{"id":40696,"date":"2025-08-17T08:53:43","date_gmt":"2025-08-17T15:53:43","guid":{"rendered":"https:\/\/salesforcedevops.net\/?p=40696"},"modified":"2025-08-17T08:53:47","modified_gmt":"2025-08-17T15:53:47","slug":"salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces","status":"publish","type":"post","link":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/","title":{"rendered":"Salesforce Customers Fall Victim as ShinyHunters and Scattered Spider Join Forces"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><em>Identity-Based Attacks Bypass Technical Controls Through Human Manipulation<\/em><\/p>\n\n\n\n<p class=\"has-drop-cap wp-block-paragraph\">A coordinated social engineering campaign targeting Salesforce customers has exposed critical vulnerabilities in how enterprises secure their SaaS environments, demonstrating that authenticated users can become the most effective attack vector when manipulated by sophisticated threat actors.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The campaign, executed through an apparent collaboration between the established data extortion group ShinyHunters and social engineering specialists Scattered Spider (also known as UNC3944), has compromised dozens of high-profile organizations including Google, Cisco, LVMH brands, and Qantas. 
The attackers gained access to customer relationship management data by exploiting OAuth-based authorization for Salesforce Connected Apps through meticulously planned voice phishing attacks.<\/p>\n\n\n\n<div class=\"wp-block-yoast-seo-table-of-contents yoast-table-of-contents\"><h2>Table of contents<\/h2><ul><li><a href=\"#h-the-technical-exploit-weaponizing-trust\" data-level=\"2\">The Technical Exploit: Weaponizing Trust<\/a><\/li><li><a href=\"#h-a-criminal-partnership-emerges\" data-level=\"2\">A Criminal Partnership Emerges<\/a><\/li><li><a href=\"#h-delayed-extortion-model-maximizes-pressure\" data-level=\"2\">Delayed Extortion Model Maximizes Pressure<\/a><\/li><li><a href=\"#h-salesforce-s-response-and-industry-implications\" data-level=\"2\">Salesforce&#8217;s Response and Industry Implications<\/a><\/li><li><a href=\"#h-critical-mitigation-strategies\" data-level=\"2\">Critical Mitigation Strategies<\/a><\/li><li><a href=\"#h-for-more-information\" data-level=\"2\">For More Information<\/a><\/li><\/ul><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-technical-exploit-weaponizing-trust\">The Technical Exploit: Weaponizing Trust<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The attack methodology reveals a sophisticated understanding of modern identity protocols and their inherent trust assumptions. 
Rather than exploiting a technical vulnerability, attackers placed vishing calls impersonating IT support staff, guiding employees to navigate to Salesforce&#8217;s connected app setup page where they would enter an 8-digit code provided by the attacker.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-2-scaled.png\"><img decoding=\"async\" width=\"1024\" height=\"639\" data-src=\"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-2-1024x639.png\" alt=\"OAuth vishing attack flow diagram showing 6-step Salesforce Connected App exploitation methodology bypassing MFA authentication\" class=\"wp-image-40700 lazyload\" data-srcset=\"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-2-1024x639.png 1024w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-2-300x187.png 300w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-2-768x479.png 768w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-2-1536x958.png 1536w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-2-2048x1278.png 2048w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-2-scaled.png 1200w\" data-sizes=\"(max-width: 1024px) 100vw, 1024px\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/639;\" \/><\/a><figcaption class=\"wp-element-caption\"><em>Six-step vishing attack methodology that bypasses MFA by targeting post-authentication OAuth flows rather than login credentials.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This action triggered an OAuth 2.0 authorization flow for a malicious Connected App controlled by the threat actors, granting them persistent API access tokens with the same permissions as the authorizing user. 
