{
  "name": "Defending SaaS-based applications against ShinyHunters OAuth abuse",
  "slug": "defending-saas-based-applications-against-shinyhunters-oauth-abuse",
  "description": "Between mid-2025 and mid-2026, threat actors using tradecraft associated with ShinyHunters targeted customer SaaS applications, particularly Salesforce instances, through three primary intrusion paths. Voice phishing campaigns impersonated IT support to trick employees into authorizing malicious OAuth applications. Supply chain compromises leveraged trusted integrations including Salesloft, Gainsight, and Klue to obtain OAuth tokens for downstream customer access. Misconfigured guest access enabled exploitation of Aura framework functionality for unauthorized data queries. These techniques abused legitimate OAuth relationships to inherit user and application privileges, enabling enumeration and exfiltration of CRM data while evading authentication detections. The campaigns targeted multiple industries including retail, education, and manufacturing, highlighting risks in OAuth-connected applications and third-party integrations.",
  "published": "2026-07-14T02:38:48.402000+00:00",
  "created_at": "2026-07-14T08:58:11.569000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-07-14T08:58:11.569000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "oauth abuse",
    "saas security",
    "salesforce",
    "supply chain compromise",
    "vishing"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "6ab35c71-7f8b-4ba2-90fd-eaf54c48b940",
        "name": "138.226.246.94"
      },
      {
        "id": "220c12d3-71d2-4ada-84aa-925f5d1458f6",
        "name": "212.86.125.24"
      },
      {
        "id": "2d5b0997-9cdc-4b1b-9092-e9360b28f9ab",
        "name": "94.154.32.160"
      },
      {
        "id": "d0148fc2-5cf3-4f35-8b4a-cfdc9c17a8a4",
        "name": "213.111.148.90"
      },
      {
        "id": "d9a77c2b-8c66-4675-a80e-c3deb08a26d6",
        "name": "103.75.11.110"
      },
      {
        "id": "b22c5c5d-a4fb-4f1c-9a50-a891119ebc9c",
        "name": "103.75.11.78"
      }
    ],
    "intrusion_sets": [
      {
        "id": "079059d2-e9f0-4301-bcf3-6e0b6bf4e197",
        "name": "ShinyHunters",
        "slug": "shinyhunters"
      }
    ],
    "observables": [
      {
        "id": "cf0c4c7c-ba51-465a-960d-e89fcf0a0f30",
        "name": "103.75.11.110"
      },
      {
        "id": "dcd471d8-696a-41fb-9403-1f180fb92df6",
        "name": "94.154.32.160"
      },
      {
        "id": "a746aa0e-8b61-4296-a47e-35a47d7c851c",
        "name": "213.111.148.90"
      },
      {
        "id": "21dac428-d70f-4333-8d52-18009870fd87",
        "name": "103.75.11.78"
      },
      {
        "id": "76e86159-5247-445a-af0e-9ebbddbf6a22",
        "name": "138.226.246.94"
      },
      {
        "id": "10f07060-24f7-412f-acbd-d4e24536e91a",
        "name": "212.86.125.24"
      }
    ]
  },
  "external_refs": [
    {
      "id": "403941ec-2a6b-44c9-aea5-d3530a8d1166",
      "standard_id": "external-reference--849754d0-6fa9-594f-a39c-fbec393807cf",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.microsoft.com/en-us/security/blog/2026/07/13/defending-saas-based-applications-against-shinyhunters-oauth-abuse/",
      "hash": null,
      "external_id": null,
      "created": "2026-07-14T08:58:11.528Z",
      "modified": "2026-07-14T08:58:11.528Z",
      "createdById": null
    },
    {
      "id": "906a8a75-c84c-4874-9c56-49bbaecbff33",
      "standard_id": "external-reference--c39fb0d5-fd29-570f-bd82-ba0a3655e685",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a55a1380d4e12c0ea409b6e",
      "hash": null,
      "external_id": "6a55a1380d4e12c0ea409b6e",
      "created": "2026-07-14T08:58:11.476Z",
      "modified": "2026-07-14T08:58:11.476Z",
      "createdById": null
    }
  ]
}