Microsoft is warning Salesforce customers that ShinyHunters-linked activity has been abusing trusted OAuth relationships, third-party integrations, and guest access paths to reach CRM data without exploiting a flaw in Salesforce itself.[1] The report, published on July 13, 2026, is useful because it moves the story away from one-off breach names and toward the control gap that keeps repeating: approved apps and integrations can become quiet data-theft channels.
According to Microsoft, the campaigns observed between mid-2025 and mid-2026 used three main paths. First, vishing pushed employees into approving attacker-controlled connected apps, sometimes disguised as a Salesforce Data Loader workflow. Second, attackers abused compromised trusted integrations, including incidents tied to Salesloft Drift, Gainsight, and the more recent Klue case. Third, Microsoft saw suspicious Salesforce Aura and GraphQL activity where misconfigured guest access exposed more data than intended.[1]
The important nuance for defenders is that these attacks can look like normal SaaS usage. When an OAuth app already has permission, or when a vendor integration is expected to call Salesforce APIs, ordinary sign-in alerts may not fire. Microsoft said the activity could allow CRM enumeration, bulk queries, report export, persistence, and exfiltration while inheriting the permissions of a real user or trusted application.[1]
What Salesforce admins should check now
Start with the connected-app inventory, not just the login dashboard. Review installed and external connected apps, granted OAuth scopes, refresh-token behavior, permitted-user settings, and whether self-authorization is still allowed where admin approval would be safer. Salesforce documentation notes that OAuth policies can define which users may access a connected app, IP restrictions, and refresh-token validity, while Event Monitoring provides access to detailed security and usage data across Salesforce apps.[3][4]
For a quick triage pass, look for high-privilege or stale connected apps, apps unused for 90 days or more, sudden API-heavy access, report exports, unusual connected-app IP addresses, new endpoints used by known integrations, and guest-user activity against Aura endpoints. Microsoft published Defender hunting ideas for Salesforce API events, report exports, connected-app activity, and very-high-risk users signing into Salesforce, plus IOCs including 138.226.246.94 and Aura-targeting IPs such as 103.75.11.78 and 103.75.11.110.[1]
Organizations that use Salesforce Experience Cloud should separately verify guest-user permissions. The danger is not only whether a page is public, but whether public guest context can reach objects, fields, or Aura endpoints that were never meant to expose CRM data at scale. If a partner, support, or marketing integration has broad Salesforce access, treat its token history as part of the incident surface, not as a harmless third-party detail.
This also connects to earlier SaaS identity incidents. The Klue Salesforce OAuth breach showed how a trusted app can become the access path; the Oracle PeopleSoft ShinyHunters attacks showed the same extortion ecosystem moving across enterprise platforms; and the recent Evilginx Microsoft 365 device-code campaign is another reminder that attackers increasingly target authorization flows and tokens rather than passwords alone.
The near-term response is straightforward: revoke unknown or over-permissioned apps, rotate secrets for exposed integrations, narrow OAuth scopes, disable unused vendor connections, audit recent Salesforce report exports and SOQL-heavy API activity, and confirm that guest profiles cannot read sensitive objects. If unexplained bulk access appears in logs, assume CRM data exposure until the specific app, user, object set, and export path are understood.
References
- Microsoft Security Blog, “Defending SaaS-based applications against ShinyHunters OAuth abuse”, July 13, 2026.
- The Hacker News, “Microsoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHunters Activity”, July 14, 2026.
- Salesforce Help, “Manage OAuth Access Policies for a Connected App”, reviewed July 14, 2026.
- Salesforce Help, “Event Monitoring”, reviewed July 14, 2026.
Leave a Comment