The brilliance lies in bypassing multi-factor authentication entirely\u2014the attack targeted post-authentication administrative actions rather than the login event itself.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The attackers likely created malicious desktop applications that impersonated legitimate Salesforce tools like Data Loader, reusing the same client IDs and redirect URIs as official applications to make authorization requests appear routine. This technique defeated app allowlisting controls, as security systems perceived the requests as coming from trusted, pre-approved applications.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-a-criminal-partnership-emerges\">A Criminal Partnership Emerges<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The campaign represents a significant evolution in cybercrime organization. Both groups are believed to have connections to &#8220;The Community&#8221; or &#8220;The Com,&#8221; a loose collective of young, technically savvy English-speaking individuals operating through platforms like Telegram and Discord.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-1-scaled.png\"><img decoding=\"async\" width=\"1024\" height=\"777\" data-src=\"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-1-1024x777.png\" alt=\"Scattered Spider ShinyHunters partnership diagram showing Crime-as-a-Service model and vishing attack timeline\" class=\"wp-image-40698 lazyload\" data-srcset=\"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-1-1024x777.png 1024w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-1-300x228.png 300w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-1-768x583.png 768w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-1-1536x1165.png 1536w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-1-2048x1554.png 2048w, 
https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-1-scaled.png 890w\" data-sizes=\"(max-width: 1024px) 100vw, 1024px\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/777;\" \/><\/a><figcaption class=\"wp-element-caption\"><em>Threat actor collaboration model showing how &#8220;The Com&#8221; collective coordinates Access-as-a-Service with Extortion-as-a-Service capabilities.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">ShinyHunters, known since 2020 for large-scale data breaches and dark web data sales, traditionally relied on technical exploits. Scattered Spider, which emerged in 2022, specialized in social engineering, particularly targeting IT help desks through vishing, SIM swapping, and MFA fatigue attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The partnership appears modular: Scattered Spider provides &#8220;access-as-a-service&#8221; through their proven vishing playbook, while ShinyHunters leverages its &#8220;extortion-as-a-service&#8221; infrastructure for monetization. Forensic analysis revealed phishing domains following patterns previously attributed to Scattered Spider, with shared registry details indicating coordinated infrastructure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-delayed-extortion-model-maximizes-pressure\">Delayed Extortion Model Maximizes Pressure<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The monetization strategy employed delayed extortion, with attackers waiting weeks or months after initial data theft before contacting victims with ransom demands ranging from 4 to 20 Bitcoin. 
Non-compliant victims were publicly named on Telegram channels where data samples were leaked, creating immense reputational pressure.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While victims emphasized that compromised data was limited to business contact information rather than sensitive financial or health records, this curated contact data provides high-quality lead lists for future criminal operations including spear phishing and business email compromise.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-salesforce-s-response-and-industry-implications\">Salesforce&#8217;s Response and Industry Implications<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Salesforce has maintained that the incidents resulted from social engineering rather than platform vulnerabilities, issuing security advisories directing customers to review best practices including enabling MFA, enforcing least privilege, and managing Connected Applications.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The campaign validates a fundamental shift in the threat landscape. As organizations migrate to cloud and SaaS platforms, identity has replaced the network as the primary security perimeter. 
The 2024 Verizon Data Breach Investigations Report found nearly 40% of intrusions involved compromised credentials, underscoring the dominance of identity-based attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-critical-mitigation-strategies\">Critical Mitigation Strategies<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Security experts recommend immediate tactical actions:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Organizations should restrict Connected App authorization permissions to a small group of vetted administrators and enable API Access Control, which blocks all API access from applications not explicitly approved by administrators.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">IT help desk protocols must include strict identity verification procedures with multi-channel verification, such as callbacks to pre-registered numbers. Security awareness programs must evolve beyond generic phishing training to include scenario-based vishing simulations.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-3-scaled.png\"><img decoding=\"async\" width=\"1024\" height=\"957\" data-src=\"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-3-1024x957.png\" alt=\"Salesforce security defense strategy diagram showing technical process human controls and SSPM implementation against vishing attacks\" class=\"wp-image-40701 lazyload\" data-srcset=\"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-3-1024x957.png 1024w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-3-300x280.png 300w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-3-768x718.png 768w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-3-1536x1436.png 1536w, https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-3-2048x1915.png 2048w, 
https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/image-3-scaled.png 722w\" data-sizes=\"(max-width: 1024px) 100vw, 1024px\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/957;\" \/><\/a><figcaption class=\"wp-element-caption\"><em>Multi-layer defense strategy required to protect against identity-based attacks that exploit post-authentication administrative actions.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Strategically, enterprises need comprehensive SaaS Security Posture Management (SSPM) solutions to maintain visibility across their entire SaaS portfolio. SSPM tools provide centralized monitoring of security configurations, detecting misconfigurations and ensuring compliance alignment. These include <a href=\"https:\/\/www.autorabit.com\/products\/guard-security-posture-management\/\">AutoRABIT Guard<\/a> and <a href=\"https:\/\/appomni.com\/\">AppOmni<\/a>. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Salesforce vishing campaign demonstrates that securing modern enterprises requires more than technical controls. Organizations must address the &#8220;trust seam&#8221; between authenticated users and the systems they access, implementing continuous verification even for trusted identities. 
