SOLUTIONS
Which Salesforce services are you using?
Salesforce helps you manage sales, support, automation, and collaboration, but it doesn’t inspect the data coming in. Files, links, and other unstructured content aren’t scanned for threats.
Under the shared responsibility model, securing that incoming data is up to you.
Sales Cloud
All sales management in one place. Just be aware: uploaded files and links from users or integrations aren’t scanned for threats.
Experience Cloud
Scalable portals for customers and partners.
But every external user is a potential entry point for cyber threats.
Service Cloud
Streamlined customer support across all channels.
Without protection, malicious files and links in cases may spread.
Agentforce
AI agents resolve issues and tasks autonomously.
Fast-acting AI agents can also accelerate the spread of cyber threats.
Sales Cloud
Risks associated with Sales Cloud
Internal users using their own devices
High risk
Internal users accessing Salesforce from personal or unmanaged devices pose a significant threat. Unsafe devices and misconfigured endpoint protection solutions can lead to the upload of malicious files into your Sales Cloud environment.
- Bring-your-own-device (BYOD) introduces unvetted and potentially compromised devices
- Malware may go undetected by local or outdated endpoint solutions
- The user’s account may be compromised and exploited by hackers in lateral movement and social engineering
Attack path: Internal user → Malicious file upload → Your Salesforce
Attack scenario: compromised internal device is used in malware upload
1. Unsafe access to Salesforce
An internal user logs in from a personal laptop that’s been unknowingly compromised with malware.
2. Malicious file upload
The user uploads a document to a Salesforce record. The file contains hidden malware.
3. Another internal user gets infected
The file is later passed down to another internal user. The malware activates, compromising the second user’s device.
4. Threat goes undetected
Without native file scanning, the malware continues to spread through shared files and lateral movement across internal users. Built-in tools offer no visibility to trace the spread.
5. Real-time protection deployed
The organization implements WithSecure™ Cloud Protection for Salesforce, blocking future malicious uploads and detecting dormant threats.
Secure your Salesforce today
Natively integrated WithSecure™ Cloud Protection for Salesforce stops cyber threats like ransomware and phishing in real-time. It’s up and running in minutes, leaves your customizations untouched, and keeps your enterprise running on Salesforce undisrupted.
Malicious content via Salesforce Chatter
Medium risk
Chatter enables rapid collaboration, but also rapid malware spread. Users can accidentally or deliberately post infected files or phishing links, which remain undetected without file and link scanning.
- Chatter messages can include malicious files or phishing URLs
- Content is often trusted internally, bypassing user skepticism
- Attackers with access to compromised accounts can abuse Chatter for lateral movement and highly convincing social engineering
Attack path: Internal user → Chatter post with malicious file/link → Your Salesforce
Attack scenario: malware shared via Salesforce Chatter
1. Account compromise
A sales rep clicks a phishing link outside Salesforce and unknowingly hands over credentials to an attacker.
2. Malicious content shared in Chatter
The attacker logs in and posts a file with embedded malware in a team Chatter group.
3. Other users engage
Colleagues access the file directly through Salesforce, assuming it’s trusted internal content.
4. Multiple devices infected
The malware spreads silently across internal systems, exploiting the trusted channel.
5. Threat detection implemented
The company deploys WithSecure™ Cloud Protection for Salesforce to scan Chatter posts in real time, stopping future threats.
Custom API integrations introducing malware
Medium risk
Custom APIs connected to external systems can relay malicious files or links into your Salesforce instance. These integrations often bypass user visibility, increasing the time to detection.
- API channels can be exploited to deliver malware or malicious URLs
- Integrations may be granted excessive permissions
- Files uploaded via API are rarely reviewed by users or admins and may stay in Salesforce as dormant threats for a long time
Attack path: Compromised external system → API upload with malicious files → Your Salesforce
Attack scenario: compromised API integration injects malware
1. Partner application compromised
The company has less mature third-party partners connecting to its Salesforce. One partner uses a custom-built application, which is integrated via API to automate order processing. The custom app is compromised by attackers.
2. Malicious content injected via API
The app pushes a set of order-related files into Salesforce. One file is embedded with malware.
3. File shared in opportunity records
Sales reps attach the file to Salesforce records and forward it to colleagues or prospects as part of the sales process.
4. Internal compromise spreads
Multiple internal employee users and customers receive and open the document, unknowingly executing the malware and compromising internal systems.
5. Protective measures deployed
The organization implements WithSecure™ Cloud Protection for Salesforce to scan all API-driven content and stop future threats from third-party integrations.
Experience Cloud
Risks associated with Experience Cloud
Malicious files uploaded by community users
High risk
Experience Cloud portals often allow customers, partners, or vendors to upload files when submitting cases, completing forms, or interacting with shared records. If left unprotected, these uploads can become entry points for malware.
- Community users may unknowingly upload infected or manipulated files
- Attackers may deliberately use file upload features to plant malware through Experience Cloud features
- A community user’s account may be compromised; an attacker may impersonate a trusted user
- Salesforce has no built-in threat protection such as file scanning and phishing detection
- Unstructured data (e.g. files and URLs) from external sources can persist and be re-shared internally
Attack path: External community user → File upload via Experience Cloud → Stored in Salesforce → Accessed by internal user → Malware executes
Attack scenario: Malware uploaded via Experience Cloud portal
Portal interaction
An attacker poses as a customer and uses the support portal to upload a “purchase order” PDF as part of a case.
File accepted and stored
The file is uploaded through the portal and saved in a Salesforce record, appearing legitimate.
Internal access
An employee in the support team accesses the record and downloads the PDF.
Threat activates
The PDF contains embedded malware, which executes on the user’s endpoint.
Protection deployed
WithSecure™ Cloud Protection for Salesforce is introduced to scan all inbound Experience Cloud file uploads in real time, before internal users interact with them.
Malicious CV uploaded via recruitment portal
High risk
Experience Cloud is often used to build recruitment or HR portals where job applicants can submit resumes and various documents. Attackers can abuse this trusted channel to deliver weaponized files that appear benign, like CVs, cover letters or certificates, or URLs like links to professional portfolios and LinkedIn profiles.
- CVs and related documents and links are often assumed safe and opened as part of the business process without scrutiny
- Fake applicants – or cyber criminals – can target specific roles or teams with weaponized files and URLs
Attack path: External applicant → CV uploaded via Experience Cloud → File stored in candidate record → HR/recruiter opens → Malware activates
Attack scenario: Malicious CV delivered via HR portal
Fake job application submitted
An attacker submits a resume file that appears to be a PDF through the company’s Experience Cloud-based careers portal.
File stored in candidate record
The portal automatically creates a new record in Salesforce and attaches the uploaded CV.
Recruiter opens CV
A member of the HR team reviews applications and downloads the resume from the Salesforce record.
Malware executes
The document is an executable file disguised as a PDF; it installs an infostealer or backdoor on the recruiter’s machine.
File scanning implemented
The organization activates WithSecure™ Cloud Protection for Salesforce to scan all Experience Cloud uploads before they reach internal users – detecting even file type spoofing attacks where a file appears to be a certain type (like a PDF) but in reality is something different (like an executable).
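The file type spoofing case described above, as an added example (not WithSecure's code or detection method): compare the type a file name claims with the type its leading bytes indicate. The signature table, allow-list and function names are assumptions chosen for illustration, and the sample uploads are constructed.

```python
import os

# Leading-byte signatures for a few common formats (illustrative subset).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip"),                          # also docx/xlsx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy doc/xls
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]

# Content types acceptable for each claimed extension (assumed allow-list).
EXPECTED = {
    ".pdf": {"pdf"},
    ".docx": {"zip"}, ".xlsx": {"zip"},
    ".doc": {"ole2"}, ".xls": {"ole2"},
    ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
}
EXECUTABLE = {"pe-executable", "elf-executable"}


def sniff(data):
    """Return the content type suggested by the file's first bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_upload(filename, data):
    """Return (verdict, detail); verdict is 'ok', 'mismatch' or 'block'."""
    # For double extensions such as cv.pdf.exe only the last one counts.
    ext = os.path.splitext(filename.lower().strip())[1]
    kind = sniff(data[:16])
    if kind in EXECUTABLE:
        return "block", f"{ext or 'no extension'} carries {kind} content"
    allowed = EXPECTED.get(ext)
    if allowed is None:
        return "block", f"extension {ext!r} is not on the allow-list"
    if kind not in allowed:
        return "mismatch", f"{ext} claimed but content looks like {kind}"
    return "ok", kind


# Constructed sample uploads (first bytes only, not real files).
SAMPLES = [
    ("cv_jane_doe.pdf", b"%PDF-1.7\n"),
    ("cv_john_doe.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("certificate.pdf", b"PK\x03\x04\x14\x00"),
    ("portfolio.pdf.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, check_upload(name, blob))
```

A matching header only rules out type spoofing; a genuine PDF or Office document can still carry malicious content and needs content scanning.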
Phishing links in Experience Cloud message fields
Medium risk
Many Experience Cloud implementations allow users to post comments, submit forms, or send messages. These text-based inputs can include phishing URLs, which may remain dormant until clicked by an internal user or reused in outbound messages.
- Links submitted through form fields or comment boxes may not be reviewed
- Internal users may click or copy these links without suspicion
- Delayed risk: phishing links can linger in records and reactivate later
Attack path: External user → Phishing link in form or message → Saved in Salesforce → Clicked or reused internally
Attack scenario: Phishing link hidden in a community form
Message submitted
An attacker submits a service request through an Experience Cloud form and embeds a disguised phishing link in the description field.
Link stored in Salesforce
The link is stored as part of the record, potentially copied into follow-up notes or internal discussions.
Link clicked later
A support or sales rep later clicks the link while reviewing the case.
Credential theft
The user is redirected to a fake login page designed to steal their Salesforce or corporate credentials.
Threat detection implemented
WithSecure™ Cloud Protection for Salesforce is configured to scan URLs from community users and block malicious links both at entry and point-of-click.
Service Cloud
Risks associated with Service Cloud
Email-to-Case used to deliver malware
High risk
Email-to-Case streamlines ticket creation, but also opens the door to file-based attacks. Threat actors can submit a case with a malicious attachment that bypasses traditional email security, landing directly inside Salesforce. From there, the threat can spread across both internal and external users.
- File attachments enter Salesforce without inline scanning
- Malware can sit undetected in the case record until opened
- Endpoint protection may not recognize novel or embedded threats
- Email security will not detect threats that appear safe when uploaded, but turn malicious over time as the code morphs
Attack path: External user → Email-to-Case → Malicious email attachment stored on the case → Human agent downloads
Attack scenario: Malware delivered via Email-to-Case
Fraudulent email sent to support
An attacker emails the support address connected to Email-to-Case with a disguised Excel file attached.
File enters case record
Salesforce automatically converts the email into a new case, with the file uploaded to the record.
Agent opens attachment
A human support agent downloads and opens the file while triaging the case.
Malware executes
The file contains infostealer malware that launches on the agent’s device.
Protections corrected
After the incident, WithSecure™ Cloud Protection for Salesforce is deployed to scan all files entering through Email-to-Case and other user flows in real time.
Phishing links in support cases from web forms
Medium risk
Web-to-Case forms allow customers to submit issues via browser, but attackers can inject malicious URLs that are stored in case descriptions or comments. These links may be clicked by agents or reused in outbound replies.
- Malicious URLs can be embedded in text fields
- AI or human agents may echo links in replies
- Threats can spread internally or to customers
Attack path: External user → Web-to-Case → Phishing URL embedded in a text field → Human agent clicks or shares → Threat spreads
Attack scenario: Phishing link embedded in support request
Web form abuse
An attacker fills out a support form with a fake complaint and embeds a phishing link in the message body.
Link lands in Salesforce
The form submission creates a new case; the URL is stored in the description.
Agent reads and clicks
A support agent sees the message and clicks the link, thinking it’s relevant to the issue.
Credential theft occurs
The agent is redirected to a spoofed login page and unknowingly enters their corporate credentials.
URL protection introduced
WithSecure™ Cloud Protection for Salesforce is configured to scan and block malicious links within case fields and notes both at the time of upload and retroactively when a user clicks links in Salesforce.
Agentforce
Risks associated with Agentforce
Malicious file in agentic support chat
High risk
AI-powered support flows can escalate threat delivery at machine speed. A malicious file sent during a customer chat can pass through Agentforce into a case record—and be downloaded by a human agent before any security review.
- AI agents don’t inspect files before routing them to Salesforce
- Malicious attachments can be passed along without visibility
- Human agents may unknowingly open weaponized content
Attack path: External user → Agentforce support flow → Malicious file upload → File routed to case
Attack scenario: malware delivered via Agentforce workflow
Attacker enters AI chat
An attacker poses as a customer and contacts support through an Agentforce-enabled chat.
Malicious screenshot submitted
They upload an image file claiming it shows a login issue. It’s laced with hidden malware.
File lands in case record
The file is automatically saved to the related Salesforce case through the agentic process.
Agent downloads file
A human support agent later opens the file, triggering malware execution.
Compromise occurs
Infostealer malware activates, harvesting credentials and spreading silently.
Prevention is introduced
WithSecure™ Cloud Protection for Salesforce is implemented to mitigate Agentforce cyber risk. The Salesforce-native app ensures real-time detection across accelerated AI workflows.
Phishing links shared through Agentforce
Medium risk
Malicious URLs pasted into agentic flows, whether by customers or internal users, can persist in records, be re-shared, or clicked later. Without native URL scanning, AI can unintentionally amplify these risks.
- AI workflows may forward phishing links without detection
- Stored links can become delayed-entry threat vectors
Attack path: External user → Malicious URL posted → Saved in Salesforce record → Re-shared or clicked
Attack scenario: Persistent phishing link in AI flow
Phishing URL submitted
A customer pastes a malicious URL during a web chat session with an AI agent.
Link saved in case record
The URL is stored in the Salesforce case or notes automatically.
Re-surfaced by a human user
Later, the link is retrieved by a human agent who reviews the case details.
Click triggers attack
Without any warning labels, a recipient clicks the URL and lands on a phishing page designed for credential harvesting.
Agentforce journey secured
The incident raises internal alarms, and later WithSecure™ Cloud Protection for Salesforce is introduced so the Agentforce journey can continue securely, without phishing risks.
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Fill the form and get:
Free 15-day trial
Personalized Salesforce security risk assessment report
Demo and a solution consultation
Support from our experts with setup and configurations