Microsoft maps three ShinyHunters-tradecraft OAuth-abuse paths against Salesforce customers — none exploiting a Salesforce vulnerability
Microsoft Threat Intelligence documented a year-long (mid-2025 to mid-2026) set of campaigns using tradecraft commonly associated with ShinyHunters (registry alias UNC6240) against Salesforce-integrated environments, through three distinct paths rather than any Salesforce product vulnerability (Microsoft Threat Intelligence, 2026-07-13). First, vishing-driven OAuth-consent abuse: attackers impersonating IT support socially engineer employees through the OAuth authorization workflow into granting a malicious connected app — disguised as the legitimate Salesforce Data Loader — full API access inherited from the victim's own privileges, letting them enumerate and exfiltrate CRM data through sanctioned application access that never trips a sign-in anomaly. Second, SaaS supply-chain compromise: compromised Salesloft Drift credentials (August 2025) exposed OAuth connection secrets reused across customer tenants; a November 2025 campaign abused Gainsight-published Salesforce apps the same way; and in June 2026 an actor Microsoft tracks as Storm-3138 compromised the Klue competitive-intelligence platform and reused harvested Salesforce credentials to query and exfiltrate customer CRM data. Third, guest-access abuse: requests chained against Salesforce's Aura framework via misconfigured guest-user accounts pulled far more data than a guest session should reach (The Hacker News, 2026-07-14). Microsoft observed the activity across retail, education and manufacturing tenants and states existing authentication-focused detections gave "limited visibility" because the traffic is indistinguishable from legitimate integration.
Threat actors socially engineered employees into authorizing attacker-controlled connected apps within their Salesforce tenant.
This activity was not the result of a vulnerability inherent to Salesforce.
malicious activity often appeared indistinguishable from legitimate Salesforce usage because threat actors operated through trusted identities, approved OAuth applications, and authorized integrations.
Defender actions
- Audit Salesforce connected apps for unrecognized or over-privileged OAuth grants — specifically apps posing as legitimate integration tooling (e.g. a Data Loader lookalike) and any connected app inactive for 90+ days — and revoke them; this is the trust relationship the campaign abuses, and it is invisible to sign-in-anomaly detection.
ATT&CK mapping
4 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1199Trusted Relationship
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
T1566.004Phishing: Spearphishing Voice
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.
Credential Access TA0006
T1528Steal Application Access Token
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Exfiltration TA0010
T1567Exfiltration Over Web Service
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.