices) to:

    • Upload site photos and equipment images
    • Send and receive customer agreements
    • Share inspection documents
    • Communicate with internal teams

    This is exactly what Salesforce Field Service is built for: fast, flexible, on-the-ground engagement. And with Salesforce Agentforce introducing generative AI features, productivity is only accelerating. But so is the attack surface.

    The hidden threat: Files from the field

    This customer’s security team didn’t come to us looking for a Salesforce plugin. Their concern began with one simple, urgent question:

    “How do we make sure files coming in from the field aren’t putting us at risk?”

    Under the Shared Responsibility Model, Salesforce secures its infrastructure, but ensuring uploaded files are safe is up to the customer. And that’s where things got risky. The reps were uploading more than just notes. We’re talking about:

    • PDFs and Excel files
    • CAD drawings
    • Scanned contracts
    • High-resolution images and videos

    Many of these uploads came from unmanaged, personally owned, or third-party devices with unknown security standards. Once in Salesforce, those files were shared across legal, procurement, and other departments—making it easy for malware to propagate silently through the organization.

    From pain point to protection

    Rather than jumping to a product pitch, we started by mapping the real-world risks:

    • Mobile reps using unmanaged or temporary devices
    • A daily flow of rich, unverified content into Salesforce
    • No visibility into file safety at the point of entry
    • Agentforce likely increasing this content stream
    • Internal risk from lateral movement of threats

    The solution? A native security layer inside Salesforce itself.

    By scanning every file upload and download in real time—within the Salesforce environment—they were able to:

    • Close the file security gap without slowing reps down
    • Extend protection to devices outside IT’s control
    • Support audit and compliance even with third-party contributors

    Best of all, the fix didn’t disrupt the workflow. Reps kept using Salesforce as usual. No new apps. No retraining. Just fast, invisible protection—average scan time under a second.

    Why this matters for manufacturing

    This isn’t just one company’s story. We’re seeing the same challenge across manufacturing, logistics, and construction—anywhere mobile or contract-based workforces rely on Salesforce. These environments often involve:

    • Temporary labor and outsourced contractors
    • Mobile uploads from remote job sites
    • Complex document workflows spanning departments

    Unchecked, these uploads can bypass traditional perimeter defenses. That’s why embedding security inside Salesforce—where the files actually land—is essential.

    Bigger than one customer

    Sometimes, the vulnerability isn’t in the code. It’s in how legitimate users interact with powerful tools. A mobile workforce, doing their job, can unintentionally open doors to attack. That’s why security has to follow the workflow—not the other way around.

    In this case, that mindset led to one of our most impactful deployments—and a safer, smarter way to support sales teams in the field.

    Curious if something similar is happening in your Salesforce environment?

    Find out more on our solutions page

  • Credential theft, malware, and the hidden risk to Salesforce environments

    ABC News Australia, a national broadcaster, recently revealed a large-scale malware operation that stole credentials from employees and customers of several top-tier Australian banks.

    While this breach did not involve Salesforce directly, the methods used should raise red flags for any organization relying on cloud-based platforms like it. Credential theft and session hijacking—whether targeting banking portals, CRM systems, or collaboration tools—are part of a broader trend in cybercrime that exploits the weakest link: end users.

    If Salesforce is your organization’s central hub for customer interactions, service, or internal operations, this kind of attack offers a clear warning. It’s not about whether your platform was the entry point—it’s about how easily attackers can pivot into cloud environments using valid credentials.

    What the credential theft malware attack revealed

    The malware campaign, believed to be operated out of Eastern Europe, compromised over 60,000 devices in Australia, including thousands of employee and customer endpoints linked to major financial institutions.

    Key facts:

    • Malware captured login credentials, cookies, and session tokens.
    • At least 250 employee devices from major banks were affected.
    • Customer banking credentials and multi-factor authentication bypass data were harvested.
    • The stolen information was sold on dark web marketplaces, ready to be used for account takeovers, phishing campaigns, and lateral movement into connected platforms.

    Why Salesforce security is at risk from credential theft

    Even though this wasn’t explicitly a Salesforce-linked attack, and if your organization wasn’t directly impacted, there are some key lessons here for those responsible for securing Salesforce environments:

    Your users are the new attack surface.

    This campaign didn’t exploit system vulnerabilities—it targeted individual users. When attackers obtain valid login details, especially those that can bypass security checks, they can gain access to cloud platforms like Salesforce with little resistance. This breach involving stolen Jira credentials shows just how easily attackers can pivot into connected platforms like Salesforce using legitimate access.

