- ShinyHunters abused OAuth trust in Salesforce by deceiving users and then compromising SaaS integrations, stealing tokens to access hundreds of customer environments.
- Reports suggest up to 700 victims; attackers exfiltrated data through legitimate APIs, making activity appear normal and persistent
- Microsoft responded with upgrades to Defender for Cloud Apps, adding richer telemetry, near real-time detection, and stronger governance over OAuth connected apps.
Cybercrime group ShinyHunters was so creative in breaking into companies’ Salesforce environments that it forced Microsoft’s hand, forcing the company to introduce new security upgrades just to deal with the attacks.
Microsoft revealed that it is focused on improving visibility of OAuth-connected applications and strengthening governance of third-party integrations in Microsoft Defender for Cloud Applications. The changes fall into two main categories: improved detection and investigation, and new posture and governance capabilities.
This makes sense, given that some reports claim 700 casualties during this year-long campaign.
Changes and Improvements
But first, some context: In August 2025, it was reported that ShinyHunters agents were calling their targets by phone, pretending to be IT support, and convincing them to authorize a seemingly legitimate Salesforce Data Loader application. This application was actually controlled by the attackers and requested OAuth permissions that allowed them to access Salesforce data through official APIs.
Since everything happened via legitimate authentication and API calls, the activity looked like normal user behavior.
In the following months, the campaign evolved. Instead of deceiving individual employees, ShinyHunters compromised third-party SaaS providers integrated with Salesforce, including Salesloft’s Drift integration, Gainsight, and later Klue.
By stealing OAuth tokens or integration secrets from these vendors, they accessed hundreds of downstream customer Salesforce environments without interacting with each customer individually.
At one point, Google told reporters it was aware of more than 700 potentially affected organizations.
“Microsoft consulted with Salesforce to improve the granularity of telemetry for Defender for Cloud Apps with near real-time detection, providing attribution of connected apps and expanded insights into app permissions,” the company said in a new report. “This activity is not the result of an inherent vulnerability in Salesforce. Rather, the threat actors abused trusted OAuth relationships to gain unauthorized access, data exfiltration, and persistence.”
In other words, Microsoft has enabled greater visibility into OAuth connected applications and their activity, enabled better detection of suspicious API and OAuth behavior through richer telemetry and correlation, and now provides stronger governance of connected applications through permissions analysis, risk assessment, and lifecycle management.

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




