The Salesloft Drift attack drives home the fact that modern account takeover defenses must expand beyond perimeter security to monitor the entire environment, including interconnected cloud applications for legitimate but abused access.
The recent supply chain attack involving Salesloft and Drift feels less like a novel technique and more like a modern evolution of a classic: the watering hole attack. Traditionally, a watering hole attack involves compromising a website frequented by a specific target group. Instead of going after the primary targets directly, attackers infect a trusted third-party site and simply wait for their victims to arrive.
The Salesloft/Drift incident follows the same strategic blueprint, but with a worrying upgrade in venue. The compromised "watering hole" wasn't a niche forum or an industry blog; it was a widely-used and trusted B2B SaaS application. By compromising this central hub, the attackers gained access to the sensitive data of downstream organizations that relied on the platform. It's a stark reminder that as our cloud workspaces become more interconnected, the "watering holes" we frequent are no longer just websites, but the critical applications that power our daily operations.
As details of the incident continue to emerge, they highlight the complexities of today’s email and cloud office threat landscape, and underline the need to change the way we think about protecting against account takeover attacks.
What happened?
By now, anyone reading this blog is at least aware of the extensive SaaS supply chain attack involving Salesloft Drift. But it’s helpful to walk through a timeline of events to understand just how the dominos fell, and how broadly account takeovers can spread if left undetected.
A threat actor tracked as UNC6395 conducted an extensive attack that led to the exfiltration of email and other sensitive data from a range of organizations. Here’s a rough timeline as the incident is understood at time of writing:
- March 2025: Initial access - The attackers gained access to Salesloft’s GitHub account, though exactly how they obtained that initial access is currently unknown.
- March-June: Data gathering and initial exfiltration - The attackers downloaded source code and performed reconnaissance on the Salesloft and Drift environments.
- August: Internal and external expansion - Leveraging their existing access, the attackers pivoted to Drift’s AWS environment, where they stole OAuth tokens used for Drift integrations. Those stolen tokens, in turn, allowed them to then pivot their access to several dozen customer Salesforce instances on which the Drift integration was enabled, as well as email accounts integrated with Drift Email.
- August 8-18: Exfiltration and evasion - The attackers performed mass exfiltration of CRM data from customer Salesforce instances and data from the compromised Google Workspace and Microsoft inboxes. The attackers also deleted query jobs to cover their tracks and minimize the chances of detection.
As summarized in this GTIG post on August 26th, the attackers leveraged compromised OAuth tokens to gain access through a legitimate integration. That is, there was no link clicked in a phishing email, no social engineering, no Hollywood hack. The attackers effectively walked in through a side door after stealing a key.
This type of ATO attack gives attackers incredibly deep and unfettered access to sensitive data and critical systems. And, as we’re seeing in real time, that access can spread beyond a single organization at incredible speed.
What makes this attack unique, and why traditional security struggles
This is far from the first major breach to stem from stolen credentials or OAuth abuse. However, the attackers’ rapid expansion across the SaaS supply chain is unprecedented, particularly given the companies involved.
Because the attackers were using legitimate tokens (acquired illegitimately, of course), they were able to infiltrate the CRMs and mailboxes of leading security companies like Cloudflare, Google, and Palo Alto, virtually undetected over the course of four months. The several-month dwell time, combined with the programmatic access that the tokens offered, likely meant a significant amount of data was exfiltrated–and the investigation conducted by Palo Alto’s Unit 42 confirms this.
This attack perfectly encapsulates why account takeovers are so difficult to detect, and the very real risk that OAuth applications represent. Because the tokens used in the attack were expected to be used, nothing the attackers did tripped any intrusion detection or prevention systems. Each time they expanded into a new environment or system, they did so with legitimate access tokens.
A reality we must face is traditional defenses by themselves are not enough to stop today’s threats:
- Phishing and endpoint malware are far from the only way in to your corporate cloud environments
Today, the security industry is overly focused on phishing and endpoint malware as the ways into corporate cloud assets, and specifically the cloud office environment. In this incident, phishing and malware weren’t involved; in fact, no user interaction was necessary: the companies impacted were not phished. Phishing is a top concern for many CISOs, and understandably so, but it’s just one of many ways into the cloud office.
- Leaked user credentials are not the only source of unauthorized access
The attackers in this case were able to steal legitimate tokens for authorized apps. While it’s possible that the original breach stemmed from a leaked credential, for the majority of companies involved, the access into their systems came through what appeared, for all intents and purposes, to be legitimate access. Another lesson here is that as user authentication continues its path towards being phishing resistant with WebAuthn, attackers are pivoting to other methods, and we are seeing more attacks that do not originate with phishing.
- Legitimate apps being abused are almost impossible to detect
Once an app is authorized into your environment, it’s really difficult to detect that something bad is happening. Malicious activity is hard to differentiate from legitimate activity.
- Post-breach resiliency must be part of your security controls
All of the above means that it’s not enough to simply try to detect and respond to intrusions alone. The variety of infiltration methods available to attackers–and the difficulty in detecting that access–means organizations must assume there will be some dwell time when attacks occur. Compensating controls must be in place to reduce potential damage in the time between the attack and its discovery.
- An integrated approach is the most effective way forward
Operating security tools in silos creates gaps in visibility, making it harder to detect subtle (or even not-so-subtle) issues, which leads to increased dwell time and greater risk of data exfiltration and expansion. Cloud workspace protections–email, file, and account security–need to be integrated with each other, and that protection in turn needs to be integrated with the broader security stack in order to detect and respond to these emerging threats.
What is abundantly clear is that a focus on detecting intrusions originating with user accounts or devices alone is far too narrow, and drastically limits the scope of attacks a system can detect. While inbound phishing protection is a critical part of a holistic strategy, the Salesloft Drift breach is just the latest among countless examples that prove it’s nowhere near sufficient. There are too many ways in–and attackers are increasingly finding ways to abuse legitimate ones.
The only way to effectively navigate today’s threat landscape is to combine perimeter defenses with detection and response across your critical accounts–and data those accounts can access. The ability to detect unusual or potentially risky activity within the environment and around the perimeter is critical against threats like this.
In other words, it’s not enough just to try to detect unauthorized access: suspicious behavior like large amounts of data being exfiltrated, or apps doing things they haven’t done before, must also be detected.
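The two detection ideas above (legitimate apps being abused are hard to tell from normal activity, so compare each integration against its own history; and watch for volume, novel actions, and evidence being deleted) can be made concrete. The following is an added example written for this post, not code from Material or from any of the vendors involved. It baselines each OAuth integration's past actions and row volumes from a constructed JSON-lines audit trail, then flags reviewed records that are far above the app's usual volume, use an action the app has never used, delete query jobs, or come from an app with no history at all. The field names (ts, app, action, rows), app names, and action names are assumptions for the example, not a real audit schema.

```python
import json
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit trail (JSON lines). The field names (ts, app, action,
# rows), the app names and the action names are assumptions made for this
# example; they are not a real vendor's audit schema or data from the incident.
BASELINE_LOG = """
{"ts": "2025-07-01T09:00:00Z", "app": "drift-crm-sync", "action": "Query", "rows": 120}
{"ts": "2025-07-02T09:00:00Z", "app": "drift-crm-sync", "action": "Query", "rows": 130}
{"ts": "2025-07-03T09:00:00Z", "app": "drift-crm-sync", "action": "Query", "rows": 110}
{"ts": "2025-07-04T09:00:00Z", "app": "drift-crm-sync", "action": "Query", "rows": 140}
{"ts": "2025-07-05T09:00:00Z", "app": "drift-crm-sync", "action": "Query", "rows": 125}
{"ts": "2025-07-01T10:00:00Z", "app": "calendar-sync", "action": "ReadEvents", "rows": 40}
{"ts": "2025-07-02T10:00:00Z", "app": "calendar-sync", "action": "ReadEvents", "rows": 45}
{"ts": "2025-07-03T10:00:00Z", "app": "calendar-sync", "action": "ReadEvents", "rows": 38}
"""

# The window under review (also constructed): the same integration, still using
# its valid token, suddenly pulls far more data, uses an action it never used
# before, and deletes its own query jobs. An app with no history also appears.
REVIEW_LOG = """
{"ts": "2025-08-09T02:14:00Z", "app": "drift-crm-sync", "action": "Query", "rows": 250000}
{"ts": "2025-08-09T02:20:00Z", "app": "drift-crm-sync", "action": "BulkExport", "rows": 180000}
{"ts": "2025-08-09T02:31:00Z", "app": "drift-crm-sync", "action": "DeleteQueryJob", "rows": 0}
{"ts": "2025-08-09T10:00:00Z", "app": "calendar-sync", "action": "ReadEvents", "rows": 42}
{"ts": "2025-08-09T11:05:00Z", "app": "mailbox-backup", "action": "ExportMailbox", "rows": 5000}
"""

# Actions whose effect, for an integration, is to remove evidence of what it
# just did. Names are constructed for the example.
COVER_TRACK_ACTIONS = {"DeleteQueryJob", "DeleteAuditLog"}


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(records):
    """Per app: the set of actions it has used and the row counts it has touched."""
    baseline = defaultdict(lambda: {"actions": set(), "rows": []})
    for rec in records:
        entry = baseline[rec["app"]]
        entry["actions"].add(rec["action"])
        entry["rows"].append(rec["rows"])
    return dict(baseline)


def volume_threshold(rows, sigma=3.0):
    """Mean plus `sigma` population standard deviations of the baseline row counts.
    The floor of 1.0 keeps a perfectly flat baseline from alerting on any change."""
    return mean(rows) + sigma * max(pstdev(rows), 1.0)


def detect_anomalies(baseline, records, sigma=3.0):
    """Compare each reviewed record with the app's own history.

    Finding kinds:
      unknown_app   - an integration with no baseline at all
      cover_tracks  - an action that deletes evidence (checked before new_action)
      new_action    - an action this app has never performed before
      volume_spike  - far more rows than this app's usual volume
    A single record can yield more than one finding.
    """
    findings = []
    for rec in records:
        app, action = rec["app"], rec["action"]
        entry = baseline.get(app)
        if entry is None:
            findings.append({"ts": rec["ts"], "app": app, "action": action, "kind": "unknown_app"})
            continue
        if action in COVER_TRACK_ACTIONS:
            findings.append({"ts": rec["ts"], "app": app, "action": action, "kind": "cover_tracks"})
        elif action not in entry["actions"]:
            findings.append({"ts": rec["ts"], "app": app, "action": action, "kind": "new_action"})
        if rec["rows"] > volume_threshold(entry["rows"], sigma):
            findings.append({"ts": rec["ts"], "app": app, "action": action, "kind": "volume_spike"})
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for f in detect_anomalies(base, parse_log(REVIEW_LOG)):
        print(f"{f['ts']} {f['app']:<16} {f['kind']:<13} {f['action']}")
```

Run against the constructed data, the CRM integration produces a volume spike on its usual Query action, a new action plus a second volume spike for the bulk export, and a cover-tracks finding for the job deletion, while the calendar integration stays quiet. The point of the design is that nothing here checks whether the token was valid; every record was authorized. The signal comes entirely from the integration behaving differently from its own past, which is the only place a stolen-but-legitimate token leaves a trace. In practice the baseline would be built from whatever per-integration audit trail the SaaS platform exports, over a window long enough to cover the app's normal cadence.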
Security beyond the entry point
Unifying traditional email security with modern cloud office security was the founding goal of Material, and it has driven us ever since: protecting sensitive email data, securing file sharing without interrupting collaboration, protecting user accounts, and tying all of those areas together with context and signals from each to provide a deeper ability to detect subtle threats, contain the blast radius of compromises, and proactively harden environments.
The reach of the Salesloft Drift incident is a critical reminder that the status quo simply isn’t built to stop the threats we’re facing today. The vast majority of today’s businesses are operating almost entirely on cloud applications, linked and integrated together to form the digital operating core of these organizations.
Today’s security demands that the environment be monitored inside and out, from inbound threats and potential intrusions to unusual behavior and risky configurations within. Material delivers intelligent, context-aware detections with swift automated response capabilities and robust investigative powers across the entire cloud office. Anything less isn’t a security strategy: it’s just hope.
To learn more about how Material is approaching today’s threats, contact us today.