September 15, 2025

FBI Alert: Salesforce Cyber Attacks Put Kansas City AEC Firms at Risk

Here’s the plain truth: if your firm relies on Salesforce to manage client relationships, bids, or project data, you’ve just been put on notice. The FBI released a FLASH alert on September 12, 2025, detailing how two cybercriminal groups UNC6040 and UNC6395 are actively targeting Salesforce platforms across industries, including architecture, engineering, and construction (AEC). Their goal? Steal data and extort firms like yours.

In a region like Kansas City, where over 1,200 AEC firms are competing for contracts, this threat has serious implications. A breach doesn’t just slow you down—it can derail federal bids, damage client trust, and put your compliance standing at risk.

Let’s unpack what this FBI warning means for AEC firms in Kansas City, and more importantly, how you can protect your business.

What the FBI Is Warning About

The FLASH report names two active campaigns:

  • UNC6040: The Vishing Crew
    Since late 2024, UNC6040 has been calling into company help desks pretending to be IT staff fixing “connectivity issues.” During the call, they trick employees into sharing login credentials or approving malicious Salesforce apps. Once inside, they use Salesforce’s own APIs to bulk-exfiltrate sensitive customer data.

  • UNC6395: The Token Hijackers
    More recently, UNC6395 compromised OAuth tokens tied to the Salesloft Drift chatbot, which integrates with Salesforce. Using those stolen tokens, they slipped into firms’ Salesforce environments to steal data until Salesforce revoked all Drift tokens in August 2025.

In both cases, attackers aren’t just stealing files, they’re leveraging trusted integrations to bypass security controls like MFA. That means the attack traffic looks “normal,” making it harder for traditional defenses to spot.

Some victims have even received extortion emails from groups like ShinyHunters demanding cryptocurrency payments to keep stolen data from being leaked.

Why Kansas City AEC Firms Are at Higher Risk

Kansas City’s AEC ecosystem has unique traits that make firms here particularly vulnerable:

  • Federal & Defense-Adjacent Work
    Many local engineers and subs touch municipal, utilities, or even defense-related projects. Federal compliance standards like NIST 800-171 and CMMC 2.0 are already table stakes. A Salesforce breach could sink a bid before it even leaves the drafting table.

  • Multi-Firm Collaboration
    KC’s construction scene thrives on partnerships. With over 346 million square feet of industrial space in play, multiple firms often share access to Salesforce data for bids, subs, and design collaboration. Every additional connection widens the attack surface.

  • Data-Heavy Workflows
    Large BIM models (1–10+ GB) and scan-to-BIM workflows already strain IT infrastructure. Add in Salesforce integrations for client tracking and vendor management, and you’ve got another treasure trove of sensitive data attractive to attackers.

  • Local Market Pressure
    Office vacancies here are below the national average, fueling steady downtown design work, while massive hyperscale data center builds are ramping up near KCI. Firms racing to meet deadlines may cut corners on security if IT feels like a bottleneck.

In short: Kansas City’s AEC firms have both the data value and the collaboration complexity that cybercriminals love to exploit.

The Stakes for Your Firm

Let’s put it in real-world terms for a KC firm:

  • Project Delays: If Salesforce access gets locked down during an incident, client communications and bid submissions can grind to a halt. In AEC, that means missed deadlines and angry owners.

  • Compliance Fallout: A Salesforce breach tied to Controlled Unclassified Information (CUI) could trigger reporting under federal contracts, jeopardizing eligibility for future defense work.

  • Reputation Damage: Imagine having to tell the City of Kansas City or a major developer that their data was leaked. In a tightly networked market like KC, word travels fast.

  • Financial Loss: Extortion demands plus downtime costs stack up. Add in higher cyber insurance premiums, and the price of unpreparedness multiplies.

FBI-Backed Mitigations for AEC Firms

The FBI’s FLASH didn’t just raise alarms it also listed practical steps firms can take. Here’s how they translate for Kansas City AEC leaders:

  1. Train Your Front Lines
    Call centers, project admins, and reception desks are the first line of defense. UNC6040 is exploiting people who answer the phone. Train them to spot vishing tactics like urgent IT tickets or requests for login codes.

  2. Enforce Phishing-Resistant MFA
    SMS codes are no longer enough. Use phishing-resistant MFA like hardware keys or app-based authenticators for Salesforce logins.

  3. Limit Privileges
    Apply the principle of least privilege. Not every user needs to approve Salesforce apps or run bulk data exports. Use AAA (authentication, authorization, and accounting) controls.

  4. Harden Third-Party Integrations
    Review every connected app in Salesforce. Rotate API keys and authentication tokens, and shut down unused integrations. If your firm uses Salesloft Drift, confirm that tokens were revoked after the August 2025 incident.

  5. Monitor for Anomalies
    Watch for unusual API calls or large data exports. Salesforce logs should be monitored alongside your broader SIEM or logging tools.

  6. Secure the Jobsite Too
    Don’t forget that jobsite trailers often run Salesforce-linked workflows for RFIs and client communications. Apply the same MFA, monitoring, and network restrictions there.

How Kansas City MSPs Can Help

Here’s the plain truth again: most AEC firms don’t have the bandwidth to chase every cyber alert. That’s where a specialized Managed Service Provider (MSP) with AEC expertise steps in.

For KC firms, the right MSP should offer:

  • BIM-Grade Security and Performance: Protect Salesforce without slowing down Autodesk or Procore workflows.

  • Jobsite IT Kits: Rapid-deploy firewalls, LTE/5G connectivity, and secure trailer setups so remote teams stay protected.

  • Compliance Roadmaps: Gap assessments for NIST 800-171 and CMMC 2.0, plus support for Missouri-specific breach notification rules.

  • Vendor Management: One partner to handle Salesforce, Autodesk, Procore, Bluebeam, and Microsoft because fragmented vendor support creates gaps.

An MSP that “speaks BIM fluently” and understands KC’s build cycle isn’t just nice to have it’s essential.

Localizing the Takeaway for Kansas City

Cybercriminals don’t care that your firm is in Kansas City, but your clients, contracts, and compliance officers do. With hyperscale data centers breaking ground near KCI and steady commercial development downtown, the stakes are only getting higher.

If your Salesforce platform gets compromised, you don’t just risk dat;a you risk being left behind in a fiercely competitive market.

The FBI has given AEC leaders a clear playbook. The question is: will you act on it before an attacker dials your number?

Final Word

AEC firms in Kansas City have weathered recessions, supply chain disruptions, and labor shortages. Cybersecurity is just the next storm to prepare for. The good news? The FBI has handed you the tools to fight back.

By training your people, locking down Salesforce integrations, and partnering with an MSP that knows both BIM and compliance, you can protect your data, your contracts, and your reputation.

Here’s the plain truth: in 2025, cybersecurity isn’t just IT’s problem it’s a business survival strategy.