Attack Flow Steps:

: Voice phishing (vishing) used as initial access vector to manipulate victims. : Malicious domain used for impersonation. : Malicious domain used for impersonation. : Malicious domain used for impersonation. : Malicious domain used for impersonation. : Email address used by threat actors. : Domain impersonation to appear legitimate during social engineering attacks. : VPN obfuscation methods used to hide attacker infrastructure and location. : Manipulation of Salesforce OAuth-based connected app authorization mechanism for persistent access. : Primary target system containing customer relationship management data. : OAuth abuse to create persistent access through connected app authorization. : API exploitation to access and manipulate data through application programming interfaces. : Large-scale data collection from compromised CRM systems across multiple organizations. : Major corporation successfully compromised in the campaign. : Major corporation successfully compromised in the campaign. : Major corporation successfully compromised in the campaign. : Large-scale data exfiltration from compromised systems across multiple industry sectors. : Delayed extortion model with ransom demands ranging from 4 Bitcoin to 20 Bitcoin

MITRE ATT&CK Techniques:

• T1566
• T1036
• T1090
• T1548
• T1136
• T1071
• T1213
• T1567
• T1486