
Extended Login Anomaly Detections and Containment

Publish Date: Apr 29, 2026
Description

What Changed 

To enhance customer data protection, Salesforce has implemented new AI-driven anomaly detection for login activity. These changes focus on mitigating potentially malicious account takeovers. When Salesforce detects significant deviations in a user's login behavior, automated response actions are triggered to protect the account. Those responses can include revoking all access, requiring a password reset (if password authentication is used), and notifying the org’s Salesforce admin.




When Did This Change Take Effect

 

Salesforce applied this change in early April 2026. You may also have received notifications in early March 2026 when Salesforce enabled this change on a temporary basis.

 

The existing Login Anomaly feature included in Shield Threat Detection will continue to operate through at least June 30, 2026. In rare cases, customers may see duplicate detections between the two methods.

 

Detection & Notification

Salesforce monitors login behavior, specifically for network activity, client, authentication events, and geolocation tags. When we detect certain novel usage patterns in that behavior, including certain uses of anonymizing proxies, we notify admins for affected instances of an anomaly detection and take steps to contain the subject user. We also notify admins (users with Modify All Data permissions) when we observe certain novel usage patterns in these behaviors in the absence of anonymizing proxies, which can also indicate suspicious login activity. 

 

Containment

The following actions are triggered when Salesforce detects significantly abnormal patterns in login behavior: 

  • The user is automatically frozen, effectively terminating all sessions granted to that user and leaving them without access until they are unfrozen by a Salesforce Administrator.

  • Any remaining access and refresh tokens granted to that user are then revoked.

  • If the user authenticates with a password, they’re required to reset that password after the Salesforce Administrator unfreezes them.

  • An email titled "Salesforce Security notification" is delivered to either Security Contacts (when populated) or users associated with the impacted org that have Modify All Data (MAD) permissions.

Resolution

Resolve Login Containment Events

 

If you receive an email about a containment action, review the activity detailed in the email and take these steps:

 

  • If you recognize the affected login, we suggest that you instruct the user to avoid the use of VPNs with anonymizing proxies. If your business processes require the use of an anonymizing proxy, please open a case with Salesforce Customer Support via Salesforce Help to discuss alternatives.

  • If you don’t recognize the affected login, ensure that Multi-Factor Authentication (MFA) is strictly enforced for the user.

  • You may wish to review your logs for evidence of unauthorized activity. For a structured approach to analyzing Salesforce logs, see Salesforce Log Analysis Guide in Salesforce Help.
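
As a starting point for that log review, the following added example (not Salesforce code, and not the detection logic Salesforce uses) takes an exported login history for the contained user and lists the logins shortly before containment whose source IP, country, browser or application never appeared in that user's earlier successful logins, then checks which other users logged in from the same addresses. The CSV column names, user IDs, IP addresses, application name and the 48-hour review window are assumptions made for this example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export, not real data. Column names are an assumption:
# they follow the login history fields selected for the export.
SAMPLE_CSV = """UserId,LoginTime,SourceIp,CountryIso,Browser,Application,Status
005EXAMPLE0001,2026-04-01T08:02:11Z,198.51.100.10,US,Chrome,Browser,Success
005EXAMPLE0001,2026-04-03T08:01:09Z,198.51.100.11,US,Chrome,Browser,Success
005EXAMPLE0001,2026-04-04T23:50:00Z,203.0.113.77,NL,Unknown,Example App,Invalid Password
005EXAMPLE0001,2026-04-06T08:03:30Z,198.51.100.10,US,Chrome,Browser,Success
005EXAMPLE0001,2026-04-07T02:14:55Z,203.0.113.77,NL,Unknown,Example App,Success
005EXAMPLE0002,2026-04-07T02:20:00Z,203.0.113.77,NL,Chrome,Browser,Success
"""
ATTRS = ("SourceIp", "CountryIso", "Browser", "Application")

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def novel_logins(csv_text, user_id, contained_at, review_hours=48):
    """Logins by user_id in the review window before containment that carry
    an attribute never seen in that user's earlier successful logins."""
    end = _ts(contained_at)
    start = end - timedelta(hours=review_hours)
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r["UserId"] == user_id]
    seen = {a: set() for a in ATTRS}
    # Baseline uses successful logins only, so earlier failed attempts from an
    # unfamiliar address do not make that address look familiar.
    for r in rows:
        if _ts(r["LoginTime"]) < start and r["Status"] == "Success":
            for a in ATTRS:
                seen[a].add(r[a])
    findings = []
    for r in rows:
        if start <= _ts(r["LoginTime"]) <= end:
            novel = [a for a in ATTRS if r[a] not in seen[a]]
            if novel:
                findings.append((r["LoginTime"], r["SourceIp"], r["Status"], novel))
    return findings

def other_users_on(csv_text, user_id, ips):
    """Other user IDs with logins from the flagged source IPs (scoping)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return sorted({r["UserId"] for r in reader if r["SourceIp"] in ips and r["UserId"] != user_id})

if __name__ == "__main__":
    hits = novel_logins(SAMPLE_CSV, "005EXAMPLE0001", "2026-04-07T02:30:00Z")
    print(hits, other_users_on(SAMPLE_CSV, "005EXAMPLE0001", {h[1] for h in hits}))
```

A flagged row is a lead for the admin to confirm with the user, not proof of compromise; a new laptop or a business trip produces the same signal.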

Knowledge Article Number

005319571
