Microsoft Maps Salesforce Attack Paths

Overview

Microsoft has published new research mapping three distinct attack paths into Salesforce environments, all tied to a year of activity attributed to the ShinyHunters data‑extortion group. What makes these campaigns notable is that attackers did not exploit flaws in Salesforce itself — instead, they abused OAuth trust relationships and misconfigurations that organizations had already extended to apps and vendors.

The Three Attack Paths

  1. Vishing for OAuth Consent
    • Attackers posed as IT support in phone calls, tricking employees into approving malicious connected apps disguised as Salesforce’s Data Loader.
    • Once consent was granted, attackers gained persistent API access, enumerated CRM data, and harvested credentials.
    • Documented by Google Threat Intelligence Group (GTIG) and Mandiant in mid‑2025, this campaign hit Google, Chanel, Pandora, Adidas, Qantas, Allianz Life, and LVMH brands.
  2. Stolen OAuth Tokens from Vendors
    • Attackers compromised trusted third‑party vendors, stealing OAuth tokens to access downstream Salesforce instances.
    • Salesloft Drift compromise (Aug 2025): exposed ~700 organizations including Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, PagerDuty, and Tanium.
    • Gainsight incident (Nov 2025): affected 200+ Salesforce instances.
    • Klue compromise (Jun 2026): attackers exploited a legacy credential to harvest tokens, reaching Salesforce and Gong data for customers like Huntress and Recorded Future.
  3. Misconfigured Guest Access
    • Attackers exploited guest‑user permissions in Salesforce Experience Cloud sites.
    • Using GraphQL Aura controllers, they bypassed query limits and extracted thousands of records.
    • No exploit was required — just misconfigured access roles.

Why These Attacks Are Hard to Detect

  • Traffic originates from trusted apps or integrations, blending into normal usage.
  • Standard sign‑in monitoring often misses malicious activity because authentication logs show legitimate approvals.
  • The real signal lies in what the app does once inside — queries, scopes, and API calls — areas where traditional logging has gaps.

Microsoft & Salesforce Response

Together, Microsoft and Salesforce rolled out new detection and governance tooling:

  • Defender for Cloud Apps integration with real‑time event monitoring.
  • Connected‑app attribution to tie activity to specific OAuth scopes.
  • Risk scoring (0–100) for connected apps, highlighting over‑permissioned or inactive integrations.
  • Governance features to surface unused apps and enforce least‑privilege policies.

Defensive Guidance

Microsoft’s recommendations for organizations:

  • Inventory connected apps and cut unused ones.
  • Scope integrations to least privilege.
  • Rotate and revoke tokens at the first sign of suspicious activity.
  • Lock down guest access in Experience Cloud sites.
  • Enable Salesforce Shield Event Monitoring for deeper telemetry.

Expert in the Cloud Insight

These campaigns highlight a critical blind spot: identity controls were built for human logins, not OAuth apps or service accounts. Attackers exploited this gap for over a year, often using nothing more exotic than a forgotten credential or a phone call.

For defenders, the lesson is clear: OAuth governance is now as important as MFA. Organizations must treat connected apps and integrations as first‑class identities, with monitoring, least privilege, and rapid revocation policies.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.