Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Defending SaaS-based applications against ShinyHunters OAuth abuse

0
Medium
Published: 07/14/2026 (07/14/2026, 02:38:48 UTC)
Source: AlienVault OTX General

Description

Between mid-2025 and mid-2026, threat actors using tradecraft associated with ShinyHunters targeted customer SaaS applications, particularly Salesforce instances, through three primary intrusion paths. Voice phishing campaigns impersonated IT support to trick employees into authorizing malicious OAuth applications. Supply chain compromises leveraged trusted integrations including Salesloft, Gainsight, and Klue to obtain OAuth tokens for downstream customer access. Misconfigured guest access enabled exploitation of Aura framework functionality for unauthorized data queries. These techniques abused legitimate OAuth relationships to inherit user and application privileges, enabling enumeration and exfiltration of CRM data while evading authentication detections. The campaigns targeted multiple industries including retail, education, and manufacturing, highlighting risks in OAuth-connected applications and third-party integrations.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 09:02:30 UTC

Technical Analysis

This campaign involved threat actors using ShinyHunters-associated tradecraft to abuse OAuth authorization in SaaS applications, primarily Salesforce. The attackers employed three main intrusion vectors: (1) voice phishing (vishing) to trick employees into approving malicious OAuth apps, (2) supply chain compromises of trusted third-party integrations such as Salesloft, Gainsight, and Klue to obtain OAuth tokens, and (3) exploitation of misconfigured guest access in the Aura framework to perform unauthorized data queries. These techniques leveraged legitimate OAuth relationships to inherit user and application privileges, enabling enumeration and exfiltration of CRM data while evading authentication detection mechanisms. The campaign affected multiple industries, highlighting the security risks of OAuth abuse in SaaS environments and the importance of securing third-party integrations.

Potential Impact

The abuse of OAuth tokens and legitimate application privileges enabled unauthorized access to sensitive CRM data, including enumeration and data exfiltration. The use of voice phishing and supply chain compromises increased the attack surface and complexity of detection. The campaign affected multiple industries, potentially leading to data breaches and loss of customer trust. No known exploits in the wild were reported at the time of publication.

Mitigation Recommendations

No official patch or fix is available as this is an abuse of legitimate OAuth mechanisms and misconfigurations rather than a software vulnerability. Organizations should focus on strengthening OAuth app authorization processes, enhancing employee awareness to prevent vishing attacks, auditing and securing third-party integrations, and reviewing guest access configurations in frameworks like Aura. Monitoring OAuth app approvals and implementing strict least-privilege access controls can help mitigate such abuse.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.microsoft.com/en-us/security/blog/2026/07/13/defending-saas-based-applications-against-shinyhunters-oauth-abuse/"]
Adversary
ShinyHunters
Pulse Id
6a55a1380d4e12c0ea409b6e
Threat Score
null

Indicators of Compromise

Ip

ValueDescriptionCopy
ip103.75.11.78
CC=AU ASN=AS136557 host universal pty ltd
ip138.226.246.94
ip212.86.125.24
ip94.154.32.160
ip213.111.148.90
CC=UA ASN=AS35804 pp sks-lugan
ip103.75.11.110
CC=AU ASN=AS136557 host universal pty ltd

Threat ID: 6a55f7a868715ace4323278a

Added to database: 07/14/2026, 08:47:36 UTC

Last enriched: 07/14/2026, 09:02:30 UTC

Last updated: 07/14/2026, 20:40:51 UTC

Views: 18

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses