A recent cybersecurity campaign has revealed that a single malicious OAuth approval can provide attackers with enduring access to sensitive Salesforce data. This method, observed between mid-2025 and mid-2026, involves exploiting trusted application connections rather than software vulnerabilities, enabling large-scale data theft and sustained access.
The attackers, associated with the group ShinyHunters, targeted organizations across various sectors, including retail, education, and manufacturing. Their strategy involved voice phishing, compromising SaaS integrations, and leveraging overly broad guest access to infiltrate Salesforce environments. By doing so, they could query customer relationship management (CRM) information and exfiltrate data without triggering typical suspicious login alerts.
Microsoft’s analysis identified this pattern as an abuse of trusted OAuth relationships. OAuth is a protocol that allows third-party applications to access user data without exposing credentials. In this case, attackers exploited the trust placed in connected applications, enabling them to operate with the same permissions as the user who approved the connection. This approach allows malicious actors to blend seamlessly into legitimate business workflows, making detection challenging.
The attack typically begins with the perpetrators impersonating IT support personnel and contacting employees via phone calls. They persuade the targets to authorize a connected application controlled by the attackers, which is disguised as a legitimate Salesforce Data Loader tool. Once the employee grants OAuth scopes to this application, the attackers gain the user’s existing privileges without needing to repeatedly request passwords.
With this access, the malicious application can enumerate Salesforce instances, execute API calls on behalf of the user, and maintain persistent access to CRM data. Since the API traffic originates from an approved application, standard sign-in monitoring systems may not flag it as suspicious. This persistent access enables attackers to collect extensive data, including accounts, contacts, and service case information. Furthermore, if the attackers discover usable credentials, they can potentially extend their reach to other SaaS services.
This technique eliminates the need for malware installation on employee devices or repeated account takeovers. Instead, it leverages a standard authorization process to establish a long-term foothold with legitimate permissions. The risk extends beyond the individual who approves the connection; Salesforce data often integrates various business functions, so broad permissions can expose a comprehensive view of an organization’s operations.
The key takeaway is that OAuth consent prompts are critical security decisions, not mere setup steps. Employees should exercise caution, especially when directed by unsolicited callers to approve applications. Organizations must implement stringent controls over OAuth approvals and educate staff on the potential risks associated with granting permissions to connected applications.
This incident underscores the evolving tactics of cyber attackers who exploit trusted relationships within organizations. It highlights the necessity for continuous vigilance and robust security protocols to safeguard sensitive data against sophisticated threats.