🔥 Join us at London’s Calling on June 6th, 2025

WithSecure™ Cloud Protection for Salesforce
  • Home
  • Product
    • Product overviewLearn how WithSecure protects your Salesforce from advanced cyber threats.
    • All featuresExplore product features in detail
    • File protectionDefend your organization against malware and ransomware attacks.
    • URL protectionPrevent phishing and malicious URL attacks with real-time protection.
    • Analytics and visibilityGet comprehensive real-time visibility into security events.
  • Solutions
  • Customers
  • Pricing
  • Resources
    • SupportHow to install, configure and troubleshoot the product.
    • Events & webinars3 upcomingWhere are we headed next? See our upcoming schedule.
    • ComplianceSee what certifications we have and how we comply with regulations.
    • BlogGet the latest product updates and Salesforce security insights.
    • DatasheetsAccess our datasheets, solution overviews and other collaterals.
    • For partnersLet’s deliver more value to Salesforce customers – together.
    • Risk assessmentGet your free Salesforce content risk assessment.
    • About usLearn who we are, why we do what we do and how it all started.
  • EN
    • English
    • 日本語 (Japanese)
  • Book a demoClaim your free 15-day trial
  • EN
    • English
    • 日本語 (Japanese)
  • Book a demoClaim your free 15-day trial
  • SOLUTIONS

    Which Salesforce services are you using?

    Salesforce helps you manage sales, support, automation, and collaboration, but it doesn’t inspect the data coming in. Files, links, and other unstructured content aren’t scanned for threats.
    Under the shared responsibility model, securing that incoming data is up to you.

    Sales Cloud

    All sales management in one place. Just be aware: uploaded files and links from users or integrations aren’t scanned for threats.

    Experience Cloud

    Scalable portals for customers and partners.
    But every external user is a potential entry point for cyber threats.

    Service Cloud

    Streamlined customer support across all channels.
    Without protection, malicious files and links cases may spread.

    Agentforce

    AI agents resolve issues and tasks autonomously.
    Rapid AI agents can also accelerate the spreading of cyber threats.

    Sales Cloud

    Risks associated with Sales Cloud

    Internal users using their own devices

    High risk

    Internal users accessing Salesforce from personal or unmanaged devices pose a significant threat. Unsafe devices and misconfigured endpoint protection solutions can lead to the upload of malicious files into your Sales Cloud environment.

    • Bring-your-own-device (BYOD) introduces unvetted and potentially compromised devices
    • Malware may go undetected by local or outdated endpoint solutions
    • The user’s account may be compromised and exploited by hackers in lateral movement and social engineering
    Attack path

    Internal user

    Malicious file upload

    Your Salesforce

    Attack scenario: compromised internal device is used in malware upload

    1. Unsafe access to Salesforce

    An internal user logs in from a personal laptop that’s been unknowingly compromised with malware.

    2. Malicious file upload

    The user uploads a document to a Salesforce record. The file contains hidden malware.

    3. Another internal user gets infected

    The file is later passed down to another internal user. The malware activates, compromising the second user’s device.

    4. Threat goes undetected

    Without native file scanning, the malware continues to spread through shared files and lateral movement across internal users. Built-in tools offer no visibility to trace the spread.

    5. Real-time protection deployed

    The organization implements WithSecure™ Cloud Protection for Salesforce, blocking future malicious uploads and detecting dormant threats.

    Secure your Salesforce today

    Natively integrated WithSecure™ Cloud Protection for Salesforce stops cyber threats like ransomware and phishing in real-time. It’s up and running in minutes, leaves your customizations untouched, and keeps your enterprise running on Salesforce undisrupted.

    Book a demo
    Malicious content via Salesforce Chatter

    Medium risk

    Chatter enables rapid collaboration, but also rapid malware spread. Users can accidentally or deliberately post infected files or phishing links, which remain undetected without file and link scanning.

    • Chatter messages can include malicious files or phishing URLs
    • Content is often trusted internally, bypassing user skepticism
    • Attackers with access to compromised accounts can abuse Chatter for lateral movement and highly convincing social engineering
    Attack path

    Internal user

    Chatter post with malicious file/link

    Your Salesforce

    Attack scenario: malware shared via Salesforce chatter

    1. Account compromise

    A sales rep clicks a phishing link outside Salesforce and unknowingly hands over credentials to an attacker.

    2. Malicious content shared in Chatter

    The attacker logs in and posts a file with embedded malware in a team Chatter group.

    3. Other users engage

    Colleagues access the file directly through Salesforce, assuming it’s trusted internal content.

