In August 2025, the cybersecurity world witnessed another stark reminder of the risks posed by supply chain attacks. A trusted third-party SaaS provider, Salesloft Drift, became the weak link in a widespread campaign attributed to threat actor UNC6395.
By compromising Drift’s handling of OAuth tokens, attackers were able to access the Salesforce and Google Workspace environments of some of the world’s largest companies. The incident underscores a growing reality: organizations are only as secure as their vendors, integrations, and partners.
What Happened?
- Salesloft Drift Compromise: Attackers obtained OAuth tokens stored by Drift for customer integrations. These tokens acted as “keys” to Salesforce and Google Workspace.
- Widespread Impact: Companies including Zscaler and Palo Alto confirmed exposure of Salesforce data, with Google verifying limited access to mailboxes connected via Drift Email.
- Data Exfiltration: Threat actor UNC6395 systematically exported Salesforce objects (Accounts, Contacts, Cases, Opportunities, Users) and searched for sensitive secrets such as AWS keys, Snowflake tokens, and passwords.
- Anti-Forensics: The actor deleted executed queries inside Salesforce to hide traces, though logs remained intact.
This was not a vulnerability in Salesforce or Google. It was a compromise of Drift as the supply chain entry point, which then cascaded into its customers’ environments.
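The activity described above leaves a recognisable shape in API activity logs even when the actor cleans up after itself: one integration identity sweeping through many objects in a few minutes, reading objects it never touched before, and then deleting the jobs that did the export. The following hunting script is an added example written for this post, not code from Help AG, Salesforce or Salesloft. It assumes a simplified, constructed key=value log format (not Salesforce's real Event Monitoring schema), a hypothetical per-integration baseline of the objects each connected app normally reads, and invented app names, users and job ids; tune the thresholds to your own tenant's activity.

```python
"""Hunt cloud/CRM activity logs for the three signals in the incident above:
an integration reading objects outside its baseline, a burst of sensitive
objects exported in one sweep, and export jobs deleted after they ran.
Log format and baseline are constructed assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical schema; app names, users,
# timestamps and job ids are invented for the example).
SAMPLE_LOG = """\
2025-08-09T02:10:04Z app=drift-connector user=integration@example.com event=BulkQuery object=Lead rows=1200 job=J100
2025-08-09T02:10:40Z app=drift-connector user=integration@example.com event=BulkQuery object=Account rows=52000 job=J101
2025-08-09T02:11:12Z app=drift-connector user=integration@example.com event=BulkQuery object=Contact rows=88000 job=J102
2025-08-09T02:12:03Z app=drift-connector user=integration@example.com event=BulkQuery object=Case rows=31000 job=J103
2025-08-09T02:12:45Z app=drift-connector user=integration@example.com event=BulkQuery object=Opportunity rows=20500 job=J104
2025-08-09T02:13:20Z app=drift-connector user=integration@example.com event=BulkQuery object=User rows=900 job=J105
2025-08-09T02:15:01Z app=drift-connector user=integration@example.com event=JobDelete job=J101
2025-08-09T02:15:02Z app=drift-connector user=integration@example.com event=JobDelete job=J102
2025-08-09T02:15:03Z app=drift-connector user=integration@example.com event=JobDelete job=J103
2025-08-09T09:00:00Z app=reporting-etl user=etl@example.com event=BulkQuery object=Opportunity rows=15000 job=J200
2025-08-09T09:30:00Z app=reporting-etl user=etl@example.com event=BulkQuery object=Account rows=14000 job=J201
"""

# The objects the post says were exported; reads of these count as sensitive.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity", "User"}

# Assumed baseline: which objects each connected app legitimately reads.
# In practice derive this from weeks of historical activity per integration.
BASELINE = {
    "drift-connector": {"Lead", "Contact"},
    "reporting-etl": {"Account", "Opportunity"},
}

WINDOW = timedelta(minutes=15)  # how close reads must be to count as one sweep
BURST_OBJECTS = 3               # distinct sensitive objects per sweep that alert


def parse_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict; 'rows' becomes an int."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for item in pairs:
        key, _, value = item.partition("=")
        rec[key] = int(value) if key == "rows" else value
    return rec


def hunt(log_text):
    """Return a list of alerts, each {'rule', 'app', 'ts', 'detail'}."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    alerts = []
    queries_by_app = defaultdict(list)
    jobs = {}  # job id -> the BulkQuery event that created it

    for ev in events:
        if ev["event"] == "BulkQuery":
            queries_by_app[ev["app"]].append(ev)
            jobs[ev["job"]] = ev
            # Signal 1: object outside the integration's known baseline.
            if ev["object"] not in BASELINE.get(ev["app"], set()):
                alerts.append({"rule": "off_baseline", "app": ev["app"], "ts": ev["ts"],
                               "detail": f"{ev['object']} not in baseline ({ev['rows']} rows)"})
        elif ev["event"] == "JobDelete":
            # Signal 3: deleting a job that exported data (anti-forensics).
            origin = jobs.get(ev["job"])
            if origin is not None:
                alerts.append({"rule": "job_deleted", "app": ev["app"], "ts": ev["ts"],
                               "detail": f"job {ev['job']} ({origin['object']}) deleted after export"})

    # Signal 2: many distinct sensitive objects read by one app inside WINDOW.
    for app, qs in queries_by_app.items():
        qs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(qs):
            in_window = {r["object"] for r in qs[i:]
                         if r["ts"] - first["ts"] <= WINDOW and r["object"] in SENSITIVE_OBJECTS}
            if len(in_window) >= BURST_OBJECTS:
                alerts.append({"rule": "bulk_sweep", "app": app, "ts": first["ts"],
                               "detail": f"{len(in_window)} sensitive objects in {WINDOW}: {sorted(in_window)}"})
                break  # one alert per app is enough to trigger investigation
    return alerts


def summarize(alerts):
    """Map each flagged app to the set of rules it tripped; triage by breadth."""
    summary = defaultdict(set)
    for a in alerts:
        summary[a["app"]].add(a["rule"])
    return dict(summary)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']:%Y-%m-%d %H:%M:%S} {a['rule']:<13} {a['app']:<16} {a['detail']}")
    print("per-app summary:", summarize(found))
```

Run against the constructed log, only the `drift-connector` identity trips all three rules; the `reporting-etl` app reads large row counts but stays inside its baseline and spreads its reads out, so it stays quiet. Row volume alone is a poor signal because legitimate ETL jobs are also large; the combination of off-baseline objects, a fast multi-object sweep and job deletion is what distinguishes token abuse from normal integration traffic, and an app that trips all three should have its OAuth token revoked and re-issued while the investigation runs.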
Why This Matters to You
The Drift incident highlights the ripple effect of supply chain compromises:
- Trust as an Attack Vector: Organizations trusted Drift with API integrations, which attackers then abused.
- Enterprise-Grade Victims: Even security leaders like Zscaler were impacted, proving no company is immune.
- Regional Relevance: Enterprises in the UAE and wider GCC increasingly adopt SaaS integrations for CRM, collaboration, and productivity. Without proper safeguards, a compromise in a vendor’s platform could directly expose sensitive business and government data.
If attackers can compromise multinational corporations through a third-party SaaS provider, they can do the same to any organization relying on similar integrations.
How Help AG Can Help
At Help AG, we recognize that protecting against supply chain attacks requires both proactive and reactive measures. Our services are designed to help organizations in the UAE and GCC secure their extended digital ecosystem:
- Digital Risk Protection (DRP) and Supplier Monitoring
  - We continuously monitor risks related to your suppliers, SaaS platforms, and technology partners.
  - Our DRP team monitors the surface web, dark web, and criminal forums for exposed credentials, OAuth tokens, and data leaks related to your organization or your vendors.
  - If suspicious activity is detected, we provide immediate alerts and takedown services to reduce exposure and prevent exploitation.
- Cyber Threat Intelligence (CTI) & Hunting
  - Help AG’s CTI analysts track global campaigns such as UNC6395 and proactively deliver region-specific insights to our customers.
  - Our Threat Hunting services enable early detection of anomalies in cloud logs, Salesforce activity, and third-party integrations.
By combining DRP & Supplier Monitoring with CTI, we give you visibility into your entire supply chain and help ensure that an incident like the Salesloft Drift compromise does not become your organization’s breach story.
Conclusion
The Salesloft Drift compromise is a textbook case of a supply chain attack — attackers targeting a trusted vendor to gain access to multiple downstream customers. By abusing OAuth tokens, UNC6395 bypassed traditional authentication safeguards and exfiltrated sensitive enterprise data.
For organizations in the UAE and globally, this incident reinforces a critical truth: your security depends on your supply chain. Now is the time to strengthen vendor risk management, tighten integration controls, and adopt Zero Trust principles.
Because when a supplier is compromised, your business could be next.