Security

Salesforce OAuth Abuse: Microsoft Guidance on ShinyHunters

3 min read

Summary

Microsoft detailed how threat activity associated with ShinyHunters abused trusted OAuth relationships in Salesforce to gain persistent access, exfiltrate CRM data, and evade traditional sign-in detections. The company also announced improved Salesforce telemetry and near-real-time detection in Defender for Cloud Apps, giving security teams better visibility into connected apps, OAuth scopes, and suspicious SaaS activity.

Need help with Security?Talk to an Expert

Introduction

Microsoft has published new guidance on a growing SaaS threat pattern: attackers abusing trusted OAuth connections instead of stealing passwords or deploying malware. For organizations using Salesforce and other integrated SaaS platforms, this matters because malicious activity can look like normal application behavior and bypass traditional authentication alerts.

What Microsoft observed

Between mid-2025 and mid-2026, Microsoft tracked campaigns with tradecraft overlapping with ShinyHunters. The activity targeted Salesforce environments and relied on trusted access paths to query and exfiltrate data at scale.

The three main intrusion paths

  • Vishing-led OAuth consent abuse: Attackers impersonated IT support and convinced users to approve malicious connected apps, sometimes disguised as Salesforce Data Loader tools.
  • SaaS supply chain compromise: Threat actors abused trusted integrations and compromised vendor workflows involving tools such as Salesloft, Gainsight, and later credentials linked to the Klue incident.
  • Misconfigured guest access: Attackers used overly permissive guest-user access and Salesforce Aura/GraphQL requests to retrieve more data than intended.

What’s new from Microsoft

Microsoft said it worked with Salesforce to improve telemetry available through Microsoft Defender for Cloud Apps.

Key enhancements include:

  • Near-real-time visibility into Salesforce security and activity events
  • Connected application attribution to identify which OAuth app performed actions
  • Expanded OAuth permission and scope insights
  • Improved investigation context across identity, session, and API activity
  • Better correlation in Microsoft Defender across identities, apps, and SaaS environments

For customers using Salesforce Shield: Event Monitoring, the updated Salesforce connector now supports the Real-Time Event Monitoring (RTEM) framework to speed detection and investigation.

Impact on IT and security teams

This research reinforces that SaaS risk is no longer limited to user credentials. If an attacker gains access through a trusted OAuth app or a third-party integration, they may inherit legitimate permissions and operate quietly for long periods.

For administrators, the biggest challenge is visibility. Traditional sign-in anomaly detection may miss this type of attack because the access occurs through approved apps, valid tokens, or legitimate integrations.

Admins should review their SaaS governance and monitoring controls now:

  • Audit OAuth-connected applications and remove unused or high-risk apps
  • Validate third-party Salesforce integrations and stored connection secrets
  • Review guest-user permissions and public access configurations
  • Enable Salesforce Event Monitoring where available
  • Use Defender for Cloud Apps to investigate app activity, OAuth scopes, and suspicious API behavior
  • Train users to recognize vishing and fraudulent consent prompts

The key takeaway is clear: trusted SaaS relationships need the same scrutiny as user identities. Stronger OAuth governance and better telemetry are now essential parts of cloud security operations.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

SalesforceOAuthDefender for Cloud AppsSaaS securityShinyHunters

Related Posts

Security

Microsoft Entra ID Passkeys Default Rollout Dates

Microsoft will make passkeys the default authentication experience in Entra ID starting September 1, 2026, automatically prompting users currently using SMS or voice MFA to register a passkey. The change matters because Microsoft-provided SMS and voice authentication will be retired on February 1, 2027, pushing organizations toward phishing-resistant authentication and requiring admins to plan migrations now.

Security

Microsoft Secure Future Initiative July 2026 Update

Microsoft’s July 2026 Secure Future Initiative progress report highlights major security gains across identity, cloud resource isolation, vulnerability remediation, and AI-driven defense. The update matters to IT and security teams because it pairs measurable hardening progress with practical guidance on phishing-resistant MFA, secure defaults, composite attack paths, and post-quantum readiness.

Security

GigaWiper Malware: Microsoft Details Destructive Backdoor

Microsoft Threat Intelligence has published a deep analysis of GigaWiper, a Golang-based backdoor that combines command-and-control features with multiple destructive payloads, including disk wiping, fake ransomware, and system sabotage. The research matters because it shows attackers consolidating several malware families into a single modular implant, increasing flexibility while reducing deployment footprint.

Security

Microsoft SFI AI Hardens Cloud Security at Scale

Microsoft detailed an internal multi-agent AI system built under its Secure Future Initiative (SFI) to proactively evaluate and harden live cloud services. The approach speeds up deep security analysis from weeks to hours by correlating code, identity, network, configuration, and runtime signals to uncover composite risks that single-tool reviews can miss.

Security

Cloud Security Posture Management Trends for 2026

Frost & Sullivan’s 2025 Frost Radar shows cloud security posture management is shifting from periodic compliance checks to continuous, risk-based governance within CNAPP platforms. For IT and security teams, the key takeaway is clear: prioritize tools that unify posture, identity, workload, and data signals to reduce risk faster across multicloud environments.

Security

Microsoft CSP Security: New Partner Ecosystem Protections

Microsoft outlined how it is strengthening security across its Cloud Solution Provider ecosystem to reduce partner-led attacks on customer environments. The update focuses on tighter partner vetting, mandatory tenant security requirements, least-privilege access through GDAP, and stronger monitoring and response capabilities.