Augur Identified 16 Malicious IPs Before Salesforce Attacks

Threat Research Team

The FBI recently issued FLASH-20250912-001 detailing active campaigns by advanced threat groups UNC6040 and UNC6395 targeting Salesforce environments through social engineering, OAuth/connected-app abuse, and stolen tokens.

Augur’s Preemptive Discovery

The FBI’s published list of IOCs contains 16 IP addresses that Augur identified a minimum of 7 months before they were weaponized:


Augur detected and flagged these IPs as malicious infrastructure, enabling our clients to block and monitor this activity well before threat actors could act. Our early intelligence meant every Augur-protected organization was already defended when the FBI alert went public.

Why This Breach Matters

  • High-value targets: Salesforce systems store sensitive customer and financial data, making them prime objectives for sophisticated attackers

  • Stealth techniques: Abuse of OAuth and connected apps allows intruders to blend in with legitimate activity, bypassing many conventional defenses

  • Potential for extortion: Once inside, adversaries can exfiltrate data and launch extortion attempts, escalating risk dramatically

Proven Preemptive Protection

This incident underscores why Augur is the only preemptive cybersecurity platform capable of identifying malicious infrastructure as it is acquired (MITRE ATT&CK T1583) by APT groups, on average, 60 days before first attacks. Our detection of these 16 IPs ahead of the FBI FLASH proves that true preemptive prevention is not only possible but already available for your organization to put to work in strengthening its security posture.


Next Steps for Security Teams

  1. Block the identified IPs across firewalls and security controls
  2. Audit Salesforce and other SaaS environments for suspicious connected apps and OAuth activity
  3. Strengthen social-engineering defenses for call center and support staff
  4. Integrate Augur into your security stack to provide a first line of defense against novel threats
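Steps 1 and 2 above can be operationalized as a single review of Salesforce login records. The following is an added example, not Augur's or Salesforce's code: it assumes records shaped like Salesforce LoginHistory rows (field names and the "Remote Access 2.0" OAuth label are assumptions), uses constructed placeholder IoC addresses from RFC 5737 documentation ranges rather than the FBI FLASH values, and flags successful logins from IoC IPs or through connected apps that are not on the organization's approved list.

```python
"""Audit Salesforce-style login records against an IoC list and a connected-app allowlist."""
from dataclasses import dataclass

# Constructed placeholder IoCs (RFC 5737 documentation ranges), NOT the FBI FLASH values.
# In production, load these from the FLASH report or your threat-intel feed.
IOC_IPS = {"198.51.100.23", "203.0.113.7"}

# Connected apps the org has reviewed and approved (assumption: such a list is maintained).
APPROVED_APPS = {"Salesforce for iOS", "Data Loader", "Slack"}

# Assumed label LoginHistory uses for OAuth 2.0 connected-app logins; adjust to your own data.
OAUTH_LOGIN_TYPE = "Remote Access 2.0"


@dataclass
class Login:
    """One login record; fields mirror the assumed LoginHistory shape."""
    user: str
    source_ip: str
    application: str
    login_type: str
    status: str


def audit_logins(logins):
    """Return (user, reason) findings for successful logins that merit analyst review."""
    findings = []
    for rec in logins:
        if rec.status != "Success":
            continue  # failed attempts are tracked separately; this check is about access gained
        if rec.source_ip in IOC_IPS:
            findings.append((rec.user, f"successful login from IoC IP {rec.source_ip}"))
        if rec.login_type == OAUTH_LOGIN_TYPE and rec.application not in APPROVED_APPS:
            findings.append((rec.user, f"OAuth login via unapproved connected app '{rec.application}'"))
    return findings


# Constructed sample records for demonstration.
SAMPLE_LOGINS = [
    Login("alice@example.com", "192.0.2.10", "Browser", "Application", "Success"),
    Login("bob@example.com", "198.51.100.23", "Browser", "Application", "Success"),
    Login("carol@example.com", "192.0.2.11", "Data Loader", OAUTH_LOGIN_TYPE, "Success"),
    Login("dave@example.com", "192.0.2.12", "My Ticketing Tool", OAUTH_LOGIN_TYPE, "Success"),
    Login("erin@example.com", "203.0.113.7", "Browser", "Application", "Failed"),
]

if __name__ == "__main__":
    for user, reason in audit_logins(SAMPLE_LOGINS):
        print(f"{user}: {reason}")
```

Run against a real export, the same two checks surface both the stolen-token and connected-app abuse patterns the FLASH describes, and any flagged app should be reviewed (and revoked if unrecognized) rather than silently allowlisted.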

Can Augur Make a Difference? Let Us Prove It to You

Experience firsthand the benefits of preemptive cyber defense with a quick proof of value (POV).

We'll integrate Augur into your SIEM for 30 days. At the end, you'll receive a clear report detailing the threats Augur identified and how much earlier you would have been protected. We'll also provide data-driven estimates on alert reduction and the resulting impact on your SOC's time and efficiency.

Ready to see the difference? Just drop us an email, and we’ll set up a free, no-obligation assessment.