Press TechRound interviews Secure.com CEO on the future of AI security
Read

ShinyHunters Turn Salesforce Trust Into a Loaded Gun, Microsoft Warns

Microsoft ties ShinyHunters-linked crews to OAuth abuse hitting Salesforce via vishing, supply chain, and guest access. See the IOCs & fixes.

Dateline: July 14, 2026

1.5 Billion Records: Inside the ShinyHunters Playbook 

Microsoft just pulled back the curtain on a year of quiet theft. In a report published July 13, 2026, its Defender Security Research team laid out how crews using tradecraft tied to ShinyHunters have been robbing Salesforce customers blind. They did not break in. They walked in through the front door, holding permission slips the victims signed themselves.

What Happened?

Between mid 2025 and mid 2026, Microsoft tracked a string of campaigns that shared one clever trick. The attackers abused OAuth, the system that lets apps talk to each other on your behalf. Instead of cracking passwords or dropping malware, they got trusted apps to do the dirty work.

Microsoft Found Three Ways In

The first was voice phishing, or vishing. Attackers called employees pretending to be IT support. They walked staff through an OAuth consent screen and got them to approve a fake app dressed up as the real Salesforce Data Loader tool. Once approved, that app could query and pull CRM records at will.

The second was supply chain abuse. In August 2025, stolen Salesloft Drift credentials let attackers reach downstream Salesforce tenants. A November 2025 wave hit apps published by Gainsight. Then in June 2026, a group Microsoft tracks as Storm-3138 breached the market intelligence platform Klue and reused its Salesforce credentials to query and steal data. Each time, the activity looked like normal integration traffic.

The third was guest access. Attackers hammered misconfigured Salesforce Aura endpoints, chaining GraphQL requests to pull far more data than a guest account should ever see.

Microsoft was clear on one point. This was not a Salesforce vulnerability. It was trust, aimed the wrong way.

What’s the Impact?

The damage here is scale, and it is quiet. Because every action rode on approved apps and real user privileges, the theft blended into daily business. Traditional login alarms stayed silent while accounts, contacts, and support case records walked out the door.

Microsoft saw hits across retail, education, and manufacturing. And the numbers from the wider ShinyHunters saga are staggering. Reporting tied to these campaigns points to over 1,000 breached organizations and claims of roughly 1.5 billion stolen records across Salesforce operations alone.

One weak app is all it takes. A single approved integration can hand an attacker the keys to your whole CRM, then become a launch pad into other SaaS tools.

Indicators of Compromise (IOCs)

Indicators of Compromise
ShinyHunters Salesforce OAuth Abuse
IP addresses published by Microsoft Defender Security Research, July 13, 2026.
138.226.246.94 Klue integration Used to call the Salesforce API and query CRM data on June 11. First disclosed by Klue in its breach notification.
212.86.125.24 Klue integration Tied to the same Klue-linked Salesforce API activity.
213.111.148.90 Klue integration Tied to the same Klue-linked Salesforce API activity.
94.154.32.160 Klue integration Tied to the same Klue-linked Salesforce API activity.
103.75.11.78 Aura guest access Used to target the Aura framework with guest access from June 19 to 22. Discovered by Microsoft as part of a new campaign.
103.75.11.110 Aura guest access Part of the same Aura framework guest access campaign.
Source: Microsoft Defender Security Research. This activity abused trusted OAuth relationships and was not the result of a Salesforce vulnerability. Block and monitor these indicators, then review your connected app grants.

How to Avoid This

Start by treating connected apps like accounts, because that is what they are.

  • Watch your OAuth grants.
  • Review which apps have access, what scopes they hold, and who approved them.
  • Kill anything unused.
  • Apps left idle for 90 days or more are pure risk with no reward.
  • Lock down guest access on Experience Cloud and Aura, since default settings are often too open.
  • Turn on Salesforce event monitoring so API calls and exports show up in your logs.
  • Train staff to hang up on anyone who calls asking them to approve an app.

Your CRM Trust Is Only as Safe as Your Weakest App

Attacks like this hide inside approved access, so the fix is constant visibility, not a quarterly audit. Secure.com’s Digital Security Teammates help you close the gap by: 

  • Mapping every connected OAuth app across your SaaS stack, along with the scopes each one holds. 
  • Flagging overpermissioned and highly privileged integrations before they get abused. 
  • Spotting unused apps that sit idle and keep their access. 
  • Enforcing MFA and least privilege across Salesforce and every linked account. 
  • Watching for permission drift and anomalous API activity as it happens, not weeks later.