<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Salesloft - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/salesloft/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 22:59:52 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/salesloft/feed.xml" rel="self" type="application/rss+xml"/><item><title>ShinyHunters OAuth Abuse Targeting SaaS Applications</title><link>https://feed.craftedsignal.io/briefs/2026-07-shinyhunters-oauth-abuse/</link><pubDate>Mon, 13 Jul 2026 22:59:52 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-shinyhunters-oauth-abuse/</guid><description>ShinyHunters, and related threat actor Storm-3138, conducted campaigns between mid-2025 and mid-2026 by employing voice phishing, supply chain compromise, and misconfigured guest access to abuse trusted OAuth relationships in SaaS applications like Salesforce, leading to unauthorized access, data exfiltration, and persistence.</description><content:encoded><![CDATA[<p>Microsoft Threat Intelligence has identified sophisticated campaigns conducted by the threat actor ShinyHunters, with overlapping tradecraft observed between mid-2025 and mid-2026. These campaigns also included activity attributed to Storm-3138. The threat actors primarily targeted customer SaaS-based applications, such as Salesforce instances, leveraging a combination of voice phishing (vishing), supply chain compromise, and the exploitation of misconfigured guest access. The primary objective was to abuse trusted OAuth relationships to gain unauthorized access, establish persistence, and exfiltrate sensitive data at scale. This activity highlights a shift towards exploiting legitimate application functionality and integrations rather than traditional malware deployment, making detection challenging as malicious actions often appear indistinguishable from normal user behavior within the SaaS ecosystem.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Threat actors initiate voice phishing (vishing) attacks, impersonating IT support personnel, to socially engineer employees into authorizing malicious applications.</li>
<li>Victims are guided through an OAuth consent workflow, granting an attacker-controlled application (e.g., disguised as a Salesforce Data Loader tool) highly privileged access.</li>
<li>The malicious OAuth application performs API calls on behalf of the victim user, enabling enumeration of Salesforce instances and persistent access to CRM data.</li>
<li>Attackers compromise third-party SaaS vendors (e.g., Salesloft in August 2025, Gainsight in November 2025, Klue in June 2026), obtaining connection secrets or OAuth tokens.</li>
<li>Compromised credentials or OAuth tokens are used to leverage trusted external connections, maintaining persistent API access to multiple Salesforce customer instances.</li>
<li>Attackers identify and exploit misconfigured guest-user permissions within Salesforce Aura endpoints, granting unauthenticated access to Aura framework functionality.</li>
<li>GraphQL-based Aura requests are chained to systematically query and retrieve large volumes of sensitive CRM data, bypassing standard record-retrieval limitations.</li>
<li>Threat actors exfiltrate sensitive CRM records, including accounts, contacts, and service case data, through sanctioned application access or abused guest permissions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The observed campaigns resulted in significant data exfiltration, primarily of sensitive CRM records, including accounts, contacts, and service case data, affecting numerous organizations across retail, education, and manufacturing sectors. Threat actors achieved quiet persistence within targeted SaaS environments, making malicious activity difficult to distinguish from legitimate operations. The abuse of trusted OAuth relationships allowed attackers to access and exfiltrate data at scale, bypassing traditional authentication-focused detections. The broad scope and the ability to operate within trusted workflows posed a high-impact risk to sensitive data and downstream SaaS ecosystems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Salesforce Shield: Event Monitoring and integrate with Microsoft Defender for Cloud Apps to gain near-real-time visibility into Salesforce security and activity events.</li>
<li>Regularly review and audit all OAuth-connected applications within your SaaS environments, paying close attention to application identity, granted OAuth scopes, and activity context.</li>
<li>Implement strict validation processes for all third-party integrations and monitor their activity for anomalies, particularly for vendors like Salesloft, Gainsight, and Klue that have been previously targeted.</li>
<li>Conduct regular audits of guest access configurations in Salesforce and other SaaS platforms to ensure proper permissions are enforced and to prevent unauthorized data access via endpoints like Salesforce Aura.</li>
<li>Deploy security solutions that provide expanded identity, session, and API activity context within Salesforce and other SaaS applications to improve correlation and identification of suspicious activity as detected by Microsoft Defender for Cloud Apps.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>oauth-abuse</category><category>saas</category><category>supply-chain</category><category>vishing</category><category>data-exfiltration</category><category>persistence</category><category>cloud</category></item></channel></rss>