{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/recorded-future/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Klue (Integration Layer)","Salesforce (Integration Feature)"],"_cs_severities":["high"],"_cs_tags":["data-breach","supply-chain","cloud-security","saas-security","oauth"],"_cs_type":"advisory","_cs_vendors":["Klue","Recorded Future","Salesforce"],"content_html":"\u003cp\u003eOn June 12, 2026, a third-party marketing vendor, Klue, experienced unauthorized access to its integration layer, which is designed to connect Klue with other marketing and sales SaaS platforms, including Salesforce. This incident led to the compromise of an OAuth token associated with the Klue-Salesforce integration, granting an unauthorized entity access to a portion of Recorded Future's Salesforce account. Recorded Future's CSIRT was notified on June 13, 2026, and their subsequent investigation revealed that specific business data fields, such as customer contact names, email addresses, and potentially business contract information, stored within their Salesforce database were accessed. Recorded Future concluded they were accidentally affected due to the compromised integration, not specifically targeted, and confirmed no access or compromise of their core systems, internal databases, or customer platform data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthorized entity gains initial access to Klue's integration layer, which facilitates connections between Klue and other SaaS platforms.\u003c/li\u003e\n\u003cli\u003eThe unauthorized entity compromises an OAuth token used to establish and maintain the integration between Klue and Salesforce.\u003c/li\u003e\n\u003cli\u003eThe compromised OAuth token is subsequently leveraged to gain unauthorized access to a specific portion of Recorded Future's Salesforce account.\u003c/li\u003e\n\u003cli\u003eAttackers navigate and access business data fields stored within the Salesforce database.\u003c/li\u003e\n\u003cli\u003eSpecific customer contact names and email addresses are identified and accessed.\u003c/li\u003e\n\u003cli\u003ePotentially, business contract information stored in the Salesforce account is also accessed by the attackers.\u003c/li\u003e\n\u003cli\u003eThe accessed sensitive customer and business data is likely exfiltrated from the Salesforce environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe security incident resulted in the unauthorized access to and potential exfiltration of sensitive business data from Recorded Future's Salesforce account. This data included customer contact names, email addresses, and potentially specific business contract information. While Recorded Future's core platforms, intelligence graph, and other internal infrastructure were not affected, the incident exposed a subset of their customer's contact information. This type of data exposure can lead to increased risks of targeted phishing campaigns, business email compromise (BEC) attacks, and other forms of social engineering against the affected individuals and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement robust logging and monitoring for Salesforce activities to detect unauthorized access attempts or unusual data access patterns, given the compromise of a Salesforce account in this incident.\u003c/li\u003e\n\u003cli\u003eRegularly audit and revoke OAuth tokens granted to third-party applications connecting to critical SaaS platforms like Salesforce, as a compromised OAuth token was the vector for unauthorized access in this event.\u003c/li\u003e\n\u003cli\u003eReview third-party application integrations with Salesforce and other critical SaaS platforms to minimize the attack surface, considering Klue's role as a compromised third-party vendor in this incident.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T04:23:33Z","date_published":"2026-07-14T04:23:33Z","id":"https://feed.craftedsignal.io/briefs/2026-07-klue-security-incident/","summary":"A third-party marketing vendor, Klue, experienced unauthorized access to its integration layer, which connects to other SaaS platforms like Salesforce, leading to the compromise of an OAuth token and subsequent unauthorized access to Recorded Future's Salesforce account, where business data fields including customer contact names, email addresses, and potentially business contract information were accessed.","title":"Klue Security Incident Leads to Recorded Future Salesforce Data