  • Securing the Future of Agentforce: Why Salesforce Data Governance Can’t Be an Afterthought

    Let’s be clear – when Salesforce becomes your digital front door, your responsibility doesn’t end at deployment. That’s where it begins.

    The Security Responsibility Is Yours (And Salesforce’s)

    There’s a persistent myth: “Salesforce handles all the security stuff.” This isn’t the case.

    Yes, Salesforce provides world-class infrastructure – the data centers, the failover systems, the platform fundamentals. But everything inside your org? The users, custom apps, and most importantly, your data? That’s entirely your responsibility.

    If someone uploads malicious content or a team member accidentally nukes a critical dataset, Salesforce isn’t swooping in to save the day. You need your own safety nets.

    That’s exactly why we created WithSecure Cloud Protection for Salesforce back in 2015. We couldn’t find a native solution to scan incoming files and URLs from Experience Cloud users, so we built one ourselves. Today, hundreds of organizations rely on it for real-time protection.

    The Hidden Danger: Unstructured Data

    One of the biggest blind spots is unstructured data – all those files, images, and links coming in through portals, forms, chat interfaces, and partner connections. These are malware superhighways.

    Agentforce only amplifies this risk. It’s designed to respond quickly by drawing from multiple data sources. If that data isn’t properly scanned and secured, you’re essentially building a high-speed highway to your most sensitive information.

    Our solution scans files and links in under a second, and that timing matters. Agentforce needs to respond in about 1.5 seconds to meet user expectations. If your security can’t keep pace, it becomes either a bottleneck or something teams will work around (which is even worse).

    Backup Isn’t Enough (But It’s a Start)

    Let’s talk about what actually happens when things go wrong. In my experience, data loss rarely comes from dramatic hacks. It’s usually something mundane: a cleanup job gone sideways, a picklist error, or a field mismatch that cascades across thousands of records.

    When that happens, you need more than just a backup – you need precision recovery. You need to know exactly what changed, what needs fixing, and which data is valid.

    And as your org grows? Performance starts to suffer. Reports crawl, dashboards lag, and users can’t find what they need. That’s where strategic archiving becomes crucial – keeping your Salesforce instance lean and responsive while preserving historical context that your AI tools need to function effectively.

    AI Doesn’t Have a Conscience

    Here’s something that keeps me up at night: AI models will happily process whatever data they’re given, including highly regulated or sensitive information. They don’t know any better.

    It’s up to us to control what these models see and don’t see. That means implementing data masking, tokenization, and encryption before data even enters the AI pipeline. At WithSecure, we partner with companies like Odaseva to ensure sensitive information stays encrypted end-to-end, never exposed, not even during processing.

    This way, you get the intelligence without the regulatory nightmares.

    The Missing Link: Collaboration

    Want to know a common vulnerability I encounter? It’s not technical – it’s organizational. Salesforce admins and cybersecurity teams simply aren’t talking to each other.

    When they do collaborate, magic happens. Risk decreases. Deployment speed increases. Compliance becomes manageable rather than painful.

    The best results come when these teams work as one unit – building policies together, selecting tools together, and responding to incidents with a unified approach. Security isn’t a solo act – it’s the ultimate team sport.

    What You Should Do Today

    If you’re expanding your Salesforce footprint or implementing Agentforce, here’s my practical advice:

    Know what’s lurking in your org – If you’ve used Salesforce for years, there’s likely already malware sitting quietly in old files or attachments. A comprehensive scan can identify and remove these threats.

    Reassess risk whenever anything changes – New user groups? New data types? New features? Each one brings potential vulnerabilities. Don’t wait for something to break.

    Watch those chat interfaces – Agentforce increasingly operates across WhatsApp, Messenger, websites, and more. These are high-risk entry points where unstructured data flows fast and often unfiltered.

    Test your recovery plan – Don’t just have backups; run simulations. Test restoration. Create response playbooks. When something goes wrong, you want muscle memory, not panic.

    The Bottom Line

    Agentforce is genuinely transformative. It enables faster, smarter, always-on service that customers increasingly expect. But it also significantly increases both the complexity and exposure of your Salesforce environment.

    Here’s the good news: you don’t have to choose between innovation and security. With the right tools and partnerships, you can build a Salesforce experience that’s fast, intelligent, and secure by design.

    And that’s how you unlock the real value of Agentforce – without risking everything else in the process.

    I recently took part in a conversation about this very topic. Take a look below!

  • What you need to consider in your file security solution for Salesforce

    Files are essential to your Salesforce workflows, but they’re also an easy attack vector. Whether it’s contracts uploaded through a customer portal, invoices submitted via Service Cloud, or internal attachments exchanged in agent chats, every file entering your Salesforce environment carries risk.

    That’s why choosing the right file security solution for Salesforce isn’t about ticking boxes. You need to ensure you have deep, real-time protection against the full spectrum of file-based cyber threats. This means everything from well-known malware to emerging, never-before-seen zero-day attacks.

    Two kinds of file-based threats — and why you need protection against both

    Attackers aren’t just reusing the same old tricks. They’re evolving, and often hiding malicious content inside seemingly harmless files like PDFs, Word docs, and image files.

    1. Commodity malware
    These are widespread threats that security vendors have seen before. This includes viruses, trojans, and ransomware families that have recognizable digital “fingerprints.” Many legacy antivirus products rely on signature-based detection alone, which can be effective here… if you’re lucky and the signature database is up to date.

    2. Zero-day and polymorphic malware
    These pesky threats are the real problem today. Zero-day malware is completely new, often crafted specifically to bypass traditional detection. Polymorphic malware, meanwhile, mutates its code every time it spreads, evading both basic signature detection and one-time-only scanning. These threats are harder to spot, and can cause real damage before anyone notices.

    That’s why a file security solution for Salesforce must go beyond static scanning to get results. And accuracy counts.

    Proven protection: AV-TEST award-winning threat detection

    When selecting a file security solution for Salesforce, you need assurance that your protection is tested and proven – not theoretical marketing pitches.

    That’s exactly what WithSecure delivers. Our advanced malware detection engine, used in WithSecure™ Cloud Protection for Salesforce, is the same core engine behind WithSecure Elements, which earned AV-TEST’s Best Protection Award 2024 after achieving flawless detection results across an entire year of enterprise-grade testing.

    Throughout 2024, AV-TEST rigorously evaluated WithSecure Elements across more than 90,000 malware samples as part of its Enterprise Protection Test. The result? A perfect malware detection rate. Not a single threat slipped through. WithSecure effectively blocked every attack and prevented any damage to the test systems.

    [Image: AV-TEST protection score, WithSecure file security]

    “This result demonstrates the relentless dedication of WithSecure Intelligence, as well as our R&D and cyber security teams, whose expertise ensures our customers stay protected against both known and emerging threats,” says Paolo Palumbo, VP, W/Intelligence at WithSecure.

    This recognition from AV-TEST (which is one of the most trusted independent testing organizations in the cybersecurity industry) offers assurance that WithSecure’s detection capabilities are not only fast and intelligent, but validated in real-world conditions.

    For Salesforce customers, this means that WithSecure Cloud Protection for Salesforce brings the same industry-leading protection into your cloud environment — scanning every file that touches your business, from support tickets and partner portals to automated chat workflows.

    Whether it’s a known virus or a zero-day threat disguised in a PDF, you can trust WithSecure to stop it before it spreads.

    Real-time, multi-layered defense that fits Salesforce

    WithSecure Cloud Protection for Salesforce goes far beyond a basic upload-time file scan. It delivers continuous, multi-layer protection at every stage of your Salesforce workflows — from file uploads and downloads to dynamic interactions via forms, support cases, partner portals, Slack, and more.

    Here’s how it works:

    Multi-layered file analysis engine

    Every file is evaluated using a robust stack of detection technologies, including:

    • Signature-based scanning for known malware variants
    • AI-powered behavioral analysis to detect suspicious patterns and polymorphic malware
    • Cloud sandboxing for deep inspection of complex or unknown file types
    • Real-time threat intelligence feeds, always up-to-date

    This ensures your Salesforce environment is secured against both commodity malware and zero-day threats — no matter where the file comes from or how it’s shared.

    Real-time protection at every entry point

    WithSecure doesn’t wait to act — it scans files immediately when they’re:

    • Uploaded to Salesforce (e.g. via cases, forms, portals, chats)
    • Downloaded by users or agents
    • Accessed or shared within Agentforce workflows or messaging integrations (e.g. WhatsApp, Slack, Web Chat)

    This real-time scanning capability is key in detecting threats like polymorphic malware, which may change form depending on who interacts with it — a major blind spot for conventional AV tools.

    Advanced detection of malicious URLs & QR Codes

    Files today are more than just files — they’re often delivery vehicles for phishing links or embedded QR codes pointing to malicious sites. WithSecure scans inside documents and images, detecting:

    • Malicious links, shortened URLs, redirects
    • QR codes embedded within files
    • Obfuscated or hidden content

    These capabilities are critical in stopping phishing attacks and preventing social engineering threats from reaching your team through Salesforce channels.

    Native to Salesforce — not bolted on

    Unlike external integrations or API-based workarounds, WithSecure Cloud Protection for Salesforce is a truly Salesforce-native application, meaning:

    • No middleware, no added infrastructure
    • Deployed directly from AppExchange
    • Integrates seamlessly into Salesforce UI, objects, and workflows
    • Works with standard and custom objects, Experience Cloud, Sales Cloud, Service Cloud, Government Cloud, omni-channel Agentforce workflows, and more

    It’s fast to deploy, easy to configure, and fully aligned with Salesforce’s architecture. Truly native means more than having an app’s management interface on Salesforce; it describes the way the app itself is built and integrated.

    WithSecure Cloud Protection is already trusted by Fortune 500 companies and public sector organizations worldwide. It meets the highest requirements for security, compliance, and reliability.

    File security is the foundational element of Salesforce security

    Malicious files are still one of the easiest ways into cloud platforms like Salesforce. They are also among the hardest threats to detect without advanced protection. Without a purpose-built solution, there is no visibility into file-based threats on Salesforce, making incident response and forensics expensive and time-consuming.

    WithSecure Cloud Protection for Salesforce uses multi-layered, real-time analysis to detect both commodity malware and elusive zero-day threats. Powered by industry-leading engines and embedded natively in Salesforce, it stops what others miss before it ever reaches your data, workflows, or users.

  • Jira credentials breached: Why the HELLCAT attacks should alarm every Salesforce customer 

    In a growing spree of targeted cyberattacks, the HELLCAT threat group has breached at least six organizations in just five months by exploiting exposed Jira credentials. Victims include high-profile enterprises like Telefonica, Orange Group, and Jaguar Land Rover (JLR). In the JLR case alone, attackers exfiltrated and leaked over 700 internal documents, including source code, development logs, tracking data, and sensitive employee information. 

    These weren’t isolated incidents. HELLCAT followed a consistent playbook: targeting Jira for its central role in enterprise operations and its integration into broader ecosystems. The platform often holds architectural plans, API keys, internal communications, and workflow data. Sounds like a goldmine for attackers. 

    Stolen credentials are the culprit in the cloud

    So, what made these attacks possible? It was stolen credentials harvested by infostealer malware, often from external third parties. In one case, Jira credentials belonging to an LG Electronics employee still granted access to JLR’s Jira instance—years after the initial compromise. Those credentials had been exposed for years yet remained valid. 

    This isn’t a corner case. Credentials compromised – for example in old infostealer campaigns – are still readily available on the dark web. And as long as they work, attackers will continue using them. Many organizations don’t consider these risks in their security plans. This is the case especially when the credentials belong to external users like partners, contractors, or vendors. 

    The lesson is clear: in cloud environments, access doesn’t end at the walls of your organization. 

    Breached Jira credentials: The Salesforce parallel 

    From the attacker’s point of view, Jira is not unique. Salesforce mirrors Jira closely: 
     

    • Vast amounts of sensitive data – customer records, contracts, invoices, case files, product roadmaps 
    • Extensive third-party access – via customer portals, partner users, and even agent automation. 
    • Central to workflows – tightly integrated with other platforms through APIs and automation, even more than Jira 
    • Credential risk blind spots – these are ticking time bombs especially for community users and partners outside core IT controls 

    Salesforce is targeted more and more by sophisticated cyber attacks

    Just like Jira, Salesforce is increasingly targeted. Many companies still don’t enforce MFA across all user types. Infostealer dumps are often loaded with credentials tied to cloud accounts, including Salesforce user accounts, which may go unmonitored or unchanged for years. Identity compromise is practically invisible to traditional security layers – until it’s too late.

    The HELLCAT breaches aren’t just a Jira credential risk. They’re a SaaS ecosystem wake-up call. 

    WithSecure helps mitigate identity risks on Salesforce

    Salesforce isn’t just a business app or CRM anymore – it’s an infrastructure and a backbone to critical commercial operations. Without proper visibility into identity risk and real-time file and URL-based threats, the door is wide open. 
     

    WithSecure Cloud Protection for Salesforce provides: 

    • Real-time threat scanning of all files and URLs inside Salesforce 
    • Blocking of phishing links that direct to credential harvesting sites – even when hidden inside files or behind QR codes 
    • Stopping files that hide malware and ransomware, including infostealers and never-before-seen zero-day threats  
    • [COMING SOON!] Credential compromise detection to identify at-risk users  

    Switch roles from an administrator to Salesforce defender

    Salesforce customers need to think like defenders, not just administrators. You should treat Salesforce like the critical platform it is. Understand who’s accessing it.

    And don’t assume that credentials leaked five years ago aren’t still being exploited today. 

    Soon, we can help you monitor for credential compromises – especially among external users with our upcoming Identity Protection capabilities.  

    Trusted by highly regulated Fortune 500 enterprises globally, WithSecure Cloud Protection for Salesforce delivers scalable, quick-to-deploy Salesforce native protection. No added complexity, hindrance to your operations, or impact on your custom workflows. Just award-winning detection capabilities delivered in real-time.

    Curious about the upcoming Identity Protection feature? Contact us from the form below.

  • Future of Agentforce: cyber threat landscape

    The future of Agentforce is marked by swift business operations and a constant stream of AI-driven value. More and more AI agents process vast amounts of data, automate customer touch points, and interact across multiple platforms. At the same time, the cyber threat landscape will also be in flux. Here are our key predictions when it comes to cyber threats, and security strategies for adapting to them.

    Prediction 1: Agent efficiency drives exponential growth in data volumes

    AI agents, like those powered by Agentforce, excel at streamlining workflows, automating routine tasks, and enabling organizations to scale operations. By eliminating artificial restrictions, such as hiding customer service contact forms, businesses can handle significantly more inbound cases.

    As a result, the sheer volume of data being processed – both structured and unstructured – will rise dramatically.

    With an influx of data, the need for robust, real-time file and URL scanning solutions for Agentforce workflows will grow exponentially in the future. Organizations must deploy scalable, efficient threat detection systems like WithSecure™ Cloud Protection for Salesforce to mitigate risks without compromising operational agility.

    Prediction 2: New ways of processing and distributing content

    In the future, Agentforce agents will manage and distribute files and URLs at an unprecedented scale, both within organizations and externally to customers and partners. Agents may inadvertently share malicious content, amplifying the spread of threats.

    The risk of malware and phishing attacks increases as malicious files and URLs spread more freely through automated systems.

    Organizations need advanced real-time scanning solutions that proactively detect and neutralize threats. WithSecure’s cloud-native protection layer ensures that files and URLs are scanned immediately as they enter the platform, and again when a user interacts with them. They are effectively neutralized before they can disrupt operations or damage customer trust.

    Prediction 3: Integration with collaboration tools expands the attack surface

    Agentforce integrates with tools like Slack, WhatsApp, and Salesforce Messaging for In-App and Web (MIAW), facilitating seamless communication. For instance, a recruitment AI agent might share links to candidate portfolios or PDF resumes in Slack channels. However, these conveniences come with risks.

    Collaboration tools will become a more prominent vector for malicious content, with harmful files or phishing links reaching large audiences quickly.

    To address this, businesses must prioritize centralized security solutions that sit where data is processed and stored – within Salesforce itself. By centralizing protection at the source, organizations can ensure that all files and links handled by Agentforce agents are safe before they reach external platforms.

    What does the future of Agentforce look like from the threat landscape’s point of view?

    In the grand scheme of things, how does the AI and Agentforce dominant future change the threat landscape? We are already seeing a significant surge in SaaS breaches – +300% year-on-year to be precise. The same growth rate can unfortunately be seen also in malicious content on Salesforce, as detected in the customer environments we protect. SaaS applications, including platforms such as Salesforce, are increasingly targeted by cyber criminals.

    If the detection ratio of malicious files and phishing links remains the same or grows, and the volume of unstructured data grows, the risk of a data breach through these agentic workflows becomes a more pressing concern.

    GenAI has been seen as a disruptor in the cyber threat landscape for a while now, with services like FraudGPT rising in popularity. However, GenAI has also become the disrupted. Vulnerabilities of services like DeepSeek and Meta’s Llama make it clear that the same weaknesses apply to AI services as any other software.

    Although the future of GenAI and agentic AI has many uncertainties, cyber defenders can prepare and take action.

    The good AI vs. bad AI race will keep on going. Defenders should adopt advanced security measures that leverage AI and machine learning to detect threats as fast as the agents operate. At the end of the day AI is fast. Agents are fast. Attacks that leverage AI are fast. Similarly, speed in preventative measures is crucial.

    What you can do to secure your Salesforce data in the age of agents

    • Adopt real-time scanning: Implement AI-powered solutions like WithSecure™ Cloud Protection for Salesforce to ensure continuous protection for growing data volumes. Secure files and URLs shared via Slack, WhatsApp, and other platforms to reduce exposure.
    • Focus on centralized protection: Since agents operate within Salesforce, protecting the Salesforce environment directly is more effective than securing individual endpoints or third-party tools.
    • Regularly audit and update data: Maintain clean, accurate, and secure datasets to minimize the risk of inaccuracies in AI-driven workflows.
    • Apply the principle of least privilege: Only give agents the access and permissions they require to do their job. Manage access and authentication vigilantly.
    • Educate and train teams: Equip users with the knowledge to manage and secure AI-powered operations effectively.

    100% Salesforce native threat protection for Agentforce workflows

    Agentforce boosts efficiency by automating customer touchpoints, but it also increases exposure to malware and phishing risks through the handling of files and links.

    WithSecure™ Cloud Protection for Salesforce addresses these gaps with real-time scanning that integrates natively into Salesforce workflows. By stopping threats at the source, it ensures both AI agents and human users operate safely, preventing disruptions and securing sensitive interactions.

    Trusted by highly regulated Fortune 500 enterprises globally, WithSecure Cloud Protection for Salesforce delivers scalable, quick-to-deploy Salesforce native protection. No added complexity, hindrance to your operations, or impact on your custom workflows. You are fully empowered to leverage Agentforce’s potential without compromising the safety of your data.

  • Agentforce security: protect agent workflows against cyber threats

    Unlock productivity without compromising security

    Agentforce security – the new security aspect to consider in 2025.

    In 2025, agentic AI is expected to take precedence over generative AI. Agentic AI like Salesforce Agentforce enables humans to collaborate with AI agents to enhance customer experiences and create vast digital workforces.

    Salesforce Agentforce is transforming how you operate, automating customer touchpoints across sales, service, and marketing. It enables your business to handle vast amounts of data more efficiently than ever before. But with great power comes great responsibility. This surge in unstructured data, like files and URLs, also introduces new risks.

    Consequently, phishing links, malware, and ransomware can sneak into your Salesforce environment through the agent workflows that make your operations seamless. If left unchecked, these threats can disrupt your business, compromise customer trust, and undermine the very efficiencies Agentforce was designed to deliver.

    Agentforce data security is your responsibility

    Agentforce automates workflows by processing files and URLs uploaded via customer portals, web forms, or shared through collaboration tools like Slack and WhatsApp. While this creates incredible opportunities for productivity, it also amplifies your exposure to cyber risks:

    • Phishing links: Agents might unknowingly share malicious URLs, leading to data breaches or credential theft.
    • Malware in files: Files uploaded by customers or partners can contain ransomware or other malware.
    • Agent-human interactions: As agents transition data to human employees, malicious content can spread across teams or even to external customers.
    • Collaboration tools: Links and files shared across platforms like Slack can widen the attack surface, exposing sensitive data or propagating harmful content.

    The challenge? Salesforce doesn’t by default scan these Agentforce touch points for cyber threats. According to the Shared Responsibility Model of Cloud Services, it’s your responsibility as the cloud customer to secure the data that goes in and out of the platform. It’s your responsibility whether the data flows through agents or is handled by human users. This covers both how the data handling is configured (like who can access it and how Agents can handle the data on the platform), and what data is allowed to flow through Agentforce workflows (including cyber threats like malicious files).

    How to secure Agentforce workflows

    This is where WithSecure™ Cloud Protection for Salesforce comes in. Designed to work seamlessly within Salesforce, our solution ensures your workflows remain secure while letting you focus on what matters most: delivering exceptional customer experiences.

    • Real-time threat protection: Every file and URL is scanned instantly upon upload, download, or click – blocking malicious content before it poses a risk. How fast? While AI agents respond in an average of 1.5 seconds, our solution detects and neutralizes threats in just 1 second on average.
    • Salesforce-native integration: Because our solution is 100% Salesforce native, you get the protection you need without added complexity and vulnerabilities.
    • Secure collaboration: Files and URLs shared via tools like email-to-case or web-to-case are checked right at the platform and made secure for both human and agent users.
    • Uninterrupted operations: Our real-time protection ensures your agent-powered workflows run smoothly, without disruptions.

    Preparing for the future of increased unstructured data volumes on Salesforce

    Agentforce is revolutionizing business, and its adoption is only going to grow. As your AI agents process increasing volumes of files and URLs, the need for robust, real-time scanning will only become more critical. WithSecure™ is here to help you stay ahead of these risks.

    By securing your workflows, we ensure you can harness the full potential of Agentforce to innovate and grow without compromising the security of your data or the trust of your customers.

    Let’s secure your Salesforce for both agents and humans

    At WithSecure™, we’re committed to helping you make the most of Salesforce and Agentforce while fulfilling your security responsibilities. Together, we can ensure your agent-powered digital transformation is secure, seamless, and future-ready. If you’d like to learn more about how we can help safeguard your workflows, let’s connect.

  • The risk of newly registered domains on Salesforce and how to mitigate it

    Real-life evidence of NRD risks

    Cyber attackers use phishing in the majority of data breaches – IBM reports a staggering 41% of all attacks attributed to it, while Deloitte notes that phishing accounts for two in every five attacks. The Anti-Phishing Working Group (APWG) underscores that 77% of phishing domains are specifically registered for malicious purposes. These domains frequently serve as launchpads for extensive phishing and malware attacks, making their scrutiny a critical security practice.

    Similarly, Interisle Consulting Group observed that a significant increase in phishing is linked to the use of domain names, with an 85% jump in domains used for cyberattacks.

    Research from Palo Alto reinforces these concerns, and indicates that at one point, over 70% of newly registered domains (NRDs) were “malicious,” “suspicious,” or “not safe for work.” This statistic underscores the consistent risk posed by newly established domains over the years.

    NRDs are employed not only for phishing but also as vectors for malware distribution and command-and-control operations. Because cybercriminals can register and activate new domains quickly, they can deploy and evolve their attacks rapidly and bypass traditional detection methods. This creates urgent challenges for cybersecurity defenses in environments like Salesforce.

    Why combating phishing on Salesforce is crucial

    Phishing attacks pose a significant threat to organizations using Salesforce, exploiting the platform’s extensive functionalities to carry out sophisticated cyberattacks. These threats primarily target human error, using deceptive emails or malicious URLs to manipulate users into divulging confidential information such as login credentials, thereby compromising entire systems.

    1. Data integrity and security: Salesforce serves as a repository for vast amounts of sensitive corporate and customer data. Phishing attacks gain unauthorized access to data, causing data breaches that severely damage a company’s reputation and lead to substantial financial losses.
    2. User trust and compliance: Customers trust organizations to safeguard their personal information. A successful phishing attack can erode this trust, damage customer relationships, and potentially violate compliance regulations that protect user data.
    3. Operational continuity: Phishing attacks disrupt the normal business operations of Salesforce, which leads to downtime and decreased productivity.

    Proactive NRD blocking is the simplest and the most effective strategy

    Managing NRD threats effectively requires a combination of technology and strategy tailored to an organization’s specific risk tolerance. Although user awareness is important, no Salesforce user should be expected to act as a phishing detective. Enterprises with low risk tolerance should proactively block NRDs from interacting with their Salesforce systems. By utilizing real-time intelligence, WithSecure Cloud Protection for Salesforce empowers organizations to selectively block NRDs. The solution analyzes the domain’s age. Customers can configure settings to block domains registered within recent time frames, including 7, 14, 30, 60, or 90 days.

    Incident response insights 

    Our incident response team has identified attacks on Salesforce environments where NRDs were a factor. These observations have reinforced the need for robust NRD management and influenced the development of product features that meet the stringent compliance requirements of many enterprise customers. These customers often mandate that newly created domains should not gain access to their Salesforce platforms.

    “Many enterprises, particularly financial institutions, have stringent requirements. For instance, they mandate that domains less than 32 days old are not allowed on their network or platform,” Anssi Korpilaakso, Director of Business Operations at WithSecure Cloud Protection for Salesforce, concludes.

    The problem calls for systemic intervention

    To curb the misuse of newly registered domains (NRDs) in cyberattacks more effectively, authorities need to take broader regulatory actions instead of merely placing the responsibility for risk management on the victims.

    • Regulatory oversight: Authorities could impose stricter controls on service providers that disproportionately enable cybercriminals, possibly penalizing those that consistently supply the means for cyberattacks.
    • Identity verification: Introducing stringent identity verification or certification requirements for bulk domain registration can prevent misuse by making it harder for cybercriminals to anonymously acquire domains.
    • Limiting resources: Restricting the number of accounts and subdomains one can register with free or inexpensive web hosting services could curtail the ability of attackers to proliferate harmful domains.
    • Automated monitoring: Deploying automated systems to monitor and screen suspicious registration and usage patterns can preemptively catch potentially malicious activities.

    Comprehensive phishing protection – 100% Salesforce-native

    WithSecure™ Cloud Protection for Salesforce enhances defenses against URL-based threats, including the risks associated with newly registered domains (NRDs). This constantly updated suite of URL scanning features actively addresses the hidden dangers of malicious URLs within Salesforce.

    Stop phishing and URL-based threats instantly: The URL Protection feature actively guards against phishing and malicious websites. It scans URLs upon upload and when clicked. This real-time scrutiny is crucial for intercepting threats before they impact your system.

    Dynamic protection against evolving threats: The nature of URL threats is volatile. A link that was once deemed safe can turn malicious later. The Click-Time URL Protection feature dynamically evaluates URLs at the point of access and adapts to the mutating threats.

    Block newly registered domains: You can block access to domains based on their registration age. The age threshold is adjustable from 7 to 90 days. This effectively reduces the risk of falling victim to attacks that are launched from newly established malicious sites.

    Comprehensive detection of malicious URLs: The solution detects and blocks harmful URLs that are within files and behind QR codes. This extends protection beyond visible links in text fields. This comprehensive approach helps thwart hidden malware and phishing attempts encoded within document uploads.

    Block shortened URL threats: Shortened URLs, often used for their convenience, can mask dangerous destinations. Our system ensures every link is verified, enhancing security against camouflaged threats that could otherwise bypass detection.

    Tailored security for high compliance sectors: We have designed the solution with the needs of highly regulated industries in mind. Robust protection aligns with the stringent security requirements of finance and public sectors.
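
    The domain-age rule described under "Proactive NRD blocking" and "Block newly registered domains", sketched as an added example that is not WithSecure's code. The registration table, the function names, the boundary handling and the policy for domains of unknown age are assumptions made for illustration; only the 7/14/30/60/90-day windows come from the page.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Block windows named on the page (days since registration).
ALLOWED_WINDOWS = (7, 14, 30, 60, 90)

# Constructed sample data. A real deployment would take registration dates
# from RDAP/WHOIS or a threat-intelligence feed (assumption).
NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)
REGISTRATIONS = {
    "example.com": datetime(1995, 8, 14, tzinfo=timezone.utc),
    "invoice-portal.example": NOW - timedelta(days=3),
    "partner-docs.example": NOW - timedelta(days=45),
}


class Verdict(NamedTuple):
    action: str                # "block" or "allow"
    domain: Optional[str]      # registered domain that matched, if any
    age_days: Optional[int]    # whole days since registration, if known
    reason: str


def hostname_of(url: str) -> str:
    """Extract the lower-cased hostname, tolerating URLs without a scheme."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host


def find_registration(host: str, registrations: dict):
    """Match the host or any parent domain (never the bare TLD) against
    the registration table, longest name first."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in registrations:
            return candidate, registrations[candidate]
    return None, None


def evaluate(url: str, window_days: int, now: datetime,
             registrations: dict = REGISTRATIONS,
             block_unknown: bool = True) -> Verdict:
    """Decide whether a URL falls under the NRD block window at time `now`.

    Passing the evaluation time explicitly lets the same URL be checked
    at upload and again at click time.
    """
    if window_days not in ALLOWED_WINDOWS:
        raise ValueError(f"window must be one of {ALLOWED_WINDOWS}")
    host = hostname_of(url)
    domain, registered = find_registration(host, registrations)
    if registered is None:
        # Unknown age (also the case for IP-literal hosts): fail closed
        # by default, as a low-risk-tolerance policy would (assumption).
        action = "block" if block_unknown else "allow"
        return Verdict(action, None, None, "registration date unknown")
    age = (now - registered).days
    # Boundary choice (assumption): a domain exactly `window_days` old
    # is treated as outside the window.
    if age < window_days:
        return Verdict("block", domain, age,
                       f"registered {age} days ago, inside {window_days}-day window")
    return Verdict("allow", domain, age,
                   f"registered {age} days ago, outside {window_days}-day window")


if __name__ == "__main__":
    for u in ("https://login.invoice-portal.example/reset",
              "partner-docs.example/file.pdf",
              "https://unknown-site.example/"):
        print(u, "->", evaluate(u, 30, NOW))
```

    Age alone says nothing about an old domain that has been compromised, which is why the page pairs this rule with reputation checks at upload and at click time.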

    Concerned about malicious URLs entering your Salesforce environment? Contact our team for a free consultation.

  • How WithSecure Cloud Protection for Salesforce Complements Salesforce

    In today’s interconnected enterprise and cloud ecosystem, Salesforce is a powerful, secure platform that offers significant benefits for managing strong, lasting customer relationships. However, Salesforce’s success makes it a target for cybercriminal activity. Now used at over 150,000 enterprises worldwide, Salesforce and your Salesforce customer-related data are prominent marks for bad actors and cybercriminals. Let’s discuss how WithSecure Cloud Protection for Salesforce complements Salesforce for organizations of any size.

    Shared Responsibility is the first step towards securing Salesforce

    Salesforce follows the Shared Responsibility Model, which emphasizes that security is a joint effort between Salesforce and its customers. Other cloud providers, including Amazon Web Services, Google Cloud, and Microsoft Azure, also utilize this model. Simply stated, the Shared Responsibility Model means the cloud provider is responsible for securing their cloud services and the underlying infrastructure. Customers are responsible for protecting their data, even though it is stored in the cloud environment.

    Accordingly, customers must understand what security measures Salesforce does not provide to address these gaps. Recognizing the security limitations of what Salesforce offers is an essential first step in developing a comprehensive security strategy for Salesforce.

    Scanning for malware, phishing, spam and ransomware is left to the customer

    Salesforce is dedicated to establishing standards in SaaS (software-as-a-service) and being a reliable partner in customer security. To enhance the security of a Salesforce instance, Salesforce offers various recommendations for customers to implement. One of the key suggestions is to use security solutions like WithSecure Cloud Protection for Salesforce, which provides spam filtering and malware protection.

    Haven’t we solved the malware problem?

    Malware, viruses, spam, trojans, etc., continue to wreak havoc on enterprises. According to the recent IBM Cost of a Data Breach Report 2024, the average cost of a malware attack in 2024 is around $5.24 million globally, up 10 percent from 2023. Specific organizational losses have been much higher when factoring in the additional ransomware costs.

    There are many effective server, desktop and mobile scanning solutions to thwart malware. However, the rise of cloud-provided applications has further complicated malware detection because, in the case of Salesforce, documents, files, etc., often legitimately bypass enterprise scanning systems.

    When a user uploads a file or attachment to Salesforce, no native file scanning is applied. These documents almost always, by their nature, bypass the normal enterprise-level scanning mechanisms. Further, the lack of automatic scanning allows an external user to attach a malicious file, putting Salesforce data at risk.

    Today, enterprises need a broad, defense-in-depth approach to thwart these threats and complement Salesforce security.

    How WithSecure Cloud Protection for Salesforce works

    The WithSecure Cloud Protection for Salesforce solution is the simplest way to stop file, URL and QR code-based cyber threats like malware, ransomware and phishing attacks on your Salesforce cloud. Here is how it works:

    1. A user, unwittingly or knowingly, uploads malicious files, attachments, URLs or QR codes to a Salesforce platform. It might be from web forms, partner portals, emails, or third-party applications.

    2. WithSecure Cloud Protection for Salesforce intercepts and scans all content entering and leaving Salesforce in real-time for threats using a multi-stage threat analysis process. Content can also be scanned retrospectively on-demand.

    3. All data stays in the Salesforce cloud. Only suspicious files that cannot be detected as threats based on global threat intelligence checks are evaluated for a deeper behavioral analysis. The files are sent to the WithSecure Security Cloud, where they are analyzed in an isolated sandboxing environment to detect even the stealthiest and most sophisticated cyber threats.

    4. When a threat is detected, administrators are automatically alerted. The end-user is advised on what to do next, and further use of the content is prevented.

    5. Advanced security analytics with full audit trails speed up the incident response. Relevant data, alerts, and workflows can be easily integrated into SIEM or other centralized security systems.

    WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce

    WithSecure Cloud Protection for Salesforce is designed to reduce the risk of advanced cyber threats targeting Salesforce. It offers:

    • Real-time protection and immediate visibility into your entire environment
    • Seamless integration with your customizations and workflows
    • Full support for the infrastructure security controls that Salesforce provides

    This solution meets the stringent compliance requirements of modern enterprises and critical public sector organizations, making it an excellent choice for enhancing your Salesforce security.

    Developed in collaboration with Salesforce, WithSecure Cloud Protection for Salesforce is used and recommended by Salesforce.

    To learn more about WithSecure Cloud Protection for Salesforce:

    • Learn more about WithSecure Cloud Protection for Salesforce in our newest video, 60 Seconds with WithSecure.
    • Take a test drive and read user reviews on Salesforce AppExchange. 
    • Book a demo to see Cloud Protection for Salesforce live and learn how it can protect your Salesforce instance.
  • Protecting Your Salesforce Environment from Ransomware

    As the risk of cyber-attacks increases, understanding how to protect your Salesforce environment from malware becomes a priority. Salesforce’s approach to securing Salesforce is based on the Shared Responsibility Model (SRM). This model can be somewhat intricate to understand. At its most basic level, Salesforce is responsible for securing its infrastructure and ecosystem. In addition, Salesforce offers several specialized, value-added security solutions, such as Salesforce Shield (for platform encryption, event monitoring, and audit reporting), Salesforce Data Mask (enables admins and developers to mask sensitive data in sandboxes such as personally identifiable information (PII) or sales revenue), and the Salesforce Privacy Center (tools to help manage GDPR and PII governance).

    However, under the SRM, Salesforce customers – administrators, architects, security teams, and users – must understand their responsibilities. Customers, for example, are responsible for protecting their data, using the right access controls and permission sets, and securing the objects within Salesforce.

    Most importantly, in the area of data protection, Salesforce does not offer capabilities for detecting and preventing malware, ransomware or phishing links. Salesforce encourages customers to form a relationship with vendors, such as WithSecure Cloud Protection for Salesforce, to prevent malware and phishing attacks from occurring within their Salesforce.

    How does malicious data get into Salesforce?

    Salesforce has evolved extensively since its beginning as a sales automation platform in the 1990s. Today, it is used by over 150,000 organizations globally to manage sales and service organizations and to maintain customer relationship data. Users constantly import, share, store and export data files, attachments, URLs and QR codes associated with customers, partners, community members, and internal employees. Typical use cases for importing and exporting files include email-to-case, web-to-case, and third-party custom apps that allow users to upload documents. Each file and attachment uploaded to Salesforce opens the door to malware exposure, which can quickly propagate across the instance.

    Malicious files, URLs and QR codes pose risks to Salesforce customers

    The presence of malicious files is on the rise within Salesforce. These files contain or are conduits for ransomware, phishing exploits, viruses, worms, keyloggers, trojans, spyware, adware etc. Between Q2 2023 and Q2 2024, there has been a roughly 400% increase in malicious files found within Salesforce.

    URLs and QR codes are increasingly the trigger point for malicious activity. To protect Salesforce users, WithSecure Cloud Protection for Salesforce scans hundreds of thousands of URLs each month. On average, 1.5% of URLs uploaded to Salesforce are malicious. And, that percentage will likely grow in the future.

    Case Study: An unprotected Salesforce instance leads to a Ransomware attack

    An enterprise organization presented WithSecure Cloud Protection for Salesforce with a particular scenario they had experienced. In this scenario, an attacker leveraged Salesforce to infect the company’s network.

    The attacker, posing as a customer, sent an email to the company to steal vital data. The email contained a malicious attachment. The enterprise user who received the email opened the attachment. That triggered a few exploitations, leading to malware that infected the user’s machine and installed a keylogger on the infected device. The attacker gained domain administration access and launched a command-and-control PowerShell script, which deployed ransomware to hundreds of workstations within the company’s local area network.

    Had this enterprise been using WithSecure Cloud Protection for Salesforce, the preceding scenario would have been much different. WithSecure’s goal is to stop all attacks within the Salesforce cloud.

    WithSecure Cloud Protection for Salesforce scans files and attachments. The following screenshot shows the File Protection Settings screen.

    • If malicious content is detected, WithSecure will quarantine the suspicious file attachments in a safe sandbox environment, as shown in the following screenshot.

    WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce

    WithSecure Cloud Protection for Salesforce is a native application that runs in your Salesforce environment. The app prevents malicious, suspicious and disallowed content from entering your Salesforce environment via files, web links, QR codes and email messages.

    WithSecure Cloud Protection for Salesforce focuses on securing Salesforce to mitigate advanced cyber threats on Salesforce. It:

    • Provides real-time protection and instant visibility into your entire environment
    • Works seamlessly with your customizations and workflows
    • Fully complements the infrastructure security controls that Salesforce provides

    WithSecure Cloud Protection for Salesforce meets the strict compliance requirements of modern enterprises and critical public sector organizations. It is an ideal choice for enhancing your Salesforce security.

    WithSecure Cloud Protection for Salesforce was designed in collaboration with Salesforce.

    Get to know WithSecure Cloud Protection for Salesforce, or use the form below to contact our team to discuss your Salesforce security requirements.

  • You Should Be Scanning Your Salesforce Documents

    Salesforce initially set out to create a sales-focused software app delivered in a revolutionary model: Software-as-a-Service (SaaS). Early versions of the app were modest. It was focused on only sales automation and forecasting. It did not support importing, storing or downloading files or attachments. But, as it grew in popularity, Salesforce grew more sophisticated. Now, it is the world’s leading, preeminent customer relationship management (CRM) service and supports a massive ecosystem including a broad set of internally developed and third-party developed applications.

    Files and documents everywhere

    Millions of files are uploaded to and exported from Salesforce daily. Administrators, users, executives, etc., interact with forms, templates, reports, email messages, logos, images, etc., for various use cases. Some examples of documents imported/exported from Salesforce include:

    • Email templates (for example, to promote a new product that salespeople can customize for their customers).
    • Email-to-Case files (Email-to-Case turns customer emails into cases for the support team).
    • Documents imported from Salesforce communities.

    Some of these files likely contain malicious content from either a malicious user or an unwitting user merely passing along an unvetted file. Further, these documents will usually bypass desktop or server-based virus detection applications. As a result, they represent a threat to the Salesforce instance.

    It often comes as a surprise to learn that Salesforce does not include virus or malware scanning for file attachments, documents, URLs or QR codes. Salesforce, like most cloud-based application vendors, follows the Shared Responsibility Model. Under this model, customers are responsible for the security of their data. While Salesforce’s infrastructure security provides an extremely strong foundation, no built-in threat detection exists, as this is the customer’s responsibility. As such, customers must employ tools to defend against malware and phishing attacks.

    Users need to take this responsibility seriously. According to Infosecurity Magazine and Proofpoint’s 2024 State of the Phish report, over two-thirds (69%) of organizations experienced a successful ransomware incident in the past year. Malicious files were major contributors.

    An example from the Salesforce Trailblazer Community

    For example, consider this actual security incident reported to the Salesforce Trailblazer Community:

    “We experienced a security breach on one of our Salesforce Orgs the other day, where we use(d) the Email to Case functionality. A file containing malware in a .JS format was attached to a case. A user clicked on it, assuming it is safe to do so, and it wiped out all of her personal files on that laptop, as well as all recently viewed public files.” 

    Sadly, this customer learned too late about the requirement to fully think through how to secure Salesforce.

    Securing Salesforce is always a top priority

    Securing and protecting sensitive customer data is critical for the more than 150,000 companies that rely on Salesforce. Salesforce provides industry-leading security for its platform and infrastructure but cannot control customer endpoints. Hence, it is the customer’s responsibility to ensure that those endpoints have up-to-date antivirus protection. As a result, the Salesforce security approach is based on a Shared Responsibility Model. Salesforce relies on third-party partners and vendors to complete and complement the security approach with document and file scanning.

    WithSecure™ Cloud Protection for Salesforce

    To stay ahead of bad actors, WithSecure Cloud Protection for Salesforce is singularly focused on complementing the Salesforce security stack by providing file and document protection. WithSecure uses advanced threat protection mechanisms and technologies, including AI and cloud sandboxing, to detect, quarantine and neutralize threats in real time. This past year, WithSecure Cloud Protection for Salesforce has forged ahead with industry-leading capabilities to stay ahead of bad actors, including:

    • Detecting malicious URLs in files: WithSecure Cloud Protection for Salesforce detects and blocks malicious URLs hidden inside files uploaded to Salesforce.
    • Detecting and blocking shortened URL threats: Shortened URLs can mask risky content while bypassing traditional security controls. WithSecure uncovers and blocks these threats, verifying every link, whether shortened for convenience or to mask something more sinister.
    • URL protection across custom objects and fields: WithSecure supports URL Protection for Salesforce’s standard and customized objects and fields.
    • Detecting malicious QR codes in files: WithSecure now includes QR code scanning to defend against quishing attacks across Salesforce. What is a quishing attack? In a quishing attack, bad actors create a QR code and link it to a malicious website. That QR code is then included in a piece of content, which users unwittingly click on.
    • Enhanced file digital fingerprinting: WithSecure sharpens detection accuracy without impacting performance.

    Additional Resources

    • Learn more about WithSecure Cloud Protection for Salesforce in our newest video, 60 Seconds with WithSecure.
    • Take a test drive and read user reviews on Salesforce AppExchange. 
    • Book a demo to see Cloud Protection for Salesforce live and learn how it can protect your Salesforce instance.
  • Is your Salesforce DORA compliant?

    What is DORA?

    The Digital Operational Resilience Act (DORA) is a European Union regulation crafted to boost the operational resilience of financial institutions. It ensures they can withstand, respond to, and recover from ICT-related disruptions, including cyberattacks. It mandates rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM). The regulation applies as of 17 January 2025.

    What’s the purpose of DORA?

    DORA aims to ensure EU financial institutions can effectively manage and mitigate ICT risks, diminish the impact of cyber threats, and sustain business continuity during disruptions.

    Who does DORA apply to?

    DORA applies to the majority of financial institutions operating in the EU. It covers a broad spectrum of financial entities, such as banks, investment firms, payment service providers, insurance companies, and ICT third-party providers like cloud services that support financial institutions.

    DORA’s ICT risk management framework mandates that a firm’s management body bears ultimate responsibility for managing ICT risks, setting and approving the digital operational resilience strategy, and approving policies related to the use of ICT Third Party Providers (TPPs), among other duties.

    How does DORA change the current regulatory compliance?

    There have been previous guidelines similar to DORA such as 2019 EBA Guidelines on ICT Security and Risk Management and the 2020 EIOPA Guidelines on ICT Security and Governance. However, as DORA is primary legislation, the level of supervisory scrutiny that firms are subject to is now increasing significantly.

    Key requirements for financial entities:

    • ICT risk management: Financial entities must develop robust governance and control frameworks to manage ICT risks. This includes risk identification, protection measures, system monitoring, and incident recovery.
    • Incident reporting: Entities are required to report significant ICT-related incidents to authorities to enhance oversight and facilitate a coordinated sector response.
    • Testing and audits: Regular testing, including penetration tests and security audits, is mandatory to identify and address vulnerabilities.
    • Third-party risk management: Financial institutions must ensure that third-party ICT providers adhere to equivalent standards, including conducting thorough due diligence for outsourcing critical functions.

    DORA compliance and Salesforce security

    DORA mandates comprehensive oversight across critical business areas, focusing on firm management’s accountability for ICT risks. It includes crafting a digital operational resilience strategy and managing ICT Third Party Providers (TPPs). Breaches could lead to penalties enforced by competent authorities.

    Salesforce is a cloud-based platform that is critical to many financial organizations and their operations. The financial entity will need to ensure that their use of Salesforce complies with DORA’s requirements regarding ICT risk management, third-party oversight, incident reporting, and testing.

    As a leading CRM provider, Salesforce has already taken steps to ensure that the platform’s data governance aligns with DORA – along with other data protection regulations. Collaboration with partners like WithSecure™ is part of Salesforce’s commitment to trust and security, according to Natalie Pope, Lead Solutions Engineer at Salesforce: “DORA is an important step in elevating our offerings to financial services customers, ensuring data and operational resilience are at the forefront of their business goals and company ethos. Our collaboration with partners like WithSecure™ demonstrates Salesforce’s commitment to our number one value of trust, allowing us to offer robust and compliant solutions as part of a trusted digital infrastructure.”

    Key actions to secure Salesforce and comply with DORA

    The new DORA regulation impacts all SaaS products, including Salesforce. When it comes to Salesforce security and risk management, financial institutions should take action in the following areas:

    • Set up ongoing auditing practices to continually assess security risk related to Salesforce and other services connected to it. Implement proper security measures to remediate any gaps.
    • Develop and refine incident management strategies to ensure prompt detection, reporting and resolution of issues. Implement security measures directly for Salesforce that support your strategy.
    • Review and update contracts with ICT providers to meet DORA standards.

    Which Salesforce DORA obligations WithSecure™ Cloud Protection for Salesforce can help with

    WithSecure™ Cloud Protection for Salesforce stops malware and phishing threats on Salesforce in real-time. It helps financial organizations meet their DORA obligations on Salesforce in the following areas:

    DORA mandate for incident reporting: “Financial entities shall report major ICT-related incidents to the relevant competent authority”, “Financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authority. In the event that a technical impossibility prevents the submission of the initial notification using the template, financial entities shall notify the competent authority about it via alternative means.” (Chapter 19, Article 1)

    DORA mandate for detection capabilities: “Financial entities shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.” (Chapter 2, Article 10)

    DORA mandate for incident management: “Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.” (Chapter 17, Article 1)

    Salesforce DORA compliance areas that require added security layers

    How WithSecure™ Cloud Protection for Salesforce helps financial organizations meet their DORA obligations

    WithSecure™ Cloud Protection for Salesforce helps financial institutions detect anomalies such as malware and phishing threats on Salesforce. It provides real-time monitoring capabilities into cyber threats and incidents across the Salesforce environment. It empowers financial institutions with automated threat remediation capabilities, along with prompt alerts.

    WithSecure™ Cloud Protection for Salesforce’s native reporting features support incident reporting to authorities, as mandated by DORA. Reports offer extensive details about the threat, who has interacted with it, and when. This not only enables sufficient reporting to authorities, but also speeds up the incident management process significantly. Without reporting tools that provide full event logs and forensic trails, investigating a malware outbreak is costly and time-consuming.

    While remediating the immediate threat of malware, solutions like Cloud Access Security Brokers (CASBs) can introduce more risk by adding vulnerable integrations and data flows to the mix. For this reason, we built the natively integrated, minimally vulnerable and simplified AntiVirus and AntiPhishing solution WithSecure™ Cloud Protection for Salesforce. With this simplified and seamless approach, financial institutions can mitigate risk without inadvertently adding more in the process. You can deploy the native security layer in minutes and strengthen your compliance instantly.

    WithSecure™ Cloud Protection for Salesforce is built with 30+ years of cyber security experience in close collaboration with Salesforce. The solution has achieved ISAE 3000 Type 2 certification (international equivalent to SOC 2 Type 2), and WithSecure™ is ISO 27001 certified, proving the resilience of operations in accordance with DORA’s third-party risk management agenda.

    Ensure Salesforce DORA compliance

    Protect your Salesforce environment against advanced ransomware and phishing attacks in real-time. Natively integrated WithSecure™ Cloud Protection for Salesforce is up and running in minutes. Comprehensive reporting capabilities help you meet DORA incident reporting requirements.
