Internal users accessing Salesforce from personal or unmanaged devices pose a significant threat. Unsafe devices and misconfigured endpoint protection solutions can lead to the upload of malicious files into your Sales Cloud environment.

• Bring-your-own-device (BYOD) introduces unvetted and potentially compromised devices
• Malware may go undetected by local or outdated endpoint solutions
• The user’s account may be compromised and exploited by hackers in lateral movement and social engineering

Attack path

Internal user

Malicious file upload

Your Salesforce

Attack scenario: compromised internal device is used in malware upload

1. Unsafe access to Salesforce

An internal user logs in from a personal laptop that’s been unknowingly compromised with malware.

2. Malicious file upload

The user uploads a document to a Salesforce record. The file contains hidden malware.

3. Another internal user gets infected

The file is later passed down to another internal user. The malware activates, compromising the second user’s device.

4. Threat goes undetected

Without native file scanning, the malware continues to spread through shared files and lateral movement across internal users. Built-in tools offer no visibility to trace the spread.

5. Real-time protection deployed

The organization implements WithSecure™ Cloud Protection for Salesforce, blocking future malicious uploads and detecting dormant threats.

Chatter enables rapid collaboration, but also rapid malware spread. Users can accidentally or deliberately post infected files or phishing links, which remain undetected without file and link scanning.

• Chatter messages can include malicious files or phishing URLs
• Content is often trusted internally, bypassing user skepticism
• Attackers with access to compromised accounts can abuse Chatter for lateral movement and highly convincing social engineering

Attack path

Internal user

Chatter post with malicious file/link

Your Salesforce

Attack scenario: malware shared via Salesforce chatter

1. Account compromise

A sales rep clicks a phishing link outside Salesforce and unknowingly hands over credentials to an attacker.

2. Malicious content shared in Chatter

The attacker logs in and posts a file with embedded malware in a team Chatter group.

3. Other users engage

Colleagues access the file directly through Salesforce, assuming it’s trusted internal content.

4. Multiple devices infected

The malware spreads silently across internal systems, exploiting the trusted channel.

5. Threat detection implemented

The company deploys WithSecure™ Cloud Protection for Salesforce to scan Chatter posts in real time, stopping future threats.

Custom APIs connected to external systems can relay malicious files or links into your Salesforce instance. These integrations often bypass user visibility, increasing the time to detection.

• API channels can be exploited to deliver malware or malicious URLs
• Integrations may be granted excessive permissions
• Files uploaded via API are rarely reviewed by users or admins and may stay in Salesforce as dormant threats for long

Attack path

Compromised external system

API upload with malicious files

Your Salesforce

Attack scenario: compromised API integration injects malware

1. Partner application compromised

The company has less mature third-party partners connecting to its Salesforce. One partner uses a custom-built application, which is integrated via API to automate order processing. The custom app is compromised by attackers.

2. Malicious content injected via API

The app pushes a set of order related files into Salesforce. One file is embedded with malware.

3. File shared in opportunity records

Sales reps attach the file to Salesforce records and forward it to colleagues or prospects as part of the sales process.

4. Internal compromise spreads

Multiple internal employee users and customers receive and open the document, unknowingly executing the malware and compromising internal systems.

5. Protective measures deployed

The organization implements WithSecure™ Cloud Protection for Salesforce to scan all API-driven content and stop future threats from third-party integrations.

Experience Cloud portals often allow customers, partners, or vendors to upload files when submitting cases, completing forms, or interacting with shared records. If left unprotected, these uploads can become entry points for malware.

• Community users may unknowingly upload infected or manipulated files
• Attackers may deliberately use file upload features to plant malware through Experience Cloud features
• A community user’s account may be compromised; an attacker may impersonate a trusted user
• Salesforce has no built-in threat protection such as file scanning and phishing detection
• Unstructured data (e.g. files and URLs) from external sources can persist and be re-shared internally

Attack path

External community user

File upload via Experience Cloud

Stored in Salesforce

Accessed by internal user

Malware executes

Attack scenario: Malware uploaded via Experience Cloud portal

Portal interaction

An attacker poses as a customer and uses the support portal to upload a “purchase order” PDF as part of a case.

File accepted and stored

The file is uploaded through the portal and saved in a Salesforce record, appearing legitimate.

Internal access

An employee in the support team accesses the record and downloads the PDF.

Threat activates

The PDF contains embedded malware, which executes on the user’s endpoint.

Protection deployed

WithSecure™ Cloud Protection for Salesforce is introduced to scan all inbound Experience Cloud file uploads in real time, before internal users interact with them.

Experience Cloud is often used to build recruitment or HR portals where job applicants can submit resumes and various documents. Attackers can abuse this trusted channel to deliver weaponized files that appear benign, like CVs, cover letters or certificates, or URLs like links to professional portfolios and LinkedIn profiles.

• CVs and related documents and links are often assumed safe and opened as part of the business process without scrutiny
• Fake applicants – or cyber criminals – can target specific roles or teams with weaponized files and URLs

Attack path

External applicant

CV uploaded via Experience Cloud

File stored in candidate record

HR/recruiter opens

Malware activates

Attack scenario: Malicious CV delivered via HR portal

Fake job application submitted

An attacker submits a resume file that appears to be a PDF through the company’s Experience Cloud-based careers portal.

File stored in candidate record

The portal automatically creates a new record in Salesforce and attaches the uploaded CV.

Recruiter opens CV

A member of the HR team reviews applications and downloads the resume from the Salesforce record.

