Skip to content
Auto-CTI
Back to today
NEW ShinyHunters HIGH B3

Defending SaaS-based applications against ShinyHunters OAuth abuse

B Microsoft Security Blog ·

Admiralty grading (A–F · 1–6)

Source reliability

  • A Completely reliable
  • B Usually reliable
  • C Fairly reliable
  • D Not usually reliable
  • E Unreliable
  • F Cannot be judged

Information credibility

  • 1 Confirmed
  • 2 Probably true
  • 3 Possibly true
  • 4 Doubtful
  • 5 Improbable
  • 6 Cannot be judged

NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.

Key insight

ShinyHunters-associated campaigns exploit vishing attacks to compromise OAuth access to Salesforce instances, combined with supply-chain attacks through trusted integrations such as Salesloft and Gainsight.

Description

Microsoft observed campaigns between mid-2025 and mid-2026 by the ShinyHunters threat actor group exploiting vishing techniques, supply-chain compromise, and misconfigured guest access to infiltrate SaaS applications such as Salesforce. Attackers abused OAuth relationships to impersonate trusted applications, manipulate OAuth consent flows, and gain extensive API access. Compromised OAuth tokens enabled data exfiltration, persistence, and privileged actions within Salesforce environments. Three primary attack vectors were documented: direct vishing against users to authorize malicious apps, compromise of trusted workflow integrations (Salesloft, Gainsight), and exploitation of misconfigured guest access policies.

Risk score

15
cvss base
0.00
kev bonus
0.00
epss bonus
0.00
poc bonus
15.00
raw before weight
15.00
industry weight
1.10
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00
consensus penalty
-5.00

Path: operational

Consensus check

The pipeline self-checks before delivery. These rules lowered the score:

  • VENDOR_MISMATCH Vendor not found in alert title −5
Consensus penalty:
−5.0
Total penalty:
−5.0
ESC