Microsoft Maps Year-Long ShinyHunters Campaign Against Salesforce OAuth Trust
Microsoft has mapped a year of Salesforce intrusions tied to ShinyHunters tradecraft, none exploiting a platform flaw. Attackers walked in through OAuth trust: vishing, compromised vendor tokens, and misconfigured guest access.

Illustration representing a year-long OAuth-based attack campaign against Salesforce CRM environments through trusted third-party integrations.
Microsoft has published research mapping a year of intrusion campaigns against Salesforce environments, running from mid-2025 into mid-2026, tied to tradecraft associated with the data-extortion group ShinyHunters. None of the activity exploited a vulnerability in Salesforce itself. Every path in relied on trust the organisation had already extended, mostly through OAuth connections linking Salesforce to surrounding apps and third-party vendors.
That distinction matters for detection. When access comes through a connected app a user genuinely approved, or an integration the company already trusts, the resulting traffic looks like ordinary use. Standard sign-in and authentication monitoring barely registers it, because the failure point sits one layer beyond where most identity controls were built to look.
Microsoft groups the year of activity into three distinct intrusion paths. The first began with voice phishing calls, attackers posing as IT support and talking employees through Salesforce's OAuth consent screen to authorise a malicious connected app disguised as Salesforce's own Data Loader tool. Once approved, the app could make API calls as that user, enabling enumeration of CRM data, persistent access, and credential hunting across other connected SaaS platforms, all without malware or a stolen password.
The second path skipped employees entirely and went straight for the supply chain. Attackers compromised third-party vendors whose apps already held OAuth access to customer Salesforce environments, then stole the underlying tokens to query and export data across many downstream instances at once. Microsoft points to a progression of incidents built on this exact pattern, including the widely reported Salesloft Drift token theft in August 2025, a similar campaign against Gainsight-integrated apps in November 2025, and a more recent June 2026 incident affecting the Klue integration, where a long-dormant but still-active credential from an abandoned prototype integration gave attackers their way in.
The third path required no credentials at all. Microsoft observed a rise in suspicious guest-user activity against Salesforce's Aura framework, the backbone of Experience Cloud sites, where misconfigured guest permissions let attackers query and extract far more data than a guest role was ever meant to expose, using nothing more than pagination tricks against an open door.
This overall pattern, where the compromise runs through identity and access sprawl rather than a technical exploit, tracks closely with what regional analysts have already flagged as the dominant risk factor for financial institutions, where eighty per cent of breaches across the GCC in 2025 involved compromised credentials rather than software flaws. It also echoes the lesson from Trellix's own source code repository breach earlier this year: a vendor's security posture is now inseparable from every customer downstream of it, whether that vendor is a security firm or a CRM integration nobody has reviewed in years.
In response, Microsoft worked with Salesforce to expand visibility inside Defender for Cloud Apps, adding connected-app attribution, a 0 to 100 risk score per integration, and the ability to surface apps that have sat unused for 90 days or more while still holding live permissions. The practical guidance for any enterprise running Salesforce or comparable CRM platforms is unglamorous but specific: inventory every connected app, remove the ones nobody uses, scope the rest to least privilege, and be ready to revoke and rotate tokens the moment an integration starts behaving oddly.
Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA RegionOmar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.