Attackers aligned with the data-extortion group ShinyHunters have successfully breached corporate Salesforce environments over the past year by exploiting trusted connections rather than platform vulnerabilities. These intrusions, detailed in recent Microsoft research, highlight critical blind spots in how organizations monitor their cloud-based CRM systems, particularly concerning compromised OAuth configurations and legacy access methods. The findings underscore the growing sophistication of cyber threats targeting business-critical platforms like Salesforce.
Microsoft’s investigation, conducted in collaboration with Salesforce, mapped three distinct intrusion paths that attackers leveraged from mid-2025 to mid-2026. These methods bypassed traditional security controls by disguising malicious activity as legitimate use, exploiting the inherent trust granted to integrated applications and third-party vendors. The research aims to provide organizations with enhanced visibility and governance to counter these evolving threats.
Exploiting Trust: New Salesforce Attack Paths Revealed
The crux of these attacks lies in how attackers gain initial access and subsequently exfiltrate data from Salesforce. Unlike traditional exploits that target software flaws, these campaigns capitalize on established trust relationships. This includes tricking employees into authorizing malicious applications, stealing credentials from compromised vendors, or exploiting misconfigured public-facing portals. The challenge for security teams is that these actions often appear as routine operations within Salesforce’s extensive ecosystem.
Microsoft’s analysis identified three primary intrusion vectors: vishing calls designed to trick employees into approving malicious connected apps, the theft of OAuth tokens from compromised third-party vendors, and the exploitation of poorly secured guest access to Salesforce Experience Cloud sites. These varied techniques allowed attackers to target a broad range of industries, including retail, education, and manufacturing, demonstrating the widespread applicability of these infiltration methods.
The Vishing-Driven Approach
One of the initial and most concerning methods involved voice phishing, or vishing, which began in mid-2025. Attackers posed as IT support personnel, guiding employees through the Salesforce OAuth consent screen to authorize a malicious connected app. This app, disguised as a legitimate tool like Salesforce’s Data Loader, could then make API calls on behalf of the authorized user. This allowed attackers to enumerate Salesforce data, maintain persistent access to CRM records, and search for credentials to access other cloud platforms without needing to exploit any Salesforce vulnerabilities.
This specific campaign was also documented by Google’s Threat Intelligence Group (GTIG) and Mandiant, which tracked initial access under the identifier UNC6040 and subsequent extortion as UNC6240. Both groups claimed affiliation with ShinyHunters, applying pressure on victims. Google itself reported a breach of its corporate Salesforce instance in June 2025 due to this method, though they managed to cut off the attackers. High-profile companies like Chanel, Pandora, Adidas, and several LVMH brands were also reportedly targeted in this wave, highlighting the significant impact of this attack vector.
Stolen OAuth Tokens from Compromised Vendors
A more sophisticated attack path bypassed direct employee interaction by compromising third-party vendors that held legitimate OAuth access to their customers’ Salesforce organizations. By stealing these connection secrets or tokens, attackers could access and export data from multiple downstream Salesforce instances simultaneously. Because the traffic originated from an approved integration, it often bypassed standard sign-in alarms and blended seamlessly with normal automated processes.
Notable incidents include the August 2025 compromise of Salesloft’s Drift integration. Attackers stole OAuth and refresh tokens for the Drift AI chat integration, which then allowed them to target Salesforce customer environments. Google estimated that this single incident potentially exposed over 700 organizations, including major tech companies like Cloudflare and Zscaler. The root cause was traced back to unauthorized access to Salesloft’s GitHub account, which provided a pathway to steal tokens from Drift’s AWS environment. In November 2025, the Gainsight platform experienced a similar attack, with Salesforce intervening after detecting unusual API activity. GTIG attributed this campaign to ShinyHunters affiliates, affecting over 200 Salesforce instances. More recently, in June 2026, the Klue competitive intelligence platform was breached via a legacy credential left active, leading to the harvesting of customer OAuth tokens and subsequent access to Salesforce and Gong data.
Guest Access Exploitation
The third intrusion path involves exploiting misconfigured guest access to Salesforce Experience Cloud sites. Attackers targeted Aura endpoints, the framework behind these public-facing sites, and used misconfigured guest user permissions to access Aura functionality without proper authentication. By leveraging cursor-based pagination through the GraphQL Aura controller, attackers could retrieve data far exceeding the intended limits of the guest role, effectively extracting extensive information left exposed by weak access controls.
This threat vector highlights a critical oversight in managing public-facing Salesforce resources. The lack of robust authentication and authorization for guest users allowed attackers to bypass security measures, demonstrating that even seemingly minor configuration errors can lead to significant data breaches. The research emphasizes the need for stringent review and lockdown of guest user permissions on Experience Cloud sites.
Microsoft and Salesforce Enhance Salesforce Security Tools
In response to these findings, Microsoft has collaborated with Salesforce to introduce new detection and governance tooling. These enhancements are integrated into Microsoft Defender for Cloud Apps and aim to provide better visibility into the activity of connected applications. For organizations utilizing Salesforce Shield Event Monitoring, an upgraded connector now supports near real-time detection by onboarding the Real-Time Event Monitoring framework. This provides crucial context, tying activity directly to specific app identities, granted OAuth scopes, and session details.
Beyond detection, Microsoft has also rolled out posture and governance features for connected OAuth apps. These include identifying highly privileged apps with elevated scopes, surfacing unused applications that retain live permissions, and assigning a risk score to each app. This allows security teams to proactively address over-permissioned and forgotten integrations before they can be exploited. The ultimate goal is to shrink the OAuth attack surface and enhance overall Salesforce security.
Microsoft’s guidance for organizations recommends connecting Salesforce instances to Defender for Cloud Apps for enhanced telemetry, ensuring Salesforce event logs are enabled and actively monitored, and reinforcing the lockdown of Experience Cloud guest user access. The enduring advice is to maintain an inventory of connected applications, revoke unused ones, limit the privileges of active applications to the minimum necessary, and be prepared to rotate tokens promptly if suspicious activity is detected. The pervasive issue across these attack paths is that the identity controls built over the last decade primarily focus on human logins, often leaving the service accounts and OAuth applications that handle critical data operations in a less scrutinized state.
The Hacker News has reached out to Microsoft for further details on its attribution of the actors behind these campaigns and will update this story with any response.

