- ShinyHunters abused Salesforce’s OAuth trust by tricking users and then compromising SaaS integrations, stealing tokens to access hundreds of customer environments.
- Reports suggested up to 700 victims; The attackers extracted data through legitimate APIs, making the activity appear normal and persistent.
- Microsoft responded with updates to Defender for Cloud Apps, adding richer telemetry, near real-time detection, and stronger governance over OAuth-connected apps.
The ShinyHunters cybercrime group was so creative in breaking into Salesforce’s corporate environments that they forced Microsoft’s hand, causing the company to introduce new security updates just to deal with the attacks.
Microsoft has revealed that it is focusing on improving visibility into OAuth-connected apps and strengthening the governance of third-party integrations in Microsoft Defender for Cloud Apps. The changes fall into two main categories: improved detection and investigation, and new posture and governance capabilities.
It makes sense, given that some reports claimed up to 700 victims from the year-long campaign.
Changes and improvements
But first, a little context: In August 2025, ShinyHunters agents were reported to be calling their targets on the phone, claiming to be IT support, and convincing them to authorize a seemingly legitimate Salesforce Data Loader application. In fact, this application was controlled by the attackers and requested OAuth permissions that allowed them to access Salesforce data through official APIs.
Since everything happened through legitimate authentication and API calls, the activity seemed like normal user behavior.
In the following months, the campaign evolved. Instead of fooling individual employees, ShinyHunters compromised third-party SaaS providers that integrated with Salesforce, including Salesloft’s Drift integration, Gainsight, and later Klue.
By stealing OAuth tokens or integration secrets from these providers, they accessed hundreds of downstream customers’ Salesforce environments without interacting with each customer individually.
At one point, Google told reporters that it was aware of more than 700 potentially affected organizations.
“Microsoft consulted with Salesforce to improve granularity in Defender telemetry for cloud apps with near real-time detection, offering connected app attribution and expanded app permissions insights,” the company said in a new report. “This activity was not the result of an inherent vulnerability in Salesforce. Rather, threat actors abused OAuth trusted relationships for unauthorized access, data exfiltration, and persistence.”
In other words, Microsoft enabled greater visibility into OAuth-connected applications and their activity, enabled better detection of suspicious API and OAuth behavior through richer telemetry and correlation, and now provides stronger governance of connected applications through permissions analysis, risk scoring, and lifecycle management.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




