SaaS Data Theft: How UNC3944, UNC6040, and UNC6395 Quietly Redefined Cloud Risk

Three financially motivated clusters—UNC3944 (“Scattered Spider”), UNC6040, and UNC6395—are driving a surge in SaaS and cloud data theft via social engineering, OAuth abuse, and supply-chain attacks. Their evolving TTPs and anti-forensics are raising the stakes for defenders.

Just need your refresh token and a minute alone with your CRM...

TL;DR

  • Enforce phishing-resistant MFA (FIDO2/hardware tokens) for all privileged SaaS/cloud accounts; track adoption via IAM dashboards, aiming for >90% within 60 days.
  • Centralize SaaS audit logs with at least 12-month retention; enable immutable logging and real-time alerts for mass exports, log deletions, and OAuth-token changes.
  • Restrict SaaS connector permissions to business-justified users; review and revoke unused/high-risk OAuth tokens quarterly using automated IAM or SaaS platform reports.
  • Monitor for spikes in vishing, SIM swaps, OAuth-token theft, and unexplained SaaS log gaps—retail sector incidents rose 11% in 2025.

The story in 60 seconds

UNC3944, UNC6040, and UNC6395 are reshaping the SaaS threat landscape with persistent, financially motivated attacks. UNC3944 (“Scattered Spider”) uses vishing, SIM swapping, and Okta/SSO abuse to steal data from platforms like Salesforce and Workday, with retail sector victims rising sharply in 2025. UNC6040 exploits SaaS supply-chain integrations and OAuth tokens, automating data exports in finance and healthcare. UNC6395 targets OAuth token compromise (notably via Drift/Salesforce), enabling rapid, stealthy exfiltration and log deletion. All three clusters employ advanced OPSEC—log tampering, ephemeral VMs, and token rotation—making detection and response increasingly difficult, and increasing the risk of regulatory and business impact.


Why it matters

SOC

  • Monitor Okta user.account.import and user.mfa.factor.deactivate events; alert on mass SaaS data exports and log deletions.
  • Track new or unapproved SaaS connector activity; flag anomalous API calls and OAuth-token refreshes.
  • Validate log integrity weekly; ensure 12+ month retention for Okta, Salesforce, and major SaaS platforms.

IR

  • Preserve immutable SaaS/Okta/Salesforce logs for at least 12 months; document log gaps and deletion attempts.
  • Triage for log tampering (e.g., missing sequential IDs, abrupt log-volume drops) and ephemeral VM use.
  • Correlate attacker infrastructure (e.g., okta-support[.]com, drift-oauth[.]net) with ASN/WHOIS enrichment; prioritize rapid containment of OAuth-token theft.

SecOps

  • Use IAM dashboards or periodic audits to baseline and track FIDO2/hardware MFA adoption for all admins.
  • Audit and restrict SaaS/OAuth integrations quarterly; automate token review and revocation where possible.
  • Require SaaS vendors to provide immutable logging, granular API permissions, and export-approval workflows; document vendor compliance.

Strategic

  • Quantify sector-specific risk (e.g., 10%+ retail leak-site surge); include SaaS/identity security in risk registers and board reporting.
  • Mandate quarterly reviews of SaaS connectors and privileged access; escalate non-compliance to executive committee.
  • Engage vendors for compliance with logging, DLP, and incident-response SLAs; benchmark against ENISA and regulatory standards. Highlight potential for regulatory fines, customer churn, and reputational loss from SaaS data breaches.

See it in your telemetry

Network

  • Detect outbound connections to attacker infrastructure (e.g., 185[.]225[.]69[.]69, 45[.]61[.]136[.]77, 91[.]219[.]236[.]15); enrich with ASN/WHOIS.
  • Monitor SaaS API calls to new/unusual destinations (Airbyte, Fivetran, Drift); alert on large or anomalous exports.
  • Track OAuth-token refreshes and connector exports; baseline normal activity and flag deviations.
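The baseline-and-deviation check the two bullets above call for, written out as an added example (not code from this report or from any of the named vendors). The export rows are constructed; in practice they would be derived from Salesforce EventLogFile API-usage records or the connector platform's own export audit log, and the approved-connector set would come from your integration inventory:

```python
"""Added example (not from the report): baseline each SaaS connector's daily export
volume and flag deviations, plus exports by connectors nobody approved. The rows are
constructed; in practice they would be derived from Salesforce EventLogFile API usage
records or the connector platform's own export audit log."""
from collections import defaultdict
from statistics import median

def _days(conn, rows_by_day):
    return [(conn, f"2025-03-{d:02d}", r) for d, r in enumerate(rows_by_day, start=1)]

SAMPLE_EXPORTS = [  # constructed: (connector, day, rows exported)
    *_days("fivetran-hr-sync", [5100, 4950, 5200, 5050, 5000, 4900, 5150]),
    ("fivetran-hr-sync", "2025-03-08", 410000),   # ~80x the norm: bulk pull of the HR objects
    *_days("bi-reporting", [20000, 21000, 19500, 20500, 22000, 20000, 21500, 20800]),
    ("drift-chat", "2025-03-08", 250000),         # connector with no recorded approval
]
APPROVED = {"fivetran-hr-sync", "bi-reporting"}   # connectors with a business justification on file

def export_anomalies(exports, k=6.0, unapproved_floor=10000, approved=APPROVED):
    """Alerts as (connector, day, reason, rows): 'volume-spike' when a day exceeds the
    connector's own prior median by k robust deviations (MAD), 'unapproved-connector'
    when a connector outside the approved set exports at least unapproved_floor rows."""
    by_conn = defaultdict(list)
    for conn, day, rows in sorted(exports, key=lambda e: e[1]):
        by_conn[conn].append((day, rows))
    alerts = []
    for conn, series in by_conn.items():
        for i, (day, rows) in enumerate(series):
            prior = [r for _, r in series[:i]]
            if conn not in approved:
                if rows >= unapproved_floor:
                    alerts.append((conn, day, "unapproved-connector", rows))
            elif len(prior) >= 3:   # need a few days of history before judging deviation
                med = median(prior)
                mad = median(abs(r - med) for r in prior) or 1.0   # robust spread, never zero
                if rows > med + k * mad:
                    alerts.append((conn, day, "volume-spike", rows))
    return alerts
```

A median/MAD baseline is used rather than mean/standard deviation so that one huge export day does not inflate the baseline and hide the next one.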

Endpoint

  • Flag EDR disablement on ephemeral cloud VMs; monitor for credential harvesting tools and info-stealer malware.
  • Detect rapid account switching or privilege escalation in SaaS/SSO sessions; correlate with helpdesk reset events.
  • Alert on new privileged account creation or mass token deactivations.
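An added detection example (not code from this report or from Okta) covering the SOC bullet on user.mfa.factor.deactivate events and the mass-deactivation alert above. It works over Okta System Log-shaped events (eventType, published, actor.alternateId, client.ipAddress, target[].alternateId); the events themselves are constructed, and the 30-minute window and threshold of three users are assumed tuning values:

```python
"""Added detection example (not from the report or from Okta): flag an Okta
user.mfa.factor.deactivate followed by a factor enrollment from a different IP,
and any actor who deactivates factors for several users inside one hour."""
from collections import defaultdict
from datetime import datetime, timedelta

def make_event(event_type, published, actor, ip, user):  # minimal Okta System Log shape
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
            "target": [{"type": "User", "alternateId": user}]}

HD, OPS = "helpdesk@corp.example", "it-ops@corp.example"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    # Help desk resets admin1's factor; minutes later a factor is enrolled from a foreign IP
    make_event("user.mfa.factor.deactivate", "2025-03-03T09:00:00.000Z", HD, "10.0.0.5", "admin1@corp.example"),
    make_event("user.mfa.factor.activate", "2025-03-03T09:04:00.000Z", "admin1@corp.example", "203.0.113.9", "admin1@corp.example"),
    # The same help desk account resets two more admins within the hour
    make_event("user.mfa.factor.deactivate", "2025-03-03T09:20:00.000Z", HD, "10.0.0.5", "admin2@corp.example"),
    make_event("user.mfa.factor.deactivate", "2025-03-03T09:45:00.000Z", HD, "10.0.0.5", "admin3@corp.example"),
    # Benign: routine reset, re-enrollment from the same office address
    make_event("user.mfa.factor.deactivate", "2025-03-03T14:00:00.000Z", OPS, "10.0.0.7", "bob@corp.example"),
    make_event("user.mfa.factor.activate", "2025-03-03T14:10:00.000Z", "bob@corp.example", "10.0.0.7", "bob@corp.example"),
]

def _user(ev):
    return next(t["alternateId"] for t in ev["target"] if t["type"] == "User")
def _ts(ev):
    return datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")

def reset_then_enroll(events, window_minutes=30):
    """(user, reset_ip, enroll_ip) for each deactivation followed in the window by an activation from another IP."""
    events, hits = sorted(events, key=_ts), []
    for i, ev in enumerate(events):
        if ev["eventType"] != "user.mfa.factor.deactivate":
            continue
        user, t0, ip0 = _user(ev), _ts(ev), ev["client"]["ipAddress"]
        for later in events[i + 1:]:
            if _ts(later) - t0 > timedelta(minutes=window_minutes):
                break
            if (later["eventType"] == "user.mfa.factor.activate" and _user(later) == user
                    and later["client"]["ipAddress"] != ip0):
                hits.append((user, ip0, later["client"]["ipAddress"]))
    return hits

def mass_deactivations(events, threshold=3):
    """Actors who deactivated factors for >= threshold distinct users in one clock hour (published[:13] bucket)."""
    users = defaultdict(set)
    for ev in events:
        if ev["eventType"] == "user.mfa.factor.deactivate":
            users[(ev["actor"]["alternateId"], ev["published"][:13])].add(_user(ev))
    return {actor: len(u) for (actor, _), u in users.items() if len(u) >= threshold}
```

Correlating the flagged reset with the helpdesk ticket (callback validation, case ID, supervisor approval) is what turns the alert into a triage decision.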

SaaS/Cloud

  • Monitor Okta/Salesforce logs for missing sequential IDs, deletions, or sudden log-volume drops; escalate unexplained gaps within four hours.
  • Alert on new privileged connector permissions, mass exports, and export-approval bypasses.
  • Track helpdesk reset requests for social engineering patterns (vishing, SIM swap); require callback validation and supervisor approval.
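The log-gap triage described in the IR bullet (missing sequential IDs, abrupt volume drops) and in the first SaaS/Cloud bullet above, as an added example that is not code from this report. It assumes the collector or SIEM stamps each Okta/Salesforce record with an increasing integer `seq`, since many SaaS logs carry only a UUID; the sample stream is constructed:

```python
"""Added triage example (not from the report): surface the two log-tampering
signs the brief lists, skipped sequence numbers and hours whose event volume
collapses against the baseline. Assumes the collector or SIEM stamps each
Okta/Salesforce record with an increasing integer `seq` (many SaaS logs carry
only a UUID, so this number would come from your ingest pipeline)."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_sample():
    """Constructed stream: 6 events/hour from 09:00 to 16:59, except hour 13 (no
    events at all) and hour 15 (one event); seq 107-109 are missing (deleted)."""
    recs, seq = [], 100
    for hour in range(9, 17):
        for n in range({13: 0, 15: 1}.get(hour, 6)):
            if seq == 107:
                seq = 110
            recs.append({"seq": seq, "ts": f"2025-08-12T{hour:02d}:{n * 10:02d}:00Z"})
            seq += 1
    return recs

def sequence_gaps(records):
    """(first_missing, next_present) for every hole in the sequence numbers."""
    seqs = sorted(r["seq"] for r in records)
    return [(a + 1, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]

def volume_drops(records, min_ratio=0.25):
    """{hour: count} for hours below min_ratio of the median hourly count; hours
    with zero events between the first and last record are included, since a
    wholesale deletion leaves no rows behind to count."""
    per_hour = Counter(datetime.strptime(r["ts"], FMT).replace(minute=0, second=0) for r in records)
    start, end = min(per_hour), max(per_hour)
    span = int((end - start).total_seconds() // 3600) + 1
    hours = [start + timedelta(hours=i) for i in range(span)]
    baseline = median(per_hour[h] for h in hours)
    return {h.strftime("%Y-%m-%dT%H"): per_hour[h] for h in hours if per_hour[h] < min_ratio * baseline}

def triage(records):
    """Combined report a responder can attach to the case."""
    return {"sequence_gaps": sequence_gaps(records), "volume_drops": volume_drops(records)}
```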

High Impact, Quick Wins

  • Achieve >90% FIDO2/hardware MFA adoption for all admins within 60 days; baseline using IAM dashboards and report progress to CISO.
  • Centralize and secure SaaS logs with at least 12-month retention; enable immutable logging and real-time SIEM alerts for exfiltration and log tampering.
  • Inventory and restrict all SaaS connectors; require business justification, quarterly review, and immediate revocation of unused/high-risk tokens.
  • Simulate vishing/SIM-swap attacks in helpdesk training; target a 75% reduction in fraudulent resets from current quarterly average and report results quarterly.

Comparative Analysis: UNC3944, UNC6040, and UNC6395 – Financially Motivated Threat Actor Clusters Targeting SaaS and Cloud Environments

UNC3944

Profile: Operational History, Attribution, and Victimology

Operational History & Attribution:
UNC3944 (“Scattered Spider”) is a financially motivated, English-speaking eCrime cluster active since at least 2022. The group is known for persistent social engineering, SIM swapping, and targeting of SaaS/cloud environments. Attribution is supported by Google Threat Intelligence, CISA, and independent research.

Victimology:
Targets include technology, telecom, financial services, BPO, gaming, hospitality, and retail, with a focus on English-speaking and multinational organizations.

Tradecraft: Initial Access, Lateral Movement, Exfiltration

  • Initial Access:

    • Social engineering (vishing, phishing, help desk impersonation)
    • SIM swapping to hijack MFA
    • Credential harvesting via phishing and info-stealer malware
  • Lateral Movement:

    • Abuse of Okta/SSO providers (self-assigning compromised accounts)
    • Use of rogue virtual machines for persistence
  • Exfiltration:

    • Cloud sync tools (Airbyte, Fivetran) to attacker-controlled storage
    • Data theft from Salesforce, CyberArk, Workday

2024–2025 Campaign Timeline Example:

  • May 2024: Initial compromise via vishing and SIM swap ➡ Okta abuse for lateral movement ➡ Exfiltration of SaaS data via Fivetran to S3 bucket

OPSEC and Anti-Forensics

  • Disables endpoint monitoring/EDR
  • Uses ephemeral VMs and log suppression (Okta event field tampering)
  • Rotates accounts and infrastructure

Recent Campaigns (2024–2025) and Impact

  • 2024: SaaS data theft from Salesforce, CyberArk, Workday
  • 2025: Coordinated attacks on retail/hospitality, rapid exfiltration/extortion
  • Retail sector victims rose to 11% of all leak-site postings in 2025 (analyst estimate, based on DarkFeed dataset)

UNC6040

Profile: Operational History, Attribution, and Victimology

Operational History & Attribution:
UNC6040 is a financially motivated cluster specializing in SaaS supply chain/integration attacks, vishing, and OAuth abuse. Attribution is ambiguous; overlaps with “The Com” and Scattered Spider affiliates are possible.

Victimology:
Targets large enterprises with complex SaaS environments, especially those with third-party integrations (HR, CRM, productivity). Sectors: finance, healthcare, technology.

Tradecraft: Initial Access, Lateral Movement, Exfiltration

  • Initial Access:

    • Vishing and phishing targeting IT/admin staff
    • Compromised SaaS connectors and OAuth token abuse
  • Lateral Movement:

    • Privilege escalation via OAuth token manipulation
    • Exploitation of trusted third-party integrations
  • Exfiltration:

    • Automated data exports via compromised integrations
    • Use of SaaS APIs to bypass network controls

2025 Campaign Timeline Example:

  • March 2025: Vishing call to IT helpdesk ➡ OAuth token theft via malicious integration ➡ Automated export of HR data via SaaS API

OPSEC and Anti-Forensics

  • Rotates VoIP numbers and ephemeral cloud servers
  • Suppresses SaaS audit log fields, rotates OAuth GUIDs
  • Uses server-side encryption toggling to obscure exfil events

Recent Campaigns (2024–2025) and Impact

  • 2024: Financial/healthcare sector SaaS supply chain compromise
  • 2025: Exploited SaaS connectors for mass data exfiltration, business disruption

UNC6395

Profile: Operational History, Attribution, and Victimology

Operational History & Attribution:
UNC6395 is a financially motivated actor responsible for a 2025 data theft campaign targeting Salesforce via compromised OAuth tokens (Salesloft Drift). Attribution is supported by Google Threat Intelligence, AppOmni, and ACSC advisories.

Victimology:
Organizations integrating Drift with Salesforce, especially those storing credentials in CRM objects. Sectors: technology, finance, SaaS-heavy enterprises.

Tradecraft: Initial Access, Lateral Movement, Exfiltration

  • Initial Access:

    • OAuth token compromise via third-party app vulnerabilities or phishing
  • Lateral Movement:

    • Limited, but may pivot to other SaaS platforms if credentials are found
  • Exfiltration:

    • Automated data export using Salesforce APIs
    • Rapid, stealthy exfiltration via legitimate API calls/cloud storage

2025 Campaign Timeline Example:

  • August 2025: OAuth token theft via Drift ➡ Automated Salesforce export ➡ Secrets search and exfiltration

OPSEC and Anti-Forensics

  • Deletes Salesforce event logs, rotates OAuth tokens post-exfiltration
  • Minimal on-platform activity, toggles server-side encryption

Recent Campaigns (2024–2025) and Impact

  • 2025: Systematic export of Salesforce data, search for high-value secrets (AWS keys, passwords, Snowflake tokens)
  • Prompted urgent remediation across Salesforce ecosystem

Comparative Matrix: TTPs, OPSEC, and Campaign Impact

| Cluster | Initial Access | Lateral Movement | Exfiltration | OPSEC/Anti-Forensics | 2024–2025 Campaign Impact |
|---|---|---|---|---|---|
| UNC3944 | Social engineering, SIM swap | Okta/SSO abuse, rogue VMs | Cloud sync tools, SaaS data theft | Strong: disables EDR, log tampering | Major SaaS data theft, retail surge |
| UNC6040 | Vishing, OAuth abuse | SaaS integration privilege abuse | Automated exports via integrations | Moderate: token rotation, audit logs | SaaS supply chain, healthcare/finance |
| UNC6395 | OAuth token compromise | Limited, pivots via stolen creds | Salesforce API, rapid exfiltration | High: log deletion, token rotation | Salesforce/Drift data breach |

Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps

  1. Harden SaaS and Cloud Identity Security (30/60/90-Day Roadmap)
    Actions
    • 30 Days: Mandate ... (SUBSCRIBE TO UNLOCK!!) ... accounts. Review and restrict help-desk password- or PIN-reset workflows—require callback validation, unique case IDs, and supervisor approval for every reset.
    • 60 Days: Audit all ... (SUBSCRIBE TO UNLOCK!!) ... and require staff training (simulate vishing/SIM-swap scenarios).
    • 90 Days: Enforce ... (SUBSCRIBE TO UNLOCK!!) ...