    Credential dumps enable targeted phishing and impersonation.

    Once user data is exposed, attackers often move quickly—crafting convincing messages, impersonating employees, and targeting systems that trust those identities.

    Think it couldn’t happen in Salesforce? Think again

    Salesforce is one of the most trusted enterprise platforms in the world; however, like any cloud service, it operates on a shared responsibility model. Salesforce secures the infrastructure, while you are responsible for your data, users, and access controls.

    • Malware on an endpoint device, such as on a user’s laptop, can still compromise Salesforce session tokens or browser credentials.
    • API integrations and third-party apps can be exploited if access controls are too permissive.
    • Threats such as phishing links and harmful file uploads can still bypass native protections, particularly in tools like Salesforce Experience, Service Cloud, Email-to-Case, Web-to-Case, real-time Agentforce conversations, and messaging solutions connected to Salesforce.

    How to strengthen Salesforce security against credential-based attacks

    This incident is a wake-up call for organizations relying on Salesforce. Fortunately, you can take practical steps now to reduce your exposure.

    Harden access and session controls

    • Watch for unusual login patterns—even those from recognised users.
    • Apply the principle of least privilege to user roles and access.

    Inspect what your users upload or click

    • Malicious attachments and phishing links can be injected into Salesforce records.
    • Native platform defenses don’t always catch modern threats – use advanced scanning tools that analyze content in real time.

    Protect beyond the login screen

    • Threat actors don’t need to “break in” when they can walk in with valid credentials.
    • Invest in behavior-based threat detection to spot suspicious activity inside the platform.
    • Identity Protection tools will help you quickly identify users with stolen credentials and take action.

    Why endpoint security isn’t enough for Salesforce protection

    As this breach shows, once an attacker has valid credentials or hijacks a session, traditional defences often fall short, especially when malicious content is introduced after login, via uploads, links, or third-party integrations.

    To reduce risk within Salesforce, security controls must extend beyond the perimeter. They need to work inside the platform—scanning for threats, detecting unusual activity, and protecting the areas where attackers are most likely to strike.

    Importantly, these protections must function within the Salesforce environment, not merely at the perimeter or endpoint. Many security strategies overlook this gap, where risk quietly accumulates.

    Malware doesn’t stop at endpoints – and neither should your security. When attackers access credentials and session data, any cloud service in your stack, including Salesforce, becomes a target. The recent breach should be a stark reminder: you can’t afford to treat Salesforce security as an afterthought.

    This latest breach is a reminder: the threat is already in motion. The question is—how prepared are you?

  • Salesforce security: What you REALLY need to know

    Let’s talk about something that matters to everyone using Salesforce – security. Not the dry, technical stuff (though we’ll touch on that), but the real-world implications of how we protect data in Salesforce today.

    Remember when Salesforce first showed up 25+ years ago? They weren’t just selling software—they were asking businesses to do something radical: “Hey, trust us with your customer data on this internet thing.” Pretty bold ask back then!

    That fundamental need for trust hasn’t changed. If anything, it’s become more critical as more of our business lives move to the cloud. Ensure you are deploying only enterprise-grade and certified solutions.

    Navigating the regulatory maze

    The regulatory landscape has gotten… complicated, to put it mildly. While there aren’t many cloud-specific regulations, we’re all feeling the impact of GDPR, CCPA, Australia’s Privacy Act, and similar laws worldwide.

    What’s interesting is how these regulations are actually driving innovation. Cloud providers are constantly evolving their offerings to meet higher standards, from data residency options to local data centers to better cross-border transfer solutions.

    Also, make sure your cybersecurity vendor holds the certifications that matter, like ISO 27001 and ISAE 3000 Type 2 (SOC 2 Type 2).

    Being resilient when (not if) things go wrong

    Let’s be real—cyber incidents will happen. The question isn’t if, but when. That’s why cyber resilience matters so much.

    Being resilient means you can keep your business running even when facing cyber problems. It’s about preparing beforehand, detecting issues quickly, responding effectively, recovering smoothly, and adapting for next time.

    And make sure your cyber security solutions provide full visibility of the content activity within your cloud solutions – without that you are flying blind when the proverbial hits the fan.

