Disrupting the Kill Chain with WithSecure™ Cloud Protection for Salesforce


Landscape overview

Salesforce Cloud applications like Sales Cloud, Service Cloud or Experience Cloud are now a business-critical service for organizations across a wide range of industries and verticals. Unfortunately, their popularity has attracted the attention of cyber criminals looking to use them as a way to illegitimately gain access to these companies’ data and networks.

Cloud computing has become an increasingly popular means of storing and accessing data remotely. As one of the leading vendors of cloud-based CRM solutions and other valuable business apps, Salesforce has implemented strict security measures to protect its cloud and network infrastructure. In the cloud realm, a shared responsibility model defines the security responsibilities of both cloud providers and consumers. Under this model, the data owner holds the primary responsibility of securing data that flows in and out of their Salesforce environment.

The business benefits of using cloud-based applications like Salesforce are huge and hugely outweigh the additional security risks they introduce. However,it is essential that you are aware of the nature and extent of these risks so you can decide what action you need to take to mitigate them.

If you want to proactively secure your Salesforce Cloud environment, it is important to understand the methods attackers are using and what can be done to combat them. These methods range from phishing and sending malicious urls via email to social engineering and taking advantage of client-facing platforms to directly upload weaponized content to the cloud.

In this whitepaper we'll break down three of the most typical attack scenarios by looking at what cyber security experts call the "Kill Chain". We will also discuss how WithSecureTM can help to disrupt that Kill Chain with the solution designed for Salesforce Cloud.

Threat actors: who wants to steal our data and why?

As more and more businesses have shifted their operations to the cloud, criminals have become aware that large troves of valuable and sensitive data are held in cloud environments. However, different threat actors have very different motivations and levels of sophistication, and it is important to understand who they are and why they might be attacking you.

The pyramid above demonstrates the hierarchy of attackers. If you’re targeted by one of the actors at the top, they’re very likely to succeed, nation states and serious organized crime groups have huge resources to put behind acquiring data that they have identified as strategically important. In general, the larger the organization the higher the likelihood is of them being attacked.

Basic cyber training and antivirus software will likely protect you from most of what comes from the base of the pyramid, so it’s the middle that represents the biggest threat to most small and medium-sized organizations.

Threat actors: who wants to steal our data and why?

The cyber Kill Chain

Using the Kill Chain to assess how an advanced threat actor would approach your organization makes it easier to understand which steps, at a minimum, an attacker would have to take to succeed in an attack against your company. This allows you to build preventative or detective controls to counter them.

The WithSecure™ Kill Chain model is adapted from one originally created by Lockheed-Martin that is widely used and accepted in the industry. We have added some additional steps from our own experience of researching and combatting attacks.

The cyber Kill Chain

The other end of the spectrum

If none of the above applies, then there’s MDR. On-premise IT, the need to fulfill new security requirements as part of an ISO27001 accreditation, false positive rates of over 10% and threats from within and without all lend themselves to an MDR approach, especially one with some serious UEBA (User Entity and Behavior Analytics) chops. The same applies if you’re struggling with hiring or retaining skilled staff: assured response, the need to free up your existing IT security resource or the need to increase the capability of your team are all indicators that MDR might be the right option. The same applies if there’s no institutional threat hunting knowledge or if your security team can’t respond to alerts: MDR, either our own Countercept MDR or a managed EDR service from one of our partners, may well fit the bill. Local partners providing MDR are particularly valuable in situations where your organization has industry-specific requirements or prefers services delivered in languages other than international English. If a 24/7 service is not vital, a partner managed service is also appropriate in some cases. Finally, if you value a continuous feed of security insights and posture improvement recommendations when your organization isn’t under attack, then Countercept MDR is a really good fit; our threat hunters spend a great deal of their time researching threats and thinking like attackers, and passing these insights on to customers is part of their job.

What happens during each phase of the kill chain


This is the phase where a potential attacker looks at your organization and network from the outside, searching for vulnerabilities that they could potentially exploit.

