ShinyHunters Leverages OAuth Trust to Breach Salesforce Environments
A sophisticated campaign, attributed to the data-extortion group **ShinyHunters**, has spent the last year infiltrating corporate **Salesforce** environments without exploiting a single platform vulnerability. Instead, attackers have leveraged existing OAuth connections and misconfigurations, highlighting a critical blind spot in traditional security monitoring.
For over a year, threat actors aligned with **ShinyHunters** have been successfully breaching **Salesforce** environments by exploiting trust rather than technical flaws. Their methodology centers on abusing OAuth connections, which link **Salesforce** to various third-party applications and vendors.
New research from **Microsoft**, published July 13, details these campaigns, which ran from mid-2025 into mid-2026. **Microsoft** has identified three distinct intrusion paths and collaborated with **Salesforce** to deploy new detection and governance tools to address these elusive attacks.
Traditional sign-in and authentication monitoring often fails to detect these intrusions because access originates from legitimate user approvals or trusted integrations. The challenge lies in monitoring the actions of the connected app or account post-access, an area where standard **Salesforce** logging was previously insufficient.
**Microsoft** categorizes the attack vectors into three primary methods:
* **Vishing calls** that trick employees into authorizing malicious connected applications.
* **Stolen OAuth tokens** acquired from compromised software vendors.
* **Misconfigured guest access** on **Salesforce** sites.
Each method corresponds to a specific **Salesforce** incident observed over the past year, affecting various industries including retail, education, and manufacturing.
## The Vishing Onslaught
The initial wave of attacks, beginning in mid-2025, involved voice-phishing (vishing) calls. Attackers impersonated IT support, guiding employees through the **Salesforce** OAuth consent process to approve an attacker-controlled connected app disguised as **Salesforce**'s legitimate **Data Loader** tool.
Once consent was granted, the malicious app could make API calls on behalf of the user, allowing attackers to enumerate **Salesforce** data, maintain persistent access to CRM records, and search for credentials to other SaaS platforms. This technique required no malware or stolen passwords, only a phone call and a click of consent.
This campaign was previously documented by **Google**'s Threat Intelligence Group (**GTIG**) and **Mandiant** in mid-2025, tracking initial access as **UNC6040** and subsequent extortion as **UNC6240**. These groups often claimed affiliation with **ShinyHunters** to increase pressure on victims. **Google** itself confirmed a breach of one of its corporate **Salesforce** instances in June 2025, where largely public business contact data was exfiltrated. Similar incidents were linked to **Chanel**, **Pandora**, **Adidas**, **Qantas**, **Allianz Life**, and several **LVMH** brands.

**Mandiant**'s advice to defenders emphasized caution: these calls exploit the helpful nature of help desk personnel, often bypassing standard identity verification. The recommended safe practice is to hang up and call back on a known, verified channel.
## Stolen Tokens from Trusted Vendors
The second attack path bypasses direct employee interaction. Attackers compromise a third-party vendor whose application already possesses OAuth access to its customers' **Salesforce** organizations. They then steal connection secrets or tokens, using them to query and export data across numerous downstream instances simultaneously. This activity often goes undetected as the traffic originates from an already approved integration, blending in with normal automated processes.
**Microsoft** highlights three significant incidents here. The August 2025 **Salesloft Drift** compromise stands out, where attackers stole OAuth and refresh tokens linked to the **Drift AI** chat integration, subsequently targeting **Salesforce** customer environments. **Google** estimated that this token theft potentially exposed over 700 organizations, including **Cloudflare**, **Zscaler**, **Palo Alto Networks**, **Proofpoint**, **PagerDuty**, and **Tanium**. **Google** tracks this cluster as **UNC6395**, while **Cloudflare**'s **Cloudforce One** identifies it as **GRUB1**.
**Salesloft** traced the root cause to attacker access to its **GitHub** account as early as March 2025, which was then used to reach **Drift**'s **AWS** environment and harvest tokens. The attackers sought secrets, executing **SOQL** queries to find **AWS** keys, **Snowflake** tokens, and passwords, then deleting their query jobs to hinder investigations.
The November 2025 **Gainsight** incident followed a similar pattern against a different vendor. **Salesforce** disabled **Gainsight**-published apps after detecting unusual API activity, and **GTIG** linked the campaign to **ShinyHunters** affiliates across more than 200 affected **Salesforce** instances. The individuals behind the **ShinyHunters** moniker claimed the **Salesloft** and **Gainsight** campaigns collectively impacted nearly 1,000 organizations, though this figure remains unconfirmed.
The most recent case, from June 2026, is the **Klue** compromise. Attackers gained access to the competitive-intelligence platform via a long-disused but still-active legacy credential from a never-deployed test integration. They then pushed a code update that harvested customers' OAuth tokens, using them to access **Salesforce** and **Gong** data belonging to **Klue** customers, including **Huntress** and **Recorded Future**. **Microsoft** tracks the **Klue** actor as **Storm-3138**, although other security firms like **Huntress** and **Datadog** link the **Klue** extortion to a group calling itself **Icarus**, with a **Telegram** account claiming to be **ShinyHunters** also taking credit. This blurring of identities and opportunistic claims is a recurring theme across these campaigns.
## Unsecured Guest Access
The third attack vector requires no credentials at all. **Microsoft** observed a surge in suspicious guest-user activity targeting **Salesforce Aura** endpoints, which form the framework for **Experience Cloud** sites. Where guest-user permissions were misconfigured, threat actors could access **Aura** functionality without authentication.
By calling the **GraphQL Aura** controller, attackers used cursor-based pagination to extract records beyond the standard 2,000-record query limit, exfiltrating significantly more data than the guest role was intended to expose. **Microsoft**'s detection points to the **AuraInspector** tooling used to probe these endpoints. No exploit was necessary; the organizations simply left guest roles over-permissioned, allowing actors to extract valuable data.
## Enhanced Detection and Governance from Microsoft and Salesforce
The key to catching these attacks lies in analyzing post-access activity: identifying which connected app made a call, its OAuth scopes, query volume, and whether this behavior is normal for the tenant.
**Microsoft** has collaborated with **Salesforce** to surface this crucial telemetry within **Defender for Cloud Apps**. For customers utilizing **Salesforce Shield Event Monitoring**, the updated **Salesforce** connector now integrates the **Real-Time Event Monitoring** framework for near real-time detection. This enhancement includes connected-app attribution, linking activity to specific app identities and their granted OAuth scopes, along with more detailed session and API context.
Beyond detection, **Microsoft** has introduced posture and governance features for connected OAuth apps. These include a view of highly privileged apps with elevated scopes, a mechanism to identify unused apps that have been inactive for 90 days or more while retaining live permissions, and a 0 to 100 risk score per app that can be integrated with alerts and policies. The objective is to proactively identify over-permissioned and forgotten integrations before malicious actors exploit them.
## Shrinking the OAuth Attack Surface
**Microsoft**'s practical guidance, consistent with post-incident vendor recommendations, urges organizations to connect **Salesforce** instances to **Defender for Cloud Apps** for enhanced telemetry. Furthermore, enabling and actively monitoring **Salesforce** event logs is critical.