    4. Multiple devices infected

    The malware spreads silently across internal systems, exploiting the trusted channel.

    5. Threat detection implemented

    The company deploys WithSecure™ Cloud Protection for Salesforce to scan Chatter posts in real time, stopping future threats.

    Secure your Salesforce today

    Natively integrated WithSecure™ Cloud Protection for Salesforce stops cyber threats like ransomware and phishing in real-time. It’s up and running in minutes, leaves your customizations untouched, and keeps your enterprise running on Salesforce undisrupted.

    Book a demo
    Custom API integrations introducing malware

    Medium risk

    Custom APIs connected to external systems can relay malicious files or links into your Salesforce instance. These integrations often bypass user visibility, increasing the time to detection.

    • API channels can be exploited to deliver malware or malicious URLs
    • Integrations may be granted excessive permissions
    • Files uploaded via API are rarely reviewed by users or admins and may stay in Salesforce as dormant threats for long
    Attack path

    Compromised external system

    API upload with malicious files

    Your Salesforce

    Attack scenario: compromised API integration injects malware

    1. Partner application compromised

    The company has less mature third-party partners connecting to its Salesforce. One partner uses a custom-built application, which is integrated via API to automate order processing. The custom app is compromised by attackers.

    2. Malicious content injected via API

    The app pushes a set of order related files into Salesforce. One file is embedded with malware.

    3. File shared in opportunity records

    Sales reps attach the file to Salesforce records and forward it to colleagues or prospects as part of the sales process.

    4. Internal compromise spreads

    Multiple internal employee users and customers receive and open the document, unknowingly executing the malware and compromising internal systems.

    5. Protective measures deployed

    The organization implements WithSecure™ Cloud Protection for Salesforce to scan all API-driven content and stop future threats from third-party integrations.

    Secure your Salesforce today

    Natively integrated WithSecure™ Cloud Protection for Salesforce stops cyber threats like ransomware and phishing in real-time. It’s up and running in minutes, leaves your customizations untouched, and keeps your enterprise running on Salesforce undisrupted.

    Book a demo

    Experience Cloud

    Risks associated with Experience Cloud

    Malicious files uploaded by community users

    High risk

    Experience Cloud portals often allow customers, partners, or vendors to upload files when submitting cases, completing forms, or interacting with shared records. If left unprotected, these uploads can become entry points for malware.

    • Community users may unknowingly upload infected or manipulated files
    • Attackers may deliberately use file upload features to plant malware through Experience Cloud features
    • A community user’s account may be compromised; an attacker may impersonate a trusted user
    • Salesforce has no built-in threat protection such as file scanning and phishing detection
    • Unstructured data (e.g. files and URLs) from external sources can persist and be re-shared internally
    Attack path

    External community user

    File upload via Experience Cloud

    Stored in Salesforce

    Accessed by internal user

    Malware executes

    Attack scenario: Malware uploaded via Experience Cloud portal

    Portal interaction

    An attacker poses as a customer and uses the support portal to upload a “purchase order” PDF as part of a case.

    File accepted and stored

    The file is uploaded through the portal and saved in a Salesforce record, appearing legitimate.

    Internal access

    An employee in the support team accesses the record and downloads the PDF.

    Threat activates

    The PDF contains embedded malware, which executes on the user’s endpoint.

    Protection deployed

    WithSecure™ Cloud Protection for Salesforce is introduced to scan all inbound Experience Cloud file uploads in real time, before internal users interact with them.

    Secure your Salesforce today

    Natively integrated WithSecure™ Cloud Protection for Salesforce stops cyber threats like ransomware and phishing in real-time. It’s up and running in minutes, leaves your customizations untouched, and keeps your enterprise running on Salesforce undisrupted.

    Book a demo
    Malicious CV uploaded via recruitment portal

    High risk

    Experience Cloud is often used to build recruitment or HR portals where job applicants can submit resumes and various documents. Attackers can abuse this trusted channel to deliver weaponized files that appear benign, like CVs, cover letters or certificates, or URLs like links to professional portfolios and LinkedIn profiles.

    • CVs and related documents and links are often assumed safe and opened as part of the business process without scrutiny
    • Fake applicants – or cyber criminals – can target specific roles or teams with weaponized files and URLs
    Attack path

    External applicant

    CV uploaded via Experience Cloud

    File stored in candidate record

    HR/recruiter opens

    Malware activates

    Attack scenario: Malicious CV delivered via HR portal

    Fake job application submitted

    An attacker submits a resume file that appears to be a PDF through the company’s Experience Cloud-based careers portal.

    File stored in candidate record

    The portal automatically creates a new record in Salesforce and attaches the uploaded CV.

