MailGuard Aug 14, 2025 3:37:46 PM 7 MIN READ

Why “tech-savvy” teams still fall for social engineering, and how partners can help

There’s a comfortable myth doing the rounds in boardrooms and stand-ups: our people are too tech-savvy to be phished. Recent events say otherwise, suggesting that complacency is the new vulnerability. 

In the past few weeks, multiple outlets reported that staff at one of the world’s most sophisticated technology companies were talked into authorising access to a Salesforce environment after a wave of voice-phishing calls. Google’s own threat team then published a technical analysis of phone-based social engineering leading to data theft and extortion, the same pattern later acknowledged to have hit one of its Salesforce instances. The lesson isn’t that anyone was careless; it’s that well-run companies are still made up of humans, and humans can be convinced.

This campaign didn’t rely on malware. It leaned on confidence, cadence and context. Operators posed as support staff, built rapport over multiple calls, and pushed targets toward authorising a connected app or similar access that looked routine. Once inside, they focused on CRM data, contact information, notes and other commercially sensitive details, then moved to extortion. Google’s analysts estimate around 20 organisations were swept up in the broader activity.

And it isn’t an isolated story. Reporting links the same playbook to other brands across sectors, from global tech and airlines to retailers and luxury goods (think Qantas, Chanel, Pandora, Allianz, and now Google), reminding us that cloud systems and their users are now the soft underbelly of many businesses. Separate coverage notes similar breaches of Salesforce data at other firms, and consumer-facing brands have disclosed third-party CRM compromises in recent days.

Why smart people still get fooled

1) The channel has changed.

Email remains the number-one entry point, but phone-first phishing (vishing) removes the visual cues we’ve trained for in inboxes. A calm voice, a case number, and a believable “need” are often enough to nudge someone past a prompt.

2) The ask looks normal.

No executable. No sketchy link. Just a request to approve a login, install a “helper,” or permit a connected app. All of those actions are completely legitimate in the right context, which is exactly why they work in the wrong one.

3) The target is the workflow, not the firewall.

Attackers ride the same SaaS and identity rails we use every day. The control plane is human, and the blast radius is the data your clients run their businesses on.

What this means for MSPs and resellers

Partners sit closest to the day-to-day realities of customers’ cloud estates. You see the configuration drift, the ad-hoc approvals, the “just for this quarter” exceptions. Here’s how to turn that visibility into resilience.

1) Reframe awareness: from “don’t click” to “don’t approve”

Add vishing and app-approval drills to your training cadence. Teach frontline staff to treat unsolicited phone requests that end in MFA approvals, OAuth grants, or Data Loader usage as red-flag events. Provide a one-page call-back script and require independent number look-ups before any change is approved.

2) Harden SaaS by default, especially CRM

  • Lock down connected apps in Salesforce (block by default; allow by business case).
  • Enforce phishing-resistant MFA (security keys/WebAuthn) and conditional access.
  • Disable or constrain bulk export tools; monitor for unusual Data Loader activity.
  • Alert on new OAuth grants, token scopes, and anomalous API reads/writes.

3) Double down on email defences, because the first touch is still the inbox

Even when the final trick happens on the phone, it usually starts with an email: a calendar invite, a ticket receipt, a fake escalation. MailGuard’s AI/ML engine is built to catch those first-encounter messages that evade native controls in Microsoft 365, giving your clients a faster, independent layer to prevent the social engineering journey from ever beginning.

4) Instrument what matters

  • Playbooks: Create three simple runbooks: Suspicious call, Unexpected approval, and CRM anomaly.
  • Signals: Track new domain approvals, first-time admin actions, spikes in record exports.
  • People: Nominate a human circuit breaker (someone who can say “stop” when instincts tingle).
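
The alerting bullets in step 2 and the signals in step 4, sketched as detection logic over constructed events. This is an added example, not MailGuard or Salesforce code; the event schema, allow-list, scope set and thresholds are assumptions to map onto your own audit logs.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events in a hypothetical normalised schema (not a real
# Salesforce log format). Map your own audit/event-log fields onto these keys.
EVENTS = [
    {"day": 1, "user": "alice", "type": "api_read", "records": 120},
    {"day": 2, "user": "alice", "type": "api_read", "records": 150},
    {"day": 2, "user": "bob", "type": "api_read", "records": 200},
    {"day": 3, "user": "bob", "type": "api_read", "records": 180},
    {"day": 3, "user": "alice", "type": "oauth_grant",
     "app": "Sales Console", "scopes": ["id"]},
    {"day": 4, "user": "alice", "type": "api_read", "records": 900},
    {"day": 5, "user": "bob", "type": "oauth_grant",
     "app": "Data Helper", "scopes": ["api", "refresh_token"]},
    {"day": 5, "user": "bob", "type": "api_read", "records": 48000},
]

APPROVED_APPS = {"Sales Console"}                # assumed allow-list (block by default)
BROAD_SCOPES = {"full", "api", "refresh_token"}  # assumed set of "broad" scopes


def detect(events, approved_apps=APPROVED_APPS, spike_factor=5, floor=1000):
    """Return (day, user, rule) alerts for risky grants and export spikes."""
    alerts, history = [], defaultdict(list)  # history: user -> normal read sizes
    for ev in sorted(events, key=lambda e: e["day"]):
        key = (ev["day"], ev["user"])
        if ev["type"] == "oauth_grant":
            if ev["app"] not in approved_apps:
                alerts.append((*key, "unapproved_app_grant"))
            if BROAD_SCOPES & set(ev["scopes"]):
                alerts.append((*key, "broad_scope_grant"))
        elif ev["type"] == "api_read":
            past = history[ev["user"]]
            baseline = mean(past) if past else 0
            # Flag reads above an absolute floor AND far above the user's norm.
            if ev["records"] >= floor and ev["records"] > spike_factor * baseline:
                alerts.append((*key, "export_spike"))
            else:
                past.append(ev["records"])  # flagged reads never raise the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Each alert maps to a runbook: the two grant rules feed "Unexpected approval" and the spike rule feeds "CRM anomaly".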

5) Sell security like uptime

Frame these controls as operational risk reduction, not just cyber hygiene. Less data walking out the door means fewer disclosure costs, fewer customer notifications, and less reputational drag the next time supply-chain headlines flare.

Here are some talking points for your next customer meeting

  • “Assume a phone call will be the second stage of the next email attack.”
  • “Approvals are credentials. Treat OAuth grants and MFA pushes like passwords.”
  • “CRM is crown-jewel adjacent. The data may be ‘just contacts,’ but it maps your pipeline, spend and relationships.”
  • “Layers beat luck. Add a dedicated, real-time email security layer to Microsoft 365 to stop first-encounter threats before they become phone calls.”

The MailGuard view

At MailGuard, we’ve invested two decades, and over $35m, building an AI & ML-powered engine to block real-world email threats hours (and sometimes months) faster than default layers. For partners, that means a repeatable, high-value control you can deploy quickly across your base, backed by human threat ops who surface campaigns like the one above before they hit the morning stand-up.

Where partners make the difference

Your edge is proximity: you own the relationship and the stack. Use that to close the human-machine gap with practical controls, disciplined defaults, and fast feedback loops. We’ll keep intercepting what we see across the MailGuard network; together we can lower the cognitive load on busy teams so the right decision is also the easy one.

Keeping Businesses Safe and Secure

Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their cyber resilience so that threats never land in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk, for example a specialist AI-powered email threat detection solution like MailGuard.

For a few dollars per staff member per month, businesses are protected by MailGuard's specialist, zero zero-day email security. Special Ops for when speed matters! Our real-time, zero zero-day email threat detection amplifies your client’s intelligence, knowledge, security and defence.

MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your clients today to ensure they’re prepared and get in touch with our team to discuss fortifying your client’s cyber resilience.

Talk to us

MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners call 1888 848 2822

UK partners call 0 800 404 8993

 
