Attackers whose methods line up with the data-extortion group ShinyHunters have spent the past year walking into corporate Salesforce environments without exploiting a single flaw in the platform.

The way in has been the trust the organization had already extended, usually through the OAuth connections that tie Salesforce to the apps and third-party vendors around it.

In research published July 13, Microsoft mapped the campaigns, which ran from mid-2025 into mid-2026, to three distinct techniques. It also worked with Salesforce to roll out new detection and governance tooling aimed at addressing the activity authentication logs miss.

That is what makes this hard to catch. When the access comes from a real user who approved a connected app, or from an integration the company already trusts, the traffic reads as ordinary use, and sign-in and authentication monitoring barely registers it.

What matters is what the app or account does once it is in, and that is exactly what most Salesforce logging was not built to show.

Microsoft groups the activity into three intrusion paths:

  • vishing calls that trick employees into approving a malicious connected app,
  • stolen OAuth tokens from compromised software vendors, and
  • misconfigured guest access to Salesforce sites.

Each maps onto a Salesforce incident from the past year, and Microsoft says it saw the activity across tenants in industries including retail, education, and manufacturing.

The phone call

The first path is the one that kicked off the whole run. Starting in mid-2025, the actors placed voice-phishing (vishing) calls posing as IT support and talked employees through Salesforce’s OAuth consent screen, getting them to authorize an attacker-controlled connected app dressed up as Salesforce’s own Data Loader tool.

Once consent was granted, the app could make API calls as that user, letting the attackers enumerate the org’s Salesforce data, hold persistent access to CRM records, and hunt for credentials that might open the door to other SaaS platforms.

No malware, no stolen password replay. Just a phone call and a consent click.

This is the campaign Google’s Threat Intelligence Group (GTIG) and Mandiant documented in mid-2025, tracking the initial access as UNC6040 and the follow-on extortion as UNC6240, both of which kept claiming to be ShinyHunters to lean harder on victims.

Google confirmed one of its own corporate Salesforce instances was hit in June 2025, with the attackers taking largely public business contact data before Google cut them off. The same wave was publicly linked to breaches at Chanel and Pandora, with Adidas, Qantas, Allianz Life, and several LVMH brands also named as targets.

Mandiant’s advice to defenders was blunt: these calls exploit a help desk’s instinct to be helpful, standard identity checks often do not apply, and the safe move is to hang up and call back on a known-good channel.

Stolen tokens from trusted vendors

The second path skips the…


Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: July 14, 2026