Skip to content
Auto-CTI
Back to all deep dives
MICROSOFT SECURITY BLOG

Defending SaaS-based applications against ShinyHunters OAuth abuse

HIGH ShinyHunters OAuth abuse vishing supply-chain compromise SaaS security

Strategic summary

Between mid-2025 and mid-2026, Microsoft observed ShinyHunters campaigns abusing OAuth trust relationships in SaaS applications like Salesforce. The threat actors used voice phishing, supply chain compromise via trusted integrations, and misconfigured guest access to gain unauthorized access, exfiltrate data, and establish persistence. This tradecraft allowed them to operate within legitimate workflows while evading conventional authentication detections. For organizations like Joel Traber AG in manufacturing, it is critical to monitor OAuth-connected applications, validate third-party integrations, and review guest access configurations.

Key findings

  • ShinyHunters actors used voice phishing to trick employees into authorizing malicious OAuth apps disguised as legitimate tools.
  • SaaS supply chain attacks compromised trusted integrations such as Salesloft and Gainsight, leading to expanded access.
  • Misconfigured guest access was exploited to gain unauthorized access to CRM data without triggering standard authentication alerts.
  • The attackers operated within legitimate workflows to exfiltrate data at scale and maintain persistent access.
  • Microsoft recommends monitoring OAuth apps, validating third-party integrations, reviewing guest access settings, and enabling Salesforce event monitoring.

Relevance for you

ShinyHunters-associated campaigns exploit vishing attacks to compromise OAuth access to Salesforce instances, combined with supply-chain attacks through trusted integrations such as Salesloft and Gainsight.

Risk score

15
cvss base
0.00
kev bonus
0.00
epss bonus
0.00
poc bonus
15.00
raw before weight
15.00
industry weight
1.10
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00
consensus penalty
-5.00

Path: operational

Consensus check

The pipeline self-checks before delivery. These rules lowered the score:

  • VENDOR_MISMATCH Vendor not found in alert title −5
Consensus penalty:
−5.0
Total penalty:
−5.0
ESC