THREAT INTEL

A Year of ShinyHunters

How Trust, Not a Bug, Emptied Corporate Salesforce Orgs. Microsoft mapped a year of ShinyHunters-aligned Salesforce intrusions to three techniques, none of which exploited a platform flaw.

Matt Lucas  |  July 15, 2026  |  6 min
3
attack paths mapped
700+
orgs exposed by Drift tokens
200+
instances hit via Gainsight
~1,000
orgs claimed, unconfirmed
TL;DR
  • What: Microsoft mapped a year of ShinyHunters-aligned Salesforce intrusions to three techniques: vishing-approved malicious connected apps, stolen OAuth tokens from compromised vendors, and misconfigured guest access to Aura endpoints.
  • Impact: Attackers enumerated and exported CRM data across retail, education, and manufacturing tenants; the Salesloft Drift token theft alone potentially exposed more than 700 organizations including Cloudflare, Zscaler, and Palo Alto Networks.
  • Fix / mitigation: Microsoft worked with Salesforce to roll out new detection and governance tooling for the post-authentication activity that sign-in logs miss; defenders should audit connected apps, guest permissions, and vendor OAuth grants.
  • Who's at risk: Any organization running Salesforce, especially those with third-party OAuth integrations and Experience Cloud sites, is at risk.

For a year, attackers whose tradecraft lines up with the data-extortion crew ShinyHunters walked into corporate Salesforce environments without exploiting a single platform flaw. There was no CVE to patch, no zero-day to race. The door was the trust the organizations had already extended, usually the OAuth connections wiring Salesforce to the apps and vendors around it. In research published July 13, Microsoft mapped these campaigns, running from mid-2025 into mid-2026, to three distinct techniques and worked with Salesforce to ship detection and governance tooling for the activity that authentication logs simply do not see.

That blind spot is the whole story. When access comes from a real user who approved a connected app, or from an integration the company already trusts, the traffic reads as ordinary use. Sign-in and authentication monitoring barely register it. What matters is what the app or account does once it is inside, and that is exactly what most Salesforce logging was never built to show. Microsoft saw the activity across tenants in retail, education, and manufacturing.

Path one: a phone call and a consent click

The run started with the phone. Beginning in mid-2025, the actors placed voice-phishing calls posing as IT support and walked employees through Salesforce's OAuth consent screen, getting them to authorize an attacker-controlled connected app dressed up as Salesforce's own Data Loader tool. Once consent was granted, the app made API calls as that user, enumerated the org's data, held persistent access to CRM records, and hunted for credentials into other SaaS platforms. No malware. No stolen password replay. Just a call and a click.

This is the campaign Google's Threat Intelligence Group and Mandiant documented in mid-2025, tracking initial access as UNC6040 and the follow-on extortion as UNC6240, both claiming to be ShinyHunters to lean harder on victims. Google confirmed one of its own corporate Salesforce instances was hit in June 2025, with attackers taking largely public business contact data before Google cut them off. The same wave was publicly linked to Chanel and Pandora, with Adidas, Qantas, Allianz Life, and several LVMH brands also named as targets.

Path two: stolen tokens from vendors you already trust

The second path skips the employee entirely. Instead of phishing a user, attackers compromise a third-party vendor whose app already holds OAuth access to its customers' Salesforce orgs, steal the connection secrets or tokens, and query and export data across many downstream instances at once. Because the traffic comes from an approved integration, it triggers no sign-in alarms and blends into normal automation.

The August 2025 Salesloft Drift compromise is the clearest example. Attackers stole OAuth and refresh tokens tied to the Drift AI chat integration and turned them against Salesforce customer environments. Google estimated the theft potentially exposed more than 700 organizations, among them Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, PagerDuty, and Tanium. Google tracks the cluster as UNC6395; Cloudflare's Cloudforce One calls it GRUB1. Salesloft later traced the root cause to attacker access to its GitHub account as early as March 2025, used to reach Drift's AWS environment and harvest the tokens. The operators ran SOQL queries to sift support cases for AWS keys, Snowflake tokens, and passwords, then deleted their query jobs to slow investigators.

The November 2025 Gainsight incident ran the same play. Salesforce pulled Gainsight-published apps after spotting unusual API activity, and GTIG tied the campaign to ShinyHunters affiliates across more than 200 Salesforce instances. The people behind the ShinyHunters name claimed Salesloft and Gainsight together reached close to 1,000 organizations, a figure that has not been independently confirmed. The most recent case, June 2026, is the Klue compromise: attackers got in through a long-disused but still-active legacy credential from a never-deployed test integration, pushed a code update that harvested customers' OAuth tokens, and reached Salesforce and Gong data belonging to Klue customers including Huntress and Recorded Future. Microsoft tracks the Klue actor as Storm-3138.

The naming is deliberately blurry

Most of the industry, Huntress and Datadog included, ties the Klue extortion to a group calling itself Icarus, while a Telegram account claiming to be ShinyHunters also took credit. These identities overlap and get claimed opportunistically across this entire set of campaigns. Attribution labels are not a reliable basis for scoping your exposure; the OAuth grants are.

Path three: guest access left wide open

The third path needs no credentials at all. Microsoft saw a rise in suspicious guest-user activity against Salesforce Aura endpoints, the framework behind Experience Cloud sites. Where guest-user permissions were misconfigured, actors reached Aura functionality without authenticating. Calling the GraphQL Aura controller, they used cursor-based pagination to pull records past the standard 2,000-record query limit, walking off with far more than the guest role was meant to expose.

The RedEye take

Strip away the ShinyHunters branding and this is one lesson repeated three ways: SaaS trust is transitive, and almost nobody is monitoring it. Every organization on this victim list did the reasonable thing. They connected Drift, Gainsight, or Klue because those tools earned a place in the workflow. The attackers did not break Salesforce; they inherited access their victims had already signed off on. That is why sign-in monitoring failed everyone here. Authentication tells you a session is legitimate. It says nothing about whether that legitimate session is quietly running SOQL queries for AWS keys and deleting its own job history on the way out. Microsoft and Salesforce shipping post-authentication tooling is the right response, and the fact that it took a year of breaches to force it is the indictment. If your SaaS security program still equates 'authenticated' with 'safe,' you are defending the door these actors never touched.

What defenders should learn

Source: The Hacker News, 'Microsoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHunters Activity,' Swati Khandelwal, July 14, 2026.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us