A collection of high-impact campaigns linked by overlapping tradecraft to ShinyHunters, through which attackers abused trusted Salesforce OAuth relationships to bypass standard MFA protections, set up persistence, and exfiltrate CRM information at scale.
The exercise, noticed from mid-202520252025 by mid-202620262026, affected organizations in retail, schooling, and manufacturing.
Microsoft emphasised that the campaigns didn’t exploit an inherent Salesforce vulnerability. As an alternative, the operators manipulated official OAuth workflows, compromised trusted SaaS integrations, and abused overly permissive visitor entry configurations.
Essentially the most outstanding intrusion route concerned voice phishing, or vishing. Attackers impersonated IT help workers and persuaded workers to authorize attacker-controlled linked functions in Salesforce.
In confirmed instances, the malicious utility was introduced as a official Salesforce Information Loader utility.
As soon as a person authorized the OAuth consent request, the applying inherited that person’s permissions and will difficulty Salesforce API calls with out requiring the attacker to authenticate repeatedly.
This successfully neutralized MFA as a significant barrier, because the malicious exercise occurred by a legitimate, approved OAuth session moderately than by way of a stolen password or an anomalous login.
Microsoft mentioned the entry enabled attackers to enumerate Salesforce environments, question CRM information, preserve persistent entry, and doubtlessly uncover credentials that would facilitate motion into different SaaS companies.
In a collection of campaigns noticed between mid-2025 and mid-2026, Microsoft recognized menace actor exercise with overlapping tradecraft generally related to ShinyHunters, together with voice phishing (vishing).
As a result of the calls originated from authorized functions and operated with official person privileges, they might evade detections targeted on suspicious sign-ins.
Salesforce OAuth Abused
The menace actors additionally focused Salesforce-connected distributors and integrations. In August 202520252025, compromised credentials related to Salesloft Drift reportedly uncovered connection secrets and techniques utilized by downstream SaaS functions, enabling attackers to make use of OAuth tokens throughout a number of buyer Salesforce tenants.
A later marketing campaign in November 202520252025 affected Gainsight-published functions built-in with Salesforce. Based on Gainsight’s advisory, attackers abused trusted exterior connections to protect API entry throughout buyer environments.
Microsoft additional linked comparable strategies to the June 202620262026 Klue incident, the place Storm-3138 accessed credentials used to succeed in Salesforce buyer cases. Klue mentioned the actor used these credentials to find, question, and extract buyer information.
In every case, using official integration tokens made bulk discovery and export exercise resemble regular utility conduct.
Attackers may entry accounts, contacts, and service-case data with out producing the login anomalies generally related to account compromise.
Microsoft moreover noticed suspicious exercise towards Salesforce Aura endpoints. Attackers exploited misconfigured Expertise Cloud guest-user permissions and despatched GraphQL entry based mostly Aura requests to enumerate and retrieve uncovered information.
The exercise didn’t depend on a software program flaw. As an alternative, it exploited visitor entry granted past what was obligatory. By chaining Aura requests, attackers may bypass regular file retrieval constraints and extract considerably extra info than visitor customers ought to ordinarily entry.
Salesforce directors ought to overview Expertise Cloud guest-user safety steerage and take away pointless object, area, and file permissions.
Microsoft expanded its Defender for Cloud Apps Salesforce connector to help near-real-time Salesforce telemetry by Salesforce Defend Occasion Monitoring.
The improved integration offers connected-app attribution, OAuth scope visibility, API context, and risk-based insights for privileged or inactive functions.
Organizations ought to stock each linked and exterior shopper utility, validate OAuth scopes, revoke unused integrations, and examine functions holding broad administrative or data-access permissions.
They need to additionally monitor Salesforce occasion logs for bulk API queries, uncommon export patterns, newly approved linked apps, and surprising exercise from non-human identities.
The campaigns reveal that MFA alone can’t cease assaults that exploit trusted authorization. In SaaS environments, OAuth consent, third-party integrations, and visitor permissions have to be handled as essential id safety controls moderately than operational conveniences.
Indicators of compromise (IOC)
| Indicator  | Sort  | Description  |
| 138.226.246.94 | IP tackle | Utilized by the Klue integration to name Salesforce API to carry out CRM queries on June 11. Beforehand disclosed by Klue of their notification in regards to the breach. |
| 212.86.125.24 | IP tackle | |
| 213.111.148.90 | IP tackle | |
| 94.154.32.160 | IP tackle | |
| 103.75.11.78 | IP tackle | Used to focus on the Aura framework with visitor entry from June 19 to 22. These IP addresses weren’t beforehand revealed and have been found by Microsoft as a part of a novel marketing campaign. |
| 103.75.11.110 | IP tackle |
Word: IP addresses and domains are deliberately defanged (e.g., [.]) to stop unintentional decision or hyperlinking. Re-fang solely inside managed menace intelligence platforms comparable to MISP, VirusTotal, or your SIEM.
Cease Accepting SLAs Written for 2019 SOCs – Right here’s the 2026 AI SLA Vendor Guidelines – Obtain Free AI SOC SLA Information







