April 14, 2020

Protecting Salesforce.

When your attacker becomes your customer

By Benny Reich, VP Products

An IT Decision Makers survey[1] indicates that 67% of all companies with over 1,000 employees have been attacked via a collaboration app like Salesforce, Slack, OneDrive, and others.

Ask yourself – Is your Salesforce deployment protected against cyber attacks?

In this blog I will review the threats CRM applications can pose on enterprises, how attackers are taking advantage of these applications and the unique kill chains associated with such attacks. I will accompany this with some examples showing how they can be executed in Salesforce. In the last part, I’ll review shortly what Perception Point does to intercept Salesforce-based threats.


When Your Customer is a Security Risk

Any digital–first enterprise requires the processing of data. A lot of data. This is even more true for B2C companies which have to manage up to millions of customers at the same time. To do so effectively, they must rely on client management platforms – and foremost, Salesforce, the gold standard of CRM apps. However, this IT evolution also has created a new entry point for 21st century attackers. By being more engaged with the outside world, enterprises are also exposing themselves to new threats which were once unheard of.

The CRM domain is a great example of this. An interesting scenario, that in my opinion shows best the magnitude of this threat, is the ability of a customer imposter to maliciously act behind the lines of defense of the targeted enterprise. Quite surprisingly, malicious actors can pretty easily disguise themselves and masquerade as “customers”. Once they have gained access, the attackers can easily upload content with a malicious payload and trigger the malevolent sequence, causing severe damage to their target – either in the form of data theft or –financial gains.


Salesforce 360

Salesforce is the most popular CRM software in the world, with over 150k customers globally. The company offers a wide range of solutions to centralize and manage all customer interactions, including sales, service, marketing, collaboration, communities, commerce and more.

Salesforce Customer 360 is a tool that allows companies to connect Salesforce apps and create a unified customer ID to build a single view of the customer. Sources from all apps are fed into one place, putting the customer (of Salesforce customers) in the center. This action symbolizes the true essence of digital transformation – combining both data, cloud and a focus on customers to create added value.

Source: Salesforce.com

In my view, it also means that Salesforce serves as a micro-cosmos of the modern enterprise, with multiple entry points/interactions with multiple processes within the organization as well as the outside world.

As a result, it is very prone to attacks from “trusted” customers. But this raises questions – how do you know that they are really customers or any other legitimate stakeholder? Should we automatically trust the content being shared? Maybe attackers are counting on it?


The Deceiving Feel of a Secured Channel

Salesforce is perceived as a safe channel. It is highly used by many organizations for many years and it is not often you hear of attacks that are leveraging this app. In other words, from the view of a company providing its services/products, you believe that your support or customer success teams interact only with legitimate customers and relevant stakeholders. Unfortunately, this is a misconception. One of them can be an attacker in disguise that is leveraging your trust to gain access into your organization and create havoc.


The External Kill Chain

In this scenario, I’ll explain how the attacker sets a foot in the door without taking over a user account – i.e. doesn’t become an internal part of the organization but rather an external stakeholder.

In the first stage the attacker becomes a “customer” of the company. This can be by either submitting a form or even taking actual action to portray a legitimate customer. Then, he/she interacts with the company just like any regular customer, thus gaining our trust. Depending on the sophistication of the attacker plans, he/she may stay in this phase for a long time to make sure they are considered to be a “trusted” customer – enabling a more advanced malicious action.

In the next phase, the attack is being prepared – usually creating a malicious piece of content. The attacker also now decides when and how is the best time for the attack and it what form the attack will be disguised. Then, he/she launches the attack by sending the malicious payload. Good delivery methods include sending an email through the salesforce e-mail channel, sharing a file through a customer support request or other sharing means of Salesforce or by answering a form.

Once an unsuspecting customer representative opens such a malicious file or a phishing URL, the organization is breached, resulting in serious damage to its data, financial resources, and brand.


The Internal Kill Chain

In this scenario, the attacker becomes a real intruder: he/she gains authorized access to the organization’s Salesforce system and operates from there.

Firstly, the intruder obtains legitimate log-in credentials of the targeted account via phishing, social engineering, or any other channel. This allows the intruder to explore the system and understand who are the key stakeholders with access to confidential data and/or funds.

The intruder can now send malicious content to different employees in the organization, spreading files or URLs until another user takes the bait. Once the bait is taken, a breach happens within the organization. This is a highly dangerous attack path since virtually all organizations do not scan internal traffic, not to mention internal traffic of collaboration channels.


How It Looks in Real Life

Due to its nature, there are many ways an attacker can leverage the Salesforce platform to breach into the organization. Below are a few examples.

  1. Leveraging Salesforce Customer PortalThe Salesforce Customer Portal is a tool used by companies to manage their relations with end-users in a direct manner.In this example, the attacker pretends to be a client of the company and uses the Customer Portal framework to upload a malicious file. The file is later opened by an employee, unknowingly compromising the entire organization.

  2. Leveraging Salesforce CollaborationAs a Salesforce customer, you may use Quip or other methods to share information, documents, and presentations, and work on them together with your customers. This time, the attacker pretends to be a customer and starts working with you on such shared documents. Alternatively, the attacker obtains the credentials of an existing client of yours and hijack the document thread for his/her benefit.In one of the interactions the attacker turns the shared document into a malicious document or embeds a phishing/malicious URL within the document. Once you open the document or click the link inside the document, the organization is breached.

    It is important to note that the attacker may not even be your “customer”. He can just join your Salesforce community and start interacting with your support or with other customers. By loading a malicious file or URL as part of these interactions, they might cause you, your customers and your partners, all to be breached.

“The Salesforce Loophole” – A full analysis of a Salesforce-borne attack:

In addition, I would like to invite you to read a recent publication about a malicious file transferred via Salesforce to one of our clients. The article demonstrates how attackers think and what they share via CRM apps.


Intercepting Any Malicious Files or URL Upon Upload

Perception Point’s Advanced Salesforce Security scans all content uploaded to your Salesforce intercepting any attempt to use it for malicious purposes, before it reaches the end user employee. The multi-layered solution employs unique anti-evasion algorithms to identify even the most hidden objects and processes each of them separately through three unique static layers and the proprietary dynamic analysis HAPTM layer, making sure no attack gets into your system.

Perception Point’s platform provides Prevention as a Service – working for you instead of you working for the platform.

As part of a partnership with Salesforce, the solution is available on the AppExchange and can be easily installed directly on your service. No additional IT costs nor overhead.

Learn more about Salesforce product here.


[1] See the full report in this link: https://perception-point.io/enterprise-collaboration-security-report/

Contact Us

Connect with our team to:
* Learn more
* Get a live demo
* Get a quote
* Set up a free 30 day trial

We will respond to your enquiry within 24 hours.

Link has been copied to your clipboard!