SaaS Data Theft: How UNC3944, UNC6040, and UNC6395 Quietly Redefined Cloud Risk

UNC3944, UNC6040, and UNC6395 are executing targeted campaigns against SaaS, cloud, and virtualization environments, leveraging vishing, OAuth abuse, and supply-chain compromise. Their TTPs require precise, telemetry-driven controls and detection.

Vishing Meets Cloud: UNC6040’s Abuse of Salesforce Connected Apps for Stealthy Data Exfiltration

🎧☁️ When the “help desk” helps itself. UNC6040’s phone-phishing swarm hijacks Salesforce via a doctored Data Loader — Google fingers 20+ victims (and counting).