In a recent analysis, Microsoft has identified three distinct attack paths utilized by the data-extortion group ShinyHunters to infiltrate corporate Salesforce environments over the past year. Notably, these attacks do not rely on exploiting vulnerabilities within the Salesforce platform itself. Instead, they leverage the trust organizations have extended through OAuth connections to integrate Salesforce with various third-party applications and vendors. This method highlights a significant shift in attack strategies, focusing on social engineering and trust exploitation rather than technical exploits.
For businesses, this revelation underscores the critical importance of scrutinizing third-party app integrations and their associated OAuth permissions. Companies must implement robust access controls and continuously monitor for unusual activity within their Salesforce environments. This situation serves as a stark reminder that cybersecurity is not solely about patching vulnerabilities but also about understanding and managing the trust relationships that exist within an organization’s ecosystem. As the lines between applications blur, organizations must prioritize securing their OAuth connections to mitigate the risks associated with trust-based attacks, especially in the evolving landscape of cybersecurity and AI.
---
*Originally reported by [The Hacker News](https://thehackernews.com/2026/07/microsoft-maps-year-long-shinyhunters.html)*