Attackers linked to the ShinyHunters data-extortion group are bypassing traditional security by exploiting OAuth connections and trusted third-party integrations to enter corporate Salesforce environments. According to research published July 13 by Microsoft, these intrusions avoid platform flaws entirely, instead utilizing vishing, stolen vendor tokens, and misconfigured guest access to export sensitive CRM data.
The Shift Toward OAuth and Integration Exploits
Modern security focuses heavily on human logins through MFA and conditional access. However, Microsoft reports that the “trust” organizations extend to connected apps creates a blind spot. When an attacker uses a legitimate OAuth token or an approved integration, the traffic appears as ordinary use. Standard authentication logs often fail to register these events because no “login” in the traditional sense is occurring.
This vulnerability allows actors to maintain persistent access to CRM records and hunt for credentials that could unlock other SaaS platforms. Because these integrations often hold elevated permissions, they become high-value targets for extortion groups.
Pro Tip: Periodically audit your “Connected Apps” list in Salesforce. Revoke permissions for any integration that hasn’t been used in 90 days to shrink your attack surface.
Three Primary Intrusion Paths Identified by Microsoft
Microsoft’s analysis of campaigns running from mid-2025 into mid-2026 reveals three distinct methods used to breach Salesforce tenants across the retail, education, and manufacturing sectors.

1. Vishing and Social Engineering
Attackers use voice-phishing (vishing) calls, posing as IT support to trick employees into authorizing a malicious connected app. In these cases, the app is disguised as the official Salesforce Data Loader tool. Once the user clicks “consent,” the attacker can make API calls as that user. Google’s Threat Intelligence Group (GTIG) and Mandiant documented this activity, tracking the initial access as UNC6040 and the extortion phase as UNC6240.
2. Compromising Third-Party Software Vendors
This method skips the end-user and targets the vendor. Attackers compromise a vendor’s environment, steal OAuth tokens, and use them to access all downstream customer Salesforce orgs. Microsoft highlighted the August 2025 Salesloft Drift compromise, where attackers accessed a GitHub account to reach Drift’s AWS environment. Google estimated this specific theft potentially exposed over 700 organizations, including Zscaler, Palo Alto Networks, and Cloudflare.
3. Misconfigured Guest Access
Some breaches require no credentials at all. Microsoft observed actors targeting Salesforce Aura endpoints within Experience Cloud sites. By exploiting misconfigured guest-user permissions, attackers used cursor-based pagination via the GraphQL Aura controller to bypass the standard 2,000-record query limit and export massive amounts of data.
Comparing the Impact of Vendor Breaches
The scale of these attacks varies based on the entry point. While vishing targets individual users, vendor compromises create a “one-to-many” effect.
| Incident | Method | Reported Impact |
|---|---|---|
| Salesloft Drift | Stolen OAuth Tokens | ~700+ organizations (Google est.) |
| Gainsight | API Abuse/Vendor Compromise | 200+ Salesforce instances (GTIG) |
| Klue | Legacy Credentials | Affected Huntress & Recorded Future |
Did you know? Google confirmed its own corporate Salesforce instance was hit in June 2025. Attackers took public business contact data before the company severed the connection.
New Detection and Governance Tooling
To combat these “invisible” logins, Microsoft and Salesforce integrated new telemetry into Defender for Cloud Apps. For users of Salesforce Shield Event Monitoring, the updated connector now utilizes the Real-Time Event Monitoring framework. This allows security teams to tie API activity to a specific app identity and its granted OAuth scopes.

Microsoft has also introduced a risk-scoring system (0 to 100) for connected apps. This helps administrators identify highly privileged apps that hold elevated scopes or those that have remained inactive for 90 days but still maintain live permissions.
How to Secure Salesforce OAuth Environments
Defenders should move beyond MFA and focus on the “non-human” identity layer. According to guidance from Microsoft and Mandiant, the following steps are critical:
- Inventory Connected Apps: Maintain a strict list of all third-party integrations and remove any that are no longer in use.
- Enforce Least Privilege: Ensure OAuth scopes are limited to the minimum required for the app to function.
- Lock Down Guest Access: Review Experience Cloud permissions to ensure Aura endpoints do not expose records to unauthenticated users.
- Verify Identity Channels: Mandiant advises employees to hang up on suspicious “IT support” calls and call back through a known-good corporate channel.
Frequently Asked Questions
What is an OAuth token?
An OAuth token is a digital key that allows a third-party application to access specific data in another service (like Salesforce) without needing the user’s password.
Why doesn’t MFA stop these attacks?
MFA protects the initial login. Once a user grants an OAuth token to an app, that app can access data via API calls without requiring the user to log in or provide MFA again.
Which industries are most at risk?
Microsoft reported seeing this activity across retail, education, and manufacturing tenants.
What is vishing?
Vishing is “voice phishing,” where attackers use phone calls to manipulate victims into revealing secrets or performing actions, such as approving a malicious app request.
Want to stay ahead of SaaS security threats? Subscribe to our newsletter for deep-dive analysis on cloud vulnerabilities and enterprise defense strategies.
