Phishing Alert – Salesforce Security has been actively tracking a threat actor employing various social engineering tactics. These tactics include impersonating IT Support teams over the phone and directing customers’ employees or third-party support workers to phishing pages designed to steal credentials and MFA tokens or prompting users to navigate to the login.salesforce[.]com/setup/connect page in order to add a malicious connected app. In some cases, Salesforce Security has observed that the malicious connected app is a modified version of the Data Loader app published under a different name and/or branding. Once the threat actor gains access to a customer’s Salesforce account or adds a connected app, they exfiltrate data. It’s crucial to understand that Salesforce’s core services and platform have not been compromised, and this issue is not the result of any vulnerability inherent to Salesforce.
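One defensive check that follows from the alert above is to review new connected-app additions against an allowlist, since the malicious app is a rebranded Data Loader rather than an exploit of the platform. The script below is an added example written for this page; it is not code from the University of St. Thomas or from Salesforce. It assumes a Setup Audit Trail CSV export whose "Action" column reads "Created connected app: <name>" (a constructed format, not Salesforce's documented schema), and the allowlist and sample rows are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample of an audit-trail CSV export. The column names and the
# "Created connected app: <name>" wording are assumptions for this example;
# adapt APP_ACTION to the wording your own export uses.
SAMPLE_AUDIT_CSV = """\
Date,User,Action,Section
2025-05-20T09:12:03Z,admin@example.edu,Created connected app: Approved SSO Bridge,Connected Apps
2025-05-21T14:47:55Z,jdoe@example.edu,Created connected app: Data Loader Pro,Connected Apps
2025-05-21T14:48:10Z,jdoe@example.edu,Changed password policy,Security Controls
2025-05-21T16:20:31Z,jdoe@example.edu,Created connected app: Quick Export Tool,Connected Apps
2025-05-22T02:03:41Z,support-temp@example.edu,Created connected app: Salesforce Dataloader,Connected Apps
"""

# Hypothetical allowlist: connected apps the organisation has reviewed and approved.
APPROVED_APPS = {"Approved SSO Bridge", "Data Loader"}

APP_ACTION = re.compile(r"^Created connected app: (?P<name>.+)$")


def normalize(name):
    """Lower-case and strip non-alphanumerics so 'Dataloader' and 'Data Loader' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def classify(name, approved):
    """Return None for an approved app, otherwise a short reason the entry needs review.

    A name that contains (or is contained in) an approved name is reported as a
    lookalike, which is the rebranded-Data-Loader pattern described in the alert.
    """
    if name in approved:
        return None
    norm = normalize(name)
    for good in approved:
        g = normalize(good)
        if g in norm or norm in g:
            return "lookalike of approved app '%s'" % good
    return "not on allowlist"


def find_unapproved_apps(csv_text, approved=APPROVED_APPS):
    """Scan audit-trail rows and return connected-app additions that are not approved."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = APP_ACTION.match(row["Action"])
        if not match:
            continue  # not a connected-app creation; ignore
        name = match.group("name")
        reason = classify(name, approved)
        if reason:
            findings.append(
                {"date": row["Date"], "user": row["User"], "app": name, "reason": reason}
            )
    return findings


if __name__ == "__main__":
    for finding in find_unapproved_apps(SAMPLE_AUDIT_CSV):
        print("%(date)s %(user)s added '%(app)s': %(reason)s" % finding)
```

Each flagged entry carries the user who added the app and the time, which is what an incident responder needs to ask whether that user was on an "IT Support" call at the time. Exact-name matching alone would miss the rebranded variant, which is why the lookalike check is there.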
At the University of St. Thomas, we bolster our security by utilizing the following key security configurations and practices:
- Enforce Multi-Factor Authentication (MFA): MFA is an essential, effective tool to enhance protection against unauthorized account access. As sophisticated cyberattacks become more frequent, passwords alone are no longer sufficient to safeguard against unauthorized access.
- Follow the Principle of Least Privilege: Grant users, applications, and integrations with only the permissions needed for a role or function – no more, no less. This limits unnecessary access to sensitive information and significantly reduces security risks.
- Educate Our Users: Educating users on the risks of social engineering and phishing, and reinforcing the importance of verifying requests and not clicking suspicious links, is a key best practice for preventing, detecting, and mitigating this type of activity. Salesforce Support will not call you asking you to reset your accounts or log in to your instance.
- YOU! The good news is ITS has numerous tools and people working behind the scenes to combat these types of attacks. However, even with the best tools we can't catch everything. That is why we need to add another tool to our arsenal: you.
- Please help spread the word that St. Thomas will never ask for your password in an email, text or phone call.
- Watch for suspicious MFA requests; do not approve a request if you aren't actively attempting to log into St. Thomas systems.
- Verify before clicking on links in emails – even if the sender is from St. Thomas.
- Report any suspicious activity to .
- If you're ever unsure feel free to reach out to the .