A stealthy new Salesforce OAuth attack is exposing a critical weakness in how enterprises rely on third-party SaaS integrations. Threat actors have successfully exploited a compromised Klue Battlecards integration to gain access to sensitive Salesforce CRM data—without breaching Salesforce itself.
The attack highlights a dangerous evolution in cyber threats: instead of targeting vulnerabilities in platforms, attackers are hijacking trusted integrations that already possess legitimate access to enterprise data.
Key Details
Security analysts at ReliaQuest identified the campaign, revealing that attackers leveraged compromised service account credentials tied to the Klue Battlecards integration.
Klue, a competitive intelligence platform used to sync business insights with Salesforce, operates using OAuth-based authentication. Once attackers obtained access to these integration credentials, they generated valid OAuth tokens and began querying Salesforce data via the REST API.
Salesforce has since disabled the Klue Battlecards app connection as a precaution, acknowledging that unauthorized access to a subset of customer data may have occurred.
Importantly, Salesforce confirmed that its platform was not directly compromised. Instead, the breach stemmed from the misuse of trusted third-party access.
Technical Analysis
The attack is notable for its precision and stealth. Rather than deploying malware or exploiting software flaws, attackers operated entirely within legitimate API workflows.
OAuth Token Abuse
Once authenticated through compromised service accounts, the attackers generated OAuth tokens, which allowed persistent and authorized API access without needing repeated logins.
These tokens enabled automated data extraction using Python-based scripts, identified by Python-urllib user-agent strings, which blended into normal integration traffic.
Two-Phase Data Exfiltration
The attackers followed a structured approach:
Phase 1 — Slow Extraction
- Enumerated Salesforce objects using API calls
- Queried CRM data in loops over extended periods (~24 hours)
- Used pagination techniques (QueryMore cursors) to mimic legitimate usage
This phase was designed to avoid detection by staying within expected traffic patterns.
Phase 2 — Burst Extraction
- Executed high-frequency API queries (up to ~1,000 requests in 15 minutes)
- Extracted high-value datasets rapidly
- Indicated a possible shift from stealth to speed
A separate observed incident showed sustained extraction activity lasting over six hours.
Data at Risk
The compromised integration had access to valuable CRM datasets, which may include:
- Customer account records
- Contact details
- Sales opportunities and deal outcomes
- Pricing and negotiation data
The exact scope depends on how organizations configured permissions for the Klue integration. In many cases, these integrations are granted broad access, significantly increasing risk.
Threat Actor Patterns
ReliaQuest researchers noted that the attack closely resembles tactics used by known threat groups such as ShinyHunters and UNC6395, both of which have previously targeted Salesforce environments.
Past campaigns have included:
- Social engineering to trick users into authorizing malicious apps
- Theft of OAuth tokens from SaaS integrations
- Large-scale data extraction via API queries
However, this incident shows subtle differences. The attackers used generic Python tooling instead of specialized frameworks and relied on cloud provider infrastructure rather than anonymization networks.
No extortion attempts or data leak activity have been observed so far, suggesting the attackers may still be in a reconnaissance or monetization phase.
Why This Attack Worked
The core issue is structural, not technical.
Third-party SaaS integrations operate as non-human identities with persistent access to enterprise systems. They often:
- Use long-lived credentials
- Have broad API permissions
- Operate without strict behavioral monitoring
Because these integrations authenticate legitimately, their activity rarely triggers traditional security alerts.
This allows attackers to operate inside a trusted channel, making detection significantly harder.
Indicators of Compromise (IoCs)
Organizations should monitor for the following indicators:
Suspicious IP Addresses
- 138.226.246[.]94
- 212.86.125[.]24
- 213.111.148[.]90
- 94.154.32[.]160
Behavioral Indicators
- Unusual API query volumes
- Repeated pagination requests
- Python-urllib user-agent activity
- OAuth token refresh anomalies
- Access from unexpected IP ranges
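As an added illustration (not code from the original article or from ReliaQuest), the following Python script checks constructed API event records against the behavioral indicators above and the two extraction phases described earlier: Python-urllib user agents, QueryMore pagination loops, request bursts inside a 15-minute window, and access from source IPs outside an assumed allowlist. The record field names, the sample timestamps, the user name and the allowlist are assumptions, and the burst threshold is scaled down from the ~1,000-request figure to fit the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled loosely on Salesforce API event log fields
# (timestamp, integration user, source IP, user agent, operation). Not real log data.
ALLOWLIST = {"203.0.113.10"}  # assumed egress IP of the legitimate integration
EVENTS = [{"ts": "2025-01-10T02:00:00", "user": "klue-svc@example.com",
           "ip": "203.0.113.10", "ua": "Klue-Sync/1.0", "op": "Query"}]
# Slow phase: one QueryMore cursor fetch every 10 minutes from an unknown IP.
EVENTS += [{"ts": f"2025-01-10T{3 + i // 6:02d}:{(i % 6) * 10:02d}:00", "user": "klue-svc@example.com",
            "ip": "198.51.100.7", "ua": "Python-urllib/3.11", "op": "QueryMore"} for i in range(30)]
# Burst phase: 120 queries inside ten minutes from the same unknown IP.
EVENTS += [{"ts": f"2025-01-11T09:{i // 12:02d}:{(i % 12) * 5:02d}", "user": "klue-svc@example.com",
            "ip": "198.51.100.7", "ua": "Python-urllib/3.11", "op": "Query"} for i in range(120)]

def burst_users(events, window=timedelta(minutes=15), threshold=100):
    """Users whose request count in any sliding window exceeds threshold.
    The observed burst was ~1,000 requests in 15 minutes; threshold is scaled to the sample."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(datetime.fromisoformat(ev["ts"]))
    flagged = set()
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # drop stamps that fell out of the window
                start += 1
            if end - start + 1 > threshold:
                flagged.add(user)
                break
    return flagged

def scripted_clients(events):
    """(user, user agent) pairs using Python's urllib instead of the vendor's own client."""
    return {(ev["user"], ev["ua"]) for ev in events if ev["ua"].startswith("Python-urllib")}

def pagination_crawlers(events, min_cursor_fetches=20):
    """Users that walk QueryMore cursors far more often than a routine sync would."""
    counts = defaultdict(int)
    for ev in events:
        if ev["op"] == "QueryMore":
            counts[ev["user"]] += 1
    return {u for u, n in counts.items() if n >= min_cursor_fetches}

def off_allowlist_ips(events, allowlist=ALLOWLIST):
    """Source IPs that are not on the integration's expected egress allowlist."""
    return {ev["ip"] for ev in events if ev["ip"] not in allowlist}
```

Each check is deliberately independent so that a slow-phase crawl, which never trips the burst threshold, is still surfaced by the pagination and user-agent checks.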
Impact and Risks
The implications of this attack extend beyond a single integration.
Key risks include:
- Large-scale CRM data exfiltration
- Exposure of sensitive business intelligence
- Competitive disadvantage due to leaked sales data
- Compliance and regulatory consequences
For enterprises heavily reliant on SaaS ecosystems, this attack demonstrates how a single compromised integration can become a gateway into critical systems.
Expert Recommendations
Organizations must shift their security focus toward API-level visibility and integration governance.
Key mitigation steps include:
- Revoke and rotate all credentials (including OAuth tokens and client secrets)
- Audit Salesforce API logs for abnormal activity
- Enforce IP allowlisting for connected applications
- Limit integration permissions to least privilege
- Monitor OAuth token generation and refresh patterns
Security teams should treat integrations as high-risk assets rather than passive tools.
Industry Context
This incident reflects a growing trend: attackers are increasingly targeting OAuth authentication flows and SaaS integrations instead of traditional endpoints.
The reason is simple—these pathways offer:
- Persistent access
- High-value data exposure
- Lower detection rates
As enterprises expand their SaaS footprints, the attack surface shifts from infrastructure to identity and API access.
OAuth abuse campaigns are now becoming standardized, repeatable attack playbooks across cloud ecosystems.
Conclusion
The Salesforce-Klue breach is not just another SaaS incident—it is a blueprint for future attacks.
By exploiting trusted integrations and legitimate authentication mechanisms, attackers bypassed traditional defenses and quietly accessed sensitive CRM data.
The lesson is clear: trust alone is no longer a security control.
Organizations must continuously monitor, audit, and validate every connection—especially those that appear legitimate.
FAQ
What is a Salesforce OAuth attack?
A Salesforce OAuth attack involves abusing OAuth tokens or connected app permissions to gain authorized API access to CRM data.
Was Salesforce itself hacked?
No, the platform was not directly compromised. The breach occurred through a compromised third-party integration.
What data was exposed?
Potentially customer records, contacts, deal data, and pricing information—depending on integration permissions.
Why are SaaS integrations risky?
They often have persistent access and broad permissions, making them attractive targets for attackers.
How can organizations prevent this?
By limiting access, monitoring API activity, rotating credentials regularly, and enforcing strict governance over integrations.