
Protecting Salesforce Data After an Identity Compromise

Once SSO credentials are compromised, attackers can leverage the SSO trust relationship to move laterally into connected applications.

Learn how attackers are using phishing to hijack SSO sessions—and the Salesforce controls that stop them.

A growing vector in today’s threat landscape involves compromising third-party Identity Provider (IdP) credentials or sessions to gain unauthorized access to SaaS environments. Attackers bypass application-level security by exploiting the trust relationship between SaaS platforms and IdPs, typically through phished credentials, stolen session tokens, or MFA fatigue attacks, without exploiting any vulnerability in the SaaS platforms themselves. The SaaS platform receives a valid assertion from a trusted IdP and has no way to tell that the session behind it was phished.

If your organization uses a third-party IdP to authenticate into Salesforce, start with the security controls and guidance that vendor provides. The guidance below from Salesforce Security complements it and focuses on the Salesforce side of the trust relationship.

The Attack Chain

Threat actors are using custom “phishing kits” built to support voice-based attacks. The kits let an operator control the authentication flow in real time, synchronizing what the phishing page shows with verbal instructions delivered over the phone to the targeted user.

The campaigns are typically carried out in the following phases:

Phase 1: Reconnaissance & Targeting

The threat actor identifies organizations that use centralized SSO for authentication. They gather employee names, phone numbers, job titles, and IT support contact information from publicly available sources to develop a social engineering pretext, often impersonating IT support or security personnel.

Phase 2: Initial Compromise  

The threat actor contacts the user via phone, often spoofing legitimate IT support numbers. The user is directed to navigate to a fraudulent IdP login page under the pretext of a security verification or system update. The phishing kit captures the username and password and notifies the attacker in real-time.

Phase 3: MFA Bypass via Real-Time Session Orchestration

The threat actor enters the stolen credentials into the legitimate SSO login portal and observes which Multi-Factor Authentication (MFA) challenge is presented (e.g., push, SMS, TOTP). The phishing page is updated to mirror that challenge, and the caller talks the user through completing it: a one-time code is typed into the fraudulent site and relayed to the real portal, or a push prompt that the attacker’s login triggered is approved by the user. Either way the real IdP issues its session cookies and bearer tokens to the attacker’s browser or proxy, not to the user.

Phase 4: Access & Data Exfiltration

Holding that session, the threat actor has authenticated access to the victim’s SSO session without the original credentials or a second MFA approval. From the SSO portal they can launch Salesforce like any user: Salesforce receives a valid assertion from the trusted IdP, issues a session, and records an ordinary SSO login from the attacker’s IP address. From there they may run bulk reports, query APIs, or download sensitive business data.

Detection & Response 

Phishing kits defeat standard MFA methods (push notifications, SMS codes, and mobile authenticator codes) not by breaking them but by getting the user to complete the second factor for a login the attacker initiated.

To defend against this, Salesforce recommends implementing Phishing-Resistant MFA.

Unlike standard MFA, phishing-resistant methods use cryptographic, device-bound, and origin-bound authentication. The credential is scoped to the domain that registered it (your IdP’s login domain in a federated setup, or your Salesforce login domain such as login.salesforce.com or your My Domain for direct logins), the browser refuses to exercise it for a page on any other origin, and the signed response includes the origin the user was actually on. A phishing kit hosted on a lookalike domain therefore has nothing to relay: there is no code for the user to type, and no assertion the real domain would accept.

Examples of phishing-resistant standards include:

  • FIDO2/WebAuthn hardware keys (e.g., YubiKey, Google Titan)
  • Platform authenticators (e.g., Windows Hello, Apple Face ID/Touch ID, including passkeys managed by those platforms)
  • Certificate-based authentication (e.g., Smart Cards)
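To make the origin binding concrete, here is an added example (not code from Salesforce, an IdP, or a FIDO vendor) that models a WebAuthn assertion ceremony end to end in Python and runs the cases that matter: a legitimate login, a phishing page asking for the IdP’s credential, a phishing page using its own RP ID, and an assertion the attacker patches to look legitimate. The authenticator’s ECDSA signature is replaced by an HMAC keyed with a device-bound secret so the block needs only the standard library; the check order follows the WebAuthn spec, but the domain names, keys and challenges are constructed for this illustration.

```python
"""WebAuthn origin binding, modelled end to end.

Added example; not code from Salesforce or any IdP. The authenticator's ECDSA
signature is replaced by an HMAC keyed with a device-bound secret so the block
runs on the standard library alone; every domain and key below is constructed.
"""
import hashlib
import hmac
import json
import secrets

IDP_RP_ID = "login.example-idp.com"                       # assumed IdP domain
IDP_ORIGINS = {"https://login.example-idp.com"}
PHISH_RP_ID = "login.example-idp.com.verify-now.example"  # assumed lookalike host
PHISH_ORIGIN = "https://" + PHISH_RP_ID


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def client_data_json(challenge: str, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, separators=(",", ":")).encode()


class Authenticator:
    """Credentials are scoped to an RP ID; the secret never leaves the device."""

    def __init__(self):
        self._creds = {}
        self.sign_count = 0

    def make_credential(self, rp_id: str) -> bytes:
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # stands in for the public key the RP stores

    def get_assertion(self, rp_id: str, client_data: bytes) -> dict:
        if rp_id not in self._creds:
            raise LookupError(f"no credential scoped to {rp_id}")
        self.sign_count += 1
        # authenticatorData = rpIdHash(32) || flags(1, UP bit set) || signCount(4)
        auth_data = rp_id_hash(rp_id) + b"\x01" + self.sign_count.to_bytes(4, "big")
        sig = hmac.new(self._creds[rp_id],
                       auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def browser_get(auth: Authenticator, page_origin: str, rp_id: str, challenge: str) -> dict:
    """The browser, not the page, writes the origin and enforces the RP ID scope."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{rp_id} is not a registrable suffix of {host}")
    return auth.get_assertion(rp_id, client_data_json(challenge, page_origin))


def verify_assertion(assertion: dict, key: bytes, challenge: str, last_count: int = 0):
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in IDP_ORIGINS:
        return False, f"origin {cd.get('origin')} not allowed"
    ad = assertion["authenticatorData"]
    if ad[:32] != rp_id_hash(IDP_RP_ID):
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user-presence flag not set"
    if int.from_bytes(ad[33:37], "big") <= last_count:
        return False, "signature counter did not advance"
    expected = hmac.new(key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not verify"
    return True, "ok"


def run_scenarios() -> dict:
    """One legitimate login and three relay attempts by a phishing page."""
    auth = Authenticator()
    idp_key = auth.make_credential(IDP_RP_ID)
    challenge = secrets.token_urlsafe(32)
    out = {}
    # 1. User on the real IdP page.
    out["legitimate"] = verify_assertion(
        browser_get(auth, "https://login.example-idp.com", IDP_RP_ID, challenge), idp_key, challenge)
    # 2. Phishing page asks for the IdP's credential: the browser refuses.
    try:
        browser_get(auth, PHISH_ORIGIN, IDP_RP_ID, challenge)
        out["relay_idp_rpid"] = (True, "unexpected")
    except PermissionError as e:
        out["relay_idp_rpid"] = (False, str(e))
    # 3. Phishing page uses its own RP ID: the device holds no credential for it.
    try:
        browser_get(auth, PHISH_ORIGIN, PHISH_RP_ID, challenge)
        out["relay_phish_rpid"] = (True, "unexpected")
    except LookupError as e:
        out["relay_phish_rpid"] = (False, str(e))
    # 4. Even a credential the victim was tricked into registering with the phishing
    #    site yields an assertion the IdP rejects, as captured and after the attacker
    #    patches the origin and rpIdHash to look legitimate.
    auth.make_credential(PHISH_RP_ID)
    phished = browser_get(auth, PHISH_ORIGIN, PHISH_RP_ID, challenge)
    out["relay_as_is"] = verify_assertion(phished, idp_key, challenge)
    forged = dict(phished,
                  clientDataJSON=client_data_json(challenge, "https://login.example-idp.com"),
                  authenticatorData=rp_id_hash(IDP_RP_ID) + phished["authenticatorData"][32:])
    out["relay_forged"] = verify_assertion(forged, idp_key, challenge)
    return out
```

The check in browser_get is the piece most explanations skip: the page never gets to choose the origin written into clientDataJSON, and a credential scoped to the IdP cannot be exercised from a lookalike host at all, so the kit’s operator is left with nothing to relay; the fourth scenario shows that patching the captured fields only breaks the signature.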

Immediate Mitigation Steps

If you suspect your SSO environment has been compromised, we recommend taking the following actions immediately:

  1. Contain: Revoke all active IdP sessions for affected users, reset their IdP passwords, and re-enroll their MFA devices. Revoking the IdP session does not end sessions Salesforce has already issued, so also terminate the users’ Salesforce sessions (Setup > Session Management) and revoke their OAuth tokens and Connected App access, which survive a password reset.
  2. Investigate: Review IdP logs for the authentication events and examine Salesforce “Login History” for access from unusual IP addresses or geographic locations, paying attention to the Login Type and Application columns (an SSO login followed minutes later by a Data Loader or API login from the same unfamiliar address is the pattern to look for). Then check for bulk data exports or API usage by those users.
  3. Remediate: If unauthorized data access is suspected, determine what was exported (report export and Bulk API event logs) and review Setup Audit Trail for persistence the attacker may have added, such as newly authorized Connected Apps, new users, or permission changes.
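The Investigate step above is mechanical enough to script. The following is an added example written for this page (not a Salesforce tool) that triages a Login History export: it treats logins before a cutoff as the baseline for each user’s usual countries, then flags successful logins from outside the Login IP Ranges, from a country new to that user, or from two countries within an impossible-travel window, and returns a containment list. The rows, corporate IP ranges, cutoff and two-hour window are constructed assumptions; the column names follow the LoginHistory object’s fields, with a Username column added for readability, and the SOQL constant shows how to pull the same rows from a real org.

```python
"""Triage of a Salesforce Login History export after a suspected SSO compromise.

Added example for this page, not a Salesforce tool. SAMPLE_LOGIN_HISTORY,
CORPORATE_RANGES, BASELINE_CUTOFF and TRAVEL_WINDOW are constructed; column
names follow the LoginHistory object's fields plus a Username column.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Pulls the equivalent rows from a live org (LoginHistory retains six months).
LOGIN_HISTORY_SOQL = ("SELECT UserId, LoginTime, SourceIp, LoginType, Status, "
                      "Application, CountryIso FROM LoginHistory "
                      "WHERE LoginTime = LAST_N_DAYS:7 ORDER BY LoginTime")

CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24"),   # assumed office egress
                    ipaddress.ip_network("198.51.100.0/24")]  # assumed VPN pool
BASELINE_CUTOFF = datetime(2024, 5, 7)   # logins before this are trusted history
TRAVEL_WINDOW = timedelta(hours=2)       # two countries inside this window is a hijack

# Constructed rows: alice's 09:31 SSO login and the Data Loader login two
# minutes later come from an address and country she has never used.
SAMPLE_LOGIN_HISTORY = """\
Username,LoginTime,SourceIp,LoginType,Status,Application,CountryIso
alice@example.com,2024-05-06T08:02:11Z,203.0.113.17,SAML Sfdc Initiated SSO,Success,Browser,US
alice@example.com,2024-05-07T08:05:40Z,203.0.113.17,SAML Sfdc Initiated SSO,Success,Browser,US
alice@example.com,2024-05-07T09:31:02Z,192.0.2.44,SAML Sfdc Initiated SSO,Success,Browser,NL
alice@example.com,2024-05-07T09:33:50Z,192.0.2.44,Other Apex API,Success,Data Loader,NL
bob@example.com,2024-05-07T07:58:03Z,198.51.100.9,SAML Sfdc Initiated SSO,Success,Browser,US
carol@example.com,2024-05-07T10:12:00Z,192.0.2.99,Application,Invalid Password,Browser,BR
"""


def parse_login_history(text: str) -> list:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["LoginTime"] = datetime.strptime(r["LoginTime"], "%Y-%m-%dT%H:%M:%SZ")
        r["SourceIp"] = ipaddress.ip_address(r["SourceIp"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["LoginTime"])


def in_corporate_ranges(ip) -> bool:
    return any(ip in net for net in CORPORATE_RANGES)


def triage(text: str, cutoff: datetime = BASELINE_CUTOFF) -> dict:
    """Map each user to the findings on their successful logins after `cutoff`."""
    rows = parse_login_history(text)
    usual_countries = defaultdict(set)
    for r in rows:
        if r["Status"] == "Success" and r["LoginTime"] < cutoff:
            usual_countries[r["Username"]].add(r["CountryIso"])

    findings = defaultdict(list)
    last_success = {}
    for r in rows:
        if r["Status"] != "Success" or r["LoginTime"] < cutoff:
            continue
        user, when = r["Username"], r["LoginTime"].strftime("%H:%M")
        if not in_corporate_ranges(r["SourceIp"]):
            findings[user].append(
                f"{when} {r['Application']} login via {r['LoginType']} from "
                f"{r['SourceIp']}, outside Login IP Ranges")
        if usual_countries[user] and r["CountryIso"] not in usual_countries[user]:
            findings[user].append(
                f"{when} country {r['CountryIso']} never seen for this user "
                f"(usual: {sorted(usual_countries[user])})")
        prev = last_success.get(user)
        if (prev and prev["CountryIso"] != r["CountryIso"]
                and r["LoginTime"] - prev["LoginTime"] <= TRAVEL_WINDOW):
            findings[user].append(
                f"{when} {prev['CountryIso']} to {r['CountryIso']} within {TRAVEL_WINDOW}")
        last_success[user] = r
    return dict(findings)


def containment_list(findings: dict) -> list:
    """Users whose IdP and Salesforce sessions, OAuth tokens and MFA must be reset."""
    return sorted(findings)


if __name__ == "__main__":
    result = triage(SAMPLE_LOGIN_HISTORY)
    for user, items in result.items():
        print(user)
        for item in items:
            print("  -", item)
    print("contain:", containment_list(result))
```

On the constructed rows only alice is flagged, with five findings: both off-network logins, the new country on each, and the US-to-NL jump 85 minutes after her office login. Users with no trusted history before the cutoff (bob here) only get the IP-range check, so seed the cutoff with enough history to make the country baseline meaningful.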

Implement Strategic Security Controls

To protect against future threats and establish a strong security baseline, administrators should implement the following defense-in-depth controls:

  1. Enforce Phishing-Resistant Authentication: Transition users to FIDO2/WebAuthn security keys or platform authenticators. Update IdP policies to require these methods specifically for the Salesforce application, not only at the portal, so that an attacker who reaches the portal with a weaker factor still cannot launch Salesforce.
  2. Implement Network Restrictions: Use “Login IP Ranges” on Salesforce profiles to restrict access to known corporate networks or VPNs; the ranges are checked when Salesforce issues the session, so a valid IdP session held from an attacker’s address still cannot become a Salesforce session. Configure your IdP to block access from anonymizing services (e.g., Tor, unknown proxies).
  3. Harden Session Security: Enable the Salesforce setting “Lock sessions to the IP address from which they originated” to prevent reuse of a session from a second address. Note that in the attack chain above the session is issued to the attacker’s proxy in the first place, so this control catches tokens stolen after issuance and must be paired with Login IP Ranges. Set aggressive session timeout policies to reduce the window of opportunity for attackers.
  4. Restrict Data Export Capabilities: Review and limit “View All Data” and “Modify All Data” on all profiles and permission sets. Data Loader and other API clients require the “API Enabled” permission and report downloads require “Export Reports”; remove both from users who don’t need them, implement approval workflows for large data exports, and monitor and alert on bulk API operations.
  5. Deploy Detection & Monitoring: Leverage Salesforce Shield Event Monitoring to track data export activity (the ReportExport and BulkApi event log files, or the real-time ReportEvent and ApiEvent streams) and configure alerts for unusual login patterns or bulk API operations. Where licensed, Transaction Security Policies can block a report export or API query that exceeds a row threshold rather than only alerting on it.
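As an added example of the monitoring in item 5 (written for this page, not a Shield feature), the block below runs a sliding one-hour window over Event Monitoring rows and raises one alert per user and rule: any report export or Bulk API job from an address outside the corporate ranges, three or more report exports within the window, and Bulk API volume over a row threshold unless the user is on an approved-export list, which is where an export approval workflow (item 4) plugs in. The rows are constructed in the EventLogFile style; EVENT_TYPE, TIMESTAMP, USER_ID and CLIENT_IP are standard columns, while ROWS_PROCESSED, the thresholds, the IP ranges and the approved-user list are assumptions to adapt to your org.

```python
"""Sliding-window detection of bulk export activity in Salesforce Event Monitoring rows.

Added example for this page, not a Shield feature. SAMPLE_EVENT_LOG is
constructed in the EventLogFile style; EVENT_TYPE, TIMESTAMP, USER_ID and
CLIENT_IP are standard columns, while ROWS_PROCESSED, the thresholds, the IP
ranges and APPROVED_BULK_USERS are assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
APPROVED_BULK_USERS = {"005-integration"}   # standing approval from the export workflow
WINDOW = timedelta(minutes=60)
REPORT_EXPORT_BURST = 3      # report exports per user per window
BULK_ROWS_LIMIT = 10_000     # Bulk API rows per user per window

# Constructed rows. 005-integration is the nightly ETL user; 005-alice exports
# three reports and a 50,000-row Bulk API job from an off-network address.
SAMPLE_EVENT_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,ROWS_PROCESSED
BulkApi,20240507020000.000,005-integration,203.0.113.50,250000
ReportExport,20240507093402.000,005-alice,192.0.2.44,
ReportExport,20240507093530.000,005-alice,192.0.2.44,
ReportExport,20240507094011.000,005-alice,192.0.2.44,
BulkApi,20240507094500.000,005-alice,192.0.2.44,50000
ReportExport,20240507110000.000,005-bob,198.51.100.9,
"""


def parse_events(text: str) -> list:
    events = []
    for r in csv.DictReader(io.StringIO(text)):
        # EventLogFile TIMESTAMP is YYYYMMDDhhmmss.SSS
        r["ts"] = datetime.strptime(r["TIMESTAMP"], "%Y%m%d%H%M%S.%f")
        r["rows"] = int(r["ROWS_PROCESSED"] or 0)
        events.append(r)
    return sorted(events, key=lambda e: e["ts"])


def off_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_RANGES)


def detect(text: str) -> dict:
    """Return {(user_id, rule): detail}; each rule fires once per user."""
    alerts = {}
    exports = defaultdict(deque)   # user -> export timestamps inside WINDOW
    bulk = defaultdict(deque)      # user -> (timestamp, rows) inside WINDOW
    for e in parse_events(text):
        if e["EVENT_TYPE"] not in ("ReportExport", "BulkApi"):
            continue
        user, now = e["USER_ID"], e["ts"]
        if off_network(e["CLIENT_IP"]):
            alerts.setdefault((user, "off_network_export"),
                              f"{e['EVENT_TYPE']} from {e['CLIENT_IP']} at {now:%H:%M}")
        if e["EVENT_TYPE"] == "ReportExport":
            q = exports[user]
            q.append(now)
            while now - q[0] > WINDOW:
                q.popleft()
            if len(q) >= REPORT_EXPORT_BURST:
                alerts.setdefault((user, "report_export_burst"),
                                  f"{len(q)} report exports within {WINDOW}")
        else:
            q = bulk[user]
            q.append((now, e["rows"]))
            while now - q[0][0] > WINDOW:
                q.popleft()
            total = sum(n for _, n in q)
            if total >= BULK_ROWS_LIMIT and user not in APPROVED_BULK_USERS:
                alerts.setdefault((user, "bulk_api_volume"),
                                  f"{total} rows through the Bulk API within {WINDOW}")
    return alerts


if __name__ == "__main__":
    for (user, rule), detail in detect(SAMPLE_EVENT_LOG).items():
        print(f"{user:16} {rule:20} {detail}")
```

On the constructed rows the integration user’s 250,000-row job is silent because it comes from a corporate address and the user holds a standing approval, while alice trips all three rules; feed the same function the hourly event log files or the real-time event stream and route the off-network rule to a page rather than a ticket, since it is the one that matches the attack chain above.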

User Awareness & Verification

Users need to understand how and why they are being targeted; that understanding is the main defense against social engineering. Educate users that neither your IT support team nor Salesforce will ask them to log in or approve an MFA prompt during an unsolicited call, and establish a clear protocol for verifying a caller’s identity (e.g., a “call back” policy using official internal numbers).

Conclusion

The convergence of sophisticated phishing kits, voice-based social engineering, and SSO relationships creates a critical threat to connected systems. Organizations must prioritize phishing-resistant authentication and assume that traditional MFA methods (push notifications, SMS codes) can be defeated when combined with social engineering.

Phishing-resistant MFA at the SSO layer is the strongest defense—but it requires enterprise-wide rollout and broader team coordination. We recommend following the security guidance provided by your specific IdP. If you require assistance with your Salesforce instance, we encourage you to reach out to Support via the Help Portal.
