ShinyHunters Abuses OAuth to Target SaaS Applications, Including Salesforce
Microsoft has observed threat actors, likely associated with the ShinyHunters group, exploiting OAuth relationships and trusted workflows to gain unauthorized access to SaaS applications like Salesforce.

Microsoft has identified a series of campaigns, spanning from mid-2025 to mid-2026, where threat actors exhibiting tradecraft consistent with the ShinyHunters group have targeted Software-as-a-Service (SaaS) applications, notably Salesforce instances. These attacks did not exploit inherent software vulnerabilities but rather abused trusted OAuth relationships and legitimate workflows to achieve unauthorized access, exfiltrate data, and maintain persistence.
The intrusion methods employed by the attackers were multifaceted, primarily falling into three categories: voice phishing (vishing) to trick users into authorizing malicious OAuth applications, supply chain compromises targeting trusted third-party integrations, and the exploitation of misconfigured guest access. These techniques allowed attackers to leverage inherited user and application privileges, enabling them to query sensitive customer relationship management (CRM) records and evade conventional authentication-based detection mechanisms.
One prominent attack vector involved vishing campaigns where actors impersonated IT support personnel. They socially engineered employees into granting consent for attacker-controlled applications within their Salesforce tenant, often disguising malicious apps as legitimate tools like Salesforce Data Loader. Once authorized, these privileged OAuth applications facilitated API calls on behalf of the victim user, leading to enumeration of Salesforce instances, persistent access to CRM data, and potential lateral movement into other SaaS platforms via discovered credentials.
Another significant strategy involved supply chain compromises. Attackers escalated their efforts by targeting third-party SaaS vendors that integrate with Salesforce. For instance, compromised Salesloft credentials in August 2025 allowed attackers to obtain connection secrets and use OAuth tokens to access multiple customer Salesforce instances. Similar tactics were observed in November 2025 targeting Gainsight-published applications, enabling persistent API access. More recently, in June 2026, the market intelligence platform Klue was also targeted, with threat actor Storm-3138 gaining access and using credentials to exfiltrate Salesforce customer data.
The third observed intrusion path involved the abuse of misconfigured guest access. Microsoft noted an increase in suspicious guest-user activity targeting Salesforce Aura endpoints. Attackers leveraged unauthenticated access to Aura framework functionality and employed GraphQL-based requests to systematically query and retrieve data. By chaining these requests and bypassing standard record-retrieval limitations, actors could extract large volumes of data that would typically be inaccessible to guest users.
Across all these intrusion paths, the common thread was the reliance on inherited trusted application or user privileges, making the malicious activity difficult to distinguish from normal operations. This quiet persistence and large-scale data access underscore the critical need for enhanced detection, visibility, and governance of OAuth-connected applications and guest user accounts within SaaS environments.
Microsoft has collaborated with Salesforce to improve telemetry granularity in Defender for Cloud Apps, offering near-real-time detection, connected application attribution, and expanded application permission insights. The observed activity impacted various industries, including retail, education, and manufacturing, highlighting the widespread risk to sensitive data and downstream SaaS ecosystems.