2 min read

Microsoft tightens OAuth defenses after ShinyHunters attacks

Microsoft updated Defender for Cloud Apps after ShinyHunters abused Salesforce OAuth flows and SaaS integrations in a campaign tied to up to 700 victims.

Image: TechRadar

Microsoft is rolling out new security features in Defender for Cloud Apps after the ShinyHunters cybercrime group exploited trusted OAuth connections in Salesforce environments and later pivoted through third-party SaaS integrations.

According to reports cited by TechRadar, the campaign may have affected as many as 700 organizations over roughly a year. Google previously said it was aware of more than 700 potentially impacted organizations.

The attack first came to light in August 2025, when ShinyHunters operators reportedly called targets while posing as IT support. They persuaded users to authorize a seemingly legitimate Salesforce Data Loader app that was actually controlled by the attackers. Once approved, the app gained OAuth permissions that let the group access Salesforce data through official APIs.

Recommended reading

New macOS malware slips past Gatekeeper

That made the activity hard to spot, because it blended in with normal authentication and API traffic.

The campaign later expanded beyond individual employee targeting. Attackers compromised third-party SaaS providers connected to Salesforce, including Salesloft’s Drift integration, Gainsight, and later Klue. By stealing OAuth tokens or integration secrets from those vendors, they were able to reach hundreds of downstream customer Salesforce environments without having to trick each victim separately.

Microsoft said its response centers on two areas: improved detection and investigation and new posture and governance capabilities.

“Microsoft consulted with Salesforce to improve granularity in telemetry for Defender for Cloud Apps with near-real-time detection, offering connected application attribution and expanded application permission insights.” “This activity was not the result of a vulnerability inherent to Salesforce. Rather, the threat actors abused trusted OAuth relationships for unauthorized access, data exfiltration, and persistence.”

Microsoft

In practice, that means richer telemetry for OAuth-connected apps, better correlation of suspicious API and OAuth behavior, and stronger controls around connected applications through permission analysis, risk scoring, and lifecycle management.

Best antivirus software header
Best antivirus software header
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via TechRadar

// Keep reading