As threat actors increasingly collaborate and specialize, defenders must adopt equally sophisticated, multi-layered security strategies that protect both the technical infrastructure and the humans who operate it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The lesson is clear: in the age of SaaS and cloud, the most critical vulnerability isn&#8217;t in the code\u2014it&#8217;s in the gap between human trust and system security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-for-more-information\">For More Information<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To learn more about the threat actors, their techniques, and how to secure your Salesforce environment, we recommend the following resources:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Google Cloud (Mandiant):<\/strong> <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/voice-phishing-data-extortion\" target=\"_blank\" rel=\"noreferrer noopener\">It\u2019s Not a Shiny New Thing: Threat Actor Abuses Salesforce and Slack for Data Extortion<\/a> &#8211; A detailed technical analysis of the vishing campaign and the abuse of Salesforce&#8217;s OAuth2 flows for data exfiltration.<\/li>\n\n\n\n<li><strong>CISA Advisory:<\/strong> <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-320a\" target=\"_blank\" rel=\"noreferrer noopener\">Scattered Spider<\/a> &#8211; The official advisory from the Cybersecurity &amp; Infrastructure Security Agency detailing the Tactics, Techniques, and Procedures (TTPs) of the Scattered Spider threat actor group.<\/li>\n\n\n\n<li><strong>Salesforce Security:<\/strong> <a href=\"https:\/\/help.salesforce.com\/s\/articleView?id=000393223&amp;type=1\" target=\"_blank\" rel=\"noreferrer noopener\">Protect Your Salesforce Org Against Phishing and Malware<\/a> &#8211; Salesforce&#8217;s official guidance on securing connected apps and protecting against social engineering 
tactics.<\/li>\n\n\n\n<li><strong>ReliaQuest:<\/strong> <a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-shinyhunters-data-breach-targets-salesforce-amid-scattered-spider-collaboration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Spotlight: ShinyHunters Data Breach Targets Salesforce Amid Scattered Spider Collaboration<\/a> &#8211; An excellent overview connecting the activities of ShinyHunters and Scattered Spider in these campaigns.<\/li>\n\n\n\n<li><strong>Varonis:<\/strong> <a href=\"https:\/\/www.varonis.com\/blog\/scattered-spider\" target=\"_blank\" rel=\"noreferrer noopener\">Scattered Spider (UNC3944): The Elusive and Dangerous Threat Actor<\/a> &#8211; A deep dive into the history, motivations, and evolving TTPs of the Scattered Spider group.<\/li>\n\n\n\n<li><strong>Salesforce Help:<\/strong> <a href=\"https:\/\/www.google.com\/search?q=https:\/\/help.salesforce.com\/s\/articleView%3Fid%3Dsf.connected_app_manage_oauth.htm%26type%3D5\" target=\"_blank\" rel=\"noreferrer noopener\">Manage OAuth-Enabled Connected Apps<\/a> &#8211; Direct documentation from Salesforce on how to audit, manage, and control API access for connected applications.<\/li>\n\n\n\n<li><strong>BankInfoSecurity:<\/strong> <a href=\"https:\/\/www.bankinfosecurity.com\/scattered-spider-shinyhunters-next-move-leaking-data-a-29170\" target=\"_blank\" rel=\"noreferrer noopener\">Scattered Spider and ShinyHunters&#8217; Next Move: Leaking Data<\/a> &#8211; Reporting on the extortion phase of the attacks and the tactics used to pressure victims.<\/li>\n\n\n\n<li><strong>Quorum Cyber:<\/strong> <a href=\"https:\/\/www.quorumcyber.com\/threat-actors\/scattered-spider-threat-actor-profile\/\" target=\"_blank\" rel=\"noreferrer noopener\">Scattered Spider: Threat Actor Profile<\/a> &#8211; A concise and informative profile summarizing the key characteristics and attack methods of Scattered Spider.<\/li>\n\n\n\n<li><strong>Infosecurity Magazine:<\/strong> <a 
href=\"https:\/\/www.infosecurity-magazine.com\/news\/google-salesforce-data-theft\/\" target=\"_blank\" rel=\"noreferrer noopener\">Google Details Salesforce Data Theft Campaign<\/a> &#8211; News coverage summarizing the initial findings from Google&#8217;s threat intelligence team.<\/li>\n\n\n\n<li><strong>Cyble:<\/strong> <a href=\"https:\/\/cyble.com\/threat-actor-profiles\/scattered-spider\/\" target=\"_blank\" rel=\"noreferrer noopener\">Scattered Spider Threat Actor Profile<\/a> &#8211; Additional threat intelligence providing context on the group&#8217;s past activities and targets.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Identity-Based Attacks Bypass Technical Controls Through Human Manipulation A coordinated social engineering campaign targeting Salesforce customers has exposed critical vulnerabilities in how enterprises secure their 
