“A single point of entry can quickly scale to larger enterprise impacts”: Microsoft introduces changes to tackle ShinyHunters


  • ShinyHunters abused the OAuth trust of Salesforce by tricking users and later compromising SaaS integrations and stealing tokens to gain access to hundreds of customer environments
  • Reports suggested up to 700 casualties; Attackers exfiltrated data via legitimate APIs, making the activity appear normal and persistent
  • Microsoft responded with Defender for Cloud Apps upgrades, adding richer telemetry, near-real-time logging, and stronger controls over OAuth-connected applications

The ShinyHunters cybercrime group was so creative in breaking into corporate Salesforce environments that they forced Microsoft’s hand, prompting the company to introduce new security upgrades just to counter the attacks.

Microsoft has revealed that it is focusing on improving visibility into OAuth-connected applications and strengthening controls over third-party integrations in Microsoft Defender for Cloud Apps. The changes fall into two main categories: Improved detection and investigation, and new postures and control abilities.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top