In today's enterprise cybersecurity landscape, attackers no longer need to breach complex systems from scratch. The case of ShinyHunters, a group known for extortion of data, has highlighted an alarming trend: exploiting the trust that organizations place in their integrations. Microsoft has identified three specific attack paths in Salesforce environments that this group has used, without the need to compromise the platform itself. These routes focus on the abuse of OAuth connections, a protocol designed to facilitate authentication between applications, but which when poorly managed becomes an open door for cybercriminals.
The first attack path involves the impersonation of third-party applications connected via OAuth. ShinyHunters has managed to trick administrators into authorizing malicious applications that appear to be legitimate, such as sales analytics tools or marketing integrations. Once permission is granted, attackers access sensitive data stored in Salesforce, such as customer histories, contracts, or financial information. This vector is particularly dangerous because it does not require exploiting any technical vulnerabilities; it simply takes advantage of the lack of rigorous verification of external applications.
The second route is based on the theft of OAuth tokens through phishing campaigns targeting high-privilege employees. Attackers send emails that pretend to be notifications from Salesforce or trusted vendors, requesting that the user reauthorize a connection. Upon clicking, the access token is sent directly to the server controlled by ShinyHunters, allowing them to replicate the session and move laterally within the ecosystem. This method is effective because it bypasses multi-factor authentication when tokens are already issued, and because many IT teams don't actively monitor the use of suspicious tokens.
The third path exploits misconfigurations in the integration permissions. In environments where Salesforce is connected to cloud services such as AWS or Azure, it is common for administrators to grant excessive permissions to intermediary applications to avoid operational issues. ShinyHunters scans these configurations and locates integrations with overly broad scopes, such as full access to standard objects or the ability to modify records. Once identified, they simply reuse those legitimate connections to extract data without raising suspicion. In fact, Microsoft notes that in many cases attackers don't even need to create new authorizations; it is enough for them to exploit those that already exist.
The impact of these attacks goes beyond data loss. Affected companies face regulatory fines, reputational damage, and remediation costs that can amount to millions of euros. The real challenge, however, is that the root of the problem is not in Salesforce, but in digital trust management. Organizations often focus their cybersecurity efforts on securing the perimeter, forgetting that OAuth connections are like unguarded side doors. To mitigate these risks, it is critical to implement a proactive approach that combines regular permit audits, ongoing staff training, and advanced monitoring tools.
In this context, having a technology partner that understands both security and system integration is key. At Q2BSTUDIO we offer cybersecurity and pentesting services that help identify these vulnerabilities before they are exploited. Our team analyzes OAuth configurations, assesses third-party applications, and simulates real attacks to measure infrastructure resiliency. In addition, we complement these audits with AWS and Azure cloud services, ensuring that cloud integrations are properly segmented and with the minimum privileges necessary.
Artificial intelligence also plays a growing role in detecting anomalies in authentication flows. For example, we implement AI solutions for companies that analyze token usage patterns and generate alerts when unusual behavior is detected, such as access from unexpected geographical locations or mass requests for data. These AI agents can be integrated with Power BI to provide real-time dashboards to security teams, enabling rapid incident response.
For organizations that are assessing their security posture in Salesforce, we recommend starting by inventorying all active OAuth connections. Then, review the permission scopes and narrow down those that aren't strictly necessary. It is also vital to establish a process of periodic review of third-party applications, deactivating those that are no longer used or whose origin is not verified. Finally, consider adopting bespoke software solutions that allow granular control over integrations, such as bespoke applications specifically designed to manage the lifecycle of OAuth tokens.
The case of ShinyHunters demonstrates that cybersecurity can no longer be limited to protecting the core of a platform; it must be extended to the entire ecosystem of connections. At Q2BSTUDIO, as a software and technology development company, we help companies design secure architectures from the start, integrating business intelligence and process automation services without compromising data protection. The key is to understand that every integration is a potential risk point, and that prevention is always more cost-effective than remediation.


.jpg)
.jpg)