Salesforce CRM is targeted by the BlackFile extortion group as a primary data exfiltration platform. No software vulnerability is exploited; the group abuses legitimate Salesforce API functions and OAuth-connected app permissions after gaining access via vishing-driven MFA bypass in the Microsoft 365 identity layer. Defenders must address Salesforce API governance, IP restrictions, and Event Monitoring logging as priority actions.
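One way to combine the three priority actions above into a single review of Event Monitoring data, as an added example that is not from the original page or from Salesforce. The trusted network range, approved client name, row threshold and sample rows are constructed assumptions, and the column names follow the Event Monitoring API event type and should be checked against your own export.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumptions (not from the page): trusted egress range, approved API clients, row threshold.
TRUSTED_NETWORKS = [ip_network("198.51.100.0/24")]
APPROVED_CLIENTS = {"CorpETL"}
ROW_THRESHOLD = 10_000

# Constructed sample rows shaped like an Event Monitoring "API" event log CSV export.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
API,2025-01-01T09:00:00.000Z,005000000000001,198.51.100.10,CorpETL,Account,2000
API,2025-01-01T09:05:00.000Z,005000000000002,203.0.113.77,DataSyncTool,Contact,1500
API,2025-01-01T09:06:00.000Z,005000000000002,203.0.113.77,DataSyncTool,Contact,45000
API,2025-01-01T09:07:00.000Z,005000000000003,198.51.100.22,,Case,
"""

def is_trusted(ip: str) -> bool:
    """True only if ip parses and falls inside a trusted network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # missing or malformed address is treated as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)

def review_api_events(log_text: str) -> list[dict]:
    """Return one finding per API event that breaks a governance rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if not is_trusted(row["CLIENT_IP"]):
            reasons.append("untrusted_ip")
        client = row["CLIENT_NAME"].strip()
        # Empty client names are not flagged here; many clients never set one.
        if client and client not in APPROVED_CLIENTS:
            reasons.append("unapproved_client")
        rows = int(row["ROWS_PROCESSED"] or 0)
        if rows >= ROW_THRESHOLD:
            reasons.append("bulk_read")
        if reasons:
            findings.append({"user": row["USER_ID"], "ip": row["CLIENT_IP"],
                             "client": client, "rows": rows, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in review_api_events(SAMPLE_LOG):
        print(finding)
```

Because the activity described uses legitimate API functions, no single rule is conclusive; events that trip several rules at once are the ones to triage first.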