Kate Turchin
01.09.2025
Salesforce Attack Exposes the Zero Trust Implementation Gap
The recent UNC6395 attack that compromised over 700 Salesforce organizations through hijacked OAuth tokens reveals an uncomfortable truth: most organizations that claim to have “implemented Zero Trust” are operating with dangerous security gaps. Despite widespread adoption of Zero Trust principles, the attackers exploited exactly what Zero Trust is designed to prevent: implicit trust relationships that bypass continuous verification.
Between August 8 and 18, 2025, UNC6395 systematically extracted sensitive data from hundreds of organizations by abusing OAuth tokens from the Salesloft Drift integration. The attack succeeded because these organizations failed to apply Zero Trust principles to one of their most critical attack surfaces: non-human identities and third-party integrations.
The Zero Trust Implementation Problem
Zero Trust architecture is built on a simple principle: “never trust, always verify.” Every user, device, and application should be authenticated and authorized continuously, regardless of their location or previous access. Yet the UNC6395 attack demonstrates how organizations struggle to operationalize these principles across their entire digital ecosystem.
What Zero Trust Should Have Prevented
The UNC6395 attack exploited several failures in Zero Trust implementation:
Implicit Trust for Applications: Once OAuth tokens were authenticated, the Salesloft Drift integration was implicitly trusted to access Salesforce data without continuous verification of its behavior or intent.
Lack of Continuous Verification: The attackers operated for 10 days using legitimate tokens, making bulk data queries that should have triggered additional verification steps under true Zero Trust principles.
Missing Context-Aware Access: Zero Trust requires access decisions based on multiple factors including behavior, location, and risk. The attack used automated Python scripts to extract data in patterns that differed significantly from normal application usage.
Inadequate Privilege Verification: OAuth tokens had persistent, high-level access without dynamic privilege adjustment based on actual usage patterns or risk assessment.
Why Traditional Zero Trust Deployments Often Fall Short
Most organizations approach Zero Trust as a series of point solutions—implementing multifactor authentication, deploying endpoint security, or adding network segmentation. While these components are necessary, they don’t create the continuous, adaptive verification that true Zero Trust requires.
The UNC6395 attack succeeded because it exploited gaps between these point solutions:
- Network Zero Trust couldn’t see application-to-application communication
- Identity Zero Trust focused on human users, not non-human identities like OAuth tokens
- Device Zero Trust didn’t extend to third-party application behaviors
- Data Zero Trust wasn’t applied to bulk export activities by trusted applications
The Non-Human Identity Blind Spot
OAuth tokens represent a massive category of non-human identities (NHIs) that most Zero Trust implementations fail to address. Unlike human users who can be challenged with additional authentication factors, NHIs operate continuously with persistent access, making them attractive targets for attackers.
The UNC6395 attack demonstrates how NHI security failures undermine Zero Trust:
Persistent Access Without Verification: OAuth tokens don’t expire like user sessions, creating long-lived access that bypasses continuous verification requirements.
Behavioral Anomaly Detection Gaps: Organizations lack baseline behavioral models for NHIs, making it difficult to detect when automated tools are being used maliciously.
Cross-Domain Privilege Mapping: Traditional identity management systems don’t provide visibility into how NHI access chains across multiple systems, missing the lateral movement paths that UNC6395 exploited.
Limited Contextual Controls: Zero Trust requires adaptive access based on context, but most NHI management lacks the contextual awareness needed for dynamic privilege adjustment.
Zero Trust Posture Management: The Missing Component
The UNC6395 attack highlights why organizations need Zero Trust Posture Management (ZTPM)—continuous assessment and enforcement of Zero Trust principles across all five pillars: identities, devices, data, applications, and networks.
Traditional Zero Trust implementations focus on deployment but ignore ongoing posture management. ZTPM addresses this gap by:
Continuous Zero Trust Assessment
Rather than assuming Zero Trust controls remain effective after deployment, ZTPM continuously evaluates Zero Trust maturity across all environments:
- Identity Pillar: Monitoring authentication patterns, privilege usage, and access anomalies for both human and non-human identities
- Device Pillar: Assessing device compliance, trust levels, and behavioral patterns
- Data Pillar: Tracking data access, classification, and protection across all systems
- Application Pillar: Evaluating application trust levels, integration security, and communication patterns
- Network Pillar: Monitoring network segmentation, traffic patterns, and access controls
- Cloud Pillar: Assessing cloud security posture, configuration drift, and multi-cloud access patterns
Adaptive Policy Enforcement
ZTPM enables dynamic policy adjustment based on real-time risk assessment and behavioral analysis:
- Context-Aware Access: Adjusting access privileges based on user behavior, location, time, and risk indicators
- Threat-Informed Controls: Updating Zero Trust policies based on current attack patterns and threat intelligence
- Automated Response: Triggering additional verification or access restrictions when anomalous behavior is detected
Cross-Pillar Correlation
The UNC6395 attack spanned multiple Zero Trust pillars—identity (OAuth tokens), applications (Salesloft integration), and data (Salesforce records). ZTPM provides the cross-pillar correlation needed to detect these complex attack patterns.
How Mesh Security’s ZTPM Would Have Prevented UNC6395
Mesh Security’s Zero Trust Posture Management solution provides the continuous, adaptive Zero Trust enforcement that would have detected and prevented the UNC6395 attack.
Identity Fabric for Complete NHI Visibility
Mesh’s Identity Fabric discovers and monitors all identities across the enterprise, including OAuth tokens and service accounts that traditional identity systems miss:
- Comprehensive NHI Discovery: Automatic mapping of all OAuth relationships, API keys, and service accounts across SaaS, cloud, and on-premises systems
- Behavioral Baselining: Establishing normal activity patterns for NHIs to detect anomalous behavior like bulk data extraction
- Continuous Verification: Dynamic trust assessment for NHIs based on behavior, context, and risk indicators
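A minimal illustration of the behavioral-baselining idea described in the NHI blind spot section and the Identity Fabric list above: this is an added example, not Mesh Security’s product code. It assumes a constructed, simplified API log (not Salesforce’s actual event schema) in which each record is one call made with an integration’s OAuth token, and it flags the two signals the post singles out: a client that has never used the token before, and a daily pull far outside the token’s own history.

```python
"""Toy behavioural baseline for a non-human identity (an OAuth connected app).

Constructed example: the record layout below is invented for illustration and
is not Salesforce's EventLogFile schema. Each tuple is one API call made with
the integration's OAuth token: (day, connected_app, client_string, rows_returned).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: seven quiet days of the integration's normal sync client.
BASELINE_LOG = [
    (d, "drift-integration", "DriftSync/2.1", rows)
    for d, rows in enumerate([180, 210, 195, 205, 190, 220, 200], start=1)
]
# Constructed "day 8": same token, a new scripted client and a huge pull,
# plus a call from an app that has no history at all.
NEW_LOG = [
    (8, "drift-integration", "python-requests/2.31", 45000),
    (8, "drift-integration", "DriftSync/2.1", 198),
    (8, "unknown-app", "curl/8.0", 5),
]

def build_baseline(log):
    """Per-app mean/stddev of daily rows plus the set of clients ever seen."""
    daily = defaultdict(lambda: defaultdict(int))
    clients = defaultdict(set)
    for day, app, client, rows in log:
        daily[app][day] += rows
        clients[app].add(client)
    return {app: (mean(v.values()), pstdev(v.values()), clients[app])
            for app, v in daily.items()}

def score(log, baseline, z_limit=3.0, floor=1000):
    """Return (app, day, reason) findings; `floor` stops tiny baselines from
    alerting on noise, so a token must both exceed it and be a z-score outlier."""
    findings, per_day = [], defaultdict(int)
    for day, app, client, rows in log:
        per_day[(app, day)] += rows
        if app not in baseline:
            findings.append((app, day, "unknown NHI: no baseline exists"))
        elif client not in baseline[app][2]:
            findings.append((app, day, f"new client for token: {client}"))
    for (app, day), rows in per_day.items():
        if app not in baseline:
            continue
        mu, sigma, _ = baseline[app]
        z = (rows - mu) / sigma if sigma else float("inf")  # constant history
        if rows > floor and z > z_limit:
            findings.append((app, day, f"bulk pull: {rows} rows, z={z:.0f}"))
    return findings
```

An NHI with no history is itself a finding here, since a token nobody has baselined is exactly the kind of implicit trust the post describes.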
Cross-Domain Zero Trust Enforcement
Mesh’s unified platform enforces Zero Trust principles across all five pillars simultaneously:
- Application Trust Assessment: Continuous evaluation of third-party application behavior and integration security
- Data Access Monitoring: Real-time tracking of data access patterns and bulk export activities
- Network Context Integration: Correlating network traffic with identity and application behaviors
Adaptive Response and Remediation
When Zero Trust violations are detected, Mesh enables immediate adaptive response:
- Dynamic Privilege Adjustment: Automatically reducing access privileges when suspicious behavior is detected
- Additional Verification Requirements: Triggering step-up authentication or manual approval for high-risk activities
- Automated Containment: Isolating compromised identities or applications while maintaining business continuity
Unified Security Operations
Mesh unifies prevention/posture management with detection, investigation, and response, ensuring that Zero Trust isn’t just a policy framework but an adaptive reality:
Prevent What You Can: Continuously harden Zero Trust posture by identifying and remediating policy gaps and misconfigurations
Detect What You Must: Real-time detection of Zero Trust violations across all pillars, including subtle attacks that exploit trusted relationships
Respond to What Gets Through: Automated response workflows that maintain Zero Trust principles during incident response
Adapt in Real Time: Mesh unifies threat intelligence from disparate sources so the system adapts to the evolving landscape, prioritizing the alerts that put the organization at risk from the latest active attacks.
The Business Impact of True Zero Trust
The UNC6395 attack demonstrates the business consequences of incomplete Zero Trust implementation. Organizations thought they were protected by their Zero Trust initiatives, but implicit trust relationships created exploitable vulnerabilities.
True Zero Trust Posture Management (ZTPM) delivers measurable business outcomes:
- Reduced Attack Surface: Continuous elimination of implicit trust relationships and excessive privileges
- Faster Threat Detection: Cross-pillar correlation enables detection of sophisticated attacks that bypass individual controls
- Compliance Validation: Continuous assessment and documentation of Zero Trust maturity for regulatory and board reporting
- Operational Efficiency: Automated policy enforcement and adaptive controls reduce manual security overhead
Protect Your Organization with ZTPM from Mesh
The UNC6395 attack won’t be the last to exploit gaps in Zero Trust implementation. Organizations need comprehensive Zero Trust Posture Management that continuously enforces “never trust, always verify” across all identities, devices, data, applications, infrastructure, and networks.
Mesh Security’s ZTPM platform provides the unified visibility, continuous assessment, and adaptive enforcement needed to operationalize Zero Trust principles at enterprise scale—protecting against both current threats and emerging attack patterns.
Ready to close your Zero Trust implementation gaps? Schedule a demo to see how Mesh Security’s Zero Trust Posture Management can protect your organization from sophisticated attacks like UNC6395.