In response to the sophisticated ShinyHunters cybercrime campaign targeting OAuth integrations in Salesforce environments, Microsoft has upgraded its security tools to provide better visibility and control over third-party connected applications.

  • ShinyHunters exploited OAuth authorizations to access Salesforce data stealthily.
  • Microsoft improved telemetry and permission analysis in Defender for Cloud Apps.
  • Enhanced governance helps manage risks from third-party SaaS integrations.

What happened

The ShinyHunters threat group conducted a prolonged cyberattack campaign starting in August 2025, focusing on stealing Salesforce data by abusing OAuth-based third-party app integrations. Initially, the attackers used social engineering tactics such as pretending to be IT support to trick employees into authorizing a malicious Salesforce Data Loader application. This app granted access via official APIs under seemingly legitimate authentication, making detection challenging.

Over time, the attack evolved as ShinyHunters compromised SaaS providers that sold OAuth integrations with Salesforce. By hijacking credentials or tokens from providers like Salesloft’s Drift, Gainsight, and Klue, they gained broad access to downstream customer environments without interacting with each customer individually, potentially impacting more than 700 organizations.

Why it matters

This campaign highlights the risks posed by trusted OAuth connections in enterprise environments. Traditional security tools often cannot distinguish malicious activity when it occurs through officially authorized API calls, which attackers exploit to evade detection and maintain persistence. Microsoft’s acknowledgement of this threat underlines the need for improved telemetry and governance around connected applications.

By enhancing the Microsoft Defender for Cloud Apps platform with near-real-time detection, expanded permissions insights, and connected application attribution, organizations can better identify suspicious OAuth behaviors and mitigate risks posed by third-party SaaS integrations. This is critical for protecting sensitive data and limiting the potential impact of future attacks leveraging OAuth trust relationships.

What to watch next

Enterprises leveraging Salesforce and other platforms with OAuth-connected third-party apps should prioritize deploying Microsoft’s updated detection and governance capabilities as soon as possible. Monitoring for irregular OAuth activity and regularly reviewing connected app permissions and lifecycle will be key to mitigating risks.

Industry observers and security teams should also watch for broader adoption of similar OAuth transparency and control measures across other cloud providers and SaaS ecosystems. Given the prevalence of OAuth integrations, improvements in visibility and governance represent an essential line of defense against sophisticated supply chain and social engineering attacks.

Source assisted: This briefing began from a discovered source item from TechRadar. Open the original source.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published. Read the standards

Related briefings