MOXFIVE Threat Actor Alert - ShinyHunters


August 7, 2025

Salesforce Campaign by ShinyHunters: What You Should Know

A sophisticated social engineering campaign is targeting major organizations by impersonating IT help desk staff to gain access to Salesforce data. The campaign is believed to be the work of ShinyHunters, although the tradecraft aligns with methods long associated with Scattered Spider. According to external reporting, there is a possible collaboration or overlap between the groups.

The threat actors are impersonating IT support staff in phone calls to targeted employees, instructing them to approve a connected app. The app is presented as a legitimate utility, but once authorized, it retains persistent, broad access permissions to Salesforce data. Since the approval occurs within an authenticated session, multifactor authentication (MFA) does not block the authorization. This technique exploits human trust and application permissions rather than a vulnerability in the Salesforce software.

The data obtained includes vendor and customer records that can be used for extortion, sold to other actors, or leveraged for secondary fraud such as payment redirection. This identity-focused approach relies on help desk impersonation, MFA bypass within active sessions, and session abuse, allowing threat actors to operate inside trusted systems and extract large volumes of data with limited early detection.
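One way to hunt for the pattern described above (an unreviewed connected app authorized by a user, followed by large data reads through that app), as an added example that is not MOXFIVE's or Salesforce's code. The event field names, the approved-app list and the thresholds are assumptions, and the sample events are constructed; map the fields to whatever your Salesforce log export actually provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: apps the organization has reviewed and approved.
APPROVED_APPS = {"Corp Data Loader", "Marketing Sync"}
BULK_ROWS = 50_000            # assumed threshold for "large volume"
WINDOW = timedelta(hours=24)  # assumed look-ahead after authorization

# Constructed sample events; field names are hypothetical, not a Salesforce schema.
EVENTS = [
    {"ts": "2025-08-01T09:02:00", "type": "oauth_authorize", "user": "alice", "app": "Corp Data Loader"},
    {"ts": "2025-08-01T09:30:00", "type": "api_query", "user": "alice", "app": "Corp Data Loader", "rows": 1200},
    {"ts": "2025-08-01T14:11:00", "type": "oauth_authorize", "user": "bob", "app": "Support Utility"},
    {"ts": "2025-08-01T14:20:00", "type": "api_query", "user": "bob", "app": "Support Utility", "rows": 40000},
    {"ts": "2025-08-01T15:05:00", "type": "api_query", "user": "bob", "app": "Support Utility", "rows": 35000},
    {"ts": "2025-08-03T10:00:00", "type": "oauth_authorize", "user": "carol", "app": "Calendar Helper"},
    {"ts": "2025-08-03T10:05:00", "type": "api_query", "user": "carol", "app": "Calendar Helper", "rows": 300},
]

def review_connected_apps(events, approved=APPROVED_APPS):
    """Return one finding per (user, app) authorization outside the approved list."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text
    grants = {}              # (user, app) -> time of first authorization
    rows = defaultdict(int)  # (user, app) -> rows read inside WINDOW
    for e in events:
        key, ts = (e["user"], e["app"]), datetime.fromisoformat(e["ts"])
        if e["type"] == "oauth_authorize" and e["app"] not in approved:
            grants.setdefault(key, ts)
        elif e["type"] == "api_query" and key in grants and ts - grants[key] <= WINDOW:
            rows[key] += e.get("rows", 0)
    findings = []
    for (user, app), ts in grants.items():
        total = rows[(user, app)]
        # Every unapproved grant is worth a look; bulk reads after it raise severity.
        severity = "high" if total >= BULK_ROWS else "review"
        findings.append({"user": user, "app": app, "authorized": ts.isoformat(),
                         "rows_read": total, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in review_connected_apps(EVENTS):
        print(finding)
```

Because the authorization happens inside an already authenticated session, MFA logs will show nothing unusual for these users; the grant event and the read volume that follows it are the signals to key on.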

If you think you might be at risk from this campaign and want your environment assessed, we can assist. MOXFIVE can help validate exposure in Salesforce, hunt for malicious connected apps, contain active sessions, and strengthen identity, help desk, and SaaS controls quickly.

MOXFIVE can provide support on both the proactive and reactive sides.

Proactive:

Reactive:

Need Assistance?
If you have questions or need any assistance, please contact us at 833-568-6695 or email our team at incident@moxfive.com.