Defending SaaS-based applications against ShinyHunters OAuth abuse
Admiralty grading (A–F · 1–6)
Source reliability
- A Completely reliable
- B Usually reliable
- C Fairly reliable
- D Not usually reliable
- E Unreliable
- F Cannot be judged
Information credibility
- 1 Confirmed
- 2 Probably true
- 3 Possibly true
- 4 Doubtful
- 5 Improbable
- 6 Cannot be judged
NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.
Key insight
ShinyHunters-associated campaigns exploit vishing attacks to compromise OAuth access to Salesforce instances, combined with supply-chain attacks through trusted integrations such as Salesloft and Gainsight.
Description
Microsoft observed campaigns between mid-2025 and mid-2026 by the ShinyHunters threat actor group exploiting vishing techniques, supply-chain compromise, and misconfigured guest access to infiltrate SaaS applications such as Salesforce. Attackers abused OAuth relationships to impersonate trusted applications, manipulate OAuth consent flows, and gain extensive API access. Compromised OAuth tokens enabled data exfiltration, persistence, and privileged actions within Salesforce environments. Three primary attack vectors were documented: direct vishing against users to authorize malicious apps, compromise of trusted workflow integrations (Salesloft, Gainsight), and exploitation of misconfigured guest access policies.
Risk score
- cvss base
- 0.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 15.00
- industry weight
- 1.10
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
- consensus penalty
- -5.00
Path: operational
Consensus check
The pipeline self-checks before delivery. These rules lowered the score:
-
VENDOR_MISMATCHVendor not found in alert title −5
- Consensus penalty:
- −5.0
- Total penalty:
- −5.0