    Who’s responsible for what? The cloud security dance

    One of the biggest misunderstandings in cloud security is who handles what. It’s a partnership, not a handoff:

    • Salesforce handles the security OF the cloud (infrastructure, data centers, platform security)
    • You handle security IN the cloud (user access, configurations, data, malware, and phishing protection)

    The problem? Many organizations think moving to the cloud means transferring all security responsibilities to the provider. Not true! And this misunderstanding creates dangerous security gaps.

    Even more frustrating, many organizations aren’t using the security features they’re already paying for. Tools like event monitoring, encryption options, malware and phishing scanning options, and log analysis often sit unused.

    AI: Double-edged sword

    AI is changing everything in the security world. On one hand, it’s giving security teams superpowers—helping them detect threats faster, respond more accurately, and cover more ground with fewer people. And cyber security companies like us have only expanded the usage of AI since we started automated analysis in 2006.

    But there’s a flip side:

    • AI can amplify biases from training data
    • Data privacy becomes trickier when large datasets are involved
    • Attackers can fool AI systems with adversarial techniques
    • Deepfakes make verification harder than ever
    • Ethical questions emerge when AI makes important decisions

    The key is finding the balance—leveraging AI’s benefits while carefully managing these risks.

    Different industries, different challenges

    If you’re in financial services, healthcare, or the public sector, you know the compliance burden is especially heavy. Each region has its own requirements, too—Australia has IRAP, the US has FedRAMP, Germany has C5, and Japan has ISMAP.

    Interestingly, these highly regulated industries also see more “shadow AI” use, where employees bypass official channels to use productivity-enhancing AI tools. This highlights why clear policies and education are so important.

    Getting CRM and security teams on the same page

    Here’s something that happens all too often: CRM teams plan and implement Salesforce without bringing security experts in early enough. By the time security gets involved, major decisions are already locked in.

    The better approach? Involve security from day one of planning. Help them understand what data you’re storing, what business processes you’re supporting, how your community is interacting, and how everything connects.

    This partnership approach builds security in from the start rather than bolting it on later. Typically, when you open your Salesforce to external communities, the threat level jumps through the roof.

    What this all means for you

    The bottom line is that securing Salesforce today requires understanding that it’s a shared responsibility. It means being prepared for incidents rather than just trying to prevent them. And it requires thoughtful governance around new technologies like AI.

    The organizations that get this right aren’t necessarily the ones spending the most money. They’re the ones fostering collaboration between business, security teams, and cybersecurity vendors, making full use of existing security features, and staying adaptable as the landscape continues to evolve.

    What security challenges are you facing with your Salesforce implementation? The conversation is just beginning.

    Take a look at the fireside chat I had with Chetan Sansare, Senior Director Security and Regulatory Compliance APAC and Gayan Benedict, CTO (ANZ), Salesforce for an even deeper dive.

  • Securing the future of Agentforce: Why Salesforce data governance can’t be an afterthought

    Let’s be clear – when Salesforce becomes your digital front door, your responsibility doesn’t end at deployment. That’s where it begins.

    The security responsibility is yours (and Salesforce’s)

    There’s a persistent myth: “Salesforce handles all the security stuff.” This isn’t the case.

    Yes, Salesforce provides world-class infrastructure – the data centers, the failover systems, the platform fundamentals. But everything inside your org? The users, custom apps, and most importantly, your data? That’s entirely your responsibility.

    If someone uploads malicious content or a team member accidentally nukes a critical dataset, Salesforce isn’t swooping in to save the day. You need your own safety nets.

    That’s exactly why we created WithSecure Cloud Protection for Salesforce back in 2015. We couldn’t find a native solution to scan incoming files and URLs from Experience Cloud users, so we built one ourselves. Today, hundreds of organizations rely on it for real-time protection.

    The hidden danger: unstructured data

    One of the biggest blind spots is unstructured data – all those files, images, and links coming in through portals, forms, chat interfaces, and partner connections. These are malware superhighways.

    Agentforce only amplifies this risk. It’s designed to respond quickly by drawing from multiple data sources. If that data isn’t properly scanned and secured, you’re essentially building a high-speed highway to your most sensitive information.

    Our solution scans files and links in under a second, and that timing matters. Agentforce needs to respond in about 1.5 seconds to meet user expectations. If your security can’t keep pace, it becomes either a bottleneck or something teams will work around (which is even worse).

    Backup isn’t enough (but it’s a start)

    Let’s talk about what actually happens when things go wrong. In my experience, data loss rarely comes from dramatic hacks. It’s usually something mundane: a cleanup job gone sideways, a picklist error, or a field mismatch that cascades across thousands of records.

