Untangling The Web: A Trailblazer's Guide to Surviving Scattered Spider Type Attacks

Scattered Spider entangling Salesforce environments

Trailblazer's guide to keeping Scattered Spider out of your Salesforce environment

There's a name that should be on every Salesforce leader's mind: Scattered Spider. They've made headlines with high-profile exploits across hospitality, finance, and airlines that have the Trailblazer community on edge for one simple reason: they found a way into even some of the best-secured Salesforce environments and exfiltrated (i.e. stole!) data from them.

Spider Evolution

To understand the threat, you have to understand who they are. Scattered Spider doesn’t have a rigid, hierarchical structure. It emerged from "The Community" (The Com), a decentralized network where cybercriminals collaborate on illicit activities. Think of it as a dark LinkedIn, where the networking opportunities are infinitely more dangerous. This fluid model allows them to pivot with the speed of spider reflexes. Also important is that many of the members are native English speakers from the US and the UK. They have proven to be very convincing on a phishing call.

The group's evolution tells a story of calculated escalation:

2022: The Foundation Years

Scattered Spider cut their teeth on telecommunications firms through SIM swap operations. This early specialization gave them foundational expertise in identity compromise, skills that would prove invaluable later.

2023: The Expansion

By early 2023, they pivoted to ransomware deployment and large-scale data theft, broadening their target range across multiple industries. This wasn't just growth; it was a strategic evolution toward higher-value targets and more direct financial monetization.

2025: The Salesforce Focus

The group re-emerged as a more focused entity, initially targeting retail before expanding into aviation and insurance.

The Double Extortion Strategy

They’ve perfected a "double extortion" strategy. They simultaneously attempt to encrypt your data with ransomware while also exfiltrating it. Then, even if you manage to recover from the ransomware encryption, they threaten to leak the sensitive business data they’ve already stolen. It’s a vicious tactic designed to maximize pressure and ensure they get paid.

The Trojan Horse in the Org: What Actually Happened

Let's be clear about what this attack was and what it wasn't. Google's Threat Intelligence Group confirms that Scattered Spider didn't break Salesforce's core security or protocols. The platform itself remained secure.

Instead, they attacked the human layer. Here’s the breakdown:

  1. The Bait: During the initial social engineering operation, attackers deceived employees at targeted companies into accessing the Salesforce connected app setup page.
  2. The Lure: Through impersonation of IT support staff, often via phone calls (so-called “vishing”), they tricked end users into approving the attacker-controlled app. This approach is often called “consent phishing” or “consent vishing”.
  3. The Wait: In many cases, the malicious app did absolutely nothing at first. It sat dormant for months, a silent, invisible threat hiding in plain sight, waiting for the right moment to activate and steal data.

The Salesforce environments were secure and the security posture was tight. But the attackers still found a way in by exploiting the trust between users and the applications they connect to the platform. This incident is a stark reminder that in today’s landscape, every single connected app and integration is its own potential security risk.

The Unseen Threat: Why the Danger Lingers

The most dangerous threats are the ones you don't see. Even if your organization dodged the initial social engineering ploys from Scattered Spider, you are not in the clear.

As a recent Salesforce Ben post on LinkedIn noted, “Many organizations may still harbor dormant threats, with malicious connected apps awaiting activation.”

This is the key lesson: just because nothing bad has happened yet doesn't mean you are safe. The threat could already be inside your org, installed months ago, quietly waiting. Worse, a perfectly safe app today could be compromised tomorrow, a common occurrence with browser extensions that get sold to new, malicious owners. There are also all the apps that your team and your end users will be installing in the future. Cataloging, auditing, and continuously vetting your connected apps is no longer a "nice-to-have." It's an absolute necessity for survival.

What’s a Trailblazer to Do? Your Immediate Action Plan

These attacks highlight the urgent need for actions that have often been pushed down the priority list. Here are the minimum table-stakes measures every Admin, Architect, and Platform Owner should take right now.

Promote A Security First Culture

Security is a shared responsibility. It extends from the newest end user to the platform team to the C-suite. Training and awareness, especially around phishing and social engineering, are critical components of your defense. Scattered Spider especially targets users in customer support, who typically have access to all customer data. These users need to be educated to spot phishing, vishing, consent phishing, and similar tactics.

Close the Big Hole: SMS-Based 2FA

If you use SMS as 2FA (you really shouldn't), check with your service provider which kind of SIM swapping protection they provide. AT&T calls theirs "Wireless Account Lock". Turn on SIM swapping protection to reduce your attack surface.

Audit Your Connected Apps

  • Catalog Everything: Go to Setup and review every single Connected App. If you don't know what an app does or who installed it, flag it for investigation.
  • Review Install Dates: Look for apps installed around the time of known attack campaigns, or apps that were installed long ago and may no longer be in use.
  • Use the External Client Apps Metadata Type: Use the new External Client Apps (ECAs) instead of Legacy Connected Apps. ECAs give you better granularity and control, and their tokens expire by default.
  • Revoke and Remove (Carefully!): For any app you confirm is unauthorized, unused, or malicious, revoke its token and uninstall it. Proceed with caution to avoid disrupting legitimate business processes.
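The audit steps above can be turned into a repeatable triage pass. The following is an added example, not code from the post or from Valo: it runs the "who installed it", "when was it installed" and "is it dormant" checks over constructed records shaped like rows from the Salesforce SOQL objects ConnectedApplication and OAuthToken. The field names, the admin user IDs, the campaign window and the 90-day dormancy threshold are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample rows (not real org data). In a real org these would come
# from SOQL queries against ConnectedApplication and OAuthToken via the REST
# API; the field names used here are assumed to match those objects.
APPS = [
    {"Id": "0H4-app-1", "Name": "DocuSign eSignature", "CreatedDate": "2023-01-10T09:00:00Z", "CreatedById": "005-admin-1"},
    {"Id": "0H4-app-2", "Name": "Data Loader Helper", "CreatedDate": "2025-03-02T14:22:00Z", "CreatedById": "005-support-7"},
    {"Id": "0H4-app-3", "Name": "Legacy Sync", "CreatedDate": "2021-06-01T08:00:00Z", "CreatedById": "005-admin-1"},
]
TOKENS = [
    {"AppName": "DocuSign eSignature", "LastUsedDate": "2025-08-20T10:00:00Z", "UseCount": 4210},
    {"AppName": "Data Loader Helper", "LastUsedDate": "2025-03-02T14:25:00Z", "UseCount": 1},
    # "Legacy Sync" has no token row at all: no user has ever authorized it.
]
KNOWN_ADMINS = {"005-admin-1"}                      # assumed: the users allowed to install apps
CAMPAIGN_START, CAMPAIGN_END = datetime(2025, 1, 1), datetime(2025, 8, 31)  # assumed window
DORMANT_DAYS = 90                                   # assumed dormancy threshold


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def audit_connected_apps(apps, tokens, now, known_admins=KNOWN_ADMINS):
    """Return {app name: [reasons]} for every app that needs a human look."""
    last_used = {t["AppName"]: _ts(t["LastUsedDate"]) for t in tokens}
    findings = {}
    for app in apps:
        reasons = []
        created = _ts(app["CreatedDate"])
        if app["CreatedById"] not in known_admins:
            reasons.append("installed by non-admin user " + app["CreatedById"])
        if CAMPAIGN_START <= created <= CAMPAIGN_END:
            reasons.append("installed during campaign window")
        used = last_used.get(app["Name"])
        if used is None:
            reasons.append("never used: no OAuth token issued")
        elif (now - used) > timedelta(days=DORMANT_DAYS):
            reasons.append(f"dormant: last used {(now - used).days} days ago")
        if reasons:
            findings[app["Name"]] = reasons
    return findings


def run_audit(now_str="2025-09-01T00:00:00Z"):
    """Run the audit over the constructed sample at a fixed 'now'."""
    return audit_connected_apps(APPS, TOKENS, _ts(now_str))


if __name__ == "__main__":
    for name, why in run_audit().items():
        print(f"{name}: {'; '.join(why)}")
```

An app that trips several checks at once, like one installed by a non-admin during the campaign window and then unused, is the profile of the dormant app the post describes, and the candidate to investigate before revoking anything.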

Leverage Salesforce Shield

Effective monitoring is essential for spotting threats. If you have it, Salesforce Shield's Real-Time Event Monitoring is non-negotiable. Use it and Login Forensics to get critical insights into:

  • Authentication anomalies and suspicious login patterns.
  • Administrative actions, like MFA changes or new admin assignments.
  • Unusual data access or large report exports.

If the budget just isn’t there for Salesforce Shield, you can license Event Monitoring separately; however, you’ll miss out on other valuable Shield capabilities like encrypting data at rest, something you’ll wish you had if your data is ever exfiltrated.

Tighten Access and Permissions

  • Apply the Principle of Least Privilege: An app should only have access to the data it absolutely needs to function, no more and no less. Review the permission sets assigned to integration users and strip away anything non-essential.
  • Enable API Control and Use It: While this does require contacting Salesforce support, it can be an effective way to reduce your attack surface.
  • Establish an Approval Process: No new app should be installed without a formal security review and approval process.

The Real-World Problem of "Permission Fatigue"

While we’re talking about permissions, let's be honest about something. Trailblazers have heard the above advice before, and there’s a big catch, particularly with the advice to tighten permissions. Tightening permissions usually creates more work, because it increases what was already a constant barrage of user access requests, something that always eats up an admin team's valuable time. "User access request fatigue" is real, and it can tempt even the best admins to assign overly broad permissions just to quiet the noise. In a dark way, it's analogous to the "MFA fatigue" that Scattered Spider exploits in their social engineering attacks: they wear you down until security slips.

Real Security Requires Real Observability

The steps above are your new baseline. But in 2025, it's not enough. Sophisticated attackers like Scattered Spider deliberately mimic legitimate activity and hide their tracks. Simply collecting logs is insufficient.

Platform owners and admins need to achieve true "observability"—the ability to infer the internal state of your Salesforce environments by analyzing their external outputs like logs, events, and API calls.

This means:

  • Collecting comprehensive logs across all Salesforce features and integrated systems;
  • Actively analyzing that data for subtle anomalies;
  • Correlating events across integrated systems;
  • Setting up automated alerts for any behavior that deviates from the norm.
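The Shield signals listed earlier (authentication anomalies, unusual data access, large report exports) and the observability steps above come together in detection logic. The following is an added example, not code from the post or from Valo: it runs over constructed rows shaped like the Real-Time Event Monitoring objects LoginEvent and ReportEvent, flags a login from a country never seen for that user, flags a large report export, and raises the severity when the export follows the anomalous login within a few hours. Field names, the row threshold and the correlation window are assumptions for illustration, and the per-user country baseline is seeded from the sample itself rather than from history.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real org data); field names assumed to
# follow the LoginEvent and ReportEvent shapes from Event Monitoring.
LOGIN_EVENTS = [
    {"Username": "ana@example.com", "EventDate": "2025-08-20T08:05:00Z", "CountryIso": "US", "Status": "Success"},
    {"Username": "ana@example.com", "EventDate": "2025-08-21T08:02:00Z", "CountryIso": "US", "Status": "Success"},
    {"Username": "ana@example.com", "EventDate": "2025-08-22T02:40:00Z", "CountryIso": "NG", "Status": "Success"},
    {"Username": "bo@example.com",  "EventDate": "2025-08-22T09:10:00Z", "CountryIso": "GB", "Status": "Success"},
]
REPORT_EVENTS = [
    {"Username": "ana@example.com", "EventDate": "2025-08-22T03:15:00Z", "Name": "All Contacts",
     "Operation": "ReportExported", "RowsProcessed": 250000},
    {"Username": "bo@example.com",  "EventDate": "2025-08-22T10:00:00Z", "Name": "My Open Cases",
     "Operation": "ReportRun", "RowsProcessed": 40},
]
EXPORT_ROW_THRESHOLD = 50000            # assumed: exports above this are "large"
CORRELATION_WINDOW = timedelta(hours=6)  # assumed: login-to-export window to correlate


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(login_events, report_events):
    """Return a list of (severity, username, message) alerts."""
    alerts, baseline, suspicious_logins = [], {}, {}
    # Pass 1: per-user country baseline; the first login seeds it (simplification).
    for ev in sorted(login_events, key=lambda e: e["EventDate"]):
        if ev["Status"] != "Success":
            continue
        user, country = ev["Username"], ev["CountryIso"]
        seen = baseline.setdefault(user, set())
        if seen and country not in seen:
            alerts.append(("medium", user, f"login from new country {country}"))
            suspicious_logins.setdefault(user, []).append(_ts(ev["EventDate"]))
        seen.add(country)
    # Pass 2: large exports, escalated when they follow an anomalous login.
    for ev in report_events:
        if ev["Operation"] != "ReportExported" or ev["RowsProcessed"] < EXPORT_ROW_THRESHOLD:
            continue
        user, when = ev["Username"], _ts(ev["EventDate"])
        msg = f"exported {ev['RowsProcessed']} rows from '{ev['Name']}'"
        recent = [t for t in suspicious_logins.get(user, []) if timedelta(0) <= when - t <= CORRELATION_WINDOW]
        if recent:
            alerts.append(("high", user, msg + " within hours of a login from a new country"))
        else:
            alerts.append(("medium", user, msg))
    return alerts


if __name__ == "__main__":
    for severity, user, msg in detect(LOGIN_EVENTS, REPORT_EVENTS):
        print(f"[{severity}] {user}: {msg}")
```

In production the baseline comes from weeks of history rather than the same batch, and the alerts feed a SIEM or pager rather than stdout; the correlation step is what turns two medium signals into one actionable one.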

All of this represents a tremendous amount of work - work that most organizations don't have the resources to handle manually. And that’s precisely why Valo was created.

The Valo Approach: Trade Manual Toil for Automated Intelligence

Valo was co-founded by Jari Salomaa, the Trailblazer who previously led the Salesforce Shield team. Having seen firsthand the power of automated security tools and recognizing that even Shield leaves significant work to be done, Jari created Valo to be the best friend of overworked Salesforce admins, architects, and platform owners.

A robust security posture is a must, but it isn't sufficient. You need tools that monitor actual activity, not just configurations. This is where Valo AI transforms your security.

Automated Security Scoring of Every Connected App and Integration

Were you pained, while reading the action plan above, by the thought of manually vetting every app? Valo AI automates it. It continuously discovers every integration and connected app in your environment, analyzing dozens of factors to generate a simple, dynamic, up-to-date security score. It turns weeks of manual vendor assessment into an instant, data-driven score for every app and every integration, kept current at all times.

The Scoring Methodology

Valo's security scoring combines dozens of factors into a single, actionable metric:

  • Vendor Security Posture: SOC 2 certifications, privacy policies, terms of use
  • Permission Analysis: Whether apps follow the principle of least privilege
  • Activity Monitoring: What the app actually does versus what it claims to do
  • Compliance Alignment: How well the app aligns with regulatory requirements
  • Community Trust: User reviews and third-party assessments
  • Ongoing Security Practices: Bug bounty programs and security update frequency

This comprehensive approach provides the observability needed to identify threats like Scattered Spider's patient, dormant attacks.

Beyond Posture and into Activity

This is where Valo goes deeper. We don't just score the app's configuration; Valo AI can see what each app is actually doing. Is that e-signature tool only accessing the Contracts it needs, or is it also scanning your Lead and Opportunity objects? Valo eliminates the "black box" blind spot.

AI Powered Permission Tightening

Rather than forcing admins to choose between security and user productivity, Valo AI provides intelligent suggestions for tightening permissions without breaking existing workflows. Our AI analyzes user activity and suggests where you can safely tighten permissions without disrupting critical end-user workflows, allowing you to enforce the principle of least privilege without the administrative headache. It's like having a security expert who understands your business processes.

Secure Intelligent Access Request Management

Valo AI can even help manage the onslaught of user access requests, handling them automatically and securely. There’s no need to fear user access request fatigue when tightening permissions.

Avoid Being Tangled In Spider Webs

The Scattered Spider threat demonstrates that traditional security approaches—even good ones—aren't enough anymore. The attackers have evolved, and our defensive strategies must evolve too.

The combination of user education, robust access controls, comprehensive monitoring, and intelligent automation creates a defense-in-depth strategy that can adapt to emerging threats. It's not about replacing human judgment with technology; it's about augmenting human expertise with tools that can process vast amounts of data and identify patterns that would be impossible to spot manually.

Don't wait for the next attack to hit the headlines. Start with the basics: audit your connected apps, tighten permissions, and implement comprehensive monitoring. But don't stop there.

Consider how automated security scoring and AI-powered analysis can transform your security from reactive to proactive. The threat landscape is evolving rapidly, and manual processes simply can't keep pace.

Next week, we'll dive deeper into how Valo AI performs automatic, continuous security scoring of connected apps and integrations. We'll show you exactly how the technology works and share real-world examples of threats it has identified.

Take Action Today

Ready to see how your environment scores? Valo offers a 30-day free trial available on the AppExchange. In minutes, you can discover which of your connected apps might be hiding dormant threats.

Because when it comes to threats like Scattered Spider, the question isn't whether you'll be targeted—it's whether you'll be ready.


  • Josh Aberant