Critical Update: Astrix Research Team Discovers UNC6395 OAuth Compromise Spanning Salesforce, Google Workspace, and AWS

Tomer Yahalom September 2, 2025

Following Google Threat Intelligence Group’s (GTIG) initial disclosure of the UNC6395 campaign targeting Salesforce environments through compromised Salesloft Drift OAuth tokens, Astrix Security has uncovered significant expansion of the threat actor’s activities across multiple cloud platforms. Our investigation reveals previously undisclosed attack vectors and provides critical indicators of compromise (IoCs) for security teams.

Background: The Initial Discovery

Between August 8 and 18, 2025, threat actor UNC6395 leveraged compromised OAuth tokens from the Salesloft Drift application to infiltrate Salesforce organizations. The campaign involved bulk data exfiltration and credential harvesting, specifically targeting AWS and Snowflake secrets while successfully bypassing multi-factor authentication (MFA) controls.

Salesforce and Salesloft responded on August 20, revoking all Drift tokens. Later, GTIG published a detailed report identifying the threat actor and its IoCs. Importantly, no core vulnerabilities were identified in the Salesforce platform itself.

In our initial advisory, Astrix recommended organizations take immediate action, including:

  • Comprehensive review of Event Monitoring logs for anomalous queries and bulk exports
  • Immediate revocation and rotation of potentially compromised tokens
  • Full audit of connected applications with enforcement of least-privilege principles
  • Thorough scanning of potentially exfiltrated datasets for exposed secrets

New Findings: Expanded Attack Surface

Astrix Security’s research team has identified critical new dimensions to this campaign:

Key Discoveries

  • Google Workspace Compromise

    The Drift Email OAuth application for Google Workspace was also actively exploited by UNC6395, specifically for email exfiltration
  • AWS Reconnaissance

    Identification of a suspicious AWS account systematically probing for publicly accessible S3 buckets
  • Expanded Infrastructure

    Discovery of 183 previously undisclosed IP-based indicators of compromise, all of which are Tor exit nodes

Immediate Remediation Steps

Google Workspace Protection

Organizations must immediately revoke Drift Email access from their Google Workspace environment:

  1. Navigate to https://admin.google.com/u/1/ac/owl/list?tab=configuredApps logged in as Workspace Administrator
  2. Select “Configure new app” and input the Drift Email application ID
  3. Select the Drift Email application and click Continue
  4. Configure restriction scope (entire domain or specific organizational units)
  5. Set access status to “Blocked”
  6. Confirm changes by clicking Continue and Finish

Log Analysis Requirements

Security teams should conduct comprehensive searches across:

  • AWS CloudTrail

    Identify S3 access attempts where the caller identity belongs to the suspected AWS account ID (see the IoC section). In each CloudTrail record the caller's account ID appears in the userIdentity.accountId field.
  • All Security Logs

    Review any access from newly identified suspicious IP addresses during the campaign window (August 8-18, 2025). Since these addresses are Tor exit nodes shared by legitimate users, access from these IPs alone should not be considered malicious. Security teams should look for these addresses performing suspicious actions during the campaign window.
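The two searches above can be scripted against a CloudTrail export. The following is an added example (not code from the Astrix advisory) that applies both checks to CloudTrail-style records: it flags S3 calls whose userIdentity.accountId is the suspect account ID from the IoC table, and it flags calls from the Tor exit-node IoCs only when they fall inside the campaign window and perform an enumeration or bulk-read action, which is the caveat the advisory makes about shared exit nodes. The field names are CloudTrail's own; the events in SAMPLE_EVENTS, the bucket names and the SUSPICIOUS_ACTIONS set are constructed for the example, and only four of the 183 Tor addresses are loaded.

```python
"""
Added example, not code from the Astrix advisory: an offline triage script
that applies the advisory's two log checks to CloudTrail-style records.

Check 1: S3 API calls whose caller identity carries the suspect AWS account
         ID listed in the advisory's IoC table (userIdentity.accountId).
Check 2: calls from the Tor exit-node IoCs inside the campaign window
         (August 8-18, 2025) that perform an enumeration or bulk-read action.
         A Tor IP by itself is not flagged.

Field names follow the CloudTrail record schema; SAMPLE_EVENTS is constructed
for this example and is not real telemetry.
"""
import json
from datetime import datetime, timezone

SUSPECT_ACCOUNT_ID = "337122806991"          # from the advisory's IoC table
# Four entries from the advisory's 183-address Tor list; load the full table in practice.
TOR_EXIT_IOCS = {"5.2.79.190", "45.84.107.33", "185.220.101.3", "192.42.116.18"}
CAMPAIGN_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
CAMPAIGN_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)
# S3 actions that amount to enumeration or bulk read (an assumed, editable set).
SUSPICIOUS_ACTIONS = {"ListBuckets", "ListObjects", "ListObjectsV2",
                      "GetObject", "GetBucketAcl", "HeadBucket"}


def parse_event_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(ev, reason):
    params = ev.get("requestParameters") or {}
    return {
        "reason": reason,
        "time": ev["eventTime"],
        "action": ev.get("eventName"),
        "ip": ev.get("sourceIPAddress"),
        "caller_account": (ev.get("userIdentity") or {}).get("accountId"),
        "bucket": params.get("bucketName"),
        "error": ev.get("errorCode"),      # AccessDenied on a failed probe
    }


def flag_suspect_account(events):
    """Check 1: any S3 call, successful or denied, made by the suspect account."""
    return [summarize(ev, "suspect-account")
            for ev in events
            if ev.get("eventSource") == "s3.amazonaws.com"
            and (ev.get("userIdentity") or {}).get("accountId") == SUSPECT_ACCOUNT_ID]


def flag_tor_activity(events):
    """Check 2: Tor IoC address + campaign window + enumeration/bulk-read action."""
    hits = []
    for ev in events:
        if ev.get("sourceIPAddress") not in TOR_EXIT_IOCS:
            continue
        if not CAMPAIGN_START <= parse_event_time(ev["eventTime"]) <= CAMPAIGN_END:
            continue
        if ev.get("eventName") not in SUSPICIOUS_ACTIONS:
            continue
        hits.append(summarize(ev, "tor-exit-activity"))
    return hits


def triage(events):
    return {"suspect_account": flag_suspect_account(events),
            "tor_activity": flag_tor_activity(events)}


def load_cloudtrail_file(path):
    """CloudTrail delivers each log file as a JSON object with a Records array."""
    with open(path) as fh:
        return json.load(fh)["Records"]


def _s3_event(time, name, account, ip, bucket, error=None):
    ev = {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
          "sourceIPAddress": ip, "userIdentity": {"type": "AWSAccount", "accountId": account},
          "requestParameters": {"bucketName": bucket}}
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [  # constructed records
    # Denied listing by the suspect account over a Tor exit node, inside the window.
    _s3_event("2025-08-12T03:14:07Z", "ListObjectsV2", SUSPECT_ACCOUNT_ID,
              "185.220.101.3", "acme-customer-exports", "AccessDenied"),
    # Normal in-house access: own account, corporate egress address.
    _s3_event("2025-08-12T09:00:00Z", "GetObject", "111122223333",
              "203.0.113.10", "acme-customer-exports"),
    # Tor exit node in window, but a harmless identity call: not flagged.
    {"eventTime": "2025-08-15T11:22:33Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "5.2.79.190",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333"}},
    # Tor exit node with a listing, but after the campaign window: not flagged.
    _s3_event("2025-08-25T20:00:00Z", "ListBuckets", "111122223333",
              "192.42.116.18", None),
    # Suspect account probing before the window: caught by the account check only.
    _s3_event("2025-08-03T17:45:10Z", "HeadBucket", SUSPECT_ACCOUNT_ID,
              "45.84.107.33", "acme-backups", "AccessDenied"),
]

if __name__ == "__main__":
    for reason, hits in triage(SAMPLE_EVENTS).items():
        print(reason)
        for h in hits:
            print("  ", h)
```

On real data, replace SAMPLE_EVENTS with load_cloudtrail_file() over each delivered log file and populate TOR_EXIT_IOCS from the full table. Note that the account check deliberately ignores the campaign window: a probe from the suspect account on any date is worth reviewing, whereas a Tor exit node is only interesting in combination with time and action.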

Technical Analysis: Threat Actor Methodology

Our investigation leveraged analysis of millions of non-human identity activity logs, cross-referencing against GTIG’s published IoCs with emphasis on non-Tor infrastructure for lower false positives.

Attack Pattern Analysis

The threat actor’s tactics, techniques, and procedures (TTPs) align precisely with GTIG’s documented behavior:

  • Systematic secret scanning within exfiltrated data
  • Lateral movement across cloud services using harvested credentials
  • Reconnaissance of publicly accessible resources following name extraction

AWS-Specific Activity

UNC6395’s AWS operations focused on anonymous access to S3 buckets, with bucket names likely extracted from compromised Salesforce environments. Failed authentication attempts inadvertently exposed the threat actor’s AWS account ID.

Our analysis indicates this malicious AWS account initiated operations in early August 2025, coinciding with the broader campaign timeline. The account generated traffic from 180 previously undisclosed IP addresses, all identified as Tor exit nodes.

Google Workspace App Breach

Update (August 29, 2025): After collaborating with Google Threat Intelligence Group (GTIG), we confirm that Google revoked all “Drift Email” Google Workspace OAuth tokens. If this app was authorized in your Workspace, those specific tokens have been invalidated by Google and no additional customer action is required to revoke them. However, Astrix and GTIG still recommend rotating any credentials/tokens issued to or used by Salesloft Drift, verifying the app is blocked/removed from allowlists, and reviewing Token/Gmail audit logs for any pre-revocation activity.

Most critically, we identified active UNC6395 operations through the Drift Email OAuth application in Google Workspace environments. This represents Salesloft Drift’s official Gmail integration and confirms that the token compromise extended beyond Salesforce infrastructure. Unlike the Salesforce tokens, these Google Workspace OAuth tokens remain active and continue to pose an immediate security risk.
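The update above asks teams to review Token and Gmail audit logs for pre-revocation activity by the Drift Email app. The following is an added example (not the advisory's code and not a Google tool) that does that review offline over Google Workspace Token audit log records: for the Drift Email OAuth client ID from the IoC table it reports, per user, when the grant was made, which scopes it carried, and how many API calls and response bytes the client generated before a cutoff time. The record shape follows the Admin SDK Reports API token activity format as I understand it (id.time, actor.email, ipAddress, and events named "authorize" or "activity" with parameters client_id, app_name, scope, api_name, method_name and num_response_bytes); treat those names as an assumption and map them to your export. The cutoff value, the user addresses and SAMPLE_RECORDS are constructed; the advisory gives no exact revocation timestamp, so set cutoff to the time the grants were revoked in your tenant.

```python
"""
Added example, not code from the Astrix advisory or from Google: offline
review of Workspace Token audit log records for the Drift Email OAuth client.
Parameter names follow the Reports API token activity format as I understand
it and are an assumption; SAMPLE_RECORDS is constructed for this example.
"""
from collections import defaultdict

DRIFT_EMAIL_CLIENT_ID = ("1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q"
                         ".apps.googleusercontent.com")      # from the IoC table
# Gmail scope URIs that grant read access to the whole mailbox.
FULL_MAILBOX_SCOPES = {"https://mail.google.com/",
                       "https://www.googleapis.com/auth/gmail.readonly"}


def flatten_params(event):
    """Turn a Reports API parameter list into a plain dict."""
    out = {}
    for p in event.get("parameters", []):
        if "multiValue" in p:
            out[p["name"]] = list(p["multiValue"])
        elif "intValue" in p:
            out[p["name"]] = int(p["intValue"])   # the API returns ints as strings
        elif "value" in p:
            out[p["name"]] = p["value"]
    return out


def _new_entry():
    return {"granted_at": None, "scopes": [], "calls": 0,
            "bytes": 0, "methods": set(), "ips": set()}


def review_token_log(records, client_id=DRIFT_EMAIL_CLIENT_ID, cutoff=None):
    """Per-user summary of grants and API activity for one OAuth client.
    cutoff: optional ISO-8601 UTC timestamp; records at or after it are
    ignored so that only the pre-revocation window is summarised."""
    per_user = defaultdict(_new_entry)
    for rec in records:
        when = rec["id"]["time"]
        if cutoff and when >= cutoff:      # same-format UTC strings sort lexically
            continue
        user = rec.get("actor", {}).get("email", "unknown")
        for ev in rec.get("events", []):
            p = flatten_params(ev)
            if p.get("client_id") != client_id:
                continue
            entry = per_user[user]
            if ev.get("name") == "authorize":
                entry["granted_at"] = when
                entry["scopes"] = p.get("scope", [])
            elif ev.get("name") == "activity":
                entry["calls"] += 1
                entry["bytes"] += p.get("num_response_bytes", 0)
                entry["methods"].add(p.get("method_name", "unknown"))
                if rec.get("ipAddress"):
                    entry["ips"].add(rec["ipAddress"])
    return dict(per_user)


def users_with_full_mailbox_grant(summary):
    """Users whose grant to the client included a full-mailbox scope."""
    return sorted(u for u, e in summary.items() if FULL_MAILBOX_SCOPES & set(e["scopes"]))


def _record(time, email, name, params, ip=None):
    rec = {"id": {"time": time, "applicationName": "token"}, "actor": {"email": email},
           "events": [{"type": "auth", "name": name, "parameters": params}]}
    if ip:
        rec["ipAddress"] = ip
    return rec


def _grant(scopes, client_id=DRIFT_EMAIL_CLIENT_ID):
    return [{"name": "client_id", "value": client_id},
            {"name": "app_name", "value": "Drift Email"},
            {"name": "scope", "multiValue": scopes}]


def _call(method, nbytes, client_id=DRIFT_EMAIL_CLIENT_ID):
    return [{"name": "client_id", "value": client_id},
            {"name": "api_name", "value": "gmail"},
            {"name": "method_name", "value": method},
            {"name": "num_response_bytes", "intValue": str(nbytes)}]


SAMPLE_RECORDS = [  # constructed records
    _record("2025-07-30T08:00:00.000Z", "alice@example.com", "authorize",
            _grant(["https://mail.google.com/", "https://www.googleapis.com/auth/userinfo.email"])),
    _record("2025-08-12T03:20:11.000Z", "alice@example.com", "activity",
            _call("gmail.users.messages.list", 48210), ip="185.220.101.3"),
    _record("2025-08-12T03:21:40.000Z", "alice@example.com", "activity",
            _call("gmail.users.messages.get", 901344), ip="185.220.101.3"),
    _record("2025-08-02T10:00:00.000Z", "bob@example.com", "authorize",
            _grant(["https://www.googleapis.com/auth/userinfo.email"])),
    _record("2025-08-10T12:00:00.000Z", "carol@example.com", "activity",
            _call("gmail.users.messages.list", 512, client_id="other-client")),  # unrelated app
    _record("2025-08-30T09:00:00.000Z", "alice@example.com", "activity",
            _call("gmail.users.messages.list", 1000), ip="203.0.113.7"),     # after cutoff
]

if __name__ == "__main__":
    summary = review_token_log(SAMPLE_RECORDS, cutoff="2025-08-29T00:00:00.000Z")
    for user, e in summary.items():
        print(user, e)
    print("full mailbox grants:", users_with_full_mailbox_grant(summary))
```

A user with a full-mailbox grant and a burst of messages.list/messages.get calls from a Tor exit node in the campaign window is the pattern to escalate; a grant with no activity still tells you whose tokens were exposed and should be rotated.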

Conclusion

This expanded understanding of the UNC6395 campaign makes one thing clear: comprehensive OAuth token management across every cloud is non-negotiable. Revoke suspect grants now, monitor continuously for the indicators we provided, and close the lateral movement paths created by chained OAuth abuse and harvested secrets.

Since non-human identities like service principals and application tokens are the pivots, Astrix delivers the coverage that matters: continuous NHI discovery, posture management, and threat detection, with automated remediation that cuts off abuse quickly.

For additional threat intelligence and updates on this developing situation, contact Astrix Security for a quick security assessment.


Indicators of Compromise

Value             Description
1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com  Google OAuth App ID
337122806991      AWS Account ID
5.2.79.190        Tor Exit Node
5.34.182.203      Tor Exit Node
5.255.101.10      Tor Exit Node
5.255.118.151     Tor Exit Node
5.255.123.158     Tor Exit Node
23.129.64.147     Tor Exit Node
23.151.8.8        Tor Exit Node
37.114.50.18      Tor Exit Node
37.114.50.124     Tor Exit Node
38.135.24.30      Tor Exit Node
38.135.24.72      Tor Exit Node
45.66.35.22       Tor Exit Node
45.66.35.35       Tor Exit Node
45.80.158.23      Tor Exit Node
45.83.104.137     Tor Exit Node
45.84.107.33      Tor Exit Node
45.84.107.47      Tor Exit Node
45.84.107.54      Tor Exit Node
45.84.107.74      Tor Exit Node
45.84.107.128     Tor Exit Node
45.84.107.200     Tor Exit Node
45.95.169.110     Tor Exit Node
45.132.246.245    Tor Exit Node
45.134.225.36     Tor Exit Node
45.138.16.240     Tor Exit Node
45.141.215.28     Tor Exit Node
45.141.215.95     Tor Exit Node
46.234.47.105     Tor Exit Node
51.15.59.15       Tor Exit Node
51.38.225.46      Tor Exit Node
54.36.108.162     Tor Exit Node
62.133.45.2       Tor Exit Node
66.220.242.222    Tor Exit Node
71.19.144.106     Tor Exit Node
80.94.92.99       Tor Exit Node
80.253.251.56     Tor Exit Node
88.80.26.2        Tor Exit Node
88.80.26.3        Tor Exit Node
88.80.26.4        Tor Exit Node
89.58.41.156      Tor Exit Node
89.234.157.254    Tor Exit Node
91.219.236.91     Tor Exit Node
93.123.109.116    Tor Exit Node
94.16.115.121     Tor Exit Node
94.142.244.16     Tor Exit Node
104.244.72.115    Tor Exit Node
107.189.1.228     Tor Exit Node
107.189.13.180    Tor Exit Node
107.189.29.184    Tor Exit Node
107.189.30.49     Tor Exit Node
109.70.100.1      Tor Exit Node
109.70.100.4      Tor Exit Node
109.70.100.5      Tor Exit Node
109.70.100.6      Tor Exit Node
109.70.100.66     Tor Exit Node
109.70.100.68     Tor Exit Node
109.70.100.69     Tor Exit Node
109.70.100.70     Tor Exit Node
109.70.100.71     Tor Exit Node
109.71.252.88     Tor Exit Node
109.71.252.97     Tor Exit Node
109.71.252.182    Tor Exit Node
109.104.153.22    Tor Exit Node
124.198.131.223   Tor Exit Node
124.198.132.13    Tor Exit Node
124.198.132.52    Tor Exit Node
124.198.132.172   Tor Exit Node
146.103.43.17     Tor Exit Node
154.53.58.161     Tor Exit Node
171.25.193.35     Tor Exit Node
171.25.193.37     Tor Exit Node
171.25.193.39     Tor Exit Node
171.25.193.77     Tor Exit Node
171.25.193.79     Tor Exit Node
171.25.193.80     Tor Exit Node
176.65.149.84     Tor Exit Node
176.65.149.96     Tor Exit Node
176.65.149.100    Tor Exit Node
178.175.148.246   Tor Exit Node
178.218.144.99    Tor Exit Node
179.43.159.195    Tor Exit Node
179.43.159.197    Tor Exit Node
179.43.159.198    Tor Exit Node
185.40.4.92       Tor Exit Node
185.40.4.100      Tor Exit Node
185.56.83.83      Tor Exit Node
185.100.85.132    Tor Exit Node
185.129.61.3      Tor Exit Node
185.129.61.5      Tor Exit Node
185.129.61.7      Tor Exit Node
185.150.28.13     Tor Exit Node
185.220.100.240   Tor Exit Node
185.220.100.243   Tor Exit Node
185.220.100.246   Tor Exit Node
185.220.100.250   Tor Exit Node
185.220.100.251   Tor Exit Node
185.220.100.254   Tor Exit Node
185.220.100.255   Tor Exit Node
185.220.101.3     Tor Exit Node
185.220.101.4     Tor Exit Node
185.220.101.6     Tor Exit Node
185.220.101.8     Tor Exit Node
185.220.101.9     Tor Exit Node
185.220.101.12    Tor Exit Node
185.220.101.13    Tor Exit Node
185.220.101.18    Tor Exit Node
185.220.101.21    Tor Exit Node
185.220.101.25    Tor Exit Node
185.220.101.33    Tor Exit Node
185.220.101.37    Tor Exit Node
185.220.101.53    Tor Exit Node
185.220.101.54    Tor Exit Node
185.220.101.96    Tor Exit Node
185.220.101.98    Tor Exit Node
185.220.101.99    Tor Exit Node
185.220.101.100   Tor Exit Node
185.220.101.102   Tor Exit Node
185.220.101.108   Tor Exit Node
185.220.101.110   Tor Exit Node
185.220.101.130   Tor Exit Node
185.220.101.133   Tor Exit Node
185.220.101.135   Tor Exit Node
185.220.101.138   Tor Exit Node
185.220.101.142   Tor Exit Node
185.220.101.143   Tor Exit Node
185.220.101.145   Tor Exit Node
185.220.101.149   Tor Exit Node
185.220.101.150   Tor Exit Node
185.220.101.152   Tor Exit Node
185.220.101.156   Tor Exit Node
185.220.101.160   Tor Exit Node
185.220.101.166   Tor Exit Node
185.220.101.167   Tor Exit Node
185.220.101.172   Tor Exit Node
185.220.101.173   Tor Exit Node
185.220.101.174   Tor Exit Node
185.220.101.175   Tor Exit Node
185.220.101.176   Tor Exit Node
185.220.101.180   Tor Exit Node
185.220.101.183   Tor Exit Node
185.220.101.187   Tor Exit Node
185.241.208.54    Tor Exit Node
185.246.188.73    Tor Exit Node
185.246.188.74    Tor Exit Node
185.247.184.105   Tor Exit Node
192.42.116.18     Tor Exit Node
192.42.116.26     Tor Exit Node
192.42.116.174    Tor Exit Node
192.42.116.177    Tor Exit Node
192.42.116.178    Tor Exit Node
192.42.116.179    Tor Exit Node
192.42.116.180    Tor Exit Node
192.42.116.181    Tor Exit Node
192.42.116.182    Tor Exit Node
192.42.116.191    Tor Exit Node
192.42.116.192    Tor Exit Node
192.42.116.193    Tor Exit Node
192.42.116.194    Tor Exit Node
192.42.116.195    Tor Exit Node
192.42.116.196    Tor Exit Node
192.42.116.197    Tor Exit Node
192.42.116.199    Tor Exit Node
192.42.116.200    Tor Exit Node
192.42.116.202    Tor Exit Node
192.42.116.208    Tor Exit Node
192.42.116.209    Tor Exit Node
192.42.116.210    Tor Exit Node
192.42.116.211    Tor Exit Node
192.42.116.214    Tor Exit Node
192.42.116.215    Tor Exit Node
192.42.116.218    Tor Exit Node
192.42.116.219    Tor Exit Node
192.108.48.150    Tor Exit Node
192.159.99.168    Tor Exit Node
193.189.100.197   Tor Exit Node
193.189.100.201   Tor Exit Node
193.189.100.206   Tor Exit Node
194.15.36.117     Tor Exit Node
194.87.55.98      Tor Exit Node
195.47.238.86     Tor Exit Node
195.47.238.87     Tor Exit Node
195.47.238.90     Tor Exit Node
198.96.155.3      Tor Exit Node
