Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Microsoft Identifies Three Salesforce Threat Vectors

Microsoft Identifies Three Salesforce Threat Vectors

Posted on July 14, 2026 By CWS

Microsoft has uncovered significant vulnerabilities in Salesforce environments, exploited by the data-extortion group known as ShinyHunters. Over the past year, these attackers have infiltrated corporate systems without needing to exploit any inherent flaws in Salesforce itself. Instead, they leveraged existing trust relationships, particularly OAuth connections, to gain unauthorized access.

Three Identified Intrusion Techniques

The recent research, published by Microsoft, outlines three main techniques used by attackers, spanning from mid-2025 to mid-2026. These methods do not rely on exploiting traditional security gaps but rather take advantage of existing permissions and integrations that often go unnoticed in traditional security monitoring.

These attack paths include vishing, or voice-phishing, where employees are tricked into approving malicious apps; theft of OAuth tokens from software vendors, allowing attackers to impersonate trusted applications; and misconfigured guest access permissions on Salesforce sites, which can expose sensitive data without any credentials.

Vishing Calls Compromise Employee Trust

The first path exploited by ShinyHunters began with vishing attacks in mid-2025. Attackers posed as IT support staff, convincing employees to authorize a seemingly legitimate app that was actually under the control of the attackers. This method allowed them to access and manipulate Salesforce data as though they were legitimate users, without the need for malware or stolen credentials.

Google’s Threat Intelligence Group (GTIG) and Mandiant documented these activities, highlighting incidents that affected major corporations like Google, Chanel, and Pandora. The attacks led to significant data breaches, prompting security experts to advise companies to verify any suspicious calls and to implement robust identity checks.

Exploiting Trusted Vendor Relationships

The second vector bypasses employees altogether, targeting third-party vendors with existing OAuth access to Salesforce. Attackers have infiltrated these vendors, stealing connection secrets and tokens to access multiple Salesforce instances. This method was highlighted by incidents such as the Salesloft Drift breach, where stolen tokens were used to query Salesforce data from numerous organizations.

Microsoft’s report details how these incidents exposed data from over 700 organizations, including major players like Cloudflare and Zscaler. The attackers used sophisticated techniques to remain undetected, blending their activities with normal automated processes.

Misconfigured Guest Access Exposes Data

The third attack path involves exploiting misconfigured guest access settings on Salesforce Aura endpoints. These endpoints can be accessed without authentication if permissions are not correctly set, allowing attackers to extract large volumes of data beyond what is typically exposed to guest users.

To mitigate these threats, Microsoft and Salesforce have introduced new tools and governance features to better monitor and secure OAuth app activities. Enhanced detection capabilities and risk assessments aim to identify and eliminate over-permissioned and inactive integrations before they can be exploited.

Organizations are urged to implement strict security measures, including regular audits of connected applications, reducing permissions to the least necessary, and closely monitoring Salesforce event logs. These steps are essential to protect against the sophisticated tactics employed by groups like ShinyHunters.

As enterprises continue to rely on integrated cloud solutions, understanding and addressing these vulnerabilities is crucial in maintaining robust security postures against evolving cyber threats.

The Hacker News Tags:API security, cloud security, Cybersecurity, data breach, data security, Microsoft, OAuth, OAuth tokens, Salesforce, Salesforce governance, Salesforce Shield, Salesforce vulnerabilities, ShinyHunters, ShinyHunters attack, Vishing

Post navigation

Previous Post: Telegram’s t.me Domain Suspension Disrupts Global Links
Next Post: Pentagon Reevaluates Cybersecurity Certification Strategy

Related Posts

Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users The Hacker News
Critical Linux Flaw GhostLock Allows Root Access Critical Linux Flaw GhostLock Allows Root Access The Hacker News
SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats The Hacker News
New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale The Hacker News
Compromised Nx Console Targets VS Code with Credential Theft Compromised Nx Console Targets VS Code with Credential Theft The Hacker News
Critical BeyondTrust Vulnerability Exploited by Hackers Critical BeyondTrust Vulnerability Exploited by Hackers The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • U.S. Targets VPN and Cryptor Seller for Ransomware Aid
  • Pentagon Reevaluates Cybersecurity Certification Strategy
  • Microsoft Identifies Three Salesforce Threat Vectors
  • Telegram’s t.me Domain Suspension Disrupts Global Links
  • AI ‘Intelligent Worm’ Threatens Cybersecurity Evolution

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • U.S. Targets VPN and Cryptor Seller for Ransomware Aid
  • Pentagon Reevaluates Cybersecurity Certification Strategy
  • Microsoft Identifies Three Salesforce Threat Vectors
  • Telegram’s t.me Domain Suspension Disrupts Global Links
  • AI ‘Intelligent Worm’ Threatens Cybersecurity Evolution

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark