ctipilot.ch


Klue / Icarus — one dormant integration credential cascades into multi-tenant Salesforce CRM theft

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

The Icarus extortion actor turned a single legacy credential at a SaaS integration vendor into bulk CRM theft across that vendor's customer base. First covered 2026-06-19: Icarus (active since ~April 2026) compromised the backend of Klue Battlecards — a competitive-intelligence SaaS that integrates with customer Salesforce tenants over OAuth — obtained a dormant/prototype-integration credential, injected code into Klue's application layer to harvest each customer's stored Salesforce OAuth access tokens, then queried the Salesforce REST API directly for ~24 hours per victim before Salesforce flagged the anomaly (ReliaQuest, 2026-06-17; daily 06-19). By 2026-06-21 the named victim list had grown to include Huntress, Recorded Future, Tanium and Jamf, the harvested tokens spanned Salesforce plus Gong, HubSpot and SharePoint, and Huntress forensics tied the abuse to Salesforce REST calls at /services/data/v59.0/query/ carrying a python-urllib User-Agent (Klue, 2026-06-19; Huntress, 2026-06-18; daily 06-21).

The chain — compromise an integration platform's legacy credential, harvest downstream OAuth tokens, query customer CRM APIs from the platform's legitimate IP range (T1199, T1528, T1078.004, T1530) — bypasses every endpoint and network control the victim operates, and is the same trust-path class as the broader Salesforce-OAuth extortion wave. For CH/EU SOCs the takeaway is governance of delegated-OAuth grants: inventory and revoke dormant third-party SaaS integrations, enforce IP restrictions and short token TTLs on connected-app policies, and stream Salesforce Event Monitoring for non-user API principals and python-urllib-style callers.
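The last recommendation, turned into detection logic as an added example (not code from ctipilot.ch, Klue or Huntress): it scores constructed API-event records on the three indicators the brief names, the REST `/services/data/vNN.N/query/` endpoint, a python-urllib User-Agent and a non-user integration principal, and alerts per principal. The record field names, the vendor User-Agent string and the IP addresses are assumptions; a real deployment maps the org's Event Monitoring columns into this shape first.

```python
import re
from collections import defaultdict

# Indicators taken from the brief: Salesforce REST query endpoint and the
# default User-Agent of Python's urllib client.
REST_QUERY = re.compile(r"^/services/data/v\d+\.\d+/query/?")
SCRIPTED_UA = re.compile(r"^python-urllib/", re.IGNORECASE)

# Constructed API-event records (field names are assumptions, not Salesforce's
# schema). Note the abusive calls come from the same principal and the same
# vendor IP as the legitimate traffic, so IP allowlisting alone would miss them.
SAMPLE_EVENTS = [
    # Vendor integration behaving normally: branded client, record fetch.
    {"principal": "klue-integration@corp.example", "user_type": "integration",
     "uri": "/services/data/v59.0/sobjects/Account/001xx000000000001",
     "user_agent": "ExampleVendorSync/2.3", "src_ip": "203.0.113.10"},
    # Same principal and IP, but a raw urllib client paging SOQL results.
    {"principal": "klue-integration@corp.example", "user_type": "integration",
     "uri": "/services/data/v59.0/query/",
     "user_agent": "Python-urllib/3.11", "src_ip": "203.0.113.10"},
    {"principal": "klue-integration@corp.example", "user_type": "integration",
     "uri": "/services/data/v59.0/query/01gxx000000001-2000",
     "user_agent": "Python-urllib/3.11", "src_ip": "203.0.113.10"},
    # Interactive user running a report: query endpoint, but not scripted.
    {"principal": "alice@corp.example", "user_type": "standard",
     "uri": "/services/data/v59.0/query/",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "src_ip": "198.51.100.7"},
]

def classify(event):
    """Return the list of indicators that apply to a single event."""
    reasons = []
    if SCRIPTED_UA.search(event["user_agent"]):
        reasons.append("python-urllib user-agent")
    if REST_QUERY.match(event["uri"]):
        reasons.append("REST query endpoint")
    if event["user_type"] != "standard":
        reasons.append("non-user API principal")
    return reasons

def detect(events, min_hits=2):
    """Alert on principals with >= min_hits events carrying all three indicators."""
    hits = defaultdict(list)
    for ev in events:
        if len(classify(ev)) == 3:
            hits[ev["principal"]].append(ev)
    return {p: {"count": len(evs), "src_ips": sorted({e["src_ip"] for e in evs})}
            for p, evs in hits.items() if len(evs) >= min_hits}

if __name__ == "__main__":
    for principal, finding in detect(SAMPLE_EVENTS).items():
        print(principal, finding)
```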