Microsoft maps three attack paths in Salesforce linked to ShinyHunters

Microsoft identifies three attack paths in Salesforce that exploit OAuth, without vulnerabilities. ShinyHunters has been active for a year. Learn how to protect your

14 jul 2026 • 4 min read • Q2BSTUDIO Team

Salesforce Attacks Exploit OAuth Without Vulnerabilities

In today's enterprise cybersecurity landscape, attackers no longer need to breach complex systems from scratch. The case of ShinyHunters, a group known for extortion of data, has highlighted an alarming trend: exploiting the trust that organizations place in their integrations. Microsoft has identified three specific attack paths in Salesforce environments that this group has used, without the need to compromise the platform itself. These routes focus on the abuse of OAuth connections, a protocol designed to facilitate authentication between applications, but which when poorly managed becomes an open door for cybercriminals.

The first attack path involves the impersonation of third-party applications connected via OAuth. ShinyHunters has managed to trick administrators into authorizing malicious applications that appear to be legitimate, such as sales analytics tools or marketing integrations. Once permission is granted, attackers access sensitive data stored in Salesforce, such as customer histories, contracts, or financial information. This vector is particularly dangerous because it does not require exploiting any technical vulnerabilities; it simply takes advantage of the lack of rigorous verification of external applications.

The second route is based on the theft of OAuth tokens through phishing campaigns targeting high-privilege employees. Attackers send emails that pretend to be notifications from Salesforce or trusted vendors, requesting that the user reauthorize a connection. Upon clicking, the access token is sent directly to the server controlled by ShinyHunters, allowing them to replicate the session and move laterally within the ecosystem. This method is effective because it bypasses multi-factor authentication when tokens are already issued, and because many IT teams don't actively monitor the use of suspicious tokens.

The third path exploits misconfigurations in the integration permissions. In environments where Salesforce is connected to cloud services such as AWS or Azure, it is common for administrators to grant excessive permissions to intermediary applications to avoid operational issues. ShinyHunters scans these configurations and locates integrations with overly broad scopes, such as full access to standard objects or the ability to modify records. Once identified, they simply reuse those legitimate connections to extract data without raising suspicion. In fact, Microsoft notes that in many cases attackers don't even need to create new authorizations; it is enough for them to exploit those that already exist.

The impact of these attacks goes beyond data loss. Affected companies face regulatory fines, reputational damage, and remediation costs that can amount to millions of euros. The real challenge, however, is that the root of the problem is not in Salesforce, but in digital trust management. Organizations often focus their cybersecurity efforts on securing the perimeter, forgetting that OAuth connections are like unguarded side doors. To mitigate these risks, it is critical to implement a proactive approach that combines regular permit audits, ongoing staff training, and advanced monitoring tools.

In this context, having a technology partner that understands both security and system integration is key. At Q2BSTUDIO we offer cybersecurity and pentesting services that help identify these vulnerabilities before they are exploited. Our team analyzes OAuth configurations, assesses third-party applications, and simulates real attacks to measure infrastructure resiliency. In addition, we complement these audits with AWS and Azure cloud services, ensuring that cloud integrations are properly segmented and with the minimum privileges necessary.

Artificial intelligence also plays a growing role in detecting anomalies in authentication flows. For example, we implement AI solutions for companies that analyze token usage patterns and generate alerts when unusual behavior is detected, such as access from unexpected geographical locations or mass requests for data. These AI agents can be integrated with Power BI to provide real-time dashboards to security teams, enabling rapid incident response.

For organizations that are assessing their security posture in Salesforce, we recommend starting by inventorying all active OAuth connections. Then, review the permission scopes and narrow down those that aren't strictly necessary. It is also vital to establish a process of periodic review of third-party applications, deactivating those that are no longer used or whose origin is not verified. Finally, consider adopting bespoke software solutions that allow granular control over integrations, such as bespoke applications specifically designed to manage the lifecycle of OAuth tokens.

The case of ShinyHunters demonstrates that cybersecurity can no longer be limited to protecting the core of a platform; it must be extended to the entire ecosystem of connections. At Q2BSTUDIO, as a software and technology development company, we help companies design secure architectures from the start, integrating business intelligence and process automation services without compromising data protection. The key is to understand that every integration is a potential risk point, and that prevention is always more cost-effective than remediation.

A BREAK?

Play for a moment before you go

OUR SERVICES

How we can help you

Artificial intelligence

AI agents, chatbots, and intelligent assistants that automate tasks and serve your customers 24/7 to improve the efficiency of your business.

More info

Software Development

Web, mobile, and desktop applications, intranets, e-commerce, SaaS, and management platforms designed for your company's specific needs.

More info

Cloud services

Migration, infrastructure, managed hosting, high availability, and security on Microsoft Azure and Amazon Web Services to help your business scale without limits.

More info

Cybersecurity and pentesting

Security audits, penetration testing and protection of applications, data and infrastructure on-premise and cloud, with ethical hacking and regulatory compliance.

More info

Business Intelligence

Dashboards and data analysis with Power BI: we integrate your sources, design dashboards and KPIs and turn your data into decisions.

More info

Process automation

We automate repetitive tasks and connect your applications with n8n, Power Automate, Make, and RPA, eliminating manual work and increasing productivity.

More info

Training for Companies

We train your teams in technology with criteria: web development, databases, Git, best practices and security, automation with n8n, artificial intelligence for companies and creation of AI solutions with Azure AI Foundry.

More info

Code Auditing

We audit the code that you, your team or an AI create: we tell you what is good and what to improve, we secure it and make it ready for production, web or app.

More info

AI Image Generation

We create for you the images that your business needs with artificial intelligence: product, networks, advertising, illustration and avatars. You tell us what you want and we deliver it ready to use.

More info

AI Video Generation

We create videos with artificial intelligence for you: promotional, networking, virtual presenters, dubbing and animations. You tell us the idea and we will deliver it assembled and ready to publish.

More info

AI Conversational Avatars

We create conversational avatars with AI – digital humans with a face and voice – that serve your customers and teams with the knowledge of your company, on your website, interactive monitors, WhatsApp or Teams.

More info

Online Marketing and AI

Google Ads, Meta Ads, LinkedIn Ads and AI Engine Positioning (GEO/AEO): we attract customers and make your brand appear where they search for you, also on ChatGPT, Gemini and Perplexity.

More info

Do you have a project in mind?

Tell us your vision and we'll turn it into a software solution. Whatever the scope, we make your idea real.