AI, Salesforce and the Crown Jewels Problem
If you are running Salesforce in production and you are sleeping well at night, you are probably missing something ugly.
What I am laying out here is not a theoretical future risk. It is already in play in government and critical infrastructure circles [ASPI]. Most enterprise IT teams, and almost all Salesforce owners, are still treating it as background noise instead of the structural security shift it actually is.
For me, the biggest blind spot right now is a three phase problem:
- People underestimate what AI is already doing for attackers.
- Phishing, supercharged by AI, is now the easiest path to your most privileged accounts.
- Attackers are starting to use AI to adapt in real time when you try to shut them down.
Salesforce sits right in the blast radius of all three.
Phase 1: You are not seeing the real scale of AI enabled attacks
Most board papers and security briefings reduce the AI problem to things like better wording in scam emails or the possibility of deepfakes. That is noise. The real story is volume, speed and automation.
Attackers are now using AI to automate whole attack chains, not just write copy [Anthropic case] [AI-led espionage]. You have tools that can:
- Enumerate your public SaaS footprint.
- Find Salesforce domains, sandboxes, forgotten Experience Cloud sites and old subdomains that still resolve.
- Work out which IdP or SSO you use and which flows look weakest.
- Generate credential stuffing and password spraying runs that sit just under your crude rate limits.
On top of that, AI is being plugged into existing toolchains to scan networks, find exposed services and chain exploits at a speed and scale that a human red team cannot match [Threat actors using AI]. Identity based attacks and the abuse of valid credentials are already making up a significant chunk of intrusions [Identity attacks data].
Most Salesforce customers still think in terms of:
- The odd password spray against VPN or OWA.
- A couple of suspicious login attempts a week on their IdP.
- The occasional brute force on some legacy on prem box.
That mental model is wrong. You are not dealing with a bored teenager with a script. You are dealing with semi automated systems that treat the whole Internet as one big target set and grind away at it constantly.
Phase 2: Phishing is the primary door and AI turns it into a key cut for your lock
Let us talk about the thing that actually gets people owned.
Phishing is still the top initial attack vector in real breaches and one of the most expensive ways to get compromised [Phishing top vector] [Breach cost stats] [IBM breach report summary]. On top of that, there is a sharp increase in infostealer malware delivered via email and chat. Recent threat intelligence shows an 84 percent jump in emails carrying infostealers year on year, with even higher growth in early 2025 [IBM X-Force 2025] [84% infostealer spike] [Infostealer surge]. Once that stuff lands on a user machine, credentials and tokens are gone.
Now layer AI on top.
You have:
- Emails that read exactly like internal corporate mail, not the old clumsy scam attempts [Security forecast] [SoSafe AI phishing study].
- Messages that are personalised from public and internal data: job title, project names, reporting lines, even writing style [Hoxhunt AI spear phishing].
- One prompt and a minute of time to generate a working phishing site or payload, backed by purpose built tools sold on the dark web like WormGPT and FraudGPT [WormGPT/FraudGPT] [WormGPT overview] [FraudGPT in use].
There is already research showing that AI assisted spear phishing tricks a scary percentage of targets in controlled experiments. Older work showed AI generated emails outperforming human written phishing [Wired AI phishing] and more recent studies and real world campaigns show AI agents beating elite red teams and driving very high open and click rates [AI vs human red teams] [One in five click] [Phishing performance data].
In the wild, you are seeing attachments and links that get past filters, drop users into fake login flows, and steal cookies or one time codes [Verizon DBIR] [DBIR summary].
For Salesforce, this matters because your doors are not firewall ports any more. Your doors are:
- Global system administrators and delegated admins.
- IdP owners who can bypass policies or change SSO rules.
- Owners of integration and service accounts that talk to billing, finance and data hubs.
- Finance and sales leaders who can approve payments and changes without a second signature.
An attacker does not need a thousand victims inside your company. They need one with the right set of privileges.
A realistic prompt a criminal could use with a generic writing tool looks like this:
You are writing on behalf of the CIO of ExampleCorp.
Target: Jane Smith, Salesforce Platform Owner.
She reports to the CIO, cares about uptime and compliance, and has been involved in a recent Salesforce permissions review.
Write a short internal style email, no marketing fluff, asking her to review an urgent security export attached as a PDF.
Reference the ongoing permissions review and the need to confirm that MFA policies are applied correctly for integration users.
Tell her to use the link in the document so that the audit trail is recorded.
You know how this ends. The attachment drops her into a fake login with a cloned theme or steals her session. The wording is good enough to skate past naive content checks and distract a busy admin.
Once they have a working session or OAuth token, Salesforce is just another API. The same kind of tooling that wrote the email can help them enumerate objects, fields and data volumes and generate queries that quietly drain what they want.
Phase 3: AI is closing the response window when you try to shut things down
The third part of the problem is the one almost nobody is talking about.
In the old world, there was a useful window between you blocking something and the attacker regrouping. You could cut off an IP range, tune a rule, and buy yourself a few days or weeks while someone on the other side changed tactics.
AI is chewing into that window.
You are starting to see toolchains where:
- Recon, port scanning, vulnerability triage and exploit selection are wired together in one pipeline.
- The system reacts to changes in your response, tries alternatives, and learns which patterns get through [AI offensive pipelines].
- Brute force and credential attacks are tuned automatically for each target environment so they stay under thresholds and avoid obvious alarms [Credential abuse trend].
Think about how that looks against your own environment:
- Automated recon quickly identifies IdP endpoints, SaaS logins, any leftover VPN entry points and old reverse proxies.
- Credential stuffing and password sprays are run slowly enough to look like noise but targeted at exactly the right roles.
- When you block, the attack pivots to new infrastructure and tries different combos of endpoints, patterns and timing.
- Once inside, the same adaptive logic maps internal applications, including Salesforce, and hunts for data or lateral movement.
This is not science fiction. State level actors are already there. Recent reporting shows state sponsored groups jailbreaking commercial AI tools to automate 80 to 90 percent of a complex espionage campaign across dozens of targets [AI automated cyberattack] [AI orchestrated espionage]. Serious organised crime is catching up. The tools are being commoditised in underground markets as malicious AI products like WormGPT and FraudGPT spread [Malicious LLM products] [AI on dark web].
For Salesforce, this means that capability will leak into the wider attacker population, just like every other offensive innovation.
Why the Salesforce ecosystem is a soft target
Salesforce has a few features that make it attractive and, on a bad day, easy to hurt:
- It contains high value data: pipeline, revenue, customers, contracts, IP in attachments, sometimes even payment and banking details when shortcuts have been taken.
- It is deeply connected: finance, billing, marketing automation, data lakes, custom integration hubs.
- Admins and integration users often have god level privileges that have grown over time and never been trimmed back.
- The platform design mixes configuration and execution in ways that blur the line between metadata and business logic.
On that last point, Salesforce is particularly weak because:
- Tools like OmniScripts, Flows and other declarative builders are effectively code. They can read and write data and call external services.
- Lightning Email Templates and similar features can contain links, layouts and logic that influence how and where users authenticate.
- The same persona is often allowed to both deploy these elements and access production data.
If you let one role ship active configuration and also query everything, you have handed that role the crown jewels. When that role is compromised by AI assisted phishing, you are done.
Combine that with the three phases above and the attack playbook is straightforward:
- Use AI enabled recon to map your Salesforce and SSO footprint.
- Run highly targeted phishing or infostealer campaigns at a small set of admins and finance owners.
- Once credentials or a session are obtained, use automated queries to discover objects and exfiltrate what matters.
- When you start blocking, let the toolchain adjust, find a new channel and keep going.
Most Salesforce owners are still arguing about licence mixes and page layouts. They are not designing for an attacker that is already inside the walls.
Act now: how I would respond
You need to shift mindset first. Stop thinking in terms of protecting a castle. Assume someone is already inside your gates. The question is how you stop them walking out with the crown jewels: core data, signing authority, payment controls and identity systems.
If I was responsible for Salesforce and other critical SaaS in your organisation, here is where I would focus hard.
1. Fix identity properly
- Enforce phishing resistant MFA for all privileged accounts [CISA guidance] [Enterprise MFA guide]. Hardware keys or platform authenticators, not SMS or email codes.
- Kill local Salesforce logins for staff where SSO exists. The IdP should be the only path into production.
- Treat identities that can touch Salesforce configuration, IdP policies or payment flows as crown jewel holders and apply stricter rules across the board.
2. Separate duties as if your job depends on it
Deploying code and configuration should be completely ring fenced from accessing live data.
- No single user should be able to both deploy metadata and freely explore production data. That applies to admins, DevOps engineers and contractors.
- A pipeline or deployment tool should own the act of moving OmniScripts, Flows, Apex and configuration into production. Human accounts should not be logging into production to click deploy.
- In Salesforce, be ruthless about this. Features like OmniScripts, Lightning Email Templates, Flows and other declarative tools are code in disguise. Treat them as such. The people who build and ship these should not be the same people who sit with an SOQL console over live customer data.
If an attacker compromises a deployment persona, they should not automatically get read access to everything. If they compromise a support or reporting persona, they should not be able to ship new behaviour into production. That separation is what keeps the crown jewels inside the building when someone is already wandering the halls.
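One way to check this separation, as an added example that is not part of the original article: a Python audit over an export of permission set assignments that flags any user holding both a deploy-class and a data-class permission. The flag names follow the PermissionSet object's permission fields; the row shape (`username`, `permission_set`) and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Flag names follow the PermissionSet object's permission fields.
DEPLOY = {"PermissionsModifyMetadata", "PermissionsAuthorApex",
          "PermissionsCustomizeApplication"}
DATA = {"PermissionsViewAllData", "PermissionsModifyAllData"}

def sod_violations(assignments):
    """Return users whose combined assignments grant both a deploy-class and
    a data-class permission, with the flags held and the sets granting them.

    Permissions are additive, so flags are unioned per user first: a user can
    look clean in every single permission set and still hold both halves.
    """
    held = defaultdict(lambda: defaultdict(set))  # user -> flag -> granting sets
    for row in assignments:
        for flag in DEPLOY | DATA:
            if row.get(flag):
                held[row["username"]][flag].add(row["permission_set"])
    report = {}
    for user, flags in held.items():
        deploy = sorted(f for f in flags if f in DEPLOY)
        data = sorted(f for f in flags if f in DATA)
        if deploy and data:
            report[user] = {"deploy": deploy, "data": data,
                            "granted_by": sorted(set().union(*flags.values()))}
    return report

# Constructed sample export, one row per assignment (not real data).
SAMPLE = [
    {"username": "release.bot@example.com", "permission_set": "CI_Deploy",
     "PermissionsModifyMetadata": True, "PermissionsAuthorApex": True},
    {"username": "j.smith@example.com", "permission_set": "Platform_Builder",
     "PermissionsCustomizeApplication": True},
    {"username": "j.smith@example.com", "permission_set": "Support_Reporting",
     "PermissionsViewAllData": True},
    {"username": "analyst@example.com", "permission_set": "Support_Reporting",
     "PermissionsViewAllData": True},
]

if __name__ == "__main__":
    for user, detail in sod_violations(SAMPLE).items():
        print(user, detail)
```

In the sample, only j.smith is reported: neither of her permission sets is a problem alone, but together they let one compromised login both ship configuration and read everything.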
3. Assume phishing will land
- Accept that some phishing and infostealer malware will get through. Stop pretending annual training videos will fix it. Large scale studies are not finding the impact people think they are [Anti-phishing training study].
- Invest in controls that look at behaviour and context: impossible travel, abnormal data access patterns, unusual login sources for critical roles.
- Treat finance, Salesforce owners and IdP admins as critical users. Give them tighter controls, extra alerts, and enforce least privilege ruthlessly.
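A sketch of the "abnormal data access patterns" control, added here as an example and not taken from the original article: each user's row volume for the day is compared with that user's own history, and objects they have never read before are listed. The event shape (`day`, `user`, `object`, `rows`), the thresholds and the sample records are assumptions; in practice the rows would be normalised from whatever event log export you monitor.

```python
from collections import defaultdict
from statistics import median

def drain_alerts(events, today, factor=10, floor=5000, min_history=3):
    """Flag users whose rows read on `today` exceed factor x their own median
    daily volume. With fewer than `min_history` earlier days there is no
    usable baseline, so only the absolute `floor` applies."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> rows
    before = defaultdict(set)                      # user -> objects read earlier
    current = defaultdict(set)                     # user -> objects read today
    for e in events:
        daily[e["user"]][e["day"]] += e["rows"]
        if e["day"] < today:                       # ISO dates sort as strings
            before[e["user"]].add(e["object"])
        elif e["day"] == today:
            current[e["user"]].add(e["object"])
    alerts = []
    for user, days in daily.items():
        history = [rows for day, rows in days.items() if day < today]
        baseline = median(history) if len(history) >= min_history else 0
        limit = max(floor, factor * baseline)
        rows_today = days.get(today, 0)
        if rows_today > limit:
            alerts.append({"user": user, "rows": rows_today, "limit": limit,
                           "new_objects": sorted(current[user] - before[user])})
    return sorted(alerts, key=lambda a: a["user"])

# Constructed sample: five quiet days, then one day to evaluate (not real data).
DAYS = ["2025-03-0%d" % d for d in range(1, 6)]
TODAY = "2025-03-06"
SAMPLE = (
    [{"day": d, "user": "admin", "object": "Account", "rows": 200} for d in DAYS]
    + [{"day": d, "user": "reporting", "object": "Opportunity", "rows": 20000}
       for d in DAYS]
    + [{"day": TODAY, "user": "admin", "object": "Account", "rows": 30000},
       {"day": TODAY, "user": "admin", "object": "ContentVersion", "rows": 18000},
       {"day": TODAY, "user": "reporting", "object": "Opportunity", "rows": 22000}]
)

if __name__ == "__main__":
    for alert in drain_alerts(SAMPLE, TODAY):
        print(alert)
```

The reporting user reads more rows than the admin but stays inside their own normal range, so only the admin's jump from 200 to 48,000 rows is raised. A single global threshold would have to choose between missing the admin and alerting on the reporting user every day.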
4. Tame privileged accounts with just in time access
You should not have armies of standing admins in 2025.
- Move to a model where privileged access is requested for a specific function and time window, tied to a ticket or change record. Most modern IdPs and PAM tools support this pattern.
- A user elevates to admin to perform a change, does the work, then loses that access automatically.
- Use this especially for roles that can touch Salesforce configuration, IdP rules and payment or banking systems. These are your crown jewel keys. They should not live in someone’s day to day account.
If an attacker does land inside your organisation, this is the difference between them roaming freely for weeks and them hitting hard limits very quickly.
5. Lock Salesforce like the critical system it is
- Review connected apps, OAuth scopes and remote site settings. Remove dead integrations and cut back over privileged tokens.
- Turn on and actually monitor event logs, login history and high risk actions. Alerts that nobody reads are theatre.
- Move away from messy profile sprawl and towards permission set groups and role based access that somebody can explain in plain English.
- Metadata and configuration scanning tools exist, such as DigitSec, that are designed to protect against misconfiguration and elevated privileges. Use them!
- At an absolute minimum, run sf code-analyzer on your code base. If it barfs a gazillion failures, don't say it's too hard. If you have to, run with --severity-threshold 3, but the critical point is: fix them!
6. Harden the rest of the stack against adaptive recon
- Shut down obvious old doors: legacy VPN entry points, unused IdP endpoints, subdomains that still resolve to nowhere, test environments accidentally reachable from the Internet.
- Put proper rate limiting, anomaly detection and geo checks around identity, Salesforce and other critical SaaS.
- Automate patching and configuration enforcement for any Internet facing service. Manual hardening once a year is not going to cut it.
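Why crude rate limits miss the low and slow pattern described in Phase 3, as an added example that is not part of the original article: the same failed-login records are run through a per-minute burst check and through a sliding-window count of distinct accounts targeted per source. The tuple layout, the thresholds and the sample events (documentation IP ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def burst_sources(failures, per_minute=5):
    """Crude control: sources with more than `per_minute` failures in one minute."""
    counts = defaultdict(int)
    for ts, src, _user in failures:
        counts[(src, ts.replace(second=0, microsecond=0))] += 1
    return sorted({src for (src, _), n in counts.items() if n > per_minute})

def slow_spray_sources(failures, window=timedelta(hours=24), min_users=8):
    """Sources whose failures hit at least `min_users` distinct accounts
    inside any sliding `window`, however slowly the attempts arrive."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(failures):
        by_src[src].append((ts, user))
    flagged = []
    for src, evs in by_src.items():
        start, users = 0, defaultdict(int)     # users: account -> hits in window
        for ts, user in evs:
            users[user] += 1
            while ts - evs[start][0] > window:  # evict events older than window
                old = evs[start][1]
                users[old] -= 1
                if users[old] == 0:
                    del users[old]
                start += 1
            if len(users) >= min_users:
                flagged.append(src)
                break
    return sorted(flagged)

# Constructed sample (not real data): one source tries a different account
# every two hours; another is a single user mistyping a password six times.
T0 = datetime(2025, 3, 6, 0, 0)
SAMPLE = (
    [(T0 + timedelta(hours=2 * i), "198.51.100.7", "user%02d" % i)
     for i in range(10)]
    + [(T0 + timedelta(hours=9, seconds=5 * i), "203.0.113.9", "j.smith")
       for i in range(6)]
)

if __name__ == "__main__":
    print("burst check:     ", burst_sources(SAMPLE))
    print("distinct-account:", slow_spray_sources(SAMPLE))
```

The burst check flags only the user who mistyped their own password, while the distinct-account window flags the source that never exceeded one attempt per two hours.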
7. Run the breach scenario end to end
- Sit down with your team and walk through a realistic path: AI assisted recon, AI crafted spear phish, compromised Salesforce admin, data exfil.
- Be brutal about which controls would actually trigger and how long it would take you to notice.
- Fix those gaps first and do not let the conversation get lost in fantasy projects.
8. Rinse and Repeat
- When you believe you're good, phone a friend, get them to review and, better still, let them attempt an intrusion.
- Add the above list to your regular review, for example as part of your quarterly Salesforce release cycle.
Final word
AI is a force multiplier. It is making defenders better and it is making attackers much more dangerous. Right now, most Salesforce customers are underestimating how quickly the offensive side is changing [Threat trends].
Salesforce is no longer just the CRM. For many organisations it is the operational and commercial system of record. If you treat it like a generic SaaS app with a few roles and a basic SSO policy, you are giving an attacker a very nice prize for very little work.
Shift your mindset to assume they are already inside. Protect the crown jewels. Separate duties. Strip back standing admin rights. Use the tools you already own properly.
If you want help pulling this apart inside your environment and putting some teeth into your controls, that is the work I am interested in.