{
  "name": "Detecting the Klue supply chain attack in Salesforce instances",
  "slug": "detecting-the-klue-supply-chain-attack-in-salesforce-instances",
  "description": "On June 11, 2026, the Icarus threat group compromised Klue's backend systems, a market intelligence platform used by hundreds of enterprises to sync competitive battlecard data with CRM environments. The attackers exploited a dormant credential from an abandoned prototype integration to harvest OAuth tokens for Salesforce and Gong. Through automated API calls using Python scripts, the group exfiltrated CRM data including business contacts, price quotes, and sales communications from multiple customer Salesforce organizations. Klue detected the anomalous activity on June 12 and revoked OAuth credentials on June 13. The attackers subsequently launched an extortion campaign starting June 16, demanding victims contact them via Session Messenger within 48 hours.",
  "published": "2026-06-22T20:21:11.668000+00:00",
  "created_at": "2026-06-23T09:20:40.523000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-23T09:20:40.523000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "crm data theft",
    "extortion campaign",
    "klue compromise",
    "oauth abuse",
    "salesforce",
    "supply chain attack"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "6ab35c71-7f8b-4ba2-90fd-eaf54c48b940",
        "name": "138.226.246.94"
      },
      {
        "id": "220c12d3-71d2-4ada-84aa-925f5d1458f6",
        "name": "212.86.125.24"
      },
      {
        "id": "2d5b0997-9cdc-4b1b-9092-e9360b28f9ab",
        "name": "94.154.32.160"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d687f18d-d626-4613-8a2a-8a30914118cf",
        "name": "Icarus",
        "slug": "icarus"
      }
    ],
    "attack_patterns": [
      {
        "id": "2ab37c37-62b9-4750-bfb0-c692ccdd36ac",
        "name": "T1114.002"
      },
      {
        "id": "e73b317e-ea92-49b4-a45d-051f7279aced",
        "name": "T1213"
      },
      {
        "id": "2f07e892-0128-454b-9413-803505e67b48",
        "name": "T1030"
      },
      {
        "id": "7e3e3784-9547-42ca-b888-482972d14be3",
        "name": "T1528"
      },
      {
        "id": "503ba2cd-0ae8-422c-8f1a-2cecb472db53",
        "name": "T1550.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "ee82762a-2958-4901-aade-341277d9b410",
        "name": "T1078.004"
      },
      {
        "id": "0a349b00-3868-4704-8f0d-6ecdd53a287b",
        "name": "T1213.002"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "7c497590-4975-4cec-b8c6-e94966b6e9c3",
        "name": "T1087.004"
      },
      {
        "id": "a831f7c4-a7f0-4243-8211-1cd44fa34fa7",
        "name": "T1020"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "observables": [
      {
        "id": "dcd471d8-696a-41fb-9403-1f180fb92df6",
        "name": "94.154.32.160"
      },
      {
        "id": "76e86159-5247-445a-af0e-9ebbddbf6a22",
        "name": "138.226.246.94"
      },
      {
        "id": "10f07060-24f7-412f-acbd-d4e24536e91a",
        "name": "212.86.125.24"
      }
    ]
  },
  "external_refs": [
    {
      "id": "d581a92a-c945-47ce-9541-699df8970aa6",
      "standard_id": "external-reference--4b3271f6-9cd9-594a-ba45-e6626002a86b",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a3999371eb0f2f2e3fb7f08",
      "hash": null,
      "external_id": "6a3999371eb0f2f2e3fb7f08",
      "created": "2026-06-23T09:20:40.420Z",
      "modified": "2026-06-23T09:20:40.420Z",
      "createdById": null
    },
    {
      "id": "11de368a-9476-481a-b0e4-ee6dabdc3aaf",
      "standard_id": "external-reference--e024d066-dcde-54e0-916f-3739c44b9c92",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://securitylabs.datadoghq.com/articles/detecting-the-klue-supply-chain-attack-in-salesforce/",
      "hash": null,
      "external_id": null,
      "created": "2026-06-23T09:20:40.464Z",
      "modified": "2026-06-23T09:20:40.464Z",
      "createdById": null
    }
  ]
}