SaaS environments, demonstrating that authenticated&hellip;<\/p>\n","protected":false},"author":1,"featured_media":40702,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","footnotes":""},"categories":[6],"tags":[2073,2072,2074,2071,2075],"post_series":[],"class_list":["post-40696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-connected-apps-security","tag-salesforce-oauth-vulnerability","tag-scattered-spider-unc3944","tag-shinyhunters-data-breach","tag-sspm-implementation","entry","has-media"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.8) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Salesforce Customers Fall Victim as ShinyHunters and Scattered Spider Join Forces - SalesforceDevops.net<\/title>\n<meta name=\"description\" content=\"ShinyHunters and Scattered Spider exploit Salesforce OAuth flows through sophisticated vishing campaigns, bypassing MFA to steal CRM data.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Salesforce Customers Fall Victim as ShinyHunters and Scattered Spider Join Forces - SalesforceDevops.net\" \/>\n<meta property=\"og:description\" content=\"ShinyHunters and Scattered Spider exploit Salesforce OAuth flows through sophisticated vishing campaigns, bypassing MFA to steal CRM data.\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/\" \/>\n<meta property=\"og:site_name\" content=\"SalesforceDevops.net\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/salesforcedevopsnet\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-17T15:53:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-17T15:53:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/vphishing-cover.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"675\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Vernon Keenan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@salesforcedevop\" \/>\n<meta name=\"twitter:site\" content=\"@salesforcedevop\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Vernon Keenan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/2025\\\/08\\\/17\\\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/2025\\\/08\\\/17\\\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\\\/\"},\"author\":{\"name\":\"Vernon Keenan\",\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/#\\\/schema\\\/person\\\/f681893c994bc40406bb391546cd7ac8\"},\"headline\":\"Salesforce Customers Fall Victim as ShinyHunters and Scattered Spider Join Forces\",\"datePublished\":\"2025-08-17T15:53:43+00:00\",\"dateModified\":\"2025-08-17T15:53:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/2025\\\/08\\\/17\\\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\\\/\"},\"wordCount\":1163,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/2025\\\/08\\\/17\\\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/salesforcedevops.net\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/vphishing-cover.jpg\",\"keywords\":[\"Connected Apps security\",\"Salesforce OAuth vulnerability\",\"Scattered Spider UNC3944\",\"ShinyHunters data breach\",\"SSPM 
implementation\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/2025\\\/08\\\/17\\\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\\\/#respond\"]}],\"copyrightYear\":\"2025\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/#organization\"},\"accessibilityFeature\":[\"tableOfContents\"]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/2025\\\/08\\\/17\\\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\\\/\",\"url\":\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/2025\\\/08\\\/17\\\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\\\/\",\"name\":\"Salesforce Customers Fall Victim as ShinyHunters and Scattered Spider Join Forces - SalesforceDevops.net\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/2025\\\/08\\\/17\\\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/2025\\\/08\\\/17\\\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/salesforcedevops.net\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/vphishing-cover.jpg\",\"datePublished\":\"2025-08-17T15:53:43+00:00\",\"dateModified\":\"2025-08-17T15:53:47+00:00\",\"description\":\"ShinyHunters and Scattered Spider exploit Salesforce OAuth flows through sophisticated vishing campaigns, bypassing MFA to steal CRM 
