- ShinyHunters abused the OAuth trust of Salesforce by tricking users and later compromising SaaS integrations and stealing tokens to gain access to hundreds of customer environments
- Reports suggested up to 700 casualties; Attackers exfiltrated data via legitimate APIs, making the activity appear normal and persistent
- Microsoft responded with Defender for Cloud Apps upgrades, adding richer telemetry, near-real-time logging, and stronger controls over OAuth-connected applications
The ShinyHunters cybercrime group was so creative in breaking into corporate Salesforce environments that they forced Microsoft’s hand, prompting the company to introduce new security upgrades just to counter the attacks.
Microsoft has revealed that it is focusing on improving visibility into OAuth-connected applications and strengthening controls over third-party integrations in Microsoft Defender for Cloud Apps. The changes fall into two main categories: Improved detection and investigation, and new postures and control abilities.
That makes sense, as some reports claimed as many as 700 casualties for the year-long campaign.
Changes and improvements
But first, a little context: In August 2025, it was reported that ShinyHunters employees called their targets on the phone, claiming to be IT support, and convinced them to approve a seemingly legitimate Salesforce Data Loader application. This app was actually controlled by the attackers and requested OAuth permissions which allowed them to access Salesforce data through official APIs.
Since everything happened through legitimate authentication and API calls, the activity looked like normal user behavior.
In the following months, the campaign developed. Instead of tricking individual employees, ShinyHunters compromised third-party SaaS providers that integrated with Salesforce, including Salesloft’s Drift integration, Gainsight, and later Klue.
By stealing OAuth tokens or integration secrets from these vendors, they gained access to hundreds of downstream customer Salesforce environments without interacting with each customer individually.
At one point, Google told reporters it was aware of more than 700 potentially affected organizations.
“Microsoft consulted with Salesforce to improve the granularity of telemetry for Defender for Cloud Apps with near-real-time detection that offers connected application attribution and extended application permission insight,” the company said in a new report. “This activity was not the result of a vulnerability inherent to Salesforce. Rather, the threat actors abused trusted OAuth relationships for unauthorized access, data exfiltration, and persistence.”
In other words, Microsoft enabled greater visibility into OAuth-connected applications and their activity, enabled better detection of suspicious API and OAuth behavior through richer telemetry and correlation, and now provides stronger governance of connected apps through permission analysis, risk scoring, and lifecycle management.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



