Attackers are leveraging Salesforce’s trustworthiness as their most powerful tool for improving SEO.
Salesforce has emerged as a significant target for cyber attackers in 2025, as highlighted by new research from WithSecure regarding threats to customer relationship management (CRM) platforms. The report indicates a dramatic twenty-fold increase in malicious activity within Salesforce environments during the first quarter of this year compared to late 2024. Attackers are increasingly utilising ordinary files as delivery mechanisms, with Word documents accounting for over two-thirds of malicious detections. These documents often contain links to phishing portals or malware downloads. Additionally, image files, primarily linked to QR code phishing—referred to as quishing—constitute more than a quarter of detections. This tactic is particularly effective in hybrid work settings, where employees may use mobile devices that lack the same security protections as corporate endpoints.
The report underscores that much of the malicious activity exploits user trust. Users generally perceive Salesforce as a secure platform, making them more likely to open documents or scan QR codes received through familiar workflows. Attackers capitalise on this trust by disguising harmful content as legitimate business communications, such as case messages or form submissions. Links embedded within these files frequently direct users to phishing sites that impersonate well-known brands. Observed tactics in early 2025 include the use of newly registered domains, lookalike domains, URL shorteners, and the exploitation of legitimate infrastructure like Bing redirect services, allowing malicious traffic to blend seamlessly with normal activity.
Furthermore, identity compromise poses a significant challenge, as attackers often utilise OAuth tokens to bypass traditional detection methods. Karmina Aquino, Head of Threat Protection at WithSecure, notes that attackers can gain access without needing to crack passwords or bypass multi-factor authentication by tricking users into approving connected apps. This stealthy approach is enhanced when attackers mimic user behaviour, working during regular hours and accessing familiar objects, which allows them to blend in with legitimate activity.
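The link tactics listed above (lookalike domains, URL shorteners, redirects through legitimate services) can be triaged on URLs extracted from uploaded files. The following is an added example, not code from WithSecure or the report: the shortener and brand lists are constructed samples, the `/ck/` Bing redirect path is an assumption, and newly registered domains are left out because checking them needs external registration data.

```python
from urllib.parse import urlsplit

# Constructed sample lists; a real deployment would use maintained feeds.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
BRANDS = {"microsoft": "microsoft.com", "salesforce": "salesforce.com",
          "docusign": "docusign.com"}
# Assumption: Bing click-tracking redirects live under a /ck/ path.
REDIRECTORS = {"bing.com": "/ck/", "www.bing.com": "/ck/"}


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_link(url):
    """Return the set of tactic labels that apply to one extracted URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = set()
    if host in SHORTENERS:
        labels.add("shortener")
    # "\0" never prefixes a path, so unknown hosts fall through.
    if parts.path.startswith(REDIRECTORS.get(host, "\0")):
        labels.add("open-redirect")
    # Naive registrable domain: last two DNS labels (ignores multi-part TLDs).
    pieces = host.split(".")
    label = pieces[-2] if len(pieces) >= 2 else host
    registrable = ".".join(pieces[-2:])
    for brand, legit in BRANDS.items():
        if registrable == legit:
            continue  # the brand's own domain is not a lookalike
        # Brand name embedded in the host, or a near-miss spelling of it.
        if brand in host.replace("-", "") or 0 < edit_distance(label, brand) <= 2:
            labels.add("lookalike:" + brand)
    return labels


if __name__ == "__main__":
    # Constructed sample links, as they might be extracted from a document.
    for u in ["https://bit.ly/3abcXYZ", "https://rnicrosoft.com/login",
              "https://www.bing.com/ck/a?u=PLACEHOLDER"]:
        print(u, sorted(triage_link(u)))
```

A shortener or redirect label marks a link whose real destination is hidden, so the destination still has to be resolved and triaged in turn.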