No login to chase: a Salesforce Apex trigger that leaks on write
A rogue Apex trigger exfiltrates records every time a row is written. There is no suspicious session to revoke, because the attacker is now code living inside the platform.
Salesforce runs your own code on every record write through Apex triggers and Flows. When an attacker has author rights, they can hide a backdoor in that automation and never log in again.
How the attack works
An account with author and deploy permissions plants an Apex trigger, or a record-triggered Flow, on the Contact and Opportunity objects, along with a remote site or named credential pointing to an external endpoint. From then on, every normal record create or update fires the trigger, which posts record fields out to the attacker’s endpoint. The exfiltration blends into routine user activity and runs low and slow for days, scaling with normal write volume, with no anomalous login anywhere. In ATT&CK terms this is T1098, Account Manipulation, paired with T1567, Exfiltration Over Web Service.
Why it works
Too many principals could author and deploy Apex and add external callouts directly in production. Because the backdoor is platform-resident code rather than a session, it keeps firing no matter what you do to the deployer’s login. There is no rogue sign-in to detect.
How to fix it
The scenario teaches that chasing the session is the wrong move: the principal is code, so you have to remove the code. Locate and deactivate or delete the rogue trigger or Flow and remove its remote site or named credential callout, which stops the exfiltration on the next write. The durable fix is to restrict author and deploy permissions to a minimal set, require reviewed, source-controlled deployment, lock down remote sites and named credentials, and sweep all metadata for other rogue automations, since there may be more than one. The Setup Audit Trail shows who deployed what and when, and the event monitoring and callout logs scope which records were sent across the full multi-day window.
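The metadata sweep can be scripted once the org's Apex has been retrieved to local source files. This is an added example, not code from the scenario; the file paths, trigger and class names, the `Ext_Sync` named credential and the sample Apex bodies are all constructed. It flags triggers on the watched objects that either contain callout markers themselves or hand work to a class that does.

```python
import re

# Constructed sample of retrieved Apex metadata (paths, names and bodies are made up).
SAMPLE_SOURCES = {
    "triggers/ContactSync.trigger": """
trigger ContactSync on Contact (after insert, after update) {
    ContactSyncHelper.ship(Trigger.newMap.keySet());
}""",
    "classes/ContactSyncHelper.cls": """
public class ContactSyncHelper {
    @future(callout=true)
    public static void ship(Set<Id> ids) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Ext_Sync/v1');  // Ext_Sync is a placeholder named credential
        new Http().send(req);
    }
}""",
    "triggers/OppValidate.trigger": """
trigger OppValidate on Opportunity (before insert) {
    for (Opportunity o : Trigger.new) { if (o.Amount < 0) o.addError('bad'); }
}""",
}

# Tokens that indicate an HTTP callout or a named-credential reference in Apex source.
CALLOUT_MARKERS = re.compile(r"HttpRequest|setEndpoint\(|callout:|@future\s*\(\s*callout\s*=\s*true", re.I)
TRIGGER_HEADER = re.compile(r"\btrigger\s+(\w+)\s+on\s+(\w+)\s*\(", re.I)
CLASS_NAME = re.compile(r"\bclass\s+(\w+)")

def callout_classes(sources):
    """Names of Apex classes whose source contains a callout marker."""
    found = set()
    for path, src in sources.items():
        if path.endswith(".cls") and CALLOUT_MARKERS.search(src):
            if (m := CLASS_NAME.search(src)):
                found.add(m.group(1))
    return found

def suspicious_triggers(sources, watched=("Contact", "Opportunity")):
    """Triggers on watched objects that call out directly or through a callout-bearing class."""
    risky = callout_classes(sources)
    hits = []
    for src in sources.values():
        m = TRIGGER_HEADER.search(src)
        if not m or m.group(2) not in watched:
            continue
        name, obj = m.groups()
        if CALLOUT_MARKERS.search(src):
            hits.append((name, obj, "direct"))
            continue
        # A static call such as Helper.method( names the class the trigger hands work to.
        for cls in set(re.findall(r"\b([A-Z]\w*)\.\w+\s*\(", src)):
            if cls in risky:
                hits.append((name, obj, cls))
    return hits
```

Each hit names the trigger, the object it fires on, and the class carrying the callout, which is the list to reconcile against the Setup Audit Trail and the approved deployment history.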
Practice it
We built this as a GraphLattice Range scenario so responders can rehearse finding and removing platform code persistence when there is no login to chase.