Malware executes

The document is a disguised executable file, masked as a PDF that installs an infostealer or backdoor on the recruiter’s machine.

File scanning implemented

The organization activates WithSecure™ Cloud Protection for Salesforce to scan all Experience Cloud uploads before they reach internal users – detecting even file type spoofing attacks where a file appears to be a certain type (like a PDF) but in reality is something different (like an executable).

Many Experience Cloud implementations allow users to post comments, submit forms, or send messages. These text-based inputs can include phishing URLs, which may remain dormant until clicked by an internal user or reused in outbound messages.

• Links submitted through form fields or comment boxes may not be reviewed
• Internal users may click or copy these links without suspicion
• Delayed risk: phishing links can linger in records and reactivate later

Attack path

External user

Phishing link in form or message

Saved in Salesforce

Clicked or reused internally

Attack scenario: Phishing link hidden in a community form

Message submitted

An attacker submits a service request through an Experience Cloud form and embeds a disguised phishing link in the description field.

Link stored in Salesforce

The link is stored as part of the record, potentially copied into follow-up notes or internal discussions.

Link clicked later

A support or sales rep later clicks the link while reviewing the case.

Credential theft

The user is redirected to a fake login page designed to steal their Salesforce or corporate credentials.

Threat detection implemented

WithSecure™ Cloud Protection for Salesforce is configured to scan URLs from community users and block malicious links both at entry and point-of-click.

Email-to-Case streamlines ticket creation, but also opens the door to file-based attacks. Threat actors can submit a case with a malicious attachment that bypasses traditional email security, landing directly inside Salesforce. From there, the threat can spread across both internal and external users.

• File attachments enter Salesforce without inline scanning
• Malware can sit undetected in the case record until opened
• Endpoint protection may not recognize novel or embedded threats
• Email security will not detect threats that appear safe when uploaded, but turn malicious over time as the code morphs

Attack path

External user

Email-to-case

Malicious file attachment on email stored on the case

Human agent downloads

Attack scenario: Malware delivered via Email-to-Case

Fraudulent sent to support

An attacker emails the support address connected to Email-to-Case with a disguised Excel file attached.

File enters case record

Salesforce automatically converts the email into a new case, with the file uploaded to the record.

Agent opens attachment

A human support agent downloads and opens the file while triaging the case.

Malware executes

The file constains an infostealer malware that launches on the agent’s device.

Protections corrected

After the incident, WithSecure™ Cloud Protection for Salesforce is deployed to scan all files entering through Email-to-Case and other user flows in real time.

Web-to-Case forms allow customers to submit issues via browser, but attackers can inject malicious URLs that are stored in case descriptions or comments. These links may be clicked by agents or reused in outbound replies.

• Malicious URLs can be embedded in text fields
• AI or human agents may echo links in replies
• Threats can spread internally or to customers

Attack path

External user

Web-to-Case

Phishing URL embedded in a text field

Human agent clicks or shares

Threat spreads

Attack scenario: Phishing link embedded in support request

Web form abuse

An attacker fills out a support form with a fake complaint and embeds a phishing link in the message body.

Link lands in Salesforce

The form submission creates a new case; the URL is stored in the description.

Agent reads and clicks

A support agent sees the message and clicks the link, thinking it’s relevant to the issue.

Credential theft occurs

The agent is redirected to a spoofed login page and unknowingly enters their corporate credentials.

URL protection introduced

WithSecure™ Cloud Protection for Salesforce is configured to scan and block malicious links within case fields and notes both at the time of upload and retroactively when a user clicks links in Salesforce.

AI-powered support flows can escalate threat delivery at machine speed. A malicious file sent during a customer chat can pass through Agentforce into a case record—and be downloaded by a human agent before any security review.

• AI agents don’t inspect files before routing them to Salesforce
• Malicious attachments can be passed along without visibility
• Human agents may unknowingly open weaponized content

Attack path

External user

Agentforce support flow

Malicious file upload

File routed to case

Attack scenario: malware delivered via Agentforce workflow

Attacker enters AI chat

An attacker poses as a customer and contacts support through an Agentforce-enabled chat.

Malicious screenshot submitted

They upload an image file claiming it shows a login issue. It’s laced with hidden malware.

File lands in case record

The file is automatically saved to the related Salesforce case through the agentic process.

Agent downloads file

A human support agent later opens the file, triggering malware execution.

Compromise occurs

Infostealer malware activates, harvesting credentials and spreading silently.

Prevention is introduced

WithSecure Cloud Protection for Salesforce is implemented to mitigate Agentforce cyber risk. Salesforce-native app ensures real-time detection across accelerated AI workflows.

Malicious URLs pasted into agentic flows, whether by customers or internal users, can persist in records, be re-shared, or clicked later. Without native URL scanning, AI can unintentionally amplify these risks.

• AI workflows may forward phishing links without detection
• Stored links can become delayed-entry threat vectors

Attack path

External user

Malicious URL posted

Saved in Salesforce record

Re-shared or clicked

Attack scenario: Persistent phishing link in AI flow

Phishing URL submitted

A customer pastes a malicious URL during a web chat session with an AI agent.

Link saved in case record

The URL is stored in the Salesforce case or notes automatically.

Re-surfaced by a human user

Later, the link is retrieved by a human agent who reviews the case details.

Click triggers attack

Without any warning labels, a recipient clicks the URL, and enters a phishing page designed for credential harvesting.

Agentforce journey secured

The incident raises internal alarms, and later WithSecure™ Cloud Protection for Salesforce is introduced so Agentforce journey can continue securely, without phishing risks.