Executive Summary
In August 2025, a significant supply chain attack targeted the Salesloft Drift AI chatbot integration, compromising OAuth tokens and affecting over 700 organizations, including Cloudflare, Palo Alto Networks, and Zscaler. Attackers exploited these tokens to gain unauthorized access to Salesforce instances, exfiltrating sensitive data such as AWS access keys and passwords. The breach originated from a compromised Salesloft GitHub account, accessed between March and June 2025, allowing attackers to manipulate repositories and establish malicious workflows. This incident underscores the critical vulnerabilities present in third-party integrations and the necessity for stringent security measures in interconnected systems. The attack highlights the growing trend of cybercriminals leveraging trusted platforms to infiltrate organizations, emphasizing the need for enhanced monitoring and control over third-party services.
Why This Matters Now
The Salesloft Drift supply chain attack exemplifies the escalating risks associated with third-party integrations, as cybercriminals increasingly exploit trusted platforms to infiltrate organizations. This incident underscores the urgent need for enhanced monitoring and control over third-party services to mitigate potential vulnerabilities.
Attack Path Analysis
The attack progressed through six stages:
- Initial access: attackers exploited vulnerabilities in interconnected cloud services.
- Privilege escalation: compromised identity (OAuth) tokens were used to expand access.
- Lateral movement: attackers moved across cloud environments.
- Command and control: channels were established through legitimate cloud platforms.
- Exfiltration: sensitive data was moved out over those same channels.
- Impact: operations were disrupted by leveraging the organization's own infrastructure.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited vulnerabilities in interconnected cloud services to gain unauthorized access.
MITRE ATT&CK® Techniques
Supply Chain Compromise
Compromise Software Supply Chain
Compromise Software Dependencies and Development Tools
Compromise Hardware Supply Chain
Valid Accounts
Use Alternate Authentication Material
Application Layer Protocol
Phishing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.08
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: Identity and Access Management
NIS2 Directive – Supply Chain Security
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply-chain attacks exploiting cloud-native platforms and AI agents create critical vulnerabilities in software development environments requiring zero-trust segmentation and enhanced visibility controls.
Information Technology/IT
Identity-based attacks weaponizing cloud services demand comprehensive east-west traffic security, encrypted communications, and multicloud visibility to prevent lateral movement and data exfiltration.
Financial Services
Industrialized attack factories targeting interconnected cloud platforms threaten financial data integrity, requiring egress security enforcement and threat detection capabilities to maintain regulatory compliance.
Computer/Network Security
Attackers turning defensive infrastructure into attack vectors necessitates cloud firewall deployment, intrusion prevention systems, and anomaly detection to protect security service providers themselves.
Sources
- Attackers are using your network against you, according to Cloudflare: https://cyberscoop.com/cloudflare-annual-threat-report-2026/
- Cloudflare 2026 Threat Intelligence Report: Nation-State Actors and Cybercriminals Shift from 'Breaking In' to 'Logging In': https://www.cloudflare.com/en-in/press-releases/2026/cloudflare-2026-threat-intelligence-report-nation-state-actors-and/
- Salesloft Drift supply chain attack originated from compromised GitHub account: https://www.scworld.com/news/salesloft-drift-supply-chain-attack-originated-from-compromised-github-account
- Cloudflare warns state-backed hackers are 'weaponizing legitimate enterprise ecosystems' as 'living off the land' attacks surge: https://www.itpro.com/security/cyber-attacks/cloudflare-warns-state-backed-hackers-are-weaponizing-legitimate-enterprise-ecosystems-as-living-off-the-land-attacks-surge
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, and move laterally across cloud environments, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in interconnected cloud services would likely be constrained, limiting unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges using compromised identity tokens would likely be constrained, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally across cloud environments would likely be constrained, limiting unauthorized access to interconnected services.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels through legitimate cloud platforms would likely be constrained, reducing the effectiveness of evasion techniques.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data via command and control channels would likely be constrained, limiting data loss.
Control: Threat Detection & Anomaly Response
Mitigation: The attacker's ability to disrupt operations by leveraging the organization's infrastructure would likely be constrained, reducing operational impact.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management (CRM)
- Sales Operations
- Customer Support Services
Estimated downtime: 10 days
Estimated loss: $5,000,000
Data affected: customer contact information, support case records, API tokens, and sensitive business data.
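Because the exfiltrated Salesforce data contained AWS access keys, passwords and API tokens pasted into support case records, one practical way to shrink the blast radius of a stolen CRM token is to scan case text for credential shapes and redact them before they are stored. The following is an added illustration, not code from Aviatrix or any vendor named above; the regex patterns are heuristics and the case records are constructed samples (the AKIA value is the AWS documentation example key).

```python
import re
from dataclasses import dataclass

# Credential shapes commonly found in CRM free text. Heuristic patterns:
# false positives are acceptable for triage, misses are the real cost.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_ -]?secret[_ -]?access[_ -]?key\s*[:=]\s*([A-Za-z0-9/+=]{40})"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "api_token": re.compile(r"(?i)\b(?:api[_ -]?key|token)\s*[:=]\s*([A-Za-z0-9_\-.]{16,})"),
}

@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    secret: str

def scan_case(case_id: str, body: str) -> list[Finding]:
    """Return one Finding per credential-like match in a case body."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(body):
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(case_id, kind, secret))
    return findings

def redact(body: str) -> str:
    """Replace each matched secret with a [REDACTED:<kind>] marker, keeping context."""
    for kind, pattern in PATTERNS.items():
        def _sub(m, kind=kind):
            full = m.group(0)
            secret = m.group(1) if m.groups() else full
            return full.replace(secret, f"[REDACTED:{kind}]")
        body = pattern.sub(_sub, body)
    return body

def scan_all(cases: dict[str, str]) -> list[Finding]:
    return [f for cid, body in cases.items() for f in scan_case(cid, body)]

# Constructed sample support-case records (not real customer data).
CASES = {
    "CASE-0001": "Customer cannot deploy; key AKIAIOSFODNN7EXAMPLE returns AccessDenied.",
    "CASE-0002": "Reset done, temp password: Summer2025! emailed to the admin.",
    "CASE-0003": "Webhook works after enabling the integration. Closing.",
    "CASE-0004": "Attached api_key=ex4mpl3T0k3nC0nstructed01 for debugging.",
}

if __name__ == "__main__":
    for f in scan_all(CASES):
        print(f"{f.case_id}: {f.kind} -> {redact(CASES[f.case_id])}")
```

Run as a pre-save hook on case creation, the same scan gives an inventory of which secrets were ever present in the CRM, which is the list that needs rotating after a token compromise like this one.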
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows.
- Utilize Multicloud Visibility & Control tools to detect and respond to anomalous activities across cloud environments.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Adopt Threat Detection & Anomaly Response mechanisms to identify and mitigate threats in real time.