ShinyHunters Abusing OAuth to Compromise SaaS Apps

Executive Summary

On 13 July 2026, Microsoft researchers published details of a ShinyHunters campaign active between mid-2025 and mid-2026 targeting customer SaaS-based applications, especially Salesforce instances, through voice phishing (vishing), supply chain compromise, and misconfigured guest access. The threat actors abused trusted OAuth relationships for unauthorized access, data exfiltration, and persistence.  ShinyHunters has demonstrated a consistent pattern of vishing-based social engineering, including against RH-ISAC Core Members.

Key Takeaways

  • This tradecraft highlights how a single entry point can rapidly expand to greater enterprise impacts, with activity observed across many tenants in industries including retail, education, and manufacturing.
  • Threat actors abused trusted OAuth relationships for unauthorized access, data exfiltration, and persistence.
  • Malicious activity often appeared indistinguishable from legitimate Salesforce usage because threat actors operated through trusted identities, approved OAuth applications, and authorized integrations.

Mitigation Recommendations

  • Monitor OAuth-connected applications, validate third-party integrations, review guest access configurations, and enable Salesforce event monitoring.
  • Organizations often create applications for temporary or one-time use that are rarely removed afterward, these unused apps continue to retain permissions. Security teams should identify applications inactive for 90 days or more and revoke access where appropriate to reduce the attack surface.
  • Implement risk-based prioritization of connected apps: each application should be assigned a numerical risk score based on usage patterns, permission sensitivity, and behavioral signals, enabling security teams to focus on applications requiring immediate attention and create custom policies based on risk thresholds to trigger alerts and notifications.
Additional recommendations:
  • Connect Salesforce instances to Microsoft Defender for Cloud Apps for improved visibility and threat detection.
  • Secure Experience Cloud Guest User access and proactively monitor Salesforce event logs.
  • Leverage Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents and hunt for threats.

TTPs (MITRE ATT&CK)

Initial Access – T1566 / T1598 (Phishing / Vishing)

Threat actors conducted vishing attacks impersonating IT support personnel, socially engineering employees into authorizing attacker-controlled connected apps, in several cases guiding users through the OAuth consent workflow to grant access to a malicious application disguised as a legitimate Salesforce Data Loader tool.

Supply Chain Compromise – T1195

Threat actors escalated into supply-chain-driven attacks targeting third-party SaaS vendors. In August 2025, compromised Salesloft Drift credentials enabled attackers to obtain connection secrets used by downstream applications. A subsequent November 2025 campaign targeted Gainsight-published applications, allowing persistent API access in multiple Salesforce customer instances.

Exploitation of Misconfigured Access – T1078 (Valid Accounts)

Threat actors leveraged unauthenticated access to Aura framework functionality and used GraphQL-based Aura requests to systematically query and retrieve data, taking advantage of misconfigured guest-user permissions and chaining Aura requests to extract significantly larger volumes of data than would typically be accessible.

Collection & Exfiltration – T1530 / T1213

Threat actors performed discovery, bulk data queries, and mass exfiltration of sensitive CRM records (including accounts, contacts, and service case data) without generating traditional sign-in anomalies.

Persistence – T1550.001 (Application Access Token)

After users granted consent, highly privileged OAuth applications enabled threat actors to perform API calls on behalf of the victim user, facilitating enumeration of Salesforce instances, persistent access to CRM data, and possible lateral movement into other SaaS platforms. Data was exfiltrated through sanctioned application access inherited from user privileges.

Detection Methods

Microsoft expanded Salesforce visibility in Defender for Cloud Apps through additional event telemetry, connected application attribution, and enhanced application permissions insights – helping security teams identify suspicious OAuth activity, investigate potentially compromised integrations, and better understand how access was obtained and used.

Key detection capabilities include:
  • Near-real-time visibility into Salesforce security and activity events; connected application attribution including OAuth scopes; expanded identity, session, and API activity context; and improved correlation within Microsoft Defender across identities, applications, and SaaS environments.
Advanced Hunting Queries are available for:

More Recent Blog Posts

Executive Summary On 02 July 2026, SOCRadar researchers linked the financially-motivated campaign dubbed “FortiBleed” to the Ransom and Lynx ransomware operations, marking the...

Executive Summary On 19 June 2026, the threat group Icarus claimed to have compromised and exfiltrated data from customers of Klue, specifically the...

Executive Summary A report published by The Hacker News on 17 June 2026 detailed a software supply chain attack impacting 144 npm packages...