MICROSOFT'S Security Research Team identified threat actor activities between mid-2025 and mid-2026, highlighting tactics aligned with ShinyHunters, such as voice phishing (vishing), supply chain compromises, and exploitation of misconfigured guest access in Salesforce applications.
Key intrusion methods included vishing targeting OAuth consent, compromising trusted workflows like Salesloft and Gainsight, and taking advantage of misconfigured guest settings, leading to unauthorized access and extensive data exfiltration. This situation emphasized the vulnerabilities of OAuth-connected applications and the need for stringent monitoring.
Microsoft collaborated with Salesforce to enhance telemetry and detection capabilities, underscoring that these issues were due to exploitation of trusted relationships rather than inherent Salesforce vulnerabilities.