ShinyHunters-linked Salesforce intrusion campaign
Campaign
Summary
Hide ▲
Show ▼
A ShinyHunters-linked campaign is abusing Salesforce trust relationships to access CRM data across retail, education, and manufacturing tenants. The operation combines vishing, stolen OAuth tokens, and misconfigured guest access to bypass normal login alarms and look like ordinary app traffic. That raises the risk of undetected data theft from over-permissioned integrations and forgotten guest roles. New detection and governance controls for connected apps are aimed at closing the gap.
Related Happenings
Google hit by network compromise
Incident
H score42
First: 14.07.2026 09:19
Last: 14.07.2026 09:19
Sources 1
How related:
Google confirmed one of its own corporate Salesforce instances was hit in June 2025, with the attackers taking largely public business contact data before Google cut them off.
About this happening:
**Google** confirmed a **June 2025** compromise of one **corporate Salesforce instance**, and attackers took **largely public business contact data** before access was cut off. Th...
Google hit by network compromise
IncidentHow related: Google confirmed one of its own corporate Salesforce instances was hit in June 2025, with the attackers taking largely public business contact data before Google cut them off.
About this happening: **Google** confirmed a **June 2025** compromise of one **corporate Salesforce instance**, and attackers took **largely public business contact data** before access was cut off. Th...
Forg365-ForgCookie alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score37
First: 09.07.2026 17:39
Last: 09.07.2026 17:39
Sources 1
About this happening:
**Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...
Forg365-ForgCookie alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: **Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Gremlin stealer modular toolkit evolution
Malware Activity
H score21
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
Gremlin stealer modular toolkit evolution
Malware ActivityAbout this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
H score43
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
OAuth device-code phishing campaign targeting SaaS accounts
CampaignAbout this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Timeline
-
14.07.2026 09:19 2 articles · 3h ago
ShinyHunters-linked Salesforce intrusion campaign
Initial DisclosureIn **mid-2025**, the operation opened with **vishing calls** that pushed employees to approve a malicious **OAuth connected app** impersonating Salesforce **Data Loader**. That first access let operators query CRM records and look for credentials that could unlock other SaaS environments.
Show sources
- Microsoft Maps Year-Long ShinyHunters-Linked Salesforce Data Theft Across Three Paths — thehackernews.com — 14.07.2026 09:19
- Microsoft Maps Year-Long ShinyHunters-Linked Salesforce Data Theft Across Three Paths — thehackernews.com — 14.07.2026 09:19