🦅The Only Newsletter That Hunts in Your Favor

Each edition of The Daily Raptor delivers sales intel with the subtlety of a hungry raccoon in your data center.

Cybersecurity Sales Teams: Three times a week our research analysts take the waterboarding and polygraphs, so you can take the commissions. Fair trade.

Got aspirational friends in cyber sales? Forward this along! Let’s sharpen their craft and help them sell smarter at dailyraptor.com.


Friday, June 6th, 2025 Edition

Before we kick things off: the Wednesday, June 4th, 2025 edition of The Daily Raptor was very well-read and widely discussed, sparking conversation and critical thinking across the industry (always a good thing!). If you're behind in reading or missed that issue, take a step back and catch up first—the topic is critically important and high impact for our clients.
Click here to read it: The Daily Raptor, June 4th, 2025

Today we have a new target: it’s us!

A newly exposed attack method, reported by Google's Threat Intel team and attributed to the threat cluster UNC6040, is setting off alarms across the cybersecurity community, and not just for our customers. Yes, CIOs and CISOs are already strategizing how to defend their organizations. But here’s the kicker: this threat hits close to home for us.

As cybersecurity sellers—highly mobile, heavily reliant on tools like Salesforce—we’re prime targets, too.

Today, we need to think in two dimensions:

  • How can we guide and protect the CIO/CISO community from this evolving vishing campaign?

  • How do we safeguard ourselves and our companies—the very people selling cybersecurity—from being exploited by the same techniques?

What’s the real threat situation?

Imagine this: you’re a busy field sales rep (the irony—you are one!). You get a call from someone claiming to be from your company’s IT help desk. They sound legit—they know your name, your role, and even reference tools you use daily, like Salesforce.

They explain there’s a critical security update needed and direct you to log into the Salesforce app, navigate to specific pages, and install what appears to be a Salesforce update. You’re moving fast, you trust your internal teams—but that app is actually a fully customized malicious tool designed to steal your credentials and exfiltrate sensitive Salesforce data.

This is exactly the type of vishing attack recently exposed by Google's Threat Intel team targeting corporations—including people like you. UNC6040’s campaign isn’t just another phishing wave—it’s a personalized, voice-led infiltration strategy that could quietly compromise both you and the organizations you serve.

Understanding how these social engineering attacks work is crucial to helping protect your customers—and yourself.

What are the threat mechanics?

  • Highly personalized voice phishing (vishing)

  • Familiar tools used as bait (e.g., Salesforce)

  • Credential theft and deep infiltration

  • Delayed ransom demands after long dwell times

What should we share with our CIOs/CISOs?

Start with situational context. Here are a few resources to read and share with clients:

For client engagement, we've also provided a Security Alert Newsletter Graphic. By the way, we left these infographics unbranded so you can use them freely with clients. They’re designed to be simple and easy to understand across all levels of an organization.

What should we send CIOs/CISOs (Their Internal Sharing)?

Here’s a high-level overview of the initial attack stage—the best phase to intervene and mitigate lasting harm:

Business Impact

  • Extended Dwell Time: Attackers can remain undetected for months or even years. The Salesforce database could be sold or traded later. Ransom demands are reportedly surfacing approximately six months after initial "IT help desk" contact.

  • Compliance Violations: Depending on the type of data stolen, losses could severely damage customer confidence and regulatory standing, and open the door to future ransom demands.

  • Incident Response Complexity: Forensic analysis is complicated by the long dwell time. However, deep log analysis may still uncover evidence.

The bottom line

UNC6040 demonstrates that cloud security’s weakest link isn’t technology—it’s human trust. When attackers can gain full Salesforce access through a 15-minute phone call using only legitimate tools, traditional security controls become irrelevant.

CIOs must shift focus from merely protecting against malware to protecting against manipulation, making employee verification protocols and behavioral anomaly detection as critical as any technical safeguard.

Have a wonderful weekend, Raptors!

The DR Team

/smb

PS: Ivy, without fail, has an opinion on the market news…
