Active Exploitation Alert: ShinyHunters Abuse OAuth and Vendor Integrations to Breach Salesforce and SaaS Environments

Active Exploitation Alert: ShinyHunters Abuse OAuth and Vendor Integrations to Breach Salesforce and SaaS Environments

Executive Summary

Over the past year, the threat landscape for cloud-based CRM platforms has been dramatically reshaped by the activities of the ShinyHunters group, a notorious data-extortion collective. In a comprehensive investigation, Microsoft has mapped three distinct attack paths leveraged by ShinyHunters and their affiliates to compromise Salesforce environments. These attack vectors do not exploit traditional software vulnerabilities; instead, they abuse trusted OAuth connections, third-party vendor integrations, and misconfigured guest access permissions. The campaign has resulted in significant breaches across multiple sectors, including retail, education, manufacturing, and technology, with high-profile incidents at organizations such as Google, Chanel, Pandora, and others. This report provides a detailed technical analysis of the tactics, techniques, and procedures (TTPs) employed, the scope of exploitation, and actionable mitigation strategies for organizations leveraging Salesforce and similar SaaS platforms.

Threat Actor Profile

ShinyHunters is a well-established cybercriminal group specializing in data theft, extortion, and the sale of stolen information. Active since at least 2020, the group has evolved its operations from targeting traditional databases to orchestrating complex attacks against cloud SaaS ecosystems. In the context of the Salesforce campaign, ShinyHunters operated both directly and through affiliated clusters, including UNC6040, UNC6240, UNC6395, and Storm-3138/Icarus. These actors are adept at social engineering, supply chain compromise, and exploiting misconfigurations in cloud environments. Their operations are characterized by a dual focus on initial access (often via social engineering or vendor compromise) and subsequent extortion, frequently publicized through Telegram channels and dark web forums.

Technical Analysis of Malware/TTPs

The ShinyHunters campaign against Salesforce environments is distinguished by three primary attack paths:

The first attack path involves vishing-based social engineering to obtain OAuth consent. Attackers impersonate IT support personnel and contact targeted employees by phone, instructing them to authorize a malicious OAuth application masquerading as a legitimate tool such as Salesforce Data Loader. Once the user grants consent, the attacker-controlled app receives OAuth tokens, enabling it to perform API calls with the user’s privileges. This allows enumeration and exfiltration of sensitive data, persistent access, and lateral movement to other SaaS platforms. The attackers often delete query jobs to hinder forensic investigation and maintain stealthy persistence.

The second attack path exploits compromised third-party vendors with pre-existing OAuth access to customer Salesforce organizations. Attackers breach vendors such as Drift, Gainsight, and Klue, extract OAuth connection secrets and refresh tokens, and use these credentials to access and exfiltrate data from downstream customer instances. This method is particularly insidious because the malicious activity appears as legitimate automation from trusted integrations, bypassing many traditional security controls. For example, the compromise of Drift’s AI chat integration via Salesloft’s GitHub and AWS environments led to the theft of tokens affecting over 700 organizations, including Cloudflare, Zscaler, Palo Alto Networks, and others.

The third attack path targets misconfigured guest access on Salesforce Experience Cloud (formerly Community Cloud) sites. Attackers identify and exploit excessive permissions granted to guest users on Aura endpoints, leveraging the GraphQL Aura controller and cursor-based pagination to bypass record query limits and exfiltrate large volumes of data without authentication. The use of tools such as AuraInspector has been observed to probe and enumerate accessible endpoints, facilitating mass data extraction.

Across all three attack paths, the attackers demonstrate advanced knowledge of Salesforce architecture, OAuth flows, and the intricacies of SaaS integrations. The campaign leverages MITRE ATT&CK techniques including T1598 (Phishing), T1078 (Valid Accounts), T1556.003 (Steal or Forge Authentication Certificates: Web Session Cookie), T1552.001 (Unsecured Credentials: Credentials in Files), T1528 (Steal Application Access Token), T1190 (Exploit Public-Facing Application), and T1087 (Account Discovery).

