
Preventing Connections from Anonymizing VPNs, Proxies and High-Risk IP Addresses

Publish Date: May 5, 2026
Description

Starting November 20, 2025, Salesforce has been taking enhanced measures to protect against suspicious activity via anonymizing VPNs, proxies, or high-risk IP addresses; credential harvesting; and token theft. Beginning on April 24, 2026, Salesforce expanded these protective measures to include all Connected App and API traffic originating from anonymizing VPNs, proxies, and other high-risk IP addresses. 

 

After April 24, 2026, user accounts that are connecting from anonymizing VPNs, proxies, or other high-risk IP addresses — through Connected App or API usage — will be frozen and have their access blocked. 

What to Expect

Actions Taken When Anonymizing VPNs and Proxies or High-Risk IP Addresses are Detected

After April 24, 2026, when a Salesforce user account is detected as connecting from anonymizing VPNs, proxies, or high-risk IP addresses — through Connected App or API usage — the following actions will be taken immediately:

  • The affected user account will be frozen.

  • All OAuth refresh tokens granted to the user will be revoked.

  • An email will be delivered to org admins from Salesforce Security (See Administrator Notifications below).

  • The affected user will need to contact their org admin to restore access to their account.

Note: Users must ensure they are no longer connecting from an anonymizing VPN, proxy, or high-risk IP address before reauthorizing. Continued use of these services will result in repeated containment. 

Administrator Notifications

In the circumstances outlined above, an email titled "Salesforce Security notification" will be delivered to 1) the affected user and 2) all admins and users associated with the impacted instance that have Modify All Data (MAD) permissions. The notifications include the following information:

  • The affected user ID

  • Confirmation that automated security containment was applied

  • Instructions for reviewing the affected account for suspicious activity

  • Instructions for restoring access if the activity reflects typical usage for the affected user

How to Restore Access for Affected Users

If automated containment affects a user in your org, follow the steps outlined below:

  1. Determine whether the detected activity reflects typical usage for this user by reviewing session information in Setup:

    1. From Setup, enter Session Management in the Quick Find box.

    2. Review session origin, authentication method, and connected app details.

    3. When reviewing session information, look for signs of suspicious activity, such as IP addresses from unfamiliar geographic locations, unexpected connected apps, or API calls occurring outside the user's typical work hours. For guidance on how to assess Salesforce logs, see the Salesforce Log Analysis Guide in Salesforce Help.

If the activity reflects typical usage for this user, an admin can take the following steps to restore an affected user account:

  1. Unfreeze the affected user account and notify the user to reauthenticate and reset their password. For step-by-step instructions, see Freeze or Unfreeze User Accounts.

  2. Notify the user to reauthorize connected apps to regain UI or API access, because containment revokes OAuth refresh tokens. 

  3. Note: Users must ensure they are no longer connecting from an anonymizing VPN, proxy, or high-risk IP address before reauthorizing. Continued use of these services will result in repeated containment.

For more information about user session information, see View User Session Information on the Session Management Page.
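The session review in step 1 above (unfamiliar locations, unexpected connected apps, API calls outside typical hours) can be scripted over exported session rows. The following is an added example, not Salesforce code: the row layout, the per-user baseline, the user IDs, app names and IP addresses are all constructed assumptions, and treating weekends as off-hours is an assumption as well.

```python
"""Triage session rows against a per-user baseline (added example)."""
from datetime import datetime, timedelta, timezone

# Hypothetical baseline an admin maintains per user; not a Salesforce object.
BASELINE = {
    "005EXAMPLE0001": {
        "countries": {"US"},
        "apps": {"Browser", "Nightly ETL"},
        "utc_offset_hours": -5,      # user's usual local offset from UTC
        "work_hours": (8, 18),       # local hours: start inclusive, end exclusive
    },
}

# Constructed sample rows; column names are assumptions, not an export schema.
ROWS = [
    {"user_id": "005EXAMPLE0001", "time_utc": "2026-04-27T14:05:00",
     "source_ip": "203.0.113.10", "country": "US", "app": "Browser", "channel": "UI"},
    {"user_id": "005EXAMPLE0001", "time_utc": "2026-04-28T07:40:00",
     "source_ip": "198.51.100.77", "country": "NL", "app": "Unknown Sync Tool", "channel": "API"},
    {"user_id": "005EXAMPLE0001", "time_utc": "2026-04-28T15:00:00",
     "source_ip": "203.0.113.10", "country": "US", "app": "Nightly ETL", "channel": "API"},
    {"user_id": "005EXAMPLE0002", "time_utc": "2026-04-28T15:30:00",
     "source_ip": "203.0.113.25", "country": "US", "app": "Browser", "channel": "UI"},
]

def review_row(row, baseline=BASELINE):
    """Return the reasons a row deserves a closer look (empty list if none)."""
    profile = baseline.get(row["user_id"])
    if profile is None:
        return ["no baseline for user"]  # cannot judge "typical" without one
    reasons = []
    if row["country"] not in profile["countries"]:
        reasons.append("unfamiliar location")
    if row["app"] not in profile["apps"]:
        reasons.append("unexpected connected app")
    if row["channel"] == "API":
        utc = datetime.fromisoformat(row["time_utc"]).replace(tzinfo=timezone.utc)
        local = utc.astimezone(timezone(timedelta(hours=profile["utc_offset_hours"])))
        start, end = profile["work_hours"]
        # Weekend or outside the local work window counts as off-hours (assumption).
        if local.weekday() >= 5 or not (start <= local.hour < end):
            reasons.append("API call outside typical hours")
    return reasons

def triage(rows, baseline=BASELINE):
    """Return (user_id, time_utc, source_ip, reasons) for every flagged row."""
    return [(r["user_id"], r["time_utc"], r["source_ip"], why)
            for r in rows if (why := review_row(r, baseline))]

if __name__ == "__main__":
    for user, when, ip, why in triage(ROWS):
        print(f"{when}Z {user} {ip}: {', '.join(why)}")
```

A row with no flags supports unfreezing the account; a flagged row is a prompt for the manual review described above, not a verdict.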

 

Note:  Containment actions apply as soon as misuse is detected. Users may lose access before an admin reviews the notification email. 

 

Knowledge Article Number

005318944

 