The rapid expansion of AI has changed the cybersecurity risk landscape for every organization. At Salesforce, Trust is our #1 value, and we’ve always built our platform to be secure by design and to enable our customers as security partners. As AI-driven threats evolve and grow more sophisticated, we continue to lead the industry by hardening our defenses and enhancing security protections. We’re making it easier than ever for customers to act as part of our shared security responsibility — with readily available controls, by meeting them in-app, and continuously making their security experience easier.
As part of these efforts we are proactively enforcing stronger customer security practices and configuration settings, expanding our portfolio of security products, and introducing new expert-guided services for customers. No matter where you are on your security journey, Salesforce is with you every step of the way.
The rise of AI has fundamentally altered the tools and tactics used by malicious actors. Today’s attackers are using AI to automate credential theft, generate convincing phishing campaigns at scale, and conduct reconnaissance across vast numbers of targets simultaneously. Attacks that once required a skilled team of hackers can now be executed by a single bad actor armed with an AI-powered toolkit. In an AI-driven threat landscape where vulnerabilities can be exploited at rapid speed, it’s critical that customers and providers continue to take their commitment to shared security responsibility seriously.
To better protect our customers from these quickly evolving threats, Salesforce is hardening customer configured controls in the Salesforce Platform that protect against these attack vectors:
- Account Takeover (ATO): AI-enhanced credential stuffing and phishing attacks can compromise user accounts — even those with complex passwords — by bypassing traditional login protections. Once inside, attackers can operate undetected for extended periods.
- Data Exfiltration: Bulk report exports and large data queries are prime targets. Sophisticated actors are using AI to automate these requests, extracting data at speeds that outpace manual detection.
- Identity-Based Social Engineering: AI is enabling attackers to craft highly personalized phishing and vishing (phishing via phone call) campaigns using data harvested from earlier breaches. Admins and privileged users are especially high-value targets, because their access is broad.
These are the exact vectors our Cyber Security Operations Center (CSOC) team responds to every day — and the controls we’re enforcing are designed specifically to address them.
Salesforce provides a secure platform by default, and we are committed to equipping our customers with the tools and visibility to evolve their security posture and stay ahead of this shifting landscape. That’s why beginning in June 2026, Salesforce is proactively enforcing stronger customer security practices and configuration settings across all customer orgs. Make sure to review the new Security-Related Product Updates article for official enforcement timelines. Below is a summary of what’s changing, and why it matters.
1. Multi-factor Authentication (MFA) for All Salesforce Users
MFA has been required for users since 2022. Beginning June 2026, MFA will be enforced for all user logins — direct UI and SSO — across both production and sandbox orgs. MFA adds a critical second layer of verification, and is the single most impactful control against account takeover.
2. Phishing-Resistant MFA for Admins and Privileged Users
Users with the System Administrator profile or permissions such as Modify All Data, View All Data, Customize Application, or Author Apex will be required to use Phishing-Resistant MFA (PRMFA). Phishing-resistant methods are cryptographically bound to a specific site, making them resistant to adversary-in-the-middle phishing attacks. Though only privileged users are required to use PRMFA, we strongly encourage organizations to adopt this control for all users.
3. Step-up Authentication for Report Actions
A mandatory time-based step-up authentication framework will be implemented for report actions. Users are challenged after a configurable window (2–120 minutes, defaulting to 120) has elapsed since their last verification. Report exports are one of the most common vectors for data exfiltration. Verification at the point of data access — not just at login — ensures intent is confirmed even in a long-running session.
4. Step-up Authentication for Anomalous Report Behavior
Salesforce is making report actions more intelligent by implementing machine learning–based anomaly detection. When significant deviations from a user’s normal patterns are detected, the user is challenged with step-up MFA (an additional identity verification step) the next time they attempt a report export or other sensitive action, before the action is granted.
5. Transaction Security Policy Enhancements (Shield and Event Monitoring Customers)
For customers with Salesforce Shield, we’re enhancing Transaction Security Policies (TSP) by upgrading passive monitoring into active prevention. A default TSP on ReportEvent will be triggered when a UI export exceeds 10,000 records, requiring step-up authentication, and a new Modify Transaction Security Policy permission will govern TSP management going forward, allowing the platform to intervene before data leaves the org.
6. Email Domain Verification
Email domain verification (already in enforcement) is required to send emails from Salesforce. With this change, emails will fail to send from Salesforce if the email domain isn’t verified via either an active DKIM key or a verified entry in the authorized email domain list. This is intended to help defend against AI-powered spoofing attacks.
7. Anonymizing Proxy Blocking
Salesforce blocks connections from anonymizing VPNs, proxies, and high-risk IPs, and uses anomaly detection for login activity, helping to prevent unauthorized access to Salesforce. See the product change articles for the most up-to-date details and dates.
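As an added illustration (not Salesforce code and not part of the original article), this Python model replays one long-running session against the time-based step-up window from item 3 and the 10,000-record UI export threshold from item 5, so admins can see how a shorter window changes the number of challenges. The function names, the constructed event timeline, the choice to challenge once the full window has passed, and the assumption that a passed challenge counts as a fresh verification are all illustrative.

```python
from dataclasses import dataclass

# Values stated in the article: window of 2-120 minutes (default 120), 10,000 records.
MIN_WINDOW, MAX_WINDOW, DEFAULT_WINDOW = 2, 120, 120
EXPORT_ROW_THRESHOLD = 10_000


def effective_window(configured=None):
    """Return the step-up window in minutes, rejecting values outside 2-120."""
    if configured is None:
        return DEFAULT_WINDOW
    if not MIN_WINDOW <= configured <= MAX_WINDOW:
        raise ValueError(f"window must be {MIN_WINDOW}-{MAX_WINDOW} minutes")
    return configured


@dataclass
class Session:
    last_verified: int              # minute of the most recent identity verification
    window: int = DEFAULT_WINDOW

    def report_action(self, now, rows=0, ui_export=False, has_shield=False):
        """Return the reasons (possibly none) this report action needs step-up."""
        reasons = []
        # Assumption: challenge once the full window has passed since verification.
        if now - self.last_verified >= self.window:
            reasons.append("window_elapsed")
        # Default ReportEvent policy: Shield orgs, UI exports over the threshold.
        if has_shield and ui_export and rows > EXPORT_ROW_THRESHOLD:
            reasons.append("export_over_threshold")
        if reasons:
            # Assumption: the user passes the challenge, which resets the timer.
            self.last_verified = now
        return reasons


def replay(events, window=None, has_shield=False):
    """Replay (minute, rows, ui_export) actions for a session verified at minute 0."""
    session = Session(last_verified=0, window=effective_window(window))
    return [session.report_action(t, rows, ui, has_shield) for t, rows, ui in events]


# Constructed timeline: login at minute 0, then four report actions.
EVENTS = [(30, 500, False), (125, 500, True), (130, 25_000, True), (260, 12_000, True)]

if __name__ == "__main__":
    for label, kwargs in [("default", {}), ("shield", {"has_shield": True}),
                          ("15-minute window", {"window": 15})]:
        print(label, replay(EVENTS, **kwargs))
```

With the default 120-minute window, the 25,000-row export at minute 130 is only challenged when the Shield export policy applies, which shows why the two controls are complementary.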
The platform-level enforcements outlined above are designed to significantly raise your security baseline. But those aren’t the only security controls available — customers also have access to built-in controls and add-on security products to assist them along the way.
Built-In Platform Controls
Every org includes powerful baseline tools available right now. One tool is Security Health Check, which is built into Setup and benchmarks your org against Salesforce’s baseline security standards. Health Check highlights potential misconfigurations that attackers may target, like weak password policies or overly long session settings, and surfaces a prioritized remediation list.
As of the Salesforce Spring ’26 release, the Security Health Check tool now features automated proactive notifications that alert admins to changes in their organization’s security score, making it easier than ever to have visibility into your org’s security controls.
Other strongly encouraged security controls include:
- Login IP Restrictions: Limit authentication to trusted network locations, with an option to enforce IP validation on every request — not just at login.
- Session-Level Policies: Configure the step-up authentication cadence for reports and dashboards directly from the Identity Verification page.
Salesforce’s Security Products
Salesforce also offers advanced controls to scale your security and customize your defense-in-depth strategy. These solutions are designed for customers who want enhanced levels of security, resilience, and compliance, like those managing sensitive data or operating in regulated industries.
Salesforce Shield
Salesforce Shield offers a level of protection, visibility, and control that goes beyond the native platform baseline. With this powerful suite of data security products, you can monitor, encrypt, identify and classify with ease, safeguarding your critical and sensitive data. Shield consists of four products:
- Event Monitoring provides comprehensive audit logs of more than 90 events including logins, data exports, and API calls. Transaction Security Policies (TSPs) let you define fully customizable, Flow-driven rules for blocking, alerting, or requiring step-up authentication on any monitored event. With the new default TSP for ReportEvent, Shield customers gain active exfiltration prevention from day one.
- Field Audit Trail allows you to track changes for up to 60 fields per object and retain that data, indefinitely or for a period customized to your needs, for forensic investigations and compliance audits.
- Platform Encryption protects data at rest at the field level using customer-managed keys.
- Data Detect helps you automate sensitive data discovery (like PII or credit card numbers) across your org. This allows you to quickly identify which fields may need to be classified or encrypted without manual scanning.
Security Center
For customers managing one or more Salesforce orgs, Security Center aggregates security health data across every connected org into a single dashboard — surfacing configuration drift, compliance gaps, and threat detection signals without context-switching.
Data Mask & Seed
In both testing and production environments, data masking can help obscure personal or sensitive information. Data Mask & Seed allows you to provide realistic data for admins and developers while protecting sensitive customer information from leaks and unauthorized access.
NEW: In-App Security Health Review for Signature Success Plan Customers
Another step we’re taking to help our customers identify and optimize their platform security is with the Security Health Review, a new expert-guided service currently available to Signature Success Plan customers. You can quickly evaluate 400+ security controls across your org by going to Setup directly in Salesforce and searching for “Security Health Review.” There’s also an Agent to assist with any questions along the way. From there, your Customer Success Manager (CSM) will partner with you to build a remediation plan to address all findings.
Unlike one-time competitor assessments, the Security Health Review isn’t a snapshot — we stay with you continuously along your journey, evolving recommendations as your org and the threat landscape change. For Signature customers preparing for the June 2026 enforcement wave, this is the most comprehensive readiness check available.
Salesforce’s 2026 security enforcement reflects our ongoing commitment to helping our customers stay ahead of the threat landscape. We’re meeting you where you are — in-app, in the platform, and now through expert-guided services — to make acting on shared security responsibility as straightforward as possible.
For the latest guidance, advisories, and resources, visit security.salesforce.com.