Defending SaaS-based applications against ShinyHunters OAuth abuse
Essential information
- Published
- 14/07/2026 04:38
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- oauth abuse saas security salesforce supply chain compromise vishing
- Related entities
- 6 indicators, 6 observables, 1 intrusion sets (apt)
Description
Between mid-2025 and mid-2026, threat actors using tradecraft associated with ShinyHunters targeted customer SaaS applications, particularly Salesforce instances, through three primary intrusion paths. Voice phishing campaigns impersonated IT support to trick employees into authorizing malicious OAuth applications. Supply chain compromises leveraged trusted integrations including Salesloft, Gainsight, and Klue to obtain OAuth tokens for downstream customer access. Misconfigured guest access enabled exploitation of Aura framework functionality for unauthorized data queries. These techniques abused legitimate OAuth relationships to inherit user and application privileges, enabling enumeration and exfiltration of CRM data while evading authentication detections. The campaigns targeted multiple industries including retail, education, and manufacturing, highlighting risks in OAuth-connected applications and third-party integrations.