Advertisement
Security

Beyond Credentials: The Year Salesforce Was Used Against Itself

Microsoft details how threat actors bypassed traditional defenses to compromise Salesforce environments via OAuth and guest access.

··4 hours ago·2 min read
a computer screen with a cloud shaped object on top of it
Photo by Hazel Z on Unsplash
Advertisement

Corporate security teams have long prioritized the defense of user passwords and multi-factor authentication, yet a year-long campaign by threat actors linked to ShinyHunters has demonstrated that the most critical vulnerabilities often exist in the trust already granted to connected applications. Between mid-2025 and mid-2026, attackers successfully accessed Salesforce environments without resorting to conventional exploit techniques or credential harvesting.

The Anatomy of OAuth Misuse

Microsoft researchers mapped these unauthorized incursions into three distinct operational pathways. These methods exploit the very mechanisms designed to integrate SaaS platforms, turning legitimate OAuth connections into conduits for data exfiltration. Because these actions mimic authorized service traffic, standard authentication logs frequently fail to register the suspicious activity.

Mandiant's advice to defenders was blunt: these calls exploit a help desk's instinct to be helpful, standard identity checks often do not apply, and the safe move is to hang up and call back on a known-good channel.

— Mandiant, Cybersecurity Firm

The Three Paths to Compromise

The first vector involved vishing, where attackers impersonated IT staff to persuade employees into authorizing a malicious connected app masquerading as the Salesforce Data Loader. The second path targeted third-party vendors, compromising their infrastructure to pilfer OAuth tokens and gain downstream access to customer Salesforce instances. Finally, the third path utilized misconfigured guest-user access, allowing unauthorized parties to query Aura endpoints and bypass standard record limits.

  • 700 organizations were potentially impacted by the Salesloft Drift compromise.
  • 200 affected Salesforce instances were linked to the Gainsight incident.
  • 1,000 organizations were estimated by the attackers to be reached across the Salesloft and Gainsight campaigns.
  • 90 days is the timeframe for identifying unused applications for potential revocation.

New Defenses for Modern Integrations

To combat this, Microsoft has integrated new governance and detection capabilities into Defender for Cloud Apps. By leveraging the Salesforce Shield Event Monitoring framework, security teams can now correlate API activity with specific application identities and OAuth scopes. Additionally, new posture assessment tools assign a 0 to 100 risk score to connected apps, enabling organizations to proactively decommission legacy integrations that remain active despite a lack of legitimate business utility.

Reframing the SaaS Security Paradigm

The primary takeaway for the industry is that modern identity controls are disproportionately focused on human users rather than the automated services that execute the bulk of business operations. As these campaigns illustrated, service accounts and third-party integrations often operate with excessive permissions and minimal oversight. Businesses must move beyond basic login security to enforce the principle of least privilege across all connected applications, ensuring that inactive credentials and over-scoped integrations do not become permanent entry points for unauthorized actors.

#cloud security#data breach#identity security#saas security#salesforce

Iliyas Mansuree

Founder & Editor, Xploitwire

16 years of experience in data privacy, cloud security, and information protection. More by this author →

← Back to all stories
Advertisement