If you’re responsible for securing a federal Salesforce environment, the threat landscape shifted faster in 2025 than any single team could track. The U.S. federal civilian workforce shrank by 10.8%, a net loss of more than 249,000 employees across government. CISA, the nation’s lead cybersecurity agency, lost roughly a third of its staff, dropping from approximately 3,700 employees to between 2,200 and 2,600. Federal cybersecurity teams didn’t just lose colleagues. They lost institutional knowledge, coverage, and the bandwidth to investigate security gaps that hadn’t been priorities before the cuts.
You already know what that means for your team. More Experience Cloud portals, more Email-to-Case workflows, more integrations, fewer people. On February 14, 2026, CISA ordered federal agencies to patch a critical BeyondTrust vulnerability within three days after attackers began actively exploiting it. Days earlier, Microsoft disclosed a new evolution of the ClickFix social engineering technique that tricks users into executing malicious commands through DNS lookups, bypassing traditional security tools entirely.
How AI Is Changing the Federal Threat Landscape
The threat landscape facing federal agencies in 2026 has fundamentally changed. According to FedTech Magazine, security experts identify three converging threats targeting government: OAuth token exploitation (where attackers “log in” rather than “break in”), shadow AI creating unmonitored data exposure, and AI-powered automated vulnerability discovery that finds security gaps faster than teams can patch them.
The Microsoft Digital Defense Report 2025 puts hard numbers on how much worse it’s gotten. AI-generated phishing emails now achieve a 54% click-through rate compared to 12% for traditional phishing, making them 4.5 times more effective. AI-enabled mobile attacks, including targeted smishing campaigns and deepfakes, are now among the most likely cyberattack vectors to succeed, with mobile incidents up more than 80% year over year. And adversaries have begun deploying autonomous malware that adapts in real time to bypass the very security controls designed to stop it.
ClickFix attacks surged 517% in the first half of 2025 and have been adopted by nation-state groups from North Korea, Iran, and Russia. The technique tricks users into executing malicious commands on their own machines by disguising them as routine fixes or CAPTCHA verifications. Because the user initiates the execution, traditional endpoint security tools treat the activity as legitimate. Microsoft’s latest disclosure shows ClickFix now uses DNS infrastructure to stage payloads, blending malicious traffic into normal network activity that many security tools can’t distinguish.
Meanwhile, the criminal marketplace fueling these attacks has scaled dramatically. Initial access brokers, criminal groups that specialize in breaching networks and selling that access to ransomware operators, have seen access-for-sale in government and healthcare sectors rise up to 900%. Attackers no longer need to find their own way in. They can buy pre-compromised credentials to federal systems on dark web marketplaces and hand them off to ransomware groups ready to deploy. Global ransomware attacks surged 126% in Q1 2025 alone.
Nation-State Campaigns Are Hitting Federal Systems Directly
The U.S. Intelligence Community assesses that the People’s Republic of China is “the most active and persistent cyber threat” to U.S. institutions. The government sector was the second most attacked sector globally in Q1 2025, averaging 2,678 attacks per organization per week, a 51% increase year over year. The Microsoft Digital Defense Report 2025 ranked government tied with information technology as the most impacted sector. According to Check Point’s “Threats to the Homeland” report, when geopolitical tensions spike, cyber incidents against U.S. government systems increase by 35 to 45% within months.
The campaigns targeting federal systems are not theoretical. In December 2025, Salt Typhoon breached email systems used by U.S. House committee staffers on the foreign affairs, intelligence, armed services, and China committees. Earlier in 2025, a DHS report revealed Salt Typhoon had compromised an Army National Guard network. In August, the FBI called Salt Typhoon’s campaign “one of the most consequential cyber espionage breaches” in the United States, with infiltrations across more than 200 targets in over 80 countries. That same month, CISA, the NSA, the FBI, and cybersecurity agencies from 12 allied nations issued a joint advisory warning that PRC-backed threat actors are expanding beyond telecommunications into government, transportation, and military infrastructure.
Volt Typhoon embedded itself inside U.S. critical infrastructure, including power grids, water systems, and federal networks, for five or more years, not to steal data, but to position for disruption during a future geopolitical crisis. These groups gain long-term access, lie dormant, and wait.
For federal Salesforce teams, this context matters. The same nation-state actors targeting telecommunications networks and congressional email systems are also exploiting OAuth tokens, third-party integrations, and the trust organizations place in connected applications. Every platform in your environment that lacks active monitoring is a potential blind spot.
Human Error Still Drives the Majority of Federal Breaches
For all the attention AI-powered threats deserve, the 2025 Verizon Data Breach Investigations Report found that 60% of all breaches still involve the human element: employees clicking phishing links, reusing passwords, or mishandling sensitive data. IBM reports that 42% of CISOs identify employee carelessness as their top cybersecurity risk, and just 8% of employees account for 80% of security incidents.
The most expensive breach often starts with the simplest mistake. Federal Salesforce teams are particularly exposed because most don’t receive Salesforce-specific security training. They know general cybersecurity hygiene, but not where files enter Salesforce unscanned, how URLs bypass detection across custom objects, or what outbound emails leave their org without inspection.
Supply-Chain Attacks Already Compromised 960+ Salesforce Orgs in 2025
In 2025, a supply-chain attack exploiting OAuth tokens in Salesforce integrations compromised over 960 organizations, including Fortune 500 companies with mature security programs. The attackers didn’t exploit a Salesforce platform vulnerability. They exploited the trust organizations placed in connected applications, using compromised OAuth tokens to access Salesforce data through third-party integrations like Salesloft and Gainsight. The ShinyHunters extortion group claimed their total victim count reached approximately 1,500 organizations.
CISA blocked 2.62 billion malicious connections within the federal civilian network in 2025. The question is not whether attackers are targeting the platforms your agency depends on. It’s whether your Salesforce org has the same level of visibility as the rest of your security stack.
Where Salesforce’s Native Security Leaves Gaps in Threat Detection
Salesforce invests heavily in infrastructure security, access controls, and encryption. But comprehensive threat detection for content flowing through your org is not part of that scope, and most federal teams don’t realize where the gaps are until an audit surfaces them.
Unscanned file uploads across every entry point. Files entering through any Salesforce Cloud product, whether via a portal, Email-to-Case, Chatter, Slack, WhatsApp, or API integrations, are not scanned for malware. Whether your agency runs Experience Cloud, Health Cloud, Financial Services Cloud, or Government Cloud, the gap is the same. Salesforce provides file type filtering based on extensions and MIME types, but an attacker who renames a malicious executable to “application.pdf” passes through because filtering trusts the extension.
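To make the extension-trust gap concrete, here is an added example (not Salesforce or EzProtect code) that places a filename-based filter beside a content-based one that reads the file's leading bytes; the signature table and the two sample uploads are constructed for illustration and are not exhaustive.

```python
"""Extension-based filtering vs. content-based file type detection.

Added example, not code from Salesforce or EzProtect. A filter that trusts the
filename extension passes a renamed executable; checking the file's leading
bytes ("magic numbers") catches the mismatch. The signature table is a small
illustrative assumption, and the sample uploads below are constructed inline.
"""
import os

# Assumption: a few common magic-number signatures, not a complete table.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"MZ": "exe",            # Windows PE / DOS executable header
    b"\x7fELF": "elf",       # Linux executable
    b"PK\x03\x04": "zip",    # also the container for docx/xlsx
    b"\x89PNG\r\n\x1a\n": "png",
}

ALLOWED_EXTENSIONS = {"pdf", "png", "zip"}


def _extension(filename):
    return os.path.splitext(filename)[1].lstrip(".").lower()


def extension_filter_allows(filename):
    """Weak check: trusts whatever the uploader named the file."""
    return _extension(filename) in ALLOWED_EXTENSIONS


def detect_type(data):
    """Type implied by the leading bytes, or None if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def content_filter_allows(filename, data):
    """Hardened check: extension must be allowed AND agree with the real content."""
    ext = _extension(filename)
    return ext in ALLOWED_EXTENSIONS and detect_type(data) == ext


# Constructed samples: a genuine PDF header and a PE executable renamed to .pdf.
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, data in [("report.pdf", REAL_PDF), ("application.pdf", RENAMED_EXE)]:
        print(name, "extension filter:", extension_filter_allows(name),
              "content filter:", content_filter_allows(name, data),
              "actual type:", detect_type(data))
```

The renamed executable passes the extension filter but is rejected by the content filter, which is the difference between trusting a label and inspecting the bytes.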
Salesforce introduced a beta virus scanning feature in the Spring ’26 release, a positive step. But it’s a beta with limited support that doesn’t address URLs, outbound emails, or the broader attack surface. Our CEO tested it head-to-head against EzProtect with a real virus. See what got through and what didn’t.
Malicious URLs hiding in plain sight. URLs embedded in case comments, email fields, custom objects, and text fields across your org go entirely unscanned. A phishing URL in a support case can redirect an agent to a credential-harvesting site without triggering any alert.
Outbound emails bypassing your security gateway. Emails sent from Salesforce bypass your traditional email security tools entirely. Your agency could unknowingly distribute threats to constituents, partners, and other agencies.
No incident response framework for Salesforce-specific threats. Most agencies have incident response procedures for network and endpoint threats, but not for threats that live inside Salesforce objects, fields, and files.
How EzProtect Closes These Gaps
Before evaluating any Salesforce security solution’s capabilities, federal teams need to answer a threshold question: which country’s laws govern your vendor’s data? Data residency, where your data physically sits, is only half the equation. Data sovereignty asks which government can legally compel your vendor to hand over that data. Foreign vendors remain subject to their home government’s laws regardless of where their servers are located. The law follows the corporation, not the server.
For agencies navigating DFARS foreign ownership certification requirements, this is often the determining factor. Every EzProtect team member with access to federal data is a U.S. citizen operating on U.S. soil. U.S. law is the only law that governs your data.
EzProtect was purpose-built for Salesforce, covering every entry point without disrupting operations. Zero trust file protection blocks every file from download until multi-layer scanning completes in seconds, including signature detection, AI-powered behavioral analysis, and true file type detection that reads binary content regardless of extensions. URL scanning detects malicious URLs across unlimited fields and objects. Outbound email protection scans all attachments before they leave Salesforce. And our incident response framework, built on NIST guidelines, is implemented during onboarding before an incident occurs.
Our largest federal customer has processed over two million scans per month for years across their Salesforce environment. The platform was designed by our CEO, a Salesforce Certified Technical Architect with over two decades of platform security experience and author of Securing Salesforce Digital Experiences. EzProtect exists because he saw firsthand what generic security tools miss inside Salesforce.
Free Salesforce Security Training for Federal Teams
Salesforce Security Office Hours are free, bi-weekly sessions where federal practitioners and government IT leaders bring real questions about Salesforce compliance, threat detection, and data protection to CTAs and security experts who understand your environment. No sales pitch, no vendor demo. We also publish comprehensive multimedia Salesforce security content covering the topics discussed here and offer a free Salesforce Security Assessment that requires no access to your org.
Your team protects critical data every day. They deserve the Salesforce security knowledge and resources to do it with confidence.