'A single entry point can rapidly expand to greater enterprise impacts': Microsoft introduces changes to tackle ShinyHunters
Greater visibility, better detection, and stronger governance over OAuth-connected applications should mitigate ShinyHunters attacks.
- ShinyHunters abused OAuth trust in Salesforce by tricking users and later compromising SaaS integrations, stealing tokens to access hundreds of customer environments
- Reports suggested up to 700 victims; attackers exfiltrated data via legitimate APIs, making activity appear normal and persistent
- Microsoft responded with Defender for Cloud Apps upgrades, adding richer telemetry, near‑real‑time detection, and stronger governance over OAuth‑connected applications
The ShinyHunters cybercrime group were so creative in breaking into corporate Salesforce environments that they forced Microsoft’s hand, making the company introduce new security upgrades just to address the attacks.
Microsoft has revealed it is focusing on improving visibility into OAuth-connected applications and strengthening governance over third-party integrations in Microsoft Defender for Cloud Apps. The changes fall into two main categories: Improved detection and investigation, and new posture and governance capabilities.
It makes sense, given that some reports claimed as many as 700 victims of the year-long campaign.
Changes and improvements
But first, a little context: In August 2025, it was reported that ShinyHunters operatives were calling their targets on the phone, claiming to be IT support, and convincing them to authorize a seemingly legitimate Salesforce Data Loader application. This app was, in fact, controlled by the attackers and requested OAuth permissions which allowed them to access Salesforce data through official APIs.
Since everything happened through legitimate authentication and API calls, the activity looked like normal user behavior.
In the following months, the campaign evolved. Instead of tricking individual employees, ShinyHunters compromised third-party SaaS providers that integrated with Salesforce, including Salesloft's Drift integration, Gainsight, and later Klue.
By stealing OAuth tokens or integration secrets from these vendors, they accessed hundreds of downstream customer Salesforce environments without interacting with each customer individually.
At one point, Google told reporters it was aware of more than 700 potentially impacted organizations.
“Microsoft consulted with Salesforce to improve granularity in telemetry for Defender for Cloud Apps with near-real-time detection, offering connected application attribution and expanded application permission insights,” the company said in a new report. “This activity was not the result of a vulnerability inherent to Salesforce. Rather, the threat actors abused trusted OAuth relationships for unauthorized access, data exfiltration, and persistence.”
In other words, Microsoft enabled greater visibility into OAuth-connected applications and their activity, allowed for better detection of suspicious API and OAuth behavior through richer telemetry and correlation, and now provides stronger governance of connected apps through permission analysis, risk scoring, and lifecycle management.
Share
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0