    When that happens, you need more than just a backup – you need precision recovery. You need to know exactly what changed, what needs fixing, and which data is valid.

    And as your org grows? Performance starts to suffer. Reports crawl, dashboards lag, and users can’t find what they need. That’s where strategic archiving becomes crucial – keeping your Salesforce instance lean and responsive while preserving historical context that your AI tools need to function effectively.

    AI doesn’t have a conscience

    Here’s something that keeps me up at night: AI models will happily process whatever data they’re given, including highly regulated or sensitive information. They don’t know any better.

    It’s up to us to control what these models see and don’t see. That means implementing data masking, tokenization, and encryption before data even enters the AI pipeline. At WithSecure, we partner with companies like Odaseva to ensure sensitive information stays encrypted end-to-end, never exposed, not even during processing.

    This way, you get the intelligence without the regulatory nightmares.

    The missing link: collaboration

    Want to know a common vulnerability I encounter? It’s not technical – it’s organizational. Salesforce admins and cybersecurity teams simply aren’t talking to each other.

    When they do collaborate, magic happens. Risk decreases. Deployment speed increases. Compliance becomes manageable rather than painful.

    The best results come when these teams work as one unit – building policies together, selecting tools together, and responding to incidents with a unified approach. Security isn’t a solo act – it’s the ultimate team sport.

    What you should do today

    If you’re expanding your Salesforce footprint or implementing Agentforce, here’s my practical advice:

    Know what’s lurking in your org – If you’ve used Salesforce for years, there’s likely already malware sitting quietly in old files or attachments. A comprehensive scan can identify and remove these threats.

    Reassess risk whenever anything changes – New user groups? New data types? New features? Each one brings potential vulnerabilities. Don’t wait for something to break.

    Watch those chat interfaces – Agentforce increasingly operates across WhatsApp, Messenger, websites, and more. These are high-risk entry points where unstructured data flows fast and often unfiltered.

    Test your recovery plan – Don’t just have backups; run simulations. Test restoration. Create response playbooks. When something goes wrong, you want muscle memory, not panic.

    The bottom line

    Agentforce is genuinely transformative. It enables faster, smarter, always-on service that customers increasingly expect. But it also significantly increases both the complexity and exposure of your Salesforce environment.

    Here’s the good news: you don’t have to choose between innovation and security. With the right tools and partnerships, you can build a Salesforce experience that’s fast, intelligent, and secure by design.

    And that’s how you unlock the real value of Agentforce – without risking everything else in the process.

    I recently took part in a conversation about this very topic. Take a look below!

  • Is your Salesforce DORA compliant?

    What is DORA?

    The Digital Operational Resilience Act (DORA) is a European Union regulation crafted to boost the operational resilience of financial institutions. It ensures they can withstand, respond to, and recover from ICT-related disruptions, including cyberattacks. It mandates rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM). The regulation applies as of 17 January 2025.

    What’s the purpose of DORA?

    DORA aims to ensure EU financial institutions can effectively manage and mitigate ICT risks, diminish the impact of cyber threats, and sustain business continuity during disruptions.

    Who does DORA apply to?

    DORA applies to the majority of financial institutions operating in the EU. It covers a broad spectrum of financial entities, such as banks, investment firms, payment service providers, insurance companies, and ICT third-party providers like cloud services that support financial institutions.

    DORA’s ICT risk management framework mandates that a firm’s management body bears ultimate responsibility for managing ICT risks, setting and approving the digital operational resilience strategy, and approving policies related to the use of ICT Third Party Providers (TPPs), among other duties.

    How does DORA change the current regulatory compliance?

    There have been previous guidelines similar to DORA, such as the 2019 EBA Guidelines on ICT Security and Risk Management and the 2020 EIOPA Guidelines on ICT Security and Governance. However, as DORA is primary legislation, the level of supervisory scrutiny that firms are subject to is now increasing significantly.

    Key requirements for financial entities:

    • ICT risk management: Financial entities must develop robust governance and control frameworks to manage ICT risks. This includes risk identification, protection measures, system monitoring, and incident recovery.
    • Incident reporting: Entities are required to report significant ICT-related incidents to authorities to enhance oversight and facilitate a coordinated sector response.
    • Testing and audits: Regular testing, including penetration tests and security audits, is mandatory to identify and address vulnerabilities.
    • Third-party risk management: Financial institutions must ensure that third-party ICT providers adhere to equivalent standards, including conducting thorough due diligence for outsourcing critical functions.

