Salesforce CRM OAuth Exploitation Campaign
This attack flow maps a sophisticated social engineering campaign by ShinyHunters and Scattered Spider targeting major corporations including Google, Adidas, and Louis Vuitton. The threat actors leverage voice phishing (vishing) combined with domain impersonation to manipulate Salesforce OAuth authorization mechanisms, establishing persistent access to CRM platforms for large-scale data exfiltration. The campaign concludes with delayed extortion demands ranging from 4 to 20 Bitcoin.