logo

Defending SaaS-based applications against ShinyHunters OAuth abuse

ID: d3225983-49b8-5458-9e55-3ce1faa7b890

STIX ID: report--d3225983-49b8-5458-9e55-3ce1faa7b890

Feed Name: DataBreaches.Net

Threat Score
78/100

Date Published: 2026-07-14

Date Updated: 2026-07-15

Author: Dissent

...
...

Microsoft observed campaigns between mid-2025 and mid-2026 where actors leveraging ShinyHunters-like tradecraft abused OAuth consent (including vishing), supply-chain integrations (e.g., Salesloft, Gainsight), and misconfigured guest access to gain persistent access, enumerate CRM records, and exfiltrate data at scale across multiple industries; Microsoft worked with Salesforce to improve telemetry and detections and noted the activity was abuse of trusted relationships rather than a Salesforce vulnerability.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.