Defending SaaS-based applications against ShinyHunters OAuth abuse
ID: d3225983-49b8-5458-9e55-3ce1faa7b890
STIX ID: report--d3225983-49b8-5458-9e55-3ce1faa7b890
Feed Name: DataBreaches.Net
Microsoft observed campaigns between mid-2025 and mid-2026 where actors leveraging ShinyHunters-like tradecraft abused OAuth consent (including vishing), supply-chain integrations (e.g., Salesloft, Gainsight), and misconfigured guest access to gain persistent access, enumerate CRM records, and exfiltrate data at scale across multiple industries; Microsoft worked with Salesforce to improve telemetry and detections and noted the activity was abuse of trusted relationships rather than a Salesforce vulnerability.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
