Salesforce Customers Fall Victim as ShinyHunters and Scattered Spider Join Forces
Identity-Based Attacks Bypass Technical Controls Through Human Manipulation
A coordinated social engineering campaign targeting Salesforce customers has exposed critical vulnerabilities in how enterprises secure their SaaS environments, demonstrating that authenticated users can become the most effective attack vector when manipulated by sophisticated threat actors.
The campaign, executed through an apparent collaboration between the established data extortion group ShinyHunters and social engineering specialists Scattered Spider (also known as UNC3944), has compromised dozens of high-profile organizations including Google, Cisco, LVMH brands, and Qantas. The attackers gained access to customer relationship management data by exploiting OAuth-based authorization for Salesforce Connected Apps through meticulously planned voice phishing attacks.
The Technical Exploit: Weaponizing Trust
The attack methodology reveals a sophisticated understanding of modern identity protocols and their inherent trust assumptions. Rather than exploiting a technical vulnerability, attackers placed vishing calls impersonating IT support staff, guiding employees to navigate to Salesforce’s connected app setup page where they would enter an 8-digit code provided by the attacker.

This action triggered an OAuth 2.0 authorization flow for a malicious Connected App controlled by the threat actors, granting them persistent API access tokens with the same permissions as the authorizing user. The attack bypasses multi-factor authentication entirely: it targets a post-authentication administrative action (authorizing an app) rather than the login event itself, so MFA has already been satisfied by the time the victim acts.
The attackers likely created malicious desktop applications that impersonated legitimate Salesforce tools like Data Loader, reusing the same client IDs and redirect URIs as official applications to make authorization requests appear routine. This technique defeated app allowlisting controls, as security systems perceived the requests as coming from trusted, pre-approved applications.
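Because the malicious app reuses an official client ID, a client-ID allowlist alone cannot distinguish it from a legitimate Data Loader session. The detection heuristic below is an added illustration for defenders, not code from the article or from Salesforce; the event fields, the placeholder client ID and the sample records are constructed assumptions, not Salesforce's real Event Monitoring schema. It flags a user-entered-code (device-flow) authorization that is followed by bulk reads of CRM objects from an IP address the authorizing user has never been seen from.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit-event shape for this demo; NOT Salesforce's real Event
# Monitoring schema. Field names are assumptions for illustration only.
@dataclass
class Event:
    ts: datetime
    kind: str          # "oauth_grant" or "api_query"
    user: str
    ip: str
    app: str = ""
    client_id: str = ""
    grant: str = ""    # e.g. "device_code" (the user-entered-code flow)
    obj: str = ""
    rows: int = 0

BULK_OBJECTS = {"Account", "Contact", "Lead", "Opportunity"}

def suspicious_grants(events, window=timedelta(hours=6), min_rows=10_000):
    """Flag device-code grants followed by bulk CRM reads from a new IP.
    A client-id allowlist does not catch this: the grant carries the
    official client id. The tell is the combination of a user-entered-code
    authorization, bulk reads soon after, and an IP the user never used."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, e in enumerate(events):
        if e.kind != "oauth_grant" or e.grant != "device_code":
            continue
        # IPs this user was seen from up to and including the grant itself
        seen_ips = {x.ip for x in events[:i + 1] if x.user == e.user}
        reads = [x for x in events[i + 1:] if x.kind == "api_query"
                 and x.user == e.user and x.ts - e.ts <= window
                 and x.obj in BULK_OBJECTS]
        total = sum(x.rows for x in reads)
        if total >= min_rows and any(x.ip not in seen_ips for x in reads):
            findings.append((e.user, e.app, e.client_id, total))
    return findings

def sample_events():
    """Constructed sample: one vished user (alice), one legitimate admin (bob)."""
    t0 = datetime(2025, 6, 1, 9, 0)
    dl = dict(app="Data Loader", client_id="PLACEHOLDER-DATALOADER-ID",
              grant="device_code")
    return [
        Event(t0, "api_query", "alice", "10.0.0.5", obj="Account", rows=20),
        Event(t0 + timedelta(hours=1), "oauth_grant", "alice", "10.0.0.5", **dl),
        Event(t0 + timedelta(hours=2), "api_query", "alice", "203.0.113.7", obj="Contact", rows=15000),
        Event(t0 + timedelta(hours=2, minutes=5), "api_query", "alice", "203.0.113.7", obj="Account", rows=8000),
        Event(t0 + timedelta(hours=3), "oauth_grant", "bob", "10.0.0.9", **dl),
        Event(t0 + timedelta(hours=3, minutes=10), "api_query", "bob", "10.0.0.9", obj="Lead", rows=12000),
    ]
```

Only alice's grant is flagged: bob's bulk export comes from the same IP he authorized from, while alice's 23,000 rows are pulled from an address she has never used.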
A Criminal Partnership Emerges
The campaign represents a significant evolution in cybercrime organization. Both groups are believed to have connections to “The Community” or “The Com,” a loose collective of young, technically savvy English-speaking individuals operating through platforms like Telegram and Discord.

ShinyHunters, known since 2020 for large-scale data breaches and dark web data sales, traditionally relied on technical exploits. Scattered Spider, which emerged in 2022, specialized in social engineering, particularly targeting IT help desks through vishing, SIM swapping, and MFA fatigue attacks.
The partnership appears modular: Scattered Spider provides “access-as-a-service” through its proven vishing playbook, while ShinyHunters leverages its “extortion-as-a-service” infrastructure for monetization. Forensic analysis revealed phishing domains following naming patterns previously attributed to Scattered Spider, with shared domain registration details indicating coordinated infrastructure.
Delayed Extortion Model Maximizes Pressure
The monetization strategy employed delayed extortion, with attackers waiting weeks or months after initial data theft before contacting victims with ransom demands ranging from 4 to 20 Bitcoin. Non-compliant victims were publicly named on Telegram channels where data samples were leaked, creating immense reputational pressure.
While victims emphasized that compromised data was limited to business contact information rather than sensitive financial or health records, this curated contact data provides high-quality lead lists for future criminal operations including spear phishing and business email compromise.
Salesforce’s Response and Industry Implications
Salesforce has maintained that the incidents resulted from social engineering rather than platform vulnerabilities, issuing security advisories directing customers to review best practices including enabling MFA, enforcing least privilege, and managing Connected Applications.
The campaign validates a fundamental shift in the threat landscape. As organizations migrate to cloud and SaaS platforms, identity has replaced the network as the primary security perimeter. The 2024 Verizon Data Breach Investigations Report found nearly 40% of intrusions involved compromised credentials, underscoring the dominance of identity-based attacks.
Critical Mitigation Strategies
Security experts recommend immediate tactical actions:
Organizations should restrict Connected App authorization permissions to a small group of vetted administrators and enable API Access Control, which blocks all API access from applications not explicitly approved by administrators.
IT help desk protocols must include strict identity verification procedures with multi-channel verification, such as callbacks to pre-registered numbers. Security awareness programs must evolve beyond generic phishing training to include scenario-based vishing simulations.

Strategically, enterprises need comprehensive SaaS Security Posture Management (SSPM) solutions to maintain visibility across their entire SaaS portfolio. SSPM tools provide centralized monitoring of security configurations, detecting misconfigurations and ensuring compliance alignment. These include AutoRABIT Guard and AppOmni.
The Salesforce vishing campaign demonstrates that securing modern enterprises requires more than technical controls. Organizations must address the “trust seam” between authenticated users and the systems they access, implementing continuous verification even for trusted identities. As threat actors increasingly collaborate and specialize, defenders must adopt equally sophisticated, multi-layered security strategies that protect both the technical infrastructure and the humans who operate it.
The lesson is clear: in the age of SaaS and cloud, the most critical vulnerability isn’t in the code—it’s in the gap between human trust and system security.
For More Information
To learn more about the threat actors, their techniques, and how to secure your Salesforce environment, we recommend the following resources:
- Google Cloud (Mandiant): It’s Not a Shiny New Thing: Threat Actor Abuses Salesforce and Slack for Data Extortion – A detailed technical analysis of the vishing campaign and the abuse of Salesforce’s OAuth2 flows for data exfiltration.
- CISA Advisory: Scattered Spider – The official advisory from the Cybersecurity & Infrastructure Security Agency detailing the Tactics, Techniques, and Procedures (TTPs) of the Scattered Spider threat actor group.
- Salesforce Security: Protect Your Salesforce Org Against Phishing and Malware – Salesforce’s official guidance on securing connected apps and protecting against social engineering tactics.
- ReliaQuest: Threat Spotlight: ShinyHunters Data Breach Targets Salesforce Amid Scattered Spider Collaboration – An excellent overview connecting the activities of ShinyHunters and Scattered Spider in these campaigns.
- Varonis: Scattered Spider (UNC3944): The Elusive and Dangerous Threat Actor – A deep dive into the history, motivations, and evolving TTPs of the Scattered Spider group.
- Salesforce Help: Manage OAuth-Enabled Connected Apps – Direct documentation from Salesforce on how to audit, manage, and control API access for connected applications.
- BankInfoSecurity: Scattered Spider and ShinyHunters’ Next Move: Leaking Data – Reporting on the extortion phase of the attacks and the tactics used to pressure victims.
- Quorum Cyber: Scattered Spider: Threat Actor Profile – A concise and informative profile summarizing the key characteristics and attack methods of Scattered Spider.
- Infosecurity Magazine: Google Details Salesforce Data Theft Campaign – News coverage summarizing the initial findings from Google’s threat intelligence team.
- Cyble: Scattered Spider Threat Actor Profile – Additional threat intelligence providing context on the group’s past activities and targets.