logo

Detecting the Klue supply chain attack in Salesforce instances

ID: 8c5b7fbf-20da-5c84-a471-cf8fe4656431

STIX ID: report--8c5b7fbf-20da-5c84-a471-cf8fe4656431

Feed Name: Datadog Security Labs

Threat Score
75/100

Date Published: 2026-06-22

Date Updated: 2026-06-22

...
...

On June 11–13, 2026, a threat actor calling itself "Icarus" exploited a dormant OAuth credential in Klue's Battlecards integration to harvest Salesforce and Gong tokens, run automated REST API queries across customer orgs to exfiltrate CRM data (contacts, opportunities, quotes, communications), and later initiate extortion; the report provides a timeline, detection queries and log fields for Salesforce/Datadog, and confirmed IOCs (four IPs and three user‑agent strings).

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.