    Recruiter opens CV

    A member of the HR team reviews applications and downloads the resume from the Salesforce record.

    Malware executes

    The document is a disguised executable file, masked as a PDF that installs an infostealer or backdoor on the recruiter’s machine.

    File scanning implemented

    The organization activates WithSecure™ Cloud Protection for Salesforce to scan all Experience Cloud uploads before they reach internal users – detecting even file type spoofing attacks where a file appears to be a certain type (like a PDF) but in reality is something different (like an executable).

    Secure your Salesforce today

    Natively integrated WithSecure™ Cloud Protection for Salesforce stops cyber threats like ransomware and phishing in real-time. It’s up and running in minutes, leaves your customizations untouched, and keeps your enterprise running on Salesforce undisrupted.

    Book a demo
    Phishing links in Experience Cloud message fields

    Medium risk

    Many Experience Cloud implementations allow users to post comments, submit forms, or send messages. These text-based inputs can include phishing URLs, which may remain dormant until clicked by an internal user or reused in outbound messages.

    • Links submitted through form fields or comment boxes may not be reviewed
    • Internal users may click or copy these links without suspicion
    • Delayed risk: phishing links can linger in records and reactivate later
    Attack path

    External user

    Phishing link in form or message

    Saved in Salesforce

    Clicked or reused internally

    Attack scenario: Phishing link hidden in a community form

    Message submitted

    An attacker submits a service request through an Experience Cloud form and embeds a disguised phishing link in the description field.

    Link stored in Salesforce

    The link is stored as part of the record, potentially copied into follow-up notes or internal discussions.

    Link clicked later

    A support or sales rep later clicks the link while reviewing the case.

    Credential theft

    The user is redirected to a fake login page designed to steal their Salesforce or corporate credentials.

    Threat detection implemented

    WithSecure™ Cloud Protection for Salesforce is configured to scan URLs from community users and block malicious links both at entry and point-of-click.

    Secure your Salesforce today

    Natively integrated WithSecure™ Cloud Protection for Salesforce stops cyber threats like ransomware and phishing in real-time. It’s up and running in minutes, leaves your customizations untouched, and keeps your enterprise running on Salesforce undisrupted.

    Book a demo

    Service Cloud

    Risks associated with Service Cloud

    Email-to-Case used to deliver malware

    High risk

    Email-to-Case streamlines ticket creation, but also opens the door to file-based attacks. Threat actors can submit a case with a malicious attachment that bypasses traditional email security, landing directly inside Salesforce. From there, the threat can spread across both internal and external users.

    • File attachments enter Salesforce without inline scanning
    • Malware can sit undetected in the case record until opened
    • Endpoint protection may not recognize novel or embedded threats
    • Email security will not detect threats that appear safe when uploaded, but turn malicious over time as the code morphs
    Attack path

    External user

    Email-to-case

    Malicious file attachment on email stored on the case

    Human agent downloads

    Attack scenario: Malware delivered via Email-to-Case

    Fraudulent sent to support

    An attacker emails the support address connected to Email-to-Case with a disguised Excel file attached.

    File enters case record

    Salesforce automatically converts the email into a new case, with the file uploaded to the record.

    Agent opens attachment

    A human support agent downloads and opens the file while triaging the case.

    Malware executes

    The file constains an infostealer malware that launches on the agent’s device.

    Protections corrected

    After the incident, WithSecure™ Cloud Protection for Salesforce is deployed to scan all files entering through Email-to-Case and other user flows in real time.

    Secure your Salesforce today

    Natively integrated WithSecure™ Cloud Protection for Salesforce stops cyber threats like ransomware and phishing in real-time. It’s up and running in minutes, leaves your customizations untouched, and keeps your enterprise running on Salesforce undisrupted.

    Book a demo
    Phishing links in support cases from web forms

    Medium risk

    Web-to-Case forms allow customers to submit issues via browser, but attackers can inject malicious URLs that are stored in case descriptions or comments. These links may be clicked by agents or reused in outbound replies.

    • Malicious URLs can be embedded in text fields
    • AI or human agents may echo links in replies
    • Threats can spread internally or to customers
    Attack path

    External user

    Web-to-Case

    Phishing URL embedded in a text field

    Human agent clicks or shares

    Threat spreads

    Attack scenario: Phishing link embedded in support request

    Web form abuse

    An attacker fills out a support form with a fake complaint and embeds a phishing link in the message body.

    Link lands in Salesforce

    The form submission creates a new case; the URL is stored in the description.

    Agent reads and clicks

    A support agent sees the message and clicks the link, thinking it’s relevant to the issue.

