Find notable cyber news and cases, enriched with sources, timelines, and signals.

ShinyHunters-linked Salesforce intrusion campaign

Campaign
First reported
Last updated
Happening score
H score 45
1 unique sources, 1 articles

Summary

Hide ▲

A ShinyHunters-linked campaign is abusing Salesforce trust relationships to access CRM data across retail, education, and manufacturing tenants. The operation combines vishing, stolen OAuth tokens, and misconfigured guest access to bypass normal login alarms and look like ordinary app traffic. That raises the risk of undetected data theft from over-permissioned integrations and forgotten guest roles. New detection and governance controls for connected apps are aimed at closing the gap.

Related Happenings

Google hit by network compromise

Incident
H score42 First: 14.07.2026 09:19 Last: 14.07.2026 09:19 Sources 1

How related: Google confirmed one of its own corporate Salesforce instances was hit in June 2025, with the attackers taking largely public business contact data before Google cut them off.

About this happening: **Google** confirmed a **June 2025** compromise of one **corporate Salesforce instance**, and attackers took **largely public business contact data** before access was cut off. Th...

Forg365-ForgCookie alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score37 First: 09.07.2026 17:39 Last: 09.07.2026 17:39 Sources 1

About this happening: **Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

Gremlin stealer modular toolkit evolution

Malware Activity
H score21 First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
H score43 First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Timeline

  1. 14.07.2026 09:19 2 articles · 3h ago

    ShinyHunters-linked Salesforce intrusion campaign

    Initial Disclosure

    In **mid-2025**, the operation opened with **vishing calls** that pushed employees to approve a malicious **OAuth connected app** impersonating Salesforce **Data Loader**. That first access let operators query CRM records and look for credentials that could unlock other SaaS environments.

    Show sources