NHI Forum


UNC6395 OAuth Compromise Explained: Astrix Research Findings Across Salesforce, Google Workspace, and AWS


(@astrix)
Trusted Member
Joined: 7 months ago
Posts: 17
Topic starter

Read full article here: https://astrix.security/learn/blog/critical-update-astrix-research-team-discovers-unc6395-oauth-compromise-spanning-salesforce-google-workspace-and-aws/?source=nhimg

The recent Salesforce breach involving UNC6395 has escalated into a multi-cloud campaign targeting not only Salesforce environments but also Google Workspace, AWS, and Snowflake. Initial reports from Google Threat Intelligence Group (GTIG) identified the compromise of Salesloft Drift OAuth tokens, which attackers used to exfiltrate CRM data and harvest secrets. Astrix Security’s latest findings reveal broader tactics, including Gmail OAuth token abuse, AWS reconnaissance activity, and the use of more than 180 Tor exit nodes to mask attacker infrastructure.

What Happened

  • Salesforce Phase (Aug 8–18, 2025): Attackers leveraged Drift OAuth tokens to bypass MFA and extract data from Salesforce instances.
  • Expansion into Google Workspace: The Drift Email OAuth application was exploited for large-scale Gmail data theft. Google revoked the tokens on Aug 29, but pre-revocation activity remains a risk.
  • AWS Reconnaissance: UNC6395 attempted anonymous access to S3 buckets using bucket names harvested from exfiltrated Salesforce data.
  • Snowflake Secrets Exposure: Harvested credentials targeted Snowflake environments for lateral movement.


Key Risks

  • OAuth Token Abuse: Tokens issued to connected apps became the pivot point for multi-cloud compromise.
  • NHI Exploitation: Service accounts, app tokens, and other non-human identities (NHIs) were systematically abused to move laterally.
  • Visibility Gaps: Over 183 Tor exit nodes masked attacker behavior, complicating detection and forensic analysis.


Indicators of Compromise (IoCs)

  • Google OAuth App ID: 1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com
  • AWS Account ID: 337122806991
  • 180+ Tor exit nodes (full list available in Astrix Security’s advisory)


Why It Matters

This breach is not a Salesforce platform vulnerability but a shared responsibility failure: weak governance of connected apps, over-permissive OAuth grants, and unmonitored NHIs left organizations exposed. Enterprises like Google, Adidas, Workday, and Coca-Cola were affected, proving that even global leaders are vulnerable when OAuth and machine identities are left unchecked.


How to Respond Now

  • Revoke & Rotate - Immediately revoke Drift OAuth tokens across Salesforce and Google Workspace and rotate any associated secrets.
  • Audit Connected Apps - Enforce least-privilege principles and scrutinize OAuth scopes granted to third-party integrations.
  • Monitor & Block - Search logs for AWS account ID 337122806991 and suspicious Tor-sourced access between Aug 8–18.
  • Strengthen NHI Governance - Implement Identity Security Posture Management (ISPM) and Identity Threat Detection & Response (ITDR) to continuously monitor and govern machine identities.
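As an added example (not code from Astrix Security or the NHI Forum), the "Monitor & Block" step above can be turned into a small log sweep. The script below walks a list of constructed CloudTrail-style events plus one Google audit record normalized into the same shape, and flags anything that matches the AWS account ID or the Google OAuth app ID quoted in this post, or that comes from a Tor exit node inside the Aug 8–18, 2025 window. The two Tor addresses are placeholders standing in for the full list in the advisory; the events themselves are constructed, not real log data.

```python
"""Sweep normalized audit events for the UNC6395 indicators named in the post.

Added example: the AWS account ID and Google OAuth client ID are the ones quoted
in the post; the Tor exit node addresses and all events below are constructed
placeholders, not real data from the advisory.
"""
from datetime import datetime, timezone

# Indicators quoted in the post.
IOC_AWS_ACCOUNT_ID = "337122806991"
IOC_GOOGLE_OAUTH_APP_ID = (
    "1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com"
)

# Placeholder addresses (RFC 5737 documentation ranges) standing in for the
# 180+ exit nodes listed in the advisory. Replace with the real list.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.44"}

# Salesforce phase window from the post: Aug 8-18, 2025 (end is exclusive so
# the whole of Aug 18 is covered).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)

# Constructed events. AWS records keep CloudTrail field names; the Google
# record is normalized into the same shape with an added oauthClientId field.
SAMPLE_EVENTS = [
    {   # anonymous-style S3 probe from a Tor exit node inside the window
        "eventID": "evt-001", "eventTime": "2025-08-12T10:15:00Z",
        "eventName": "ListObjects", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AWSAccount", "accountId": "337122806991"},
        "errorCode": "AccessDenied",
    },
    {   # Tor-sourced, but after the window: not flagged by the post's rule
        "eventID": "evt-002", "eventTime": "2025-08-25T03:00:00Z",
        "eventName": "GetBucketAcl", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
    },
    {   # ordinary in-window activity from a non-Tor address
        "eventID": "evt-003", "eventTime": "2025-08-10T09:00:00Z",
        "eventName": "GetObject", "sourceIPAddress": "192.0.2.10",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},
    },
    {   # Google Workspace token grant normalized into the same shape
        "eventID": "evt-004", "eventTime": "2025-08-20T14:42:00Z",
        "eventName": "oauth2_authorize", "sourceIPAddress": "192.0.2.77",
        "oauthClientId": IOC_GOOGLE_OAUTH_APP_ID,
    },
]


def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_window(ts):
    return WINDOW_START <= ts < WINDOW_END


def classify(event):
    """Return the list of indicator names an event matches (empty if clean)."""
    reasons = []
    ts = parse_time(event["eventTime"])
    identity = event.get("userIdentity", {})
    if identity.get("accountId") == IOC_AWS_ACCOUNT_ID:
        reasons.append("aws-account-ioc")
    # The post scopes Tor-sourced access to the Aug 8-18 window; out-of-window
    # Tor traffic is left for a separate review rather than flagged here.
    if event.get("sourceIPAddress") in TOR_EXIT_NODES and in_window(ts):
        reasons.append("tor-exit-in-window")
    if event.get("oauthClientId") == IOC_GOOGLE_OAUTH_APP_ID:
        reasons.append("drift-oauth-app")
    return reasons


def analyze(events):
    """Return one finding per event that matched at least one indicator."""
    findings = []
    for event in events:
        reasons = classify(event)
        if reasons:
            findings.append({
                "eventID": event["eventID"],
                "eventName": event["eventName"],
                "sourceIPAddress": event.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed data, the sweep reports evt-001 (account ID match plus Tor source inside the window) and evt-004 (the Drift OAuth client ID), and stays silent on the post-window Tor event and the ordinary access. Feeding it real CloudTrail or Google Workspace exports means loading the records into the same dict shape and swapping in the advisory's exit node list.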


The Bigger Picture

The UNC6395 campaign demonstrates a critical reality: OAuth token governance is now a frontline security priority. Attackers are chaining Salesforce, Google, AWS, and Snowflake together using NHIs as pivots. Without continuous discovery, monitoring, and automated remediation, organizations face an unmanageable attack surface.