Exploitation in the Wild

The exploitation of these attack paths has been observed in a wide array of sectors, with confirmed incidents at Google (public business contact data breach, June 2025), Chanel, Pandora, Adidas, Qantas, Allianz Life, and multiple LVMH brands. The compromise of vendor integrations such as Drift and Gainsight resulted in cascading breaches affecting hundreds of organizations, including major cybersecurity vendors like Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, PagerDuty, and Tanium. In June 2026, the exploitation of a legacy credential at Klue enabled attackers to push malicious code, harvest OAuth tokens, and access sensitive data from Salesforce and Gong environments, impacting companies such as Huntress and Recorded Future.

The attackers’ operational tempo is high, with rapid exploitation following initial access, swift data exfiltration, and immediate extortion demands. The use of Telegram and dark web channels for publicizing breaches and pressuring victims is a hallmark of ShinyHunters’ extortion methodology. The campaign’s reliance on abusing trust relationships—whether through social engineering, vendor compromise, or misconfiguration—underscores the evolving threat to SaaS ecosystems.

Victimology and Targeting

The targeting profile of this campaign is broad, encompassing retail, education, manufacturing, SaaS, luxury brands, airlines, insurance, and cybersecurity vendors. Geographically, the attacks have a global footprint, with notable incidents in North America, Europe, and Asia-Pacific. The common denominator among victims is reliance on Salesforce and the integration of third-party applications via OAuth. Organizations with lax controls over OAuth app authorization, insufficient vendor risk management, or misconfigured guest access are at heightened risk. The attackers demonstrate a preference for high-value targets with extensive customer or business data, but opportunistically exploit any accessible environment.

Mitigation and Countermeasures

To defend against these advanced attack paths, organizations should implement a multi-layered approach:

Continuous monitoring of OAuth app activity is essential. Leverage Salesforce Shield Event Monitoring and Microsoft Defender for Cloud Apps to track connected app authorizations, OAuth scopes, and session context. Regularly audit all connected apps, removing unused or over-permissioned integrations and enforcing least-privilege principles.

Restrict guest access on Experience Cloud sites by rigorously reviewing and minimizing guest-user permissions. Monitor for unauthorized data access, particularly via Aura and GraphQL endpoints, and employ tools to detect anomalous guest activity.

Strengthen vendor risk management by maintaining an up-to-date inventory of all third-party integrations, monitoring for unusual activity, and rotating credentials or OAuth tokens if compromise is suspected. Establish incident response playbooks that include the rapid revocation of OAuth tokens and investigation of suspicious app or API activity.

Educate employees on the risks of social engineering, particularly vishing attacks targeting OAuth consent flows. Implement robust identity verification procedures for IT support interactions and consider additional controls such as OAuth app whitelisting and step-up authentication for sensitive operations.

Finally, ensure that all SaaS configurations are regularly reviewed for adherence to security best practices, and that logs are retained and analyzed for signs of compromise.

References

Microsoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHunters Activity – The Hacker News: https://thehackernews.com/2026/07/microsoft-maps-year-long-shinyhunters.html?m=1

ShinyHunters and Scattered Spider: A Merger of Chaos in the 2025 Salesforce Attacks – Obsidian Security: https://www.obsidiansecurity.com/blog/shinyhunters-and-scattered-spider-a-merger-of-chaos-in-the-2025-salesforce-attacks

Salesforce Vishing Threat UNC604 – Varonis: https://www.varonis.com/blog/salesforce-vishing-threat-unc604

ShinyHunters Threat Actor Profile – Huntress: https://www.huntress.com/threat-library/threat-actors/shinyhunters

Cloudforce One: ShinyHunters Claims Cisco Breach: https://mallory.ai/stories/019d48b7-64f2-7dac-9bd1-943a7d9f1276

HelpNetSecurity: https://www.helpnetsecurity.com/2026/03/11/shinyhunters-salesforce-aura-data-breach/

SalesforceBen: https://www.salesforceben.com/shinyhunters-breach-400-companies-via-salesforce-experience-cloud/

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, manage vendor risk, and ensure compliance with industry standards. For more information about how Rescana can help safeguard your organization’s SaaS and cloud environments, we are happy to answer questions at info@rescana.com.