This analysis focuses on UNC6040, a financially motivated threat group specializing in voice phishing campaigns targeting Salesforce instances. The group employs social engineering tactics to trick employees into granting access or sharing credentials, facilitating large-scale data theft and extortion. Key tactics include manipulating victims to authorize malicious connected apps, often modified versions of Salesforce's Data Loader. The report provides detailed recommendations for proactive hardening, identity verification, and detection strategies to protect against UNC6040's methods. It emphasizes the importance of multi-layered security measures, including strict identity validation, device trust enforcement, and granular data access policies within Salesforce environments.