In a Salesforce context this could mean discovering your Community portals, Web-to-case forms or the email address that’s used for email-to-case flow


The last stage of the Kill Chain is reached when the attacker completes at least part of their objectives successfully.

This could encompass a range of things such as stealing data, manipulating a target, making a fraudulent payment or damaging the system depending on the attacker’s motivations

Internal reconnaissance

Once an attacker has access to your system they will carry out another stage of reconnaissance to try to discover more about your organization and network.

In Salesforce this could mean accessing contact details of partners and customers within your CRM or finding out what other systems that are connected to Salesforce


Once an attacker gains access to your network they want to remain inside and undetected. This way they can continue to steal data or achieve their other objectives.

They do this with various methods like sending malicious files or URLs to other users that can be internal or external to the Salesforce Cloud environment.


C2 is the abbreviation security experts use for Command and Control. This is the stage where an attacker uses the compromised system to activate or control malware in the organization’s network.

Lateral movement

Internal reconnaissance enables an attacker to identify other areas of your organization’s network and infrastructure that may hold the data they are looking for.They can then use a variety of techniques to gain access to these areas


Exploitation, often referred to as code execution, is the phase of an attack where malicious code is executed on the target environment.

Exploitation can occur in various ways such as abusing functionality of file formats such as Microsoft Office document, PDF files, and scripts. Attackers can also exploit known or unknown (so-called zero-day) vulnerabilities in popular software

Delivery / weaponization

If the medium of the attack is email, this literally means the delivery of the email to your employee. Attacks could also be carried out via Salesforce Communities, direct file uploads or URLs shared via Salesforce. Weaponization is sometimes listed as an additional step and could take place before or after delivery.

This is where the attacker uses what they found out in the reconnaissance phase to put malicious content into the delivery method.

Traditionally this would be done prior to sending, but a new technique that attackers use is to send a URL which is not yet infected and therefore looks perfectly legitimate to standard security solutions, before adding the payload to it later

External vs internal threats

At WithSecure™ we distinguish between internal and external threats, based on the initial method of infiltration which takes place prior to or simultaneously with the reconnaissance and weaponization phases.

An external threat is typified by an attacker that seeks to “become your customer” or gain trust in a similar way. Imagine a recruitment firm that takes on a new candidate not knowing that this person is really a cybercriminal. The attacker would likely send a real CV initially and exchange non-infected emails to build trust before weaponizing and carrying out an attack later.

An internal threat on the other hand has an attacker that already has access on behalf of the internal user. Maybe they bought it, either directly or online, or maybe they stole it using a phishing attack. Either way they can easily skip to delivery with very specific targeting.

The Kill Chain framework is not a one-size-fits-all solution for all types of cyberattacks. Some attacks may skip certain stages entirely, or use different techniques to achieve their objectives. However, understanding the Kill Chain framework and how different threat actors may approach each stage can help organizations better prepare for and defend against cyberattacks.

External vs internal threats

Salesforce Kill Chain examples

Attacking via Community portal

This is an example of an external Kill Chain, the attacker is acting as a member of your community who would have legitimate access to your Community Portal. 

1. Reconnaissance

The attacker registers and creates a new user account in the community portal. This allows them to collect knowledge about functionality, communication flow and possible weaknesses in the community portal.

2. Weaponization

The attacker creates a weaponized document with a vulnerability exploit. This can be a Word document with malicious macro or PDF document with embedded JavaScript code

3. Delivery

The attacker uploads the weaponized file to the community portal. The file is saved in Salesforce Experience Cloud as a Content Document or Attachment.

4. Exploitation

Failing intervention an internal user opens the file and the weaponized payload is executed within the vulnerable application on their device.

5. C2 / Persistence

The attacker now has access to this user’s device and can proceed to lateral movement, persistence or further internal reconnaissance.

6. Objective

The attacker works to ex-filtrate confidential or sensitive data from the organization.

Attack through a community portal

Exploiting email-to-case

This is another external Kill Chain, where an attacker uses email-to-case to penetrate via Salesforce Service Cloud. They will be posing as a customer or user of your service.