data.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/2025\\\/08\\\/17\\\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/2025\\\/08\\\/17\\\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\\\/#primaryimage\",\"url\":\"https:\\\/\\\/salesforcedevops.net\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/vphishing-cover.jpg\",\"contentUrl\":\"https:\\\/\\\/salesforcedevops.net\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/vphishing-cover.jpg\",\"width\":1200,\"height\":675,\"caption\":\"Social engineering vishing attack illustration showing employee on phone with cybercriminal exploiting OAuth security vulnerability\"},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/#website\",\"url\":\"https:\\\/\\\/salesforcedevops.net\\\/\",\"name\":\"SalesforceDevops.net\",\"description\":\"Elevating Salesforce Devops with Insights and 
Innovation\",\"publisher\":{\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/salesforcedevops.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/#organization\",\"name\":\"SalesforceDevops.net\",\"url\":\"https:\\\/\\\/salesforcedevops.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/salesforcedevops.net\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/7760e9c16fc75961659174739887197e-sticker.png\",\"contentUrl\":\"https:\\\/\\\/salesforcedevops.net\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/7760e9c16fc75961659174739887197e-sticker.png\",\"width\":421,\"height\":421,\"caption\":\"SalesforceDevops.net\"},\"image\":{\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/salesforcedevopsnet\",\"https:\\\/\\\/x.com\\\/salesforcedevop\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/vernonkeenan\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCOgOn9rD5gyXSOmV7-Q0n7g\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/salesforcedevops.net\\\/#\\\/schema\\\/person\\\/f681893c994bc40406bb391546cd7ac8\",\"name\":\"Vernon 
Keenan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f1183f1ebb5c059e052825760f95b25244abc5ef832145327f298f3697f980c7?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f1183f1ebb5c059e052825760f95b25244abc5ef832145327f298f3697f980c7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f1183f1ebb5c059e052825760f95b25244abc5ef832145327f298f3697f980c7?s=96&d=mm&r=g\",\"caption\":\"Vernon Keenan\"},\"description\":\"Vernon Keenan (LinkedIn) works as a senior information technology industry consultant based in Oakland, California. He earned his B.Sc. in Biomedical Engineering at Northwestern University where he programmed a PDP-8 with punched paper tape. In his 34-year-long career he has been a teacher, SPSS programmer, database administrator, clinical researcher, technology journalist, product marketing manager, market researcher, management consultant, and industry analyst. Most recently he is a telecom operator, cloud architect, Go devops engineer and Salesforce Developer\\\/Architect. For inquiries about Salesforce strategy briefings or solution architect work please contact Vern directly at +1-510-679-1900 or vern@vernonkeenan.com.\",\"sameAs\":[\"https:\\\/\\\/ceres-gw.tnxs.net\",\"https:\\\/\\\/linkedin.com\\\/in\\\/vernonkeenan\",\"https:\\\/\\\/x.com\\\/salesforcedevop\"],\"url\":\"https:\\\/\\\/salesforcedevops.net\\\/index.php\\\/author\\\/vern\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Salesforce Customers Fall Victim as ShinyHunters and Scattered Spider Join Forces - SalesforceDevops.net","description":"ShinyHunters and Scattered Spider exploit Salesforce OAuth flows through sophisticated vishing campaigns, bypassing MFA to steal CRM data.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/","og_locale":"en_US","og_type":"article","og_title":"Salesforce Customers Fall Victim as ShinyHunters and Scattered Spider Join Forces - SalesforceDevops.net","og_description":"ShinyHunters and Scattered Spider exploit Salesforce OAuth flows through sophisticated vishing campaigns, bypassing MFA to steal CRM data.","og_url":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/","og_site_name":"SalesforceDevops.net","article_publisher":"https:\/\/www.facebook.com\/salesforcedevopsnet","article_published_time":"2025-08-17T15:53:43+00:00","article_modified_time":"2025-08-17T15:53:47+00:00","og_image":[{"width":1200,"height":675,"url":"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/vphishing-cover.jpg","type":"image\/jpeg"}],"author":"Vernon Keenan","twitter_card":"summary_large_image","twitter_creator":"@salesforcedevop","twitter_site":"@salesforcedevop","twitter_misc":{"Written by":"Vernon Keenan","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/#article","isPartOf":{"@id":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/"},"author":{"name":"Vernon Keenan","@id":"https:\/\/salesforcedevops.net\/#\/schema\/person\/f681893c994bc40406bb391546cd7ac8"},"headline":"Salesforce Customers Fall Victim as ShinyHunters and Scattered Spider Join Forces","datePublished":"2025-08-17T15:53:43+00:00","dateModified":"2025-08-17T15:53:47+00:00","mainEntityOfPage":{"@id":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/"},"wordCount":1163,"commentCount":0,"publisher":{"@id":"https:\/\/salesforcedevops.net\/#organization"},"image":{"@id":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/#primaryimage"},"thumbnailUrl":"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/vphishing-cover.jpg","keywords":["Connected Apps security","Salesforce OAuth vulnerability","Scattered Spider UNC3944","ShinyHunters data breach","SSPM 