    DORA compliance and Salesforce security

    DORA mandates comprehensive oversight across critical business areas, focusing on firm management’s accountability for ICT risks. It includes crafting a digital operational resilience strategy and managing ICT Third Party Providers (TPPs). Breaches could lead to penalties enforced by competent authorities.

    Salesforce is a cloud-based platform that is critical to many financial organizations and their operations. The financial entity will need to ensure that their use of Salesforce complies with DORA’s requirements regarding ICT risk management, third-party oversight, incident reporting, and testing.

    As a leading CRM provider, Salesforce has already taken steps to ensure that the platform’s data governance aligns with DORA – along with other data protection regulations. Collaboration with partners like WithSecure™ is part of Salesforce’s commitment to trust and security, according to Natalie Pope, Lead Solutions Engineer at Salesforce: “DORA is an important step in elevating our offerings to financial services customers, ensuring data and operational resilience are at the forefront of their business goals and company ethos. Our collaboration with partners like WithSecure™ demonstrates Salesforce’s commitment to our number one value of trust, allowing us to offer robust and compliant solutions as part of a trusted digital infrastructure.”

    Key actions to secure Salesforce and comply with DORA

    The new DORA regulation impacts all SaaS products, including Salesforce. When it comes to Salesforce security and risk management, financial institutions should take action in the following areas:

    • Set up ongoing auditing practices to continually assess security risk related to Salesforce and other services connected to it. Implement proper security measures to remediate any gaps.
    • Develop and refine incident management strategies to ensure prompt detection, reporting and resolution of issues. Implement security measures directly for Salesforce that support your strategy.
    • Review and update contracts with ICT providers to meet DORA standards.

    Which Salesforce DORA obligations WithSecure™ Cloud Protection for Salesforce can help with

    WithSecure™ Cloud Protection for Salesforce stops malware and phishing threats on Salesforce in real-time. It helps financial organizations meet their DORA obligations on Salesforce in the following areas:

    DORA mandate for incident reporting: “Financial entities shall report major ICT-related incidents to the relevant competent authority”, “Financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authority. In the event that a technical impossibility prevents the submission of the initial notification using the template, financial entities shall notify the competent authority about it via alternative means.” (Chapter 19, Article 1)

    DORA mandate for detection capabilities: “Financial entities shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.” (Chapter 2, Article 10)

    DORA mandate for incident management: “Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.” (Chapter 17, Article 1)

    Salesforce DORA compliance areas that require added security layers

    How WithSecure™ Cloud Protection for Salesforce helps financial organizations meet their DORA obligations

    WithSecure™ Cloud Protection for Salesforce helps financial institutions detect anomalies such as malware and phishing threats on Salesforce. It provides real-time monitoring capabilities into cyber threats and incidents across the Salesforce environment. It empowers financial institutions with automated threat remediation capabilities, along with prompt alerts.

    WithSecure™ Cloud Protection for Salesforce’s native reporting features support incident reporting to authorities, as mandated by DORA. Reports offer extensive detail about the threat, who has interacted with it, and when. This not only enables sufficient reporting to authorities, but also speeds up the incident management process significantly. Without reporting tools with full event logs and forensic trails, investigating a malware outbreak is costly and time-consuming.

    While remediating the immediate threat of malware, solutions like Cloud Access Security Brokers (CASBs) can introduce more risk by adding vulnerable integrations and data flows to the mix. For this reason, we built the natively integrated, minimally vulnerable and simplified AntiVirus and AntiPhishing solution WithSecure™ Cloud Protection for Salesforce. With this simplified and seamless approach, financial institutions can mitigate risk without inadvertently adding more in the process. You can deploy the native security layer in minutes and strengthen your compliance instantly.

    WithSecure™ Cloud Protection for Salesforce is built with 30+ years of cyber security experience in close collaboration with Salesforce. The solution has achieved ISAE 3000 Type 2 certification (international equivalent to SOC 2 Type 2), and WithSecure™ is ISO 27001 certified, proving the resilience of operations in accordance with DORA’s third-party risk management agenda.

    Ensure Salesforce DORA compliance

    Protect your Salesforce environment against advanced ransomware and phishing attacks in real-time. Natively integrated WithSecure™ Cloud Protection for Salesforce is up and running in minutes. Comprehensive reporting capabilities help you meet DORA incident reporting requirements.