    Credential theft occurs

    The agent is redirected to a spoofed login page and unknowingly enters their corporate credentials.

    URL protection introduced

    WithSecure™ Cloud Protection for Salesforce is configured to scan and block malicious links within case fields and notes both at the time of upload and retroactively when a user clicks links in Salesforce.

    Secure your Salesforce today

    Natively integrated WithSecure™ Cloud Protection for Salesforce stops cyber threats like ransomware and phishing in real-time. It’s up and running in minutes, leaves your customizations untouched, and keeps your enterprise running on Salesforce undisrupted.

    Book a demo

    Agentforce

    Risks associated with Agentforce

    Malicious file in agentic support chat

    High risk

    AI-powered support flows can escalate threat delivery at machine speed. A malicious file sent during a customer chat can pass through Agentforce into a case record—and be downloaded by a human agent before any security review.

    • AI agents don’t inspect files before routing them to Salesforce
    • Malicious attachments can be passed along without visibility
    • Human agents may unknowingly open weaponized content
    Attack path

    External user

    Agentforce support flow

    Malicious file upload

    File routed to case

    Attack scenario: malware delivered via Agentforce workflow

    Attacker enters AI chat

    An attacker poses as a customer and contacts support through an Agentforce-enabled chat.

    Malicious screenshot submitted

    They upload an image file claiming it shows a login issue. It’s laced with hidden malware.

    File lands in case record

    The file is automatically saved to the related Salesforce case through the agentic process.

    Agent downloads file

    A human support agent later opens the file, triggering malware execution.

    Compromise occurs

    Infostealer malware activates, harvesting credentials and spreading silently.

    Prevention is introduced

    WithSecure Cloud Protection for Salesforce is implemented to mitigate Agentforce cyber risk. Salesforce-native app ensures real-time detection across accelerated AI workflows.

    Secure your Salesforce today

    Natively integrated WithSecure™ Cloud Protection for Salesforce stops cyber threats like ransomware and phishing in real-time. It’s up and running in minutes, leaves your customizations untouched, and keeps your enterprise running on Salesforce undisrupted.

    Book a demo
    Phishing links shared through Agentforce

    Medium risk

    Malicious URLs pasted into agentic flows, whether by customers or internal users, can persist in records, be re-shared, or clicked later. Without native URL scanning, AI can unintentionally amplify these risks.

    • AI workflows may forward phishing links without detection
    • Stored links can become delayed-entry threat vectors
    Attack path

    External user

    Malicious URL posted

    Saved in Salesforce record

    Re-shared or clicked

    Attack scenario: Persistent phishing link in AI flow

    Phishing URL submitted

    A customer pastes a malicious URL during a web chat session with an AI agent.

    Link saved in case record

    The URL is stored in the Salesforce case or notes automatically.

    Re-surfaced by a human user

    Later, the link is retrieved by a human agent who reviews the case details.

    Click triggers attack

    Without any warning labels, a recipient clicks the URL, and enters a phishing page designed for credential harvesting.

    Agentforce journey secured

    The incident raises internal alarms, and later WithSecure™ Cloud Protection for Salesforce is introduced so Agentforce journey can continue securely, without phishing risks.

    Secure your Salesforce today

    Natively integrated WithSecure™ Cloud Protection for Salesforce stops cyber threats like ransomware and phishing in real-time. It’s up and running in minutes, leaves your customizations untouched, and keeps your enterprise running on Salesforce undisrupted.

    Book a demo
    Select your Salesforce clouds above to see more information

    BOOK A DEMO

    Secure your Salesforce today

    Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.

    Fill the form and get:

    Free 15-day trial

    Personalized Salesforce security risk assessment report

    Demo and a solution consultation

    Support from our experts with setup and configurations

    Required field.

    Invalid field.

    Required field.

    Invalid field.

    Required field.

    Invalid field.

    Required field.

    Invalid field.

    Phone number can only contain numbers, spaces, and these special characters: + () -.

    Required field.

    Invalid field.

    Required field.

    Invalid field.

    Required field.

    Invalid field.

    Error sending form.

    We process the personal data you share with us in accordance with our Corporate Business Privacy Policy.

Product

  • Book a demo
  • Product
  • Solutions
  • Customers
  • Pricing

Resources

  • Blog
  • Events & webinars
  • For partners
  • Compliance
  • Datasheets
  • Risk assessment

Company

  • About us
  • W/ Elements
  • W/ Consulting

Support

  • Support portal
  • User guides
  • Release notes
  • Product lifecycle

Social media

Terms of service

Privacy

Product privacy policy

Modern slavery statement

Cookies