implementation"],"articleSection":["Cybersecurity"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/#respond"]}],"copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/salesforcedevops.net\/#organization"},"accessibilityFeature":["tableOfContents"]},{"@type":"WebPage","@id":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/","url":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/","name":"Salesforce Customers Fall Victim as ShinyHunters and Scattered Spider Join Forces - SalesforceDevops.net","isPartOf":{"@id":"https:\/\/salesforcedevops.net\/#website"},"primaryImageOfPage":{"@id":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/#primaryimage"},"image":{"@id":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/#primaryimage"},"thumbnailUrl":"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/vphishing-cover.jpg","datePublished":"2025-08-17T15:53:43+00:00","dateModified":"2025-08-17T15:53:47+00:00","description":"ShinyHunters and Scattered Spider exploit Salesforce OAuth flows through sophisticated vishing campaigns, bypassing MFA to steal CRM 
data.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/salesforcedevops.net\/index.php\/2025\/08\/17\/salesforce-customers-fall-victim-as-shinyhunters-and-scattered-spider-join-forces\/#primaryimage","url":"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/vphishing-cover.jpg","contentUrl":"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2025\/08\/vphishing-cover.jpg","width":1200,"height":675,"caption":"Social engineering vishing attack illustration showing employee on phone with cybercriminal exploiting OAuth security vulnerability"},{"@type":"WebSite","@id":"https:\/\/salesforcedevops.net\/#website","url":"https:\/\/salesforcedevops.net\/","name":"SalesforceDevops.net","description":"Elevating Salesforce Devops with Insights and Innovation","publisher":{"@id":"https:\/\/salesforcedevops.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/salesforcedevops.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/salesforcedevops.net\/#organization","name":"SalesforceDevops.net","url":"https:\/\/salesforcedevops.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/salesforcedevops.net\/#\/schema\/logo\/image\/","url":"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2021\/03\/7760e9c16fc75961659174739887197e-sticker.png","contentUrl":"https:\/\/salesforcedevops.net\/wp-content\/uploads\/2021\/03\/7760e9c16fc75961659174739887197e-sticker.png","width":421,"height":421,"caption":"SalesforceDevops.net"},"image":{"@id":"https:\/\/salesforcedevops.net\/#\/schema\/logo\/image\/"},"sameAs":["h
ttps:\/\/www.facebook.com\/salesforcedevopsnet","https:\/\/x.com\/salesforcedevop","https:\/\/www.linkedin.com\/in\/vernonkeenan","https:\/\/www.youtube.com\/channel\/UCOgOn9rD5gyXSOmV7-Q0n7g"]},{"@type":"Person","@id":"https:\/\/salesforcedevops.net\/#\/schema\/person\/f681893c994bc40406bb391546cd7ac8","name":"Vernon Keenan","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f1183f1ebb5c059e052825760f95b25244abc5ef832145327f298f3697f980c7?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f1183f1ebb5c059e052825760f95b25244abc5ef832145327f298f3697f980c7?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f1183f1ebb5c059e052825760f95b25244abc5ef832145327f298f3697f980c7?s=96&d=mm&r=g","caption":"Vernon Keenan"},"description":"Vernon Keenan (LinkedIn) works as a senior information technology industry consultant based in Oakland, California. He earned his B.Sc. in Biomedical Engineering at Northwestern University where he programmed a PDP-8 with punched paper tape. In his 34-year-long career he has been a teacher, SPSS programmer, database administrator, clinical researcher, technology journalist, product marketing manager, market researcher, management consultant, and industry analyst. Most recently he is a telecom operator, cloud architect, Go devops engineer and Salesforce Developer\/Architect. 
For inquiries about Salesforce strategy briefings or solution architect work please contact Vern directly at +1-510-679-1900 or vern@vernonkeenan.com.","sameAs":["https:\/\/ceres-gw.tnxs.net","https:\/\/linkedin.com\/in\/vernonkeenan","https:\/\/x.com\/salesforcedevop"],"url":"https:\/\/salesforcedevops.net\/index.php\/author\/vern\/"}]}}}