Salesforce File Upload Security: How to Stop Malware and Malicious Links Before They Compromise Your CRM

By OPSWAT

Salesforce may be where your enterprise data resides, but there’s no guarantee it’s also where your data is safe.

With industry giants such as Google, Workday, Allianz Life, GAP, Chanel, Coca-Cola, IKEA, and others confirming[1] Salesforce-related breaches in 2025, it appears that a phone call or an infected file is enough to penetrate the platform’s environment.

In many cases listed above, file uploads, embedded links, and OAuth-based integrations were entry points for the breaches.

Salesforce attacks have changed.

Rather than forcing their way in, malicious actors are slipping through trusted workflows.  

This reveals critical gaps in how these environments are protected and how they should be defended going forward.

The 2025 Salesforce Security Crisis: By the Numbers

Attackers’ interest in Salesforce scales directly with its adoption.

According to 2025 threat intelligence analysis, file uploads and OAuth abuse emerged as the primary attack vectors behind major SaaS breaches, exposing a critical blind spot in cloud security strategies.

Attack Volume Explosion

  • 20× increase in Salesforce threat detection ratio in Q1 2025 compared to Q4 2024
  • Nearly 1 billion records stolen across coordinated SaaS attacks
  • 39+ major organizations compromised, including Google, Coca-Cola, Adidas, Allianz, Air France, KLM, and M&S

These weren’t fringe incidents.

They affected global brands, regulated industries, and organizations with mature security programs.

Confirmed Breach Impact

  • Google Ads: 2.55 million prospective customer records exposed 
  • Coca-Cola Europacific Partners: Over 23 million Salesforce records exfiltrated 
  • Allianz Life: 1.4 million customers affected 
  • UK retailers (M&S, Co-op, Harrods): Help-desk manipulation led to ransomware deployment 
  • Aviation sector (Air France, KLM, Hawaiian, WestJet): Systematic, coordinated targeting 

A common thread emerged across all incidents: malicious files and links entered through trusted Salesforce workflows, unchecked and uninspected.

Files as Weapons: How Everyday Documents Became the Attack Vector

Throughout early 2025, multiple security industry analysts revealed a pattern.

Attackers are using seemingly legitimate files to bypass traditional defenses and reach end users inside SaaS platforms like Salesforce.

The script has changed. 

Instead of exploiting software vulnerabilities, adversaries focused on trusted document formats delivered through normal business workflows - uploads, shared records, and integrations.  

This method is more effective, because security scrutiny is often minimal for file uploads.

Most Abused File Types in SaaS-Based Attacks

Weaponized file uploads abused users’ trust, hiding harmful content in everyday files.[2-5]

Microsoft Word Documents (~68%)

Word files remained the most common delivery method for malicious activity.  

Attackers embedded phishing links or external malware download URLs and paired them with convincing social engineering messages such as “please review invoice” or “updated contract attached.”  

Once uploaded directly into Salesforce, these files bypassed email security controls altogether. 

Image Files and QR Codes (~27%)

As highlighted in Microsoft’s and other industry threat reports, QR-based phishing (“quishing”) gained momentum in 2025.

Malicious QR codes embedded in image files redirected users, mainly on mobile devices, to credential-harvesting pages, exploiting the reduced visibility and inspection of mobile browsing.

PDF Documents (~3%)

PDFs are commonly disguised as invoices, compliance forms, or legal documents.

Some contained embedded JavaScript, while others linked users to external phishing or malware-hosting sites.

Other File Formats (~2%)

Attackers also leveraged:

  • HTML files for browser-based phishing pages 
  • ZIP archives to conceal secondary payloads 
  • Excel files using formula-based techniques to execute malicious logic 

Why This Works

These files didn’t raise alarms because they looked legitimate, moved through legitimate Salesforce workflows, and were trusted by users. 

As organizations hardened network perimeters and email gateways, attackers simply shifted to the path of least resistance: trusted files inside trusted platforms. 

The Malware Evolution Crisis

As file-based data exchange increases, malware has become more sophisticated and harder to detect, often bypassing traditional, signature-based security tools.

According to OPSWAT research, malware complexity rose by 127% in six months, driven by polymorphic malware that changes on every delivery, fileless attacks that execute directly in memory, time-delayed payloads, anti-sandbox evasion techniques, and encrypted malicious content hidden inside legitimate file structures.

Why Traditional Defenses Failed

  • Single antivirus engines detect only 50–70% of threats, meaning 30–50% routinely slip through. 

That detection gap explains why:

  • 67.72% of malicious Word documents bypassed defenses 
  • 26.78% of QR-code attacks evaded email and endpoint controls 
  • Salesforce became an ideal delivery mechanism once attackers avoided email entirely

The Links Hidden Inside Files: Advanced URL Evasion Tactics

In some modern attacks, the file itself is not the payload at all.

In these cases, the real danger is hidden inside URLs embedded within documents and images.

Security researchers consistently report that attackers focus less on malware delivery and more on redirecting users to malicious destinations, using links that appear legitimate at first glance.

By the time a user clicks, traditional security checks have already been bypassed.

Common URL-Based Attack Techniques Seen in the Wild

Brand Impersonation and Lookalike Domains

Attackers routinely register domains that closely resemble trusted brands, substituting characters, adding extra letters, or abusing subdomains.

Examples include misspelled versions of well-known services, or URLs padded with trusted brand names to mislead users into thinking they’re safe. 

Newly Registered Domains (NRDs)

A large share of phishing campaigns rely on domains created just weeks, or even days, before an attack. These domains have no established reputation, are used briefly during campaigns, and are often abandoned before they can be flagged by blocklists.

Abuse of URL Shortening Services

Shortened links from widely used services obscure the final destination, preventing users and basic security tools from seeing where the link leads. This technique continues to be popular because it evades simple reputation and keyword-based filtering.

Misuse of Legitimate Platforms and Redirects

Attackers increasingly hide behind trusted infrastructure such as search engine redirects, cloud services, or content delivery platforms. These URLs seem benign, pass initial trust checks, and only later redirect users to phishing or malware-hosting pages.

Unfamiliar or Low-Cost Top-Level Domains (TLDs)

Certain TLDs are disproportionately abused in phishing campaigns due to lower registration costs and looser enforcement. While no TLD is inherently malicious, attackers favor domains that can be spun up quickly and discarded without consequence.

Why It Still Works

Static reputation scoring (checking whether a domain has been seen before or appears on known blocklists) is rendered useless when attackers rotate domains rapidly, abuse trusted services, or delay malicious behavior until after delivery. 

Modern URL threats require more than surface-level checks.  

Effective defense depends on contextual analysis, behavioral signals, and continuous inspection.

Deep inspection is needed especially inside trusted SaaS platforms where users are more likely to click without hesitation.
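The following is an added example, not OPSWAT's or MetaDefender's code, showing what point-of-upload link inspection for the Word documents described earlier can look like: it pulls the hyperlink targets out of a .docx (built in memory, since a .docx is a zip archive) and applies the URL heuristics listed above. The brand watch-list, shortener list, risky-TLD list, and the registration-date table standing in for a WHOIS/RDAP lookup are all constructed assumptions so the script runs offline.

```python
import difflib
import io
import xml.etree.ElementTree as ET
import zipfile
from datetime import date
from urllib.parse import urlparse
NS = "http://schemas.openxmlformats.org/package/2006/relationships"  # .docx = zip; link targets sit in word/_rels/document.xml.rels
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
BRANDS = ("salesforce", "microsoft", "docusign")   # assumed brand watch-list
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}      # assumed shortener list
RISKY_TLDS = {"zip", "top", "xyz"}                  # assumed low-cost TLDs
# Constructed stand-in for a WHOIS/RDAP registration-date lookup, so the example runs offline.
REGISTERED_ON = {"salesforce.com": date(1999, 1, 1), "salesforce-login-portal.top": date(2025, 3, 1)}

def build_sample_docx(urls):
    # Constructed minimal .docx whose relationship part carries external hyperlinks.
    rels = "".join(f'<Relationship Id="rId{i}" Type="{HYPERLINK}" Target="{u}" '
                   f'TargetMode="External"/>' for i, u in enumerate(urls, 1))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{NS}">{rels}</Relationships>')
    return buf.getvalue()

def extract_docx_links(data):
    # Parse the relationship part rather than grepping document.xml for visible text.
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
    return [r.get("Target") for r in root.iter(f"{{{NS}}}Relationship")
            if r.get("Type") == HYPERLINK and r.get("TargetMode") == "External"]

def assess_url(url, today=date(2025, 3, 10)):
    # Returns the heuristics that fired: shortener, risky TLD, NRD, brand lookalike.
    labels = (urlparse(url).hostname or "").lower().split(".")
    registered = ".".join(labels[-2:])              # naive registrable domain
    reasons = []
    if ".".join(labels) in SHORTENERS:
        reasons.append("url-shortener")
    if labels[-1] in RISKY_TLDS:
        reasons.append("risky-tld")
    created = REGISTERED_ON.get(registered)
    if created and (today - created).days < 30:
        reasons.append("newly-registered")
    for brand in BRANDS:                            # brand padding or near-miss spelling
        close = any(brand in l or difflib.SequenceMatcher(None, l, brand).ratio() >= 0.85
                    for l in labels[:-1])
        if close and registered != f"{brand}.com":
            reasons.append(f"lookalike:{brand}")
    return reasons
```

A gateway would run assess_url over every link extract_docx_links returns and quarantine the upload when any reason is non-empty; a real deployment replaces the constructed tables with live reputation and registration lookups.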

Understanding the Full Salesforce Attack Surface

Salesforce offers many ways to upload, share, and exchange files - and attackers took advantage of nearly all of them.

Rather than targeting a single feature, they abused the entire file ingestion ecosystem, blending malicious content into everyday business workflows.

Key File-Based Entry Points in Salesforce 

Customer-Facing Channels 

External submission paths were frequently targeted because they’re designed to accept files from untrusted users. This includes Email-to-Case and Web-to-Case forms, Service Cloud attachments, and uploads through customer portals.

Internal Collaboration Tools 

Attackers leveraged collaboration features such as Chatter posts, shared files, and integrations with messaging platforms like Slack and WhatsApp, as well as content shared within Experience Cloud communities.

APIs, Integrations, and Automation 

Automated data flows introduced additional risk. File imports through Data Loader, connected applications, and third-party workflow automation tools allow malicious content to enter Salesforce environments without direct user interaction.

Why Traditional Security Controls Aren’t Enough for Salesforce

Despite heavy investment in cybersecurity, many organizations remain exposed.

Industry research, including the Verizon DBIR, shows that nearly 68% of security incidents involve human error, while most legacy security tools were never designed to protect SaaS platforms like Salesforce.

The core issue is visibility and timing.

Traditional controls focus on email or endpoints, leaving file uploads and stored content inside Salesforce largely uninspected.

  1. Email security gateways stop at inbox delivery and do not scan files uploaded directly into Salesforce.
  2. Endpoint antivirus protects devices rather than cloud platforms and typically scans files only after download.
  3. CASBs (Cloud Access Security Brokers) offer limited deep file inspection and frequently miss embedded or encrypted threats.
  4. Signature-based detection is ineffective against zero-day attacks and polymorphic malware, making it unreliable for modern weaponized documents.

As attackers increasingly use trusted SaaS platforms to deliver malware and malicious links, these gaps leave Salesforce environments vulnerable without dedicated file upload security.

How MetaDefender for Salesforce Secures File Uploads

MetaDefender for Salesforce closes this security gap by inspecting files and links at the moment they enter Salesforce. 

Using advanced, cloud-native file security technologies, it applies deep inspection directly at the point of entry, before content is stored, shared, or processed by Salesforce workflows. 

By combining multi-layer malware scanning, content analysis, and link inspection, MetaDefender stops malware, phishing links, and hidden threats early.  

Conclusion: Salesforce Security Starts With Files

The security data from 2025[6] makes one thing clear: files have become the primary attack vector targeting SaaS platforms like Salesforce. Attackers are increasingly using file uploads and shared content to bypass traditional defenses, while OAuth abuse allows threats to slip past MFA controls entirely. 

At the same time, few legacy security tools were designed to protect Salesforce workflows or inspect files at the point of upload.  

To effectively reduce risk, prevention must happen before malicious files or links ever reach users or business processes. 

MetaDefender for Salesforce enables exactly that. 

The real question is no longer if attackers target your Salesforce environment; it’s whether you’ll stop them before they succeed. 


FAQ: Salesforce File Upload Security

Why are file uploads a security risk in Salesforce? 

Attackers increasingly use file uploads and embedded links to bypass email and perimeter defenses. In 2025, security research showed that trusted Salesforce workflows became a primary entry point for malware and phishing.

Can Salesforce’s native security stop malicious files?

Salesforce secures the platform itself but does not deeply inspect uploaded files or embedded URLs. Without additional controls, threats can enter through attachments, APIs, and integrations.

What files are most commonly abused in Salesforce attacks?

Attackers most often abuse Word documents, image files with QR codes, and PDFs because they appear legitimate and easily bypass traditional security controls.

How does MetaDefender for Salesforce close this gap?

MetaDefender for Salesforce inspects files and links at the moment they enter Salesforce, blocking malware and phishing before content is stored, shared, or used in workflows.


[1] Source
[3] Source
[4] Source
[5] Source
[6] Source
