Stop phishing attacks and scan URLs on Salesforce for threats

Malicious URLs can silently infiltrate and compromise your Salesforce environment and its users. From phishing to malware and credential theft, these covert risks can disrupt your daily business operations and damage your trusted brand.

Don’t overlook phishing risks

Phishing is one of the most common and successful cyber-attack vectors. Malicious URLs form the backbone of these phishing schemes, designed to masquerade as legitimate links. These URLs typically redirect unsuspecting users to fraudulent websites, where they are duped into revealing sensitive information. As they become more sophisticated, distinguishing these URLs from safe ones becomes increasingly challenging, making them a potent threat within Salesforce environments.

URLs are used in credential harvesting, where attackers construct websites that mirror legitimate business services to steal login information. Once an unsuspecting Salesforce user enters their credentials, the attackers gain access to private systems and data, leading to potential identity theft and unauthorized system access.

Malware risks behind URLs

URLs can serve as trojan horses for malware spreading. Clicking on a seemingly benign link can trigger the download and installation of harmful software. Malware spread via URLs may range from spyware, recording every keystroke, to ransomware, which can lock an organization out of its own data. This underscores the critical need for vigilance against URL-borne threats within Salesforce, as every file or link interaction could be a potential vector for infection.

Some cyber threats do not even require user interaction, such as drive-by downloads. Merely visiting a website with malicious intent can cause malware to download and install automatically. These URLs exploit vulnerabilities within the browser or its extensions, carrying out actions without the user’s knowledge or consent. This silent havoc often goes unnoticed until significant damage has occurred.

Attackers see Salesforce as an effective distribution channel

Salesforce’s expansive platform is full of potential entry points for attackers. From custom fields to community posts, any area where a URL can be entered poses a risk. These open text fields, especially when accessible by external users, increase the vulnerability of the environment to malicious URLs.

Attackers adeptly leverage these entry points, exploiting Salesforce’s features to inject harmful URLs. For instance, email-to-case or web-to-case functionalities, which are meant to streamline customer service processes, can be subverted to introduce phishing links or malicious URLs, directly targeting customer service representatives who may unwittingly click on them.

What makes your Salesforce even more attractive to the cyber criminals is the ecosystem of connected systems that integrate to it. This creates an effective third-party supply chain for the attackers’ benefit.

Evolving threats: it’s not enough to just detect threats when they come in

The safety of a URL is not a constant; it can change from safe to dangerous in moments. Malicious actors can hijack legitimate sites or dynamically generate harmful URLs, making time-of-click protection a necessity. Such security measures evaluate the URL as it’s accessed, not just when it’s received, accounting for real-time threat emergence.

The convenience of shortened URLs in space-constrained communications is undeniable. However, these shortened links also provide a perfect cover for obfuscating malicious destinations, allowing attackers to hide their true intentions behind a veil of legitimacy. This tactic is particularly concerning in environments like Salesforce, where such links could be distributed widely with a single click.

Phishing attacks are more common, and attackers more crafty

Salesforce has highlighted phishing as the paramount concern for IT leaders. More data supports this concern. According to IBM, 41% of cyber attacks deploy phishing techniques, leveraging the familiarity and trust of public-facing applications. More alarmingly, IBM reports that 26% of these phishing campaigns specifically target such applications, with a further 16% of attacks successfully abusing legitimate user accounts to bypass security defenses. New tools such as FraudGPT are making it easier than ever for cyber criminals to launch sophisticated phishing attacks regardless of their skill levels.

This quantifiable data emphasizes the need for comprehensive security against URL-based threats – especially within Salesforce environments, where phishing attempts can blend seamlessly with regular operations. We’ve detected that approximately 1% of the millions of URLs scanned from large enterprises and critical public entities globally are malicious. It’s a big vulnerability without anti-phishing measures.

A real-life Salesforce phishing incident scenario

Let’s break down a real cyber attack that happened via Salesforce, as observed by our incident response consultant, showing how the attack unfolded and what was done to fix it.

1. Initial compromise: A phishing email, which looked normal but contained a dangerous link, got through the email security and ended up in the company’s Salesforce system.
2. The lure: Inside Salesforce, employees found the document from the phishing email. Clicking on the link in the document led them to a fake webpage set up by the hackers.
3. Credential capture: The fake webpage tricked employees into entering their login details, including their extra security codes (tokens), which the attackers then stole.
4. Unauthorized access: The attackers used these stolen details to get into the company’s Microsoft systems without permission. This was noticed because of unusual sign-ins from other countries.
5. Detection: The company took a closer look at one employee’s laptop after noticing these strange sign-ins. They found that the laptop had visited some suspicious websites, pointing to an outside attack.
6. Full exposure: Further investigation connected these signs back to the phishing email in Salesforce. This showed that the company’s normal security wasn’t enough to stop such clever attacks.
7. Counteraction: Once the company knew about the breach, they stopped the stolen login details from being used and strengthened their security to prevent this kind of attack in the future.

This attack shows that cyber threats can sneak in through Salesforce and that usual security systems might not catch them. Companies need to have strong, up-to-date defenses that look for threats in real time and can check everything thoroughly if there’s an attack. It’s a reminder that being ready for all types of attacks is important for keeping Salesforce and other systems safe.