Microsoft has uncovered significant vulnerabilities in Salesforce environments, exploited by the data-extortion group known as ShinyHunters. Over the past year, these attackers have infiltrated corporate systems without needing to exploit any inherent flaws in Salesforce itself. Instead, they leveraged existing trust relationships, particularly OAuth connections, to gain unauthorized access.
Three Identified Intrusion Techniques
The recent research, published by Microsoft, outlines three main techniques used by attackers, spanning from mid-2025 to mid-2026. These methods do not rely on exploiting traditional security gaps but rather take advantage of existing permissions and integrations that often go unnoticed in traditional security monitoring.
These attack paths include vishing, or voice-phishing, where employees are tricked into approving malicious apps; theft of OAuth tokens from software vendors, allowing attackers to impersonate trusted applications; and misconfigured guest access permissions on Salesforce sites, which can expose sensitive data without any credentials.
Vishing Calls Compromise Employee Trust
The first path exploited by ShinyHunters began with vishing attacks in mid-2025. Attackers posed as IT support staff, convincing employees to authorize a seemingly legitimate app that was actually under the control of the attackers. This method allowed them to access and manipulate Salesforce data as though they were legitimate users, without the need for malware or stolen credentials.
Google’s Threat Intelligence Group (GTIG) and Mandiant documented these activities, highlighting incidents that affected major corporations like Google, Chanel, and Pandora. The attacks led to significant data breaches, prompting security experts to advise companies to verify any suspicious calls and to implement robust identity checks.
Exploiting Trusted Vendor Relationships
The second vector bypasses employees altogether, targeting third-party vendors with existing OAuth access to Salesforce. Attackers have infiltrated these vendors, stealing connection secrets and tokens to access multiple Salesforce instances. This method was highlighted by incidents such as the Salesloft Drift breach, where stolen tokens were used to query Salesforce data from numerous organizations.
Microsoft’s report details how these incidents exposed data from over 700 organizations, including major players like Cloudflare and Zscaler. The attackers used sophisticated techniques to remain undetected, blending their activities with normal automated processes.
Misconfigured Guest Access Exposes Data
The third attack path involves exploiting misconfigured guest access settings on Salesforce Aura endpoints. These endpoints can be accessed without authentication if permissions are not correctly set, allowing attackers to extract large volumes of data beyond what is typically exposed to guest users.
To mitigate these threats, Microsoft and Salesforce have introduced new tools and governance features to better monitor and secure OAuth app activities. Enhanced detection capabilities and risk assessments aim to identify and eliminate over-permissioned and inactive integrations before they can be exploited.
Organizations are urged to implement strict security measures, including regular audits of connected applications, reducing permissions to the least necessary, and closely monitoring Salesforce event logs. These steps are essential to protect against the sophisticated tactics employed by groups like ShinyHunters.
As enterprises continue to rely on integrated cloud solutions, understanding and addressing these vulnerabilities is crucial in maintaining robust security postures against evolving cyber threats.
