Supply-chain attack hits Zscaler via Salesloft Drift leaking customer info – Securityaffairs.com


Published on: 2025-09-01

Intelligence Report: Supply-chain attack hits Zscaler via Salesloft Drift leaking customer info – Securityaffairs.com

1. BLUF (Bottom Line Up Front)

The most supported hypothesis is that the supply-chain attack on Zscaler through Salesloft and Drift was primarily aimed at stealing OAuth tokens to gain unauthorized access to Salesforce and Google Workspace accounts. This campaign appears to be part of a broader strategy targeting sales automation platforms. Confidence level: Moderate. Recommended action: Immediate review and rotation of OAuth tokens and credentials, enhanced monitoring of affected systems, and increased vigilance against phishing and social engineering attacks.

2. Competing Hypotheses

1. **Hypothesis A**: The attack was a targeted effort to steal OAuth tokens specifically for accessing Salesforce and Google Workspace accounts, with the aim of exfiltrating sensitive business data.
2. **Hypothesis B**: The attack was part of a larger campaign to compromise multiple SaaS platforms, with the primary goal of establishing persistent access for future exploitation or espionage activities.

Using the Analysis of Competing Hypotheses (ACH) 2.0, Hypothesis A is better supported due to the specific mention of OAuth token theft and the immediate impact on Salesforce and Google Workspace integrations. Hypothesis B remains plausible but lacks direct evidence of broader campaign objectives beyond the immediate token theft.

3. Key Assumptions and Red Flags

– **Assumptions**: The attackers’ primary motive was data theft rather than system disruption. OAuth tokens are the main vector of compromise.
– **Red Flags**: The lack of detailed information on the attackers’ identity and ultimate objectives. Potential underestimation of the attack’s scope if it is part of a larger campaign.
– **Blind Spots**: Limited visibility into the full extent of data accessed or exfiltrated due to the breach.

4. Implications and Strategic Risks

The attack highlights vulnerabilities in SaaS integrations, particularly those relying on OAuth tokens. This could lead to increased scrutiny and regulatory pressure on SaaS vendors to enhance security measures. There is a risk of cascading effects if similar attacks exploit other interconnected platforms, potentially affecting a broader range of industries. Geopolitically, such attacks could strain relations between countries if state-sponsored actors are involved.

5. Recommendations and Outlook

  • **Immediate Actions**: Rotate all OAuth tokens and credentials associated with affected platforms. Implement enhanced monitoring and anomaly detection for unauthorized access attempts.
  • **Mid-term Actions**: Conduct a thorough security audit of all third-party integrations and strengthen authentication mechanisms.
  • **Scenario Projections**:
    – **Best Case**: The breach is contained with no further unauthorized access, leading to improved security practices across the industry.
    – **Worst Case**: The attack is part of a larger, coordinated effort that results in significant data breaches across multiple sectors.
    – **Most Likely**: Continued attempts to exploit similar vulnerabilities, prompting incremental improvements in SaaS security protocols.

6. Key Individuals and Entities

– **Entities**: Zscaler, Salesloft, Drift, Salesforce, Google Workspace, Google Threat Intelligence Group (GTIG), Mandiant.

7. Thematic Tags

national security threats, cybersecurity, supply-chain vulnerabilities, SaaS security, data exfiltration

Supply-chain attack hits Zscaler via Salesloft Drift leaking customer info - Securityaffairs.com - Image 1

Supply-chain attack hits Zscaler via Salesloft Drift leaking customer info - Securityaffairs.com - Image 2

Supply-chain attack hits Zscaler via Salesloft Drift leaking customer info - Securityaffairs.com - Image 3

Supply-chain attack hits Zscaler via Salesloft Drift leaking customer info - Securityaffairs.com - Image 4