The Salesforce Vishing Wave: Workday's Breach and the Cost of Blind Trust

John Marzella
Identity Verification Security Vishing Impersonation Social Engineering Salesforce Workday Challenge

In August 2025, Workday - the HR and finance SaaS giant - joined a growing list of enterprises hit by a wave of social-engineering attacks targeting Salesforce CRM instances. Attackers never exploited a zero-day, broke into a data centre, or bypassed SSO. They did something much simpler: they impersonated Workday’s own HR and IT staff over SMS and phone calls, and persuaded employees to open the door for them.

They didn’t hack the system. They hacked the people around it.


What Happened

Around early August 2025, Workday disclosed that threat actors had accessed a third-party CRM platform (widely reported as Salesforce) and exported contact details for customers and prospects. The stolen data included business contact information such as names, email addresses and phone numbers.

The way attackers got in is a case study in modern impersonation:

  1. Initial outreach - Employees received convincing text messages and voice calls from individuals claiming to be Workday HR or IT.
  2. Building trust - The callers referenced internal-sounding processes and support issues, making the pretext feel like a legitimate account or app access review.
  3. The ask - The “HR/IT” contacts guided staff to approve or grant access to connected apps (OAuth) in the CRM, or to share account information and codes that let attackers authorize their own access.
  4. Data exfiltration - Once the malicious apps were authorized, the attackers exported business contact records at scale.

Workday stressed that customer HR, payroll or core tenant data was not impacted. On paper, it was “only” business contact information. In reality, that’s exactly the kind of data social-engineering crews need to stage the next wave of impersonation and fraud.

This campaign resembled (and likely overlapped with) similar operations where attackers impersonated internal IT staff at other large companies to trick employees into authorizing malicious Salesforce connected apps and tools like data loaders.


Tactics: Impersonation + Trusted Tools

The Workday incident illustrates how impersonation attacks have evolved:

  • Authority impersonation - Attackers pretended to be internal HR and IT - not random vendors. Employees are conditioned to cooperate with these teams.
  • Multi-channel contact - The campaign used SMS, voice calls and potentially follow-up email, mirroring the way real internal processes often play out.
  • Abuse of “normal” flows - There was no malware and no obvious phishing link. Instead, a “support” caller asks you to approve what looks like a legitimate Salesforce app, or to read out a code from a very real login page.
  • Low-sensitivity data, high-leverage impact - Contact details may sound harmless, but they’re perfect ammunition for future spear-phishing and deep impersonation campaigns.

Where Controls Broke Down

Several implicit assumptions failed at once:

  • “If it looks like HR/IT, it must be HR/IT.”
    There was no cryptographic or independent verification of the person on the phone.

  • “If Salesforce shows a prompt, it must be okay.”
    The platform UX was trusted more than internal policy.

  • “Business contact data is low risk.”
    The organisation underestimated how much damage well-structured contact data can do in the hands of attackers.

At no point were employees forced to independently verify the human making the request before granting high-impact access.


How Veraproof Challenge Would Have Broken the Chain

Veraproof Challenge is designed for exactly this failure mode: employees acting on instructions from someone who sounds internal, but isn’t.

Here’s what would change if Workday-style organisations put Veraproof Challenge in front of high-risk actions:

1. High-Risk Actions Require a Challenge

Define policies so that the following always require a Veraproof Challenge:

  • Approving new Salesforce connected apps
  • Granting admin privileges in CRM or analytics tools
  • Enabling bulk export or data loader access
  • Changing integrations that can access customer data

Before any helpdesk agent or end-user can complete those steps, they must trigger a Veraproof Challenge addressed to the person requesting the change (e.g. the “HR owner” or “CRM admin”).

2. Out-of-Band Identity Verification via Your IdP

Veraproof Challenge uses your existing identity provider (Okta, Azure AD, Google Workspace, etc.) to verify the requester.

  • The claimed requester must complete a full SSO flow, which can include phishing-resistant MFA and device trust (based on your IdP authentication policies).
  • They explicitly approve or reject the requested action based on the challenge outcome.
  • The approval is cryptographically tied to their corporate identity.

If the “HR caller” is actually an attacker, they simply cannot complete the challenge because they don’t control the real employee’s identity.

3. Policy-Driven Guardrails

Security and IT teams can implement rules like:

  • “Any new Salesforce connected app must be challenged and approved by a verified CRM admin and their manager.”
  • “Any configuration change that enables mass export requires a dual Challenge from the requester and the data owner.”

The challenges can be built into ticketing-system workflows, so employees don’t have to guess whether something is risky: the policy enforces it.

4. Forcing a Pause in the Social-Engineering Script

Impersonation thrives on urgency and momentum.

A mandatory challenge step introduces friction:

  • The employee must step away from the phone and use a trusted channel (SSO, Slack/Teams or your internal ticketing portal) to verify their identity.
  • If an attacker tries to rush them (“just do it now, I’m on a major incident bridge”), that urgency becomes a clear red flag.

Veraproof Challenge turns “sounds like HR” into “cryptographically proved they’re HR”. No more blindly trusting random calls and messages.
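To make steps 1 to 3 concrete, here is an added example of the kind of policy gate those sections describe. It is illustrative code written for this post, not Veraproof’s product or API, and it makes several assumptions: the IdP’s proof of a completed challenge is modelled as an HMAC-SHA256 assertion over (action, approver, timestamp) keyed with a secret only the IdP holds (a real deployment would verify an IdP-signed token with the IdP’s public key instead); role membership and reporting lines come from a constructed in-memory directory; and the policy table, e-mail addresses and app names are constructed sample values. The gate binds every approval to one specific request, rejects stale or forged assertions, and requires distinct verified approvers for dual-control rules.

```python
"""Added example (not Veraproof's code or API): a policy gate that refuses a
high-risk CRM action unless every approver the policy names has completed an
out-of-band identity challenge, modelled as an IdP-keyed signed assertion.
All keys, addresses, roles and app names below are constructed sample data.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed stand-in for the IdP's signing key (assumption: only the IdP has it).
IDP_SECRET = b"constructed-idp-signing-key"

# Constructed directory: role membership and reporting lines.
DIRECTORY = {
    "alice@example.com": {"roles": {"crm_admin"}, "manager": "bob@example.com"},
    "bob@example.com": {"roles": {"manager"}, "manager": None},
    "carol@example.com": {"roles": {"data_owner"}, "manager": "bob@example.com"},
}

# Policy: each entry is a requirement that one distinct verified approver must meet.
# "requester" / "manager_of_requester" are relative; anything else is a role name.
POLICY = {
    "approve_connected_app": ["crm_admin", "manager_of_requester"],
    "enable_bulk_export": ["requester", "data_owner"],
}

MAX_ASSERTION_AGE_S = 300  # an approval older than five minutes is stale


@dataclass(frozen=True)
class Assertion:
    action_id: str   # the exact request this approval is bound to
    approver: str    # corporate identity that completed SSO/MFA
    issued_at: int   # unix seconds, set by the IdP
    signature: str   # hex HMAC over the three fields above


def action_id_for(action: dict) -> str:
    """Hash the canonical request so an approval cannot be replayed for a different one."""
    canonical = json.dumps(action, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_assertion(action_id: str, approver: str, issued_at: int, key: bytes = IDP_SECRET) -> Assertion:
    """Stand-in for the IdP minting proof after a successful challenge (SSO + MFA)."""
    msg = f"{action_id}|{approver}|{issued_at}".encode()
    return Assertion(action_id, approver, issued_at, hmac.new(key, msg, hashlib.sha256).hexdigest())


def assertion_is_valid(a: Assertion, action_id: str, now: int) -> bool:
    """Valid only if signed with the IdP key, bound to this action, and fresh."""
    expected = issue_assertion(action_id, a.approver, a.issued_at).signature
    if not hmac.compare_digest(expected, a.signature):
        return False  # forged, or issued for some other action
    if a.action_id != action_id:
        return False
    return 0 <= now - a.issued_at <= MAX_ASSERTION_AGE_S


def _satisfies(requirement: str, approver: str, requester: str) -> bool:
    if requirement == "requester":
        return approver == requester
    if requirement == "manager_of_requester":
        return approver == DIRECTORY.get(requester, {}).get("manager")
    return requirement in DIRECTORY.get(approver, {}).get("roles", set())


def evaluate(action: dict, assertions: list, now: int) -> tuple:
    """Return (allowed, unmet): unmet lists policy requirements with no valid, distinct approver.

    Each verified identity may satisfy only one requirement, so a single person
    (or a single stolen session) cannot stand in for both halves of a dual control.
    """
    aid = action_id_for(action)
    verified = {a.approver for a in assertions if assertion_is_valid(a, aid, now)}
    used, unmet = set(), []
    for req in POLICY[action["type"]]:
        match = next((p for p in sorted(verified - used)
                      if _satisfies(req, p, action["requester"])), None)
        if match is None:
            unmet.append(req)
        else:
            used.add(match)
    return (not unmet, unmet)


if __name__ == "__main__":
    now = 1_700_000_000
    req = {"type": "approve_connected_app", "requester": "alice@example.com",
           "app": "constructed-data-loader"}
    aid = action_id_for(req)
    # Only the real CRM admin approved; the "manager" on the phone never completed SSO.
    print(evaluate(req, [issue_assertion(aid, "alice@example.com", now - 10)], now))
    # Both the admin and her manager completed the challenge for this exact request.
    print(evaluate(req, [issue_assertion(aid, "alice@example.com", now - 10),
                         issue_assertion(aid, "bob@example.com", now - 20)], now))
```

The point to notice is in `assertion_is_valid` and the distinct-approver loop: a caller who does not control the employee’s IdP identity cannot produce a signature that verifies, an approval minted for one app cannot be reused for another, and a five-minute freshness window stops an old approval being dusted off later. The greedy requirement matching is enough for the two-rule policy shown; a policy with overlapping roles would want a proper bipartite match.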


Takeaways for Security and IT Leaders

  • Treat CRM access and connected apps as crown jewels.
  • Assume HR, IT and finance identities will be impersonated over phone, SMS, Slack and beyond.
  • Bake a human identity challenge into any workflow where a single employee can enable large-scale access or data export.

If your people are your perimeter, Veraproof Challenge is the access gate they need.