Overview
Microsoft has published new research mapping three distinct attack paths into Salesforce environments, all tied to a year of activity attributed to the ShinyHunters data‑extortion group. What makes these campaigns notable is that attackers did not exploit flaws in Salesforce itself — instead, they abused OAuth trust relationships and misconfigurations that organizations had already extended to apps and vendors.
The Three Attack Paths
- Vishing for OAuth Consent
- Attackers posed as IT support in phone calls, tricking employees into approving malicious connected apps disguised as Salesforce’s Data Loader.
- Once consent was granted, attackers gained persistent API access, enumerated CRM data, and harvested credentials.
- Documented by Google Threat Intelligence Group (GTIG) and Mandiant in mid‑2025, this campaign hit Google, Chanel, Pandora, Adidas, Qantas, Allianz Life, and LVMH brands.
- Stolen OAuth Tokens from Vendors
- Attackers compromised trusted third‑party vendors, stealing OAuth tokens to access downstream Salesforce instances.
- Salesloft Drift compromise (Aug 2025): exposed ~700 organizations including Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, PagerDuty, and Tanium.
- Gainsight incident (Nov 2025): affected 200+ Salesforce instances.
- Klue compromise (Jun 2026): attackers exploited a legacy credential to harvest tokens, reaching Salesforce and Gong data for customers like Huntress and Recorded Future.
- Misconfigured Guest Access
- Attackers exploited guest‑user permissions in Salesforce Experience Cloud sites.
- Using GraphQL Aura controllers, they bypassed query limits and extracted thousands of records.
- No exploit was required — just misconfigured access roles.
Why These Attacks Are Hard to Detect
- Traffic originates from trusted apps or integrations, blending into normal usage.
- Standard sign‑in monitoring often misses malicious activity because authentication logs show legitimate approvals.
- The real signal lies in what the app does once inside — queries, scopes, and API calls — areas where traditional logging has gaps.
Microsoft & Salesforce Response
Together, Microsoft and Salesforce rolled out new detection and governance tooling:
- Defender for Cloud Apps integration with real‑time event monitoring.
- Connected‑app attribution to tie activity to specific OAuth scopes.
- Risk scoring (0–100) for connected apps, highlighting over‑permissioned or inactive integrations.
- Governance features to surface unused apps and enforce least‑privilege policies.
Defensive Guidance
Microsoft’s recommendations for organizations:
- Inventory connected apps and cut unused ones.
- Scope integrations to least privilege.
- Rotate and revoke tokens at the first sign of suspicious activity.
- Lock down guest access in Experience Cloud sites.
- Enable Salesforce Shield Event Monitoring for deeper telemetry.
Expert in the Cloud Insight
These campaigns highlight a critical blind spot: identity controls were built for human logins, not OAuth apps or service accounts. Attackers exploited this gap for over a year, often using nothing more exotic than a forgotten credential or a phone call.
For defenders, the lesson is clear: OAuth governance is now as important as MFA. Organizations must treat connected apps and integrations as first‑class identities, with monitoring, least privilege, and rapid revocation policies.
Leave a Reply