---
title: "ShinyHunters Abuses Salesforce OAuth to Bypass MFA"
date: 2026-07-14
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/07/shinyhunters-abuses-salesforce-oauth-to-bypass-mfa.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# ShinyHunters Abuses Salesforce OAuth to Bypass MFA

Microsoft disclosed on July 13, 2026 that attackers using tradecraft associated with ShinyHunters abused trusted Salesforce OAuth connections between mid-2025 and mid-2026 to sidestep multi-factor authentication (MFA) and exfiltrate CRM data. The campaigns hit Salesforce tenants across retail, education and manufacturing.

## Quick Summary – TLDR:

- Microsoft tied a year of Salesforce intrusions to ShinyHunters-associated tradecraft spanning voice phishing, supply-chain compromise and misconfigured guest access.
- A fake Salesforce Data Loader app tricked employees into granting OAuth consent, letting attackers inherit the user’s session and skip MFA entirely.
- Compromised Salesloft Drift credentials in August 2025 exposed connection secrets used across multiple customer Salesforce tenants.
- A Gainsight-integration campaign in November 2025 kept persistent API access without triggering sign-in anomalies.
- The threat actor Storm-3138 breached market-intelligence platform Klue in June 2026 and reused the same Salesforce credential-abuse pattern.

## What Happened?

Microsoft’s threat intelligence team said the activity was not the result of a vulnerability inherent to Salesforce, but of attackers abusing trusted OAuth relationships, according to Microsoft. **OAuth** is the delegated sign-in system that lets one application act on a user’s behalf without ever seeing that user’s password. Once a victim approves the wrong connection, the attacker’s app inherits real permissions and can query the **CRM (customer relationship management) system** like any authorized user.

The disclosure centers on **tradecraft** including [voice phishing (vishing)](https://sqmagazine.co.uk/voice-phishing-statistics/), supply chain compromise, and misconfigured guest access used against customer SaaS-based applications such as [Salesforce](https://sqmagazine.co.uk/salesforce-statistics/). That single throughline is why a year of seemingly unrelated vendor breaches, at Salesloft, Gainsight and now Klue, reads as one long campaign rather than three coincidences.

> Microsoft identified threat actor activity with overlapping tradecraft commonly associated with ShinyHunters, including voice phishing (vishing), supply-chain compromise, and misconfigured guest access targeting SaaS-based applications. <https://t.co/CijwSaeJ18>  
>   
> Across intrusion…
> 
> — Microsoft Threat Intelligence (@MsftSecIntel) [July 13, 2026](https://x.com/MsftSecIntel/status/2076792280959348954?ref_src=twsrc%5Etfw)

 ## How the OAuth Bypass Works?

The most common route started with vishing, voice calls where attackers impersonated IT support staff. Employees who approved the **fake Data Loader app** handed attackers a session that could issue Salesforce API calls without repeat authentication. GBHackers, a security outlet that separately reviewed the disclosure, described the effect as neutralizing MFA as a meaningful barrier, since the activity ran through a valid, authorized OAuth session rather than a stolen password or an anomalous login.

Other paths in the campaign targeted infrastructure instead of individual employees:

- **[Salesloft Drift (August 2025)](https://sqmagazine.co.uk/salesloft-github-breach-drift-attack/):** compromised credentials exposed connection secrets that let attackers reuse OAuth tokens across multiple customer Salesforce instances.
- **Gainsight (November 2025):** a follow-on campaign targeted Gainsight-published Salesforce apps to maintain persistent API access in multiple customer environments.
- **[Klue / Storm-3138 (June 2026)](https://sqmagazine.co.uk/lastpass-data-exposure-klue-supply-chain-hack/):** the threat actor Storm-3138 accessed Klue’s own systems and reused Salesforce credentials to discover, query and exfiltrate data the same way.
- **Guest-access abuse:** Microsoft also flagged a wave of suspicious guest user activity targeting Salesforce Aura endpoints. Chaining requests against that framework let attackers pull far more data than a guest account should ever reach.

[Microsoft](https://sqmagazine.co.uk/microsoft-statistics/) published two indicators of compromise (IOCs, the technical fingerprints defenders use to spot an attack) alongside the disclosure: IP address **138.226.246.94**, used by the Klue integration to query Salesforce on June 11, and IP address **103.75.11.78**, used to target the Aura framework with guest access between June 19 and 22.

## SQ Magazine’s Takeaway

This is a governance failure dressed as a technical one. Every intrusion path here relied on Salesforce granting access to something the organization itself authorized: a connected app, a vendor integration, a guest account.

None of it needed a stolen password to work. MFA protects a login, but it does nothing once an OAuth token has already been handed to the wrong party.

The fix is not a stronger password policy. Security teams need to inventory every connected app tied to their Salesforce tenant, check who granted it access and why, and cut off anything unused or over-privileged.

Expect more vendors in this same supply chain to disclose related incidents as investigators keep tracing where the Storm-3138 and Klue credentials surfaced next. Organizations running Salesforce Experience Cloud should audit guest-user permissions now, before an Aura-endpoint scan turns up in their own logs.