Table of contents
Do not edit: TOC will be auto-generated
Seeing “Drift” in your SaaS dashboard? Here’s what our CASB connector is actually telling you
In mid-August, attackers abused OAuth tokens tied to the Salesloft–Drift integration to reach connected systems—most visibly Salesforce. Salesforce responded by disabling connections with Salesloft (including Drift) and partners revoked tokens and removed the Drift application from the AppExchange. Limited data access was reported within Salesforce tenants between roughly August 8-18, 2025.
Why your dashboard might show Drift—even if you never installed it
Many public websites embed the Drift chat widget. When employees visit those sites, Microsoft CASB (and similar telemetry) can record Drift as web activity. This does not mean your tenant has authorized Drift via OAuth. CASB may show Drift simply because the widget appeared in a browser session—not because your organization was granted access. Revoking credentials is only necessary if a connected app was actually authorized.
Technical context: Why usage matters—and how we reduce false positives
CASB connectors, by design, can’t distinguish between simply browsing to a site and actual application usage. This leads to false positives with various applications. Adobe Marketing, for example, often appears as “used” because its popups or web elements are detected, even if the SaaS platform itself isn’t being used.
That’s why true usage validation is so important. Flexera’s browser extension offers detailed tracking of what users are actually doing, validating against real URLs for genuine application usage. Going beyond web URLs and maintaining a catalog of true URLs is a key Flexera capability, ensuring you get the data you need.
We pull data from as many sources as possible, but recognize the risk of “garbage in, garbage out.” Our platform strives to filter out noise and reduce false positives—and browser-based extensions backed by the Technopedia catalog excel at this.
How to sanity-check, calmly
Start in Salesforce and review your Connected Apps. If you don’t see Salesloft/Drift listed—and no integration user tied to it—there’s typically nothing to revoke. If you do find an authorization, disable the app, revoke/rotate credentials and review audit logs before re-authorizing with least-privilege scopes. Salesforce and affected organizations have provided clear guidance, emphasizing that the issue did not involve a vulnerability in Salesforce’s core platform.
What SaaS Management changes in moments like this
Incidents like Salesloft–Drift highlight third-party risk. Flexera One SaaS Management gives you a single view of what’s truly connected to your core platforms, what scopes it holds and when it was last used—so you can act decisively without overreacting to generic web telemetry. It helps standardize the response: Enumerate connected apps, revoke and rotate in the right order, notify owners of dependent workflows and re-authorize with tighter scopes. Post-incident, the same inventory supports routine hygiene—removing stale integrations, approving high-risk scopes and proving that OAuth access is rightsized.
Why this remains a third-party OAuth story
Public write-ups from Google’s Threat Intelligence team, Cloudflare and others describe token replays against trusted integrations. The pattern is clear: Platforms like Salesforce can be secure, but over-permissive or widely deployed connected applications become the path in. Understanding which applications are authorized in your tenant—and keeping those authorizations on a short leash—is the best way to reduce risk.
The bottom line
If you’re seeing “Drift” on CASB this week, it usually reflects web activity, not a tenant-authorized application. Verify your Connected Apps, take action only where OAuth access exists and keep permissions lean. Flexera’s SaaS Management dashboard helps you separate “seen on the web” from “authorized in our tenant” and browser-based extensions backed by Technopedia help minimize false positives.
