Microsoft disclosed on July 13, 2026 that attackers using tradecraft associated with ShinyHunters abused trusted Salesforce OAuth connections between mid-2025 and mid-2026 to sidestep multi-factor authentication (MFA) and exfiltrate CRM data. The campaigns hit Salesforce tenants across retail, education and manufacturing.
Quick Summary – TLDR:
- Microsoft tied a year of Salesforce intrusions to ShinyHunters-associated tradecraft spanning voice phishing, supply-chain compromise and misconfigured guest access.
- A fake Salesforce Data Loader app tricked employees into granting OAuth consent, letting attackers inherit the user’s session and skip MFA entirely.
- Compromised Salesloft Drift credentials in August 2025 exposed connection secrets used across multiple customer Salesforce tenants.
- A Gainsight-integration campaign in November 2025 kept persistent API access without triggering sign-in anomalies.
- The threat actor Storm-3138 breached market-intelligence platform Klue in June 2026 and reused the same Salesforce credential-abuse pattern.
What Happened?
Microsoft’s threat intelligence team said the activity was not the result of a vulnerability inherent to Salesforce, but of attackers abusing trusted OAuth relationships, according to Microsoft. OAuth is the delegated sign-in system that lets one application act on a user’s behalf without ever seeing that user’s password. Once a victim approves the wrong connection, the attacker’s app inherits real permissions and can query the CRM (customer relationship management) system like any authorized user.
The disclosure centers on tradecraft including voice phishing (vishing), supply chain compromise, and misconfigured guest access used against customer SaaS-based applications such as Salesforce. That single throughline is why a year of seemingly unrelated vendor breaches, at Salesloft, Gainsight and now Klue, reads as one long campaign rather than three coincidences.
Microsoft identified threat actor activity with overlapping tradecraft commonly associated with ShinyHunters, including voice phishing (vishing), supply-chain compromise, and misconfigured guest access targeting SaaS-based applications. https://t.co/CijwSaeJ18
— Microsoft Threat Intelligence (@MsftSecIntel) July 13, 2026
Across intrusion…
How the OAuth Bypass Works?
The most common route started with vishing, voice calls where attackers impersonated IT support staff. Employees who approved the fake Data Loader app handed attackers a session that could issue Salesforce API calls without repeat authentication. GBHackers, a security outlet that separately reviewed the disclosure, described the effect as neutralizing MFA as a meaningful barrier, since the activity ran through a valid, authorized OAuth session rather than a stolen password or an anomalous login.
Other paths in the campaign targeted infrastructure instead of individual employees:
- Salesloft Drift (August 2025): compromised credentials exposed connection secrets that let attackers reuse OAuth tokens across multiple customer Salesforce instances.
- Gainsight (November 2025): a follow-on campaign targeted Gainsight-published Salesforce apps to maintain persistent API access in multiple customer environments.
- Klue / Storm-3138 (June 2026): the threat actor Storm-3138 accessed Klue’s own systems and reused Salesforce credentials to discover, query and exfiltrate data the same way.
- Guest-access abuse: Microsoft also flagged a wave of suspicious guest user activity targeting Salesforce Aura endpoints. Chaining requests against that framework let attackers pull far more data than a guest account should ever reach.
Microsoft published two indicators of compromise (IOCs, the technical fingerprints defenders use to spot an attack) alongside the disclosure: IP address 138.226.246.94, used by the Klue integration to query Salesforce on June 11, and IP address 103.75.11.78, used to target the Aura framework with guest access between June 19 and 22.
SQ Magazine’s Takeaway
This is a governance failure dressed as a technical one. Every intrusion path here relied on Salesforce granting access to something the organization itself authorized: a connected app, a vendor integration, a guest account.
None of it needed a stolen password to work. MFA protects a login, but it does nothing once an OAuth token has already been handed to the wrong party.
The fix is not a stronger password policy. Security teams need to inventory every connected app tied to their Salesforce tenant, check who granted it access and why, and cut off anything unused or over-privileged.
Expect more vendors in this same supply chain to disclose related incidents as investigators keep tracing where the Storm-3138 and Klue credentials surfaced next. Organizations running Salesforce Experience Cloud should audit guest-user permissions now, before an Aura-endpoint scan turns up in their own logs.