Defending SaaS-based applications against ShinyHunters OAuth abuse
Between mid-2025 and mid-2026, threat actors using tradecraft associated with ShinyHunters targeted customer SaaS applications, particularly Salesforce instances, through three primary intrusion paths. Voice phishing campaigns impersonated IT support to trick employees into authorizing malicious OAuth applications. Supply chain compromises leveraged trusted integrations including Salesloft, Gainsight, and Klue to obtain OAuth tokens for downstream customer access. Misconfigured guest access enabled exploitation of Aura framework functionality for unauthorized data queries. These techniques abused legitimate OAuth relationships to inherit user and application privileges, enabling enumeration and exfiltration of CRM data while evading authentication detections. The campaigns targeted multiple industries including retail, education, and manufacturing, highlighting risks in OAuth-connected applications and third-party integrations.
AI Analysis
Technical Summary
This campaign involved threat actors using ShinyHunters-associated tradecraft to abuse OAuth authorization in SaaS applications, primarily Salesforce. The attackers employed three main intrusion vectors: (1) voice phishing (vishing) to trick employees into approving malicious OAuth apps, (2) supply chain compromises of trusted third-party integrations such as Salesloft, Gainsight, and Klue to obtain OAuth tokens, and (3) exploitation of misconfigured guest access in the Aura framework to perform unauthorized data queries. These techniques leveraged legitimate OAuth relationships to inherit user and application privileges, enabling enumeration and exfiltration of CRM data while evading authentication detection mechanisms. The campaign affected multiple industries, highlighting the security risks of OAuth abuse in SaaS environments and the importance of securing third-party integrations.
Potential Impact
The abuse of OAuth tokens and legitimate application privileges enabled unauthorized access to sensitive CRM data, including enumeration and data exfiltration. The use of voice phishing and supply chain compromises increased the attack surface and complexity of detection. The campaign affected multiple industries, potentially leading to data breaches and loss of customer trust. No known exploits in the wild were reported at the time of publication.
Mitigation Recommendations
No official patch or fix is available as this is an abuse of legitimate OAuth mechanisms and misconfigurations rather than a software vulnerability. Organizations should focus on strengthening OAuth app authorization processes, enhancing employee awareness to prevent vishing attacks, auditing and securing third-party integrations, and reviewing guest access configurations in frameworks like Aura. Monitoring OAuth app approvals and implementing strict least-privilege access controls can help mitigate such abuse.
Indicators of Compromise
- ip: 103.75.11.78
- ip: 138.226.246.94
- ip: 212.86.125.24
- ip: 94.154.32.160
- ip: 213.111.148.90
- ip: 103.75.11.110
Defending SaaS-based applications against ShinyHunters OAuth abuse
Description
Between mid-2025 and mid-2026, threat actors using tradecraft associated with ShinyHunters targeted customer SaaS applications, particularly Salesforce instances, through three primary intrusion paths. Voice phishing campaigns impersonated IT support to trick employees into authorizing malicious OAuth applications. Supply chain compromises leveraged trusted integrations including Salesloft, Gainsight, and Klue to obtain OAuth tokens for downstream customer access. Misconfigured guest access enabled exploitation of Aura framework functionality for unauthorized data queries. These techniques abused legitimate OAuth relationships to inherit user and application privileges, enabling enumeration and exfiltration of CRM data while evading authentication detections. The campaigns targeted multiple industries including retail, education, and manufacturing, highlighting risks in OAuth-connected applications and third-party integrations.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This campaign involved threat actors using ShinyHunters-associated tradecraft to abuse OAuth authorization in SaaS applications, primarily Salesforce. The attackers employed three main intrusion vectors: (1) voice phishing (vishing) to trick employees into approving malicious OAuth apps, (2) supply chain compromises of trusted third-party integrations such as Salesloft, Gainsight, and Klue to obtain OAuth tokens, and (3) exploitation of misconfigured guest access in the Aura framework to perform unauthorized data queries. These techniques leveraged legitimate OAuth relationships to inherit user and application privileges, enabling enumeration and exfiltration of CRM data while evading authentication detection mechanisms. The campaign affected multiple industries, highlighting the security risks of OAuth abuse in SaaS environments and the importance of securing third-party integrations.
Potential Impact
The abuse of OAuth tokens and legitimate application privileges enabled unauthorized access to sensitive CRM data, including enumeration and data exfiltration. The use of voice phishing and supply chain compromises increased the attack surface and complexity of detection. The campaign affected multiple industries, potentially leading to data breaches and loss of customer trust. No known exploits in the wild were reported at the time of publication.
Mitigation Recommendations
No official patch or fix is available as this is an abuse of legitimate OAuth mechanisms and misconfigurations rather than a software vulnerability. Organizations should focus on strengthening OAuth app authorization processes, enhancing employee awareness to prevent vishing attacks, auditing and securing third-party integrations, and reviewing guest access configurations in frameworks like Aura. Monitoring OAuth app approvals and implementing strict least-privilege access controls can help mitigate such abuse.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.microsoft.com/en-us/security/blog/2026/07/13/defending-saas-based-applications-against-shinyhunters-oauth-abuse/"]
- Adversary
- ShinyHunters
- Pulse Id
- 6a55a1380d4e12c0ea409b6e
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip103.75.11.78 | CC=AU ASN=AS136557 host universal pty ltd | |
ip138.226.246.94 | — | |
ip212.86.125.24 | — | |
ip94.154.32.160 | — | |
ip213.111.148.90 | CC=UA ASN=AS35804 pp sks-lugan | |
ip103.75.11.110 | CC=AU ASN=AS136557 host universal pty ltd |
Threat ID: 6a55f7a868715ace4323278a
Added to database: 07/14/2026, 08:47:36 UTC
Last enriched: 07/14/2026, 09:02:30 UTC
Last updated: 07/14/2026, 20:40:51 UTC
Views: 18
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.