Microsoft's research reveals that ShinyHunters exploited Salesforce environments using OAuth trust relationships, without exploiting flaws in the platform. This activity highlights vulnerabilities tied to common third-party vendor connections and employee consent, leading to unauthorized data access.
Microsoft's July 13 research highlights a year-long campaign by the group ShinyHunters, targeting Salesforce environments. The attacks leveraged organizational trust via OAuth connections rather than exploiting software vulnerabilities, making them difficult to detect.
Microsoft categorized the attack methods into three distinct paths: vishing calls deceiving users into authorizing malicious apps, stolen OAuth tokens from compromised vendors, and misconfigured guest access to Salesforce. These methods were observed across various industries such as retail and education.
The first intrusion method involved attackers making vishing calls, posing as IT personnel. They guided employees through the OAuth consent process to grant access to a malicious app disguised as Salesforce's Data Loader. This granted attackers the ability to make API calls as legitimate users.
Given the nature of these attacks, which do not involve traditional hacking methods like malware or credential theft, existing Salesforce monitoring systems failed to capture unauthorized activities. This has prompted Microsoft and Salesforce to collaborate on improving detection and governance tools to better flag suspicious behaviors associated with trusted access.
The findings emphasize the need for companies using Salesforce to review and tighten their OAuth configurations and educate employees about risks associated with consent granting. Continued targeting of trust relationships indicates a significant threat landscape for organizations relying on third-party integrations.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
Microsoft's research reveals that ShinyHunters exploited Salesforce environments using OAuth trust relationships, without exploiting flaws in the platform. This activity highlights vulnerabilities tied to common third-party vendor connections and employee consent, leading to unauthorized data access.