As AI and digital technologies advance, the European cyber threat landscape continues to evolve, presenting new challenges that require stronger partnerships and enhanced solutions. Ransomware groups and state-sponsored actors from Russia, China, Iran, and North Korea continue to grow in scope and sophistication, and European cyber protection cannot afford to stand still.
That is why, today, in Berlin, we are announcing a new Microsoft initiative to expand our longstanding work to help defend Europe’s cybersecurity. Implementing one of the five European Digital Commitments I shared in Brussels five weeks ago, we are launching a new European Security Program that adds to the company’s longstanding global Government Security Program.
This new program expands the geographic reach of our existing work and adds new elements that will become critical to Europe’s protection. It puts AI at the center of our work as a tool to protect traditional cybersecurity needs and strengthens our protection of digital and AI infrastructure.
We are launching the European Security Program with three new elements:
UNC6040 uses vishing to impersonate IT support, deceiving victims into granting access to their Salesforce instances.
Google Threat Intelligence Group (GTIG) is tracking UNC6040, a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns specifically designed to compromise organizations' Salesforce instances for large-scale data theft and subsequent extortion. Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements. This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization’s Salesforce data. In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.
A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal. This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce. During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments. This methodology of abusing Data Loader functionalities via malicious connected apps is consistent with recent observations detailed by Salesforce in their guidance on protecting Salesforce environments from such threats.
In some instances, extortion activities haven't been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data. During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims.
Hackers leak data of 88 million AT&T customers with decrypted SSNs; latest breach raises questions about links to earlier Snowflake-related attack.
Hackers have leaked what they claim is AT&T’s database which was reportedly stolen by the ShinyHunters group in April 2024 after they exploited major security flaws in the Snowflake cloud data platform. But is this really the Snowflake-linked data? We took a closer look.
As seen by the Hackread.com research team, the data was first posted on a well-known Russian cybercrime forum on May 15, 2025. It was re-uploaded on the same forum on June 3, 2025, after which it began circulating among other hackers and forums.
After analyzing the leaked data, we found it contains a detailed set of personal information. Each of these data points poses a serious privacy risk on its own, but together, they create full identity profiles that could be exploited for fraud or identity theft. The data includes:
Full names
Date of birth
Phone numbers
Email addresses
Physical addresses
44 Million Social Security Numbers (SSN) (43,989,219 in total)