1. Reconnaissance

The attacker finds out the email address used for sending customer support requests.

2. Delivery

The attacker creates a website for a phishing attack and sends the link in an email message to create an email-to-case request for customer support. However, they don’t fully weaponize it in order to elude security scanners and make sure the link passes through. The link is saved in the Salesforce org.

3. Weaponization

The attacker waits a while and then adds the malicious code to the website they have created.

4. Exploitation

Failing intervention an internal user opens the link and the malicious is executed within the vulnerable application on their device.

5. C2 / Persistence

The attacker now has access to this user’s device and can proceed to lateral movement, persistence and further internal reconnaissance.

6. Objective

The attacker works to ex-filtrate confidential or sensitive data from the organization.

Attack through a email-to-case

Supply chain attack

Salesforce supports various ways to integrate with, and extend the capabilities of the Salesforce Lightning platform. Organizations may use solutions that can create, update and read content and these solutions would use native Salesforce APIs that are trusted by default. This Kill Chain shows how an attacker could use a third-party application to breach Salesforce Lightning.

1. Reconnaissance

The attacker discovers an exploit AppExchange app or compromises an external system that your organization is using that has integration with Salesforce Lightning. This could be Salesforce’s Mulesoft, a third-party solution like Dell’s Boomi, or a homemade solution that has access to Salesforce. 

2. Weaponization

The attacker creates a weaponized document with a vulnerability exploit or malicious payload. This can be a Word document with malicious macro, PDF document with embedded JavaScript code or a PowerShell script.

3. Delivery

The attacker pushes the weaponized file through the thirdparty application and into Salesforce Lightning. The file will be trusted by default because it comes from a whitelisted source.

4. Exploitation

Failing intervention an internal user opens the file and the weaponized payload is executed within the vulnerable application on their device.

5. C2 / Persistence

The attacker now has access to this user’s device and can proceed to lateral movement, persistence, further internal reconnaissance or otherwise completing their objectives.

6. Objective

The attacker works to ex-filtrate confidential or sensitive data from the organization.

Supply chain attacks

Product introduction

WithSecure's Cloud Protection for Salesforce effectively combats all the previously mentioned attack scenarios, and more. Our solution actively scans files and URLs every time they are uploaded to, downloaded from or clicked on within Salesforce, providing real-time detection and blocking of malicious content, including malware and phishing links.

Our Cloud Protection solution is particularly effective against advanced attack methods like the email-to-case approach, where attackers use dormant malicious payloads to evade security systems.

Working alongside Salesforce, our Cloud Protection solution is designed to complement their security capabilities, with no overlap between our solution and Salesforce's built-in or add-on security tools. With our click-and-go deployment, you get instant protection without any tedious deployment projects.

Additionally, our solution provides constant visibility into your content security status and offers comprehensive reports and analytics to help you hunt threats. Plus, integrating it into your SIEM is easy.

When it comes to defending against sophisticated cyber attacks, it's crucial to have security measures in place across multiple fronts and layers. This includes systematically addressing vulnerabilities, implementing preventive threat protection on devices and cloud applications, and responding quickly to threats to minimize damages.

Related resources

WithSecure™ Cloud Protection for Salesforce

WithSecure™ Salesforce Cloud Security for Salesforce Community Cloud, Sales Cloud and Service Cloud offers real-time protection from advanced viruses & malware.

Read more

WithSecure™ Cloud Protection for Salesforce

WithSecure™ Cloud Protection for Salesforce is a powerful security solution designed to protect against advanced cyber threats, such as ransomware, zero-day malware, viruses, trojans and phishing links. Developed in collaboration with Salesforce, it complements the platform's native security capabilities, scans URLs every time they're clicked and is ISO 27001 and ISAE 3000 (SOC 2) certified. 

Don't let cybercriminals steal your data and compromise your business. Get in touch with us today to learn more about our advanced cloud security solutions.

Want to talk in more detail?

Complete the form, and we'll be in touch as soon as possible.

We process the personal data you share with us in accordance with our Corporate Business Privacy Policy.