Icarus extortion group turns a dormant Klue credential into bulk Salesforce CRM theft across customers
From CTI Daily Brief — 2026-06-19 · published 2026-06-19
A newly tracked extortion actor, Icarus (active since roughly April 2026), compromised the backend of Klue Battlecards, a competitive-intelligence SaaS that connects to customer Salesforce tenants over OAuth, and used that position to steal CRM data from Klue's enterprise customers (ReliaQuest, 2026-06-17). Icarus first obtained a dormant prototype-integration credential, then injected code into Klue's application layer to harvest the stored OAuth access tokens for each customer's Salesforce integration, and replayed those tokens against the Salesforce REST API directly: enumerating objects via /services/data/v59.0/sobjects/ and pulling records with SOQL via /services/data/v59.0/query. Each victim was queried for roughly 24 hours before Salesforce flagged the anomalous API usage and disabled the Klue integration platform-wide. The chain maps to T1199 Trusted Relationship → T1528 Steal Application Access Token → T1550.001 Use Alternate Authentication Material: Application Access Token (with T1078.004 Valid Accounts: Cloud Accounts for the integration user the token belongs to) → T1530 Data from Cloud Storage; for a CRM, T1213 Data from Information Repositories is the closer collection technique. Because the calls carried a valid delegated token and terminated at Salesforce, nothing in the victim's endpoint or network telemetry saw them. Huntress self-disclosed that its own Salesforce sales data (contacts, internal communications, pricing) was exfiltrated, while confirming that its own systems were not breached (Huntress, 2026-06-18). Icarus contacts victims directly under the alias "mr bean" on Session Messenger.
Why it matters to us: a delegated-OAuth grant to a third-party SaaS is a trust path around the perimeter; API calls made with the vendor's token look exactly like the vendor's normal sync traffic and never touch our endpoints or network. Actions: inventory Connected-App grants (Setup > Connected Apps OAuth Usage, or a SOQL query against the OauthToken object on AppName, UserId, LastUsedDate and UseCount) and revoke anything dormant or prototype-only; on each connected app's OAuth policies, restrict Permitted Users to admin-approved pre-authorized profiles, enforce IP restrictions rather than relaxing them, and cap refresh-token and session lifetimes so a harvested token dies quickly; and stream Salesforce Event Monitoring (the RestApi and ApiTotalUsage event log files, or the real-time ApiEvent and ApiAnomalyEvent streams; this needs the Shield/Event Monitoring add-on) to the SIEM, alerting when an integration user describes many sObjects in a short window, pages through large SOQL result sets, or calls from a client IP it has never used before.
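As an added illustration of the Event Monitoring detection above (not code from the brief, ReliaQuest, Huntress or Salesforce), the following Python scores RestApi event-log rows per integration user and hour for the three patterns Icarus produced: walking /sobjects/ and describing many objects, paging a large SOQL result set through query/queryMore, and calling from an unexpected source IP. The CSV columns are a constructed subset of the RestApi EventLogFile layout (URI is assumed to carry the path only), the user IDs, IPs, query locator and rows are fabricated, and the thresholds are placeholders to tune against each org's own integration baselines.

```python
"""Flag SObject-enumeration, bulk-SOQL and unexpected-IP patterns by
integration users in Salesforce RestApi event-log rows.  Added example for
this brief, not Salesforce, Klue, ReliaQuest or Huntress code.  The CSV
columns are a constructed subset of the RestApi EventLogFile layout (URI is
assumed to hold the path only) and every row, user ID, IP and locator below
is fabricated."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Matches the describe root (/sobjects/), a per-object URI and /describe.
SOBJECT_RE = re.compile(
    r"^/services/data/v\d+\.\d+/sobjects/?(?:(?P<name>\w+)(?:/describe)?/?)?$")
# Matches the initial query, queryAll, and queryMore pagination by locator.
QUERY_RE = re.compile(r"^/services/data/v\d+\.\d+/query(?:All)?(?:/[\w-]+)?/?$")

_HEADER = "TIMESTAMP,USER_ID,CLIENT_IP,METHOD,URI,STATUS_CODE,ROWS_PROCESSED"


def _row(ts, user, ip, uri, rows=0):
    """Build one constructed RestApi log row (GET, HTTP 200)."""
    return f"{ts},{user},{ip},GET,{uri},200,{rows}"


# Constructed rows: a routine sync by one integration user, then the Klue
# integration user's token replayed from a new IP to walk /sobjects/ and
# page through a large SOQL result set.
_LEGIT = [
    _row("20260616090000.000", "005INTEGA", "203.0.113.10",
         "/services/data/v59.0/query", 200),
    _row("20260616091500.000", "005INTEGA", "203.0.113.10",
         "/services/data/v59.0/sobjects/Opportunity/describe"),
    _row("20260616093000.000", "005INTEGA", "203.0.113.10",
         "/services/data/v59.0/query", 350),
]
_OBJECTS = ["Account", "Contact", "Lead", "Opportunity", "Case", "User", "Task",
            "Event", "Campaign", "Contract", "Quote", "Order", "Product2",
            "Pricebook2", "EmailMessage"]
_ATTACK = [_row("20260617020000.000", "005KLUEINT", "198.51.100.77",
                "/services/data/v59.0/sobjects/")]
_ATTACK += [_row(f"202606170200{i + 1:02d}.000", "005KLUEINT", "198.51.100.77",
                 f"/services/data/v59.0/sobjects/{name}/describe")
            for i, name in enumerate(_OBJECTS)]
_ATTACK += [_row(f"2026061702100{i}.000", "005KLUEINT", "198.51.100.77",
                 "/services/data/v59.0/query" if i == 0
                 else f"/services/data/v59.0/query/01g5e00000Locator-{2000 * i}",
                 2000)
            for i in range(6)]
SAMPLE_LOG = "\n".join([_HEADER] + _LEGIT + _ATTACK) + "\n"

# Source IPs each integration user is expected to call from (constructed).
KNOWN_IPS = {"005INTEGA": {"203.0.113.10"}, "005KLUEINT": {"203.0.113.10"}}


def parse_rows(log_text):
    """Yield RestApi rows with TIMESTAMP and ROWS_PROCESSED typed."""
    for r in csv.DictReader(io.StringIO(log_text)):
        r["TIMESTAMP"] = datetime.strptime(r["TIMESTAMP"], "%Y%m%d%H%M%S.%f")
        r["ROWS_PROCESSED"] = int(r["ROWS_PROCESSED"] or 0)
        yield r


def analyze(log_text, known_ips, describe_threshold=10, rows_threshold=10000):
    """Bucket rows per (user, hour) and return alert dicts for: many distinct
    sObjects described, large SOQL row volume, and calls from unexpected IPs."""
    buckets = defaultdict(lambda: {"objects": set(), "rows": 0, "ips": set(),
                                   "listed_root": False})
    for r in parse_rows(log_text):
        b = buckets[(r["USER_ID"], r["TIMESTAMP"].strftime("%Y-%m-%dT%H"))]
        b["ips"].add(r["CLIENT_IP"])
        m = SOBJECT_RE.match(r["URI"])
        if m:
            if m.group("name"):
                b["objects"].add(m.group("name"))
            else:
                b["listed_root"] = True
        elif QUERY_RE.match(r["URI"]):
            b["rows"] += r["ROWS_PROCESSED"]

    alerts = []
    for (user, hour), b in sorted(buckets.items()):
        if len(b["objects"]) >= describe_threshold:
            suffix = " after listing /sobjects/" if b["listed_root"] else ""
            alerts.append({"user": user, "hour": hour, "rule": "sobject_enumeration",
                           "detail": f"{len(b['objects'])} objects described{suffix}"})
        if b["rows"] >= rows_threshold:
            alerts.append({"user": user, "hour": hour, "rule": "bulk_soql",
                           "detail": f"{b['rows']} rows returned via query/queryMore"})
        unexpected = b["ips"] - known_ips.get(user, set())
        if unexpected:
            alerts.append({"user": user, "hour": hour, "rule": "unexpected_ip",
                           "detail": "calls from " + ", ".join(sorted(unexpected))})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```

In production, pull the RestApi EventLogFile hourly and key the baseline on each connected app's integration user rather than on one global threshold; the log files lag by hours, so if the org has Real-Time Event Monitoring, feed the ApiEvent stream into the same logic to close the window in which a harvested token is useful.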