Salesforce OAuth Abuse: Microsoft Guidance on ShinyHunters
Summary
Microsoft detailed how threat activity associated with ShinyHunters abused trusted OAuth relationships in Salesforce to gain persistent access, exfiltrate CRM data, and evade traditional sign-in detections. The company also announced improved Salesforce telemetry and near-real-time detection in Defender for Cloud Apps, giving security teams better visibility into connected apps, OAuth scopes, and suspicious SaaS activity.
Introduction
Microsoft has published new guidance on a growing SaaS threat pattern: attackers abusing trusted OAuth connections instead of stealing passwords or deploying malware. For organizations using Salesforce and other integrated SaaS platforms, this matters because malicious activity can look like normal application behavior and bypass traditional authentication alerts.
What Microsoft observed
Between mid-2025 and mid-2026, Microsoft tracked campaigns with tradecraft overlapping with ShinyHunters. The activity targeted Salesforce environments and relied on trusted access paths to query and exfiltrate data at scale.
The three main intrusion paths
- Vishing-led OAuth consent abuse: Attackers impersonated IT support and convinced users to approve malicious connected apps, sometimes disguised as Salesforce Data Loader tools.
- SaaS supply chain compromise: Threat actors abused trusted integrations and compromised vendor workflows involving tools such as Salesloft, Gainsight, and later credentials linked to the Klue incident.
- Misconfigured guest access: Attackers used overly permissive guest-user access and Salesforce Aura/GraphQL requests to retrieve more data than intended.
What’s new from Microsoft
Microsoft said it worked with Salesforce to improve telemetry available through Microsoft Defender for Cloud Apps.
Key enhancements include:
- Near-real-time visibility into Salesforce security and activity events
- Connected application attribution to identify which OAuth app performed actions
- Expanded OAuth permission and scope insights
- Improved investigation context across identity, session, and API activity
- Better correlation in Microsoft Defender across identities, apps, and SaaS environments
For customers using Salesforce Shield: Event Monitoring, the updated Salesforce connector now supports the Real-Time Event Monitoring (RTEM) framework to speed detection and investigation.
Impact on IT and security teams
This research reinforces that SaaS risk is no longer limited to user credentials. If an attacker gains access through a trusted OAuth app or a third-party integration, they may inherit legitimate permissions and operate quietly for long periods.
For administrators, the biggest challenge is visibility. Traditional sign-in anomaly detection may miss this type of attack because the access occurs through approved apps, valid tokens, or legitimate integrations.
Recommended next steps
Admins should review their SaaS governance and monitoring controls now:
- Audit OAuth-connected applications and remove unused or high-risk apps
- Validate third-party Salesforce integrations and stored connection secrets
- Review guest-user permissions and public access configurations
- Enable Salesforce Event Monitoring where available
- Use Defender for Cloud Apps to investigate app activity, OAuth scopes, and suspicious API behavior
- Train users to recognize vishing and fraudulent consent prompts
The key takeaway is clear: trusted SaaS relationships need the same scrutiny as user identities. Stronger OAuth governance and better telemetry are now essential parts of cloud security operations.
Need help with Security?
Our experts can help you implement and optimize your Microsoft solutions.
Talk to an ExpertStay updated on Microsoft technologies