Microsoft researchers have identified three attack pathways used by threat actors aligned with ShinyHunters to breach corporate Salesforce environments over the past year. Notably, these intrusions required no exploitation of Salesforce vulnerabilities.
The attackers leveraged OAuth connections between Salesforce and integrated third-party applications and vendors. OAuth tokens function as trust bridges between platforms. Threat actors compromised or abused these legitimately-established connections to gain unauthorized access to Salesforce instances. This approach allowed them to operate within trusted channels, making detection substantially harder than traditional exploitation-based attacks.
ShinyHunters, a data-extortion group active since at least 2020, has conducted numerous breaches targeting retailers, hospitality firms, and technology companies. The group typically extracts customer databases and personally identifiable information before threatening public disclosure to extort ransom payments. Their shift toward OAuth abuse reflects an evolving attack strategy focused on insider trust mechanisms rather than technical vulnerabilities.
The three identified attack paths exploit different vectors within the OAuth ecosystem. Microsoft did not publicly disclose complete technical details to prevent premature weaponization, but researchers emphasized that defenders must audit OAuth permissions and monitor token usage across their Salesforce deployments.
Organizations using Salesforce face elevated risk if they have connected multiple third-party applications without proper access governance. Each integrated vendor represents a potential pivot point for attackers. A compromise of a lower-security third-party application grants pathway access to Salesforce, where business-critical customer data typically resides.
Defensive measures include conducting OAuth permission audits, implementing conditional access policies, monitoring unusual token activity, and reducing the number of unnecessary integrations. Microsoft recommends monitoring for OAuth token anomalies such as unusual geographic access patterns or tokens used outside normal business hours. Additionally, organizations should enforce strong authentication on all vendor accounts that connect to Salesforce.
The ShinyHunters findings
