Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The ShinyHunters Attack: A Year of Exploiting Trust to Steal Salesforce Data


Microsoft recently mapped three distinct attack paths used by the ShinyHunters group to breach corporate Salesforce environments without exploiting any vulnerabilities within the platform itself. The attackers relied on OAuth connections and third-party vendors to gain trust, which allowed them to walk into these secure realms undetected.

  • ShinyHunters group breached numerous corporate Salesforce environments using OAuth connections and third-party vendors, without exploiting any vulnerabilities within the platform.
  • The attackers relied on trust extended through OAuth connections with approved apps and vendors to gain access to secure realms undetected.
  • Three attack paths were identified: vishing calls that tricked employees into approving malicious connected apps, stolen OAuth tokens from compromised software vendors, and misconfigured guest-access to Salesforce sites.
  • Microsoft worked with Salesforce to roll out new detection and governance tooling to address authentication logs and prevent similar attacks in the future.
  • The incident highlights the importance of robust security measures for Salesforce organizations, including regular inventorying and monitoring of connected apps and authentication logs.



  • The cybersecurity world was recently shaken by a shocking revelation regarding the activities of the notorious data-extortion group, ShinyHunters. In a comprehensive report published by Microsoft in collaboration with Salesforce, it was uncovered that the attackers managed to breach numerous corporate Salesforce environments without exploiting any vulnerabilities within the platform itself. Instead, they relied on the trust that organizations had extended through OAuth connections with approved apps and third-party vendors. This seemingly innocuous method allowed them to walk into these secure realms undetected.

    The research, which spanned over a year from mid-2025 to mid-2026, was conducted by Microsoft, which mapped three distinct attack paths used by the ShinyHunters group. These techniques were designed to exploit trust in various ways, including vishing calls that tricked employees into approving malicious connected apps, stolen OAuth tokens from compromised software vendors, and misconfigured guest access to Salesforce sites.

    The first attack path was initiated with vishing calls posing as IT support personnel, who guided employees through the OAuth consent screen. Upon granting consent, the attackers could make API calls as the authorized user, allowing them to enumerate Salesforce data, hold persistent access to CRM records, and hunt for credentials that might open doors to other SaaS platforms. This campaign was documented by Google's Threat Intelligence Group (GTIG) in mid-2025.

    The second attack path involved compromising a third-party vendor whose app already held OAuth access to its customers' Salesforce orgs. The attackers stole connection secrets or tokens, and used them to query and export data across multiple downstream instances at once. This approach allowed the attackers to blend into normal automation traffic, as it came from approved integrations.

    The third attack path was even more insidious, as it relied on misconfigured guest-user activity against Salesforce Aura endpoints. By using cursor-based pagination to pull records beyond the standard 2,000-record query limit, the attackers were able to access far more data than they should have, without requiring any credentials or exploit.

    In response to these attacks, Microsoft worked closely with Salesforce to roll out new detection and governance tooling aimed at addressing authentication logs. The group's related detection points used the AuraInspector tooling to probe these endpoints.

    Microsoft groups the activity into three intrusion paths: vishing calls that trick employees into approving a malicious connected app, stolen OAuth tokens from compromised software vendors, and misconfigured guest access to Salesforce sites. Each maps onto a Salesforce incident from the past year, with Microsoft saying they saw the activity across tenants in industries such as retail, education, and manufacturing.

    The attackers were able to reach these corporate environments without exploiting any vulnerabilities within the platform itself. Instead, they relied on the trust that organizations had extended through OAuth connections with approved apps and third-party vendors.

    A closer look at each of the three attack paths reveals how the ShinyHunters group managed to exploit this trust to gain access to Salesforce data. In the first campaign, Google's GTIG and Mandiant documented an initial access scenario that tracked back to UNC6040 in mid-2025. This was followed by an extortion campaign that continued until 2026, with Google confirming its own corporate Salesforce instance was hit in June 2025.

    The second attack path involved compromising a third-party vendor whose app already held OAuth access to its customers' Salesforce orgs. The attackers stole connection secrets or tokens, and used them to query and export data across multiple downstream instances at once. This approach allowed the attackers to blend into normal automation traffic, as it came from approved integrations.

    The third attack path was even more insidious, as it relied on misconfigured guest-user activity against Salesforce Aura endpoints. By using cursor-based pagination to pull records beyond the standard 2,000-record query limit, the attackers were able to access far more data than they should have, without requiring any credentials or exploit.

    In response to these attacks, Microsoft worked closely with Salesforce to roll out new detection and governance tooling aimed at addressing authentication logs. The group's related detection points used the AuraInspector tooling to probe these endpoints.

    The guidance from Microsoft is practical and aligns with the advice of vendors in each incident. It recommends that customers connect their Salesforce instances to Defender for Cloud Apps for additional telemetry, turn on and monitor Salesforce event logs, and lock down Experience Cloud guest-user access.

    In addition, Microsoft advises organizations to inventory connected apps, cut those that are no longer used, scope the rest to least privilege, and be prepared to revoke and rotate tokens as soon as an integration starts behaving oddly. This advice is grounded in the observation that the identity controls most companies spent the last decade building were made for human logins.

    The attackers who exploited this weakness ran their campaigns for a year, demonstrating how easily an organization's security posture can be breached by exploiting what appears to be trust. The fact that these attacks relied on OAuth connections and third-party vendors highlights the importance of inventorying connected apps and revoking unused permissions.

    Furthermore, it is essential for organizations to monitor authentication logs and be prepared to address any anomalies in real-time. This includes implementing governance features such as posture and risk scores per app, which can help identify over-permissioned and forgotten integrations before they become issues.

    The ShinyHunters attack serves as a stark reminder of the importance of robust security measures for Salesforce organizations. By exploiting trust through OAuth connections and third-party vendors, these attackers were able to breach corporate environments without leaving any signs of compromise. The key takeaway from this incident is that an organization's identity controls, which were built to protect human logins, may not be sufficient to prevent attacks against SaaS platforms.

    In conclusion, the ShinyHunters attack highlights the importance of robust security measures for Salesforce organizations and underscores the need for regular inventorying and monitoring of connected apps and authentication logs. By implementing these practices, organizations can reduce their risk of falling victim to similar attacks in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-ShinyHunters-Attack-A-Year-of-Exploiting-Trust-to-Steal-Salesforce-Data-ehn.shtml

  • https://thehackernews.com/2026/07/microsoft-maps-year-long-shinyhunters.html


  • Published: Wed Jul 15 04:27:40 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us