Compromise","url":"https://feed.craftedsignal.io/briefs/2026-07-klue-security-incident/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:-:*:*:*","cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*","cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","cpe:2.3:a:erlang:erlang\\/ssl:*:*:*:*:*:*:*:*","cpe:2.3:a:erlang:erlang\\/ssh:*:*:*:*:*:*:*:*","cpe:2.3:a:mistune_project:mistune:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-58525"},{"cvss":7.6,"id":"CVE-2026-57985"},{"cvss":6.5,"id":"CVE-2026-57987"},{"cvss":7.1,"id":"CVE-2026-57988"},{"cvss":7.4,"id":"CVE-2026-57993"},{"cvss":8.1,"id":"CVE-2026-58283"},{"cvss":7.1,"id":"CVE-2026-57977"},{"cvss":7.5,"id":"CVE-2026-57986"},{"cvss":7.2,"id":"CVE-2026-58298"},{"cvss":6.2,"id":"CVE-2026-58300"},{"cvss":7.4,"id":"CVE-2026-57991"},{"cvss":8.3,"id":"CVE-2026-58284"},{"cvss":8.3,"id":"CVE-2026-58295"},{"cvss":7.5,"id":"CVE-2026-55952"},{"cvss":7.5,"id":"CVE-2026-58292"},{"cvss":7.5,"id":"CVE-2026-58294"},{"cvss":7.5,"id":"CVE-2026-57984"},{"cvss":4.3,"id":"CVE-2026-54886"},{"cvss":8.1,"id":"CVE-2026-58282"},{"cvss":8.8,"id":"CVE-2026-57981"},{"cvss":5.4,"id":"CVE-2026-58278"},{"cvss":9,"id":"CVE-2026-58289"},{"cvss":7.5,"id":"CVE-2026-59925"},{"cvss":7.1,"id":"CVE-2026-58297"},{"cvss":8.3,"id":"CVE-2026-58596"},{"cvss":8.8,"id":"CVE-2026-56645"},{"cvss":8.7,"id":"CVE-2026-57983"},{"cvss":8.3,"id":"CVE-2026-58288"},{"cvss":8.1,"id":"CVE-2026-58286"},{"cvss":7.5,"id":"CVE-2026-58276"}],"_cs_exploited":false,"_cs_has_poc":true,"_cs_poc_references":["https://sploitus.com/exploit?id=8D8B971C-F5EE-53DF-AAC5-417AF3B19481\u0026utm_source=rss\u0026utm_medium=rss"],"_cs_products":["PowerShell","Windows","Outlook",".NET","Windows Defender","Windows PowerShell","AppLocker","Windows Protected Storage Service","SharePoint","Microsoft SQL Server","Microsoft Graph API","Microsoft Entra ID","Microsoft 365","Remote Desktop Protocol","Windows OpenSSH","Plink","Azure AD Graph","Entra ID","SMB (Windows File Sharing)","Microsoft Teams","Quick Assist","Microsoft Edge (Chromium-based)","Edge (Chromium-based)","Microsoft Edge for Android","Edge for Android","Microsoft Edge (Chromium-based) \u003c 150.0.4078.48","Microsoft Edge (Chromium-based) (\u003c 150.0.4078.48)","nslookup.exe","Microsoft Identity Platform","Windows Command Prompt","PowerShell Core","Local Security Authority Subsystem Service (LSASS)","Active Directory Certificate Services","Active Directory","Windows kernel","VMware View","Horizon","SysAidServer","IGEL RemoteManager","Elastic Defend","Sysmon","Microsoft Authentication Broker","Exchange Online","Microsoft Graph","SSH SFTP server","Azure","Teams","Active Directory Federation Services (ADFS)","Device Registration Service","Windows 10 22H2","Active Directory Federation Services","Microsoft Windows","Microsoft Hardware Compatibility Program","AnyDesk","NirSoft utilities","Mimikatz","PsExec","Azure AD","Microsoft Edge \u003c 150.0.4078.50","Azure Linux azl3 kernel (\u003c 6.6.144.1-1)","Azure CLI","Azure Active Directory Conditional Access","Microsoft Azure CLI","OneDrive","inline_parser","VS Code","OWA","admin.microsoft.com","Google Accounts","MAX messenger","WordPress","Microsoft Edge","Google Chrome","Brave","IIS","Salesforce","Salesforce Data Loader","Salesforce Aura endpoints","Salesforce Experience Cloud","Microsoft Defender for Cloud Apps","Drift AI chat integration","Gainsight","Klue","github.com","aws.amazon.com"],"_cs_severities":["high"],"_cs_tags":["roundup"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Simon Tatham","VMware","Omnissa","SysAid","IGEL","Elastic","AnyDesk","NirSoft","GitHub","Cisco","Trend Micro","LSHIY LLC","Vercel","Google","Canva","WordPress Foundation","Adobe","DocuSign","Dropbox","MAX","Salesforce","Chanel","Pandora","Adidas","Qantas","Allianz Life","LVMH","Salesloft","Drift","Cloudflare","Zscaler","Palo Alto Networks","Proofpoint","PagerDuty","Tanium","Gainsight","Klue","Huntress","Recorded Future","AWS"],"content_html":"\u003cp\u003eAggregated Microsoft security advisories for July 2026. CVEs from this cycle are folded\ninto the list below as they are published.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cp\u003eReview affected products and apply Microsoft's July 2026 security updates.\u003c/p\u003e\n","date_modified":"2026-07-14T06:43:29Z","date_published":"2026-07-03T10:31:01Z","id":"https://feed.craftedsignal.io/briefs/2026-07-microsoft-security-updates/","summary":"Roundup of Microsoft security advisories published in July 2026.","title":"Microsoft Security Updates — July 2026","url":"https://feed.craftedsignal.io/briefs/2026-07-microsoft-security-updates/"}],"language":"en","title":"CraftedSignal Threat Feed - Recorded Future","version":"https://jsonfeed.org/version/1.1"}