Cookie Consent by Free Privacy Policy Generator

Microsoft Tracks Year-Long Salesforce Data Theft Campaign Exploiting OAuth Trust

Microsoft has published research detailing a year-long campaign in which attackers, whose methods align with the data extortion group ShinyHunters, have been stealing data from corporate Salesforce environments by exploiting OAuth trust relationships rather than vulnerabilities in the platform itself. The Hacker News reports that the attackers gained access through legitimate OAuth connections that organisations had already established between Salesforce and third-party applications or vendors. Once inside, the attackers used those trusted connections to exfiltrate customer data, contact lists, and business records without triggering traditional security alerts. The campaign highlights how attackers are increasingly targeting the trust relationships between cloud platforms rather than exploiting software flaws, making detection significantly harder for organisations that rely on perimeter and endpoint controls alone.

Why this matters for UK organisations

For many UK organisations, Salesforce and similar cloud platforms are central to customer relationship management, sales operations, and business intelligence. OAuth is widely used to connect these platforms to marketing tools, analytics services, support systems, and automation platforms. The operational challenge is that OAuth permissions are often granted during initial setup and rarely reviewed thereafter. If a third-party application is compromised, or if an attacker gains access to OAuth tokens through credential theft or social engineering, they can move laterally into connected systems without needing to exploit a vulnerability. This creates a significant blind spot for security teams that focus primarily on identity and endpoint protection but lack visibility into how cloud platforms are interconnected and what data those connections can access. The campaign described by Microsoft lasted for a year, suggesting that traditional security monitoring did not detect the data exfiltration because it appeared to be legitimate activity conducted through trusted integrations. This is a pattern that is likely to become more common as attackers shift focus from exploiting software flaws to exploiting trust relationships and configuration weaknesses.

What to review

UK organisations should review which third-party applications have OAuth access to Salesforce, Microsoft 365, Google Workspace, and other cloud platforms, what data those connections can access, and whether those permissions are still necessary. Many organisations discover that OAuth permissions granted years ago are still active, even after the original business need has ended. Establishing a regular review process for OAuth grants, ensuring that security teams have visibility into cloud platform integrations, and monitoring for unusual data access patterns are all practical steps that reduce exposure to this type of attack. Organisations should also consider whether OAuth permissions are granted at the appropriate level of access, whether multi-factor authentication is enforced for accounts that can grant OAuth permissions, and whether logging and alerting are configured to detect unusual API activity or data export patterns. Where third-party integrations are no longer needed, revoking OAuth access is a straightforward way to reduce the attack surface. This is an area where governance, visibility, and regular review are more important than technical controls alone.

Source: The Hacker News

News and blog posts
Introduction Knowing what to do when a client asks for proof of cybersecurity...
The National Cyber Security Centre, alongside CISA and international partners,...
Microsoft has published research detailing a year-long campaign in which...
The US Cybersecurity and Infrastructure Security Agency has added...