Workday Warns of Phishing Risks Following CRM Platform Breach

Workday, a prominent human resources and financial management software provider, disclosed a data breach stemming from a social engineering attack that compromised a third-party customer relationship management (CRM) platform. The attackers exploited employee trust through impersonation tactics (posing as HR or IT) to gain unauthorized access to sensitive business contact information.

Severity Level: High

Incident Overview

  • Date Breach Discovered: August 6, 2025
  • Date Disclosed Publicly: August 15, 2025
  • Attack Type: Social engineering (voice phishing, text phishing) and CRM compromise
  • Systems Impacted: Third-party CRM (likely Salesforce)
  • Workday Core Systems/Customer Tenants: Not affected

How The Breach Happened

  1. Initial Vector: Social engineering (phishing + voice phishing) directed at employees.
  2. Impersonation Tactics: Attackers contacted employees pretending to be internal staff (HR or IT), via phone calls or SMS.
  3. Credential Harvesting: Victims were manipulated into authorizing malicious OAuth apps against their CRM accounts.
  4. CRM Exploitation: These OAuth apps granted attackers access to the CRM environment integrated with Workday.
  5. Data Exfiltration: Business contact data was harvested for potential use in further scams or fraud.

  This incident is consistent with the ShinyHunters campaign that leverages malicious OAuth apps to extract CRM data and extort companies.

Data Exposed

  • The compromised information was primarily business contact details, such as:
    • Names
    • Email addresses
    • Phone numbers
  • While this data is not highly sensitive, it significantly increases the risk of secondary phishing, impersonation, and extortion attempts targeting Workday clients and employees.

Threat Actor Profile

  • Suspected Group: ShinyHunters
  • Motivation: Data theft and extortion campaigns.
  • TTPs Observed:
    • Voice phishing (vishing) and SMS phishing (smishing)
    • Malicious OAuth app integrations to Salesforce CRM
    • Credential harvesting and unauthorized data extraction
  • Notable Victims in Same Campaign: Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Chanel, Google, etc.
  • Historical Activity: Linked to Snowflake, AT&T, and PowerSchool breaches.
  • Threat Level: High, due to global scale and persistent targeting of CRM/SaaS platforms.

Lessons Learned

  • Even when customer core systems are not breached, third-party platforms can serve as weak links in the security chain.
  • Exposed business contact details, though seemingly low risk, can be leveraged for larger-scale phishing and impersonation campaigns.
  • Attackers increasingly exploit OAuth integrations and SaaS connections, making governance of third-party apps critical.

Recommendations

  1. Conduct mandatory phishing and vishing simulation exercises to help employees detect impersonation attempts.
  2. Establish a clear reporting mechanism for suspicious emails, calls, or texts.
  3. Enforce multi-factor authentication (MFA) for all CRM and SaaS accounts, with adaptive MFA based on login context.
  4. Apply least-privilege access controls for CRM data to minimize exposure of non-essential information.
  5. Periodically audit employee access and revoke unused CRM accounts.
  6. Implement strict OAuth app approval workflows for Salesforce and other CRM platforms.
  7. Continuously monitor for unverified or malicious app integrations, a common vector used in ShinyHunters campaigns.
  8. Regularly review and security-test CRM and SaaS vendors for resilience against social engineering campaigns.
  9. Limit the type of customer data stored in CRM to reduce breach impact.
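Recommendations 6 and 7 (OAuth app approval workflows and continuous monitoring for unverified integrations) are the ones that would have caught the pattern described in this advisory. The following is an added example, not Workday's or Salesforce's code: it audits a connected-app inventory against an approval allowlist and flags the combination seen in this campaign (an app outside the allowlist, with broad scopes, authorized by several users within days). The export shape, field names (`app_id`, `scopes`, `first_authorized`, `publisher_verified`) and the sample rows are constructed assumptions, not a real vendor schema; replace the loader with your CRM's own connected-app or OAuth-token report.

```python
"""Audit a CRM connected-app inventory against an OAuth approval allowlist.

Added example (not the advisory's or any vendor's code). The export below is
constructed; field names are assumptions, not a real CRM schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of what a connected-app / OAuth-token report might contain.
CONSTRUCTED_EXPORT = [
    {"app_name": "Workday Integration", "app_id": "app-001",
     "scopes": ["api", "refresh_token"], "authorizing_users": 3,
     "first_authorized": "2024-03-01T09:00:00Z", "publisher_verified": True},
    {"app_name": "Data Loader", "app_id": "app-002",
     "scopes": ["api", "refresh_token", "full"], "authorizing_users": 2,
     "first_authorized": "2023-11-12T14:30:00Z", "publisher_verified": True},
    # Shape of the vishing-driven pattern: look-alike name, broad scopes,
    # unverified publisher, several users authorizing it within a few days.
    {"app_name": "Data Loader (Support)", "app_id": "app-903",
     "scopes": ["full", "refresh_token", "web"], "authorizing_users": 4,
     "first_authorized": "2025-08-04T16:12:00Z", "publisher_verified": False},
]

# Assumed allowlist maintained by the app approval workflow (recommendation 6).
APPROVED_APP_IDS = {"app-001", "app-002"}
# Scopes that grant broad or persistent access; treated as high risk here.
HIGH_RISK_SCOPES = {"full", "refresh_token", "web"}
RECENT_DAYS = 14


@dataclass
class Finding:
    app_id: str
    app_name: str
    severity: str        # "high" | "medium" | "info"
    reasons: list[str]


def _parse_ts(value: str) -> datetime:
    # Accept the trailing "Z" form that many exports use.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_connected_apps(export, approved, now: datetime | None = None) -> list[Finding]:
    """Return one Finding per app that needs attention; clean apps are skipped."""
    now = now or datetime.now(timezone.utc)
    findings: list[Finding] = []
    for app in export:
        reasons: list[str] = []
        unapproved = app["app_id"] not in approved
        if unapproved:
            reasons.append("not on approval allowlist")
        risky = HIGH_RISK_SCOPES & set(app["scopes"])
        if risky:
            reasons.append(f"high-risk scopes: {sorted(risky)}")
        if not app.get("publisher_verified", False):
            reasons.append("publisher not verified")
        age = now - _parse_ts(app["first_authorized"])
        recent = age <= timedelta(days=RECENT_DAYS)
        if recent:
            reasons.append(f"first authorized {age.days} days ago by "
                           f"{app['authorizing_users']} users")
        if not reasons:
            continue
        # Unapproved apps escalate when they also carry broad scopes or appeared
        # recently; approved apps with broad scopes are only noted for review.
        if unapproved:
            severity = "high" if (risky or recent) else "medium"
        else:
            severity = "info"
        findings.append(Finding(app["app_id"], app["app_name"], severity, reasons))
    return findings


def revocation_candidates(findings: list[Finding]) -> list[str]:
    """App ids whose grants should be revoked pending review (high severity)."""
    return [f.app_id for f in findings if f.severity == "high"]


def audit_sample(now_iso: str = "2025-08-06T00:00:00Z") -> list[Finding]:
    """Run the audit over the constructed export at a fixed point in time."""
    return audit_connected_apps(CONSTRUCTED_EXPORT, APPROVED_APP_IDS, _parse_ts(now_iso))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.severity.upper()}] {f.app_id} {f.app_name!r}: {'; '.join(f.reasons)}")
    print("revoke pending review:", revocation_candidates(audit_sample()))
```

Run the audit on a schedule against a fresh export and alert on any "high" finding; the allowlist itself should only change through the approval workflow, so a new app id outside it is by definition something nobody approved.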

Sources:

  • https://blog.workday.com/en-us/protecting-you-from-social-engineering-campaigns-update-from-workday.html
  • https://www.bleepingcomputer.com/news/security/hr-giant-workday-discloses-data-breach-amid-salesforce-attacks/

Ampcus Cyber