          New User Welcome Email Settings Control

          The Salesforce "Link Expiration" setting for welcome emails is a security control that defines the timeframe for which a new user's activation link remains active.

          Control Name

          New User Activation

          Recommended Configuration

          • New User Welcome Email Setting Expiration set to 1 day

          Setup > Session Settings > New User Welcome Email Settings > Link Expires in 1 day.

          Control Overview

          The Salesforce "Link Expiration" setting for welcome emails is a security control that defines the timeframe for which a new user's activation link remains active. By restricting this window, administrators ensure that unused or intercepted links are rendered useless after a brief period, minimizing the risk of unauthorized account access through stale credentials.

          Security Risk If Not Configured

          Without a strict limit on the expiration of user activation emails, the organization faces an increased risk of unauthorized account takeover if a "welcome" link is intercepted or accessed in a compromised email inbox long after it was sent. This extended window of opportunity allows threat actors to activate the account and set their own credentials, bypassing the intended security window and potentially gaining undetected entry into the Salesforce environment.

          Threat Scenarios

          A threat actor gains access to a user’s inbox and finds an unexpired activation link sent days or weeks earlier due to a lack of strict expiration limits. They successfully use the link to set their own credentials and hijack the account, gaining a legitimate foothold in your Salesforce environment before the actual user—or your security team—ever realizes there’s a problem.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Increased risk depending on the user access scope.

          Higher Risk When

          The risk of long-lived activation links is significantly compounded by a lack of Multi-Factor Authentication (MFA) enforcement for initial logins, which allows an attacker who intercepts the link to gain full access with just a single factor.

          Additionally, the absence of Login IP Ranges or trusted network restrictions for new users creates a wider attack surface, as there are no geographical or network-based barriers to prevent a remote threat actor from using the activation link from an unauthorized location.

          Low or No Risk When

          To minimize the risk of long-lived activation links, organizations should enforce Multi-Factor Authentication (MFA) for all new users, ensuring that an intercepted link alone is insufficient to gain access without a second verification factor.

          Additionally, implementing Login IP Ranges at the profile or org level restricts the activation process to trusted corporate networks, effectively blocking remote threat actors from using stolen links from unauthorized locations.

          Business and Integration Considerations

          Administrators should consider the number of users within their company who access the platform and the environment those users work in.

          Recommended Remediation

          Define link expiration for user activation email.

          Security Health Review Guidance

          Security Health Review confirms the New User Welcome Email Expiration setting is set to 1 day.

           