Post by Mitiga
A single stolen OAuth token, no malware needed, opened the door to 700+ companies. The integration was just doing what it was built to do. That was the Salesloft Drift campaign.

ShinyHunters ran a similar play by phone — talking employees into approving a malicious Salesforce Data Loader connection, then moving from CRM into Okta, Microsoft 365, and S3. They haven't slowed down. Through the stolen Drift tokens they reached another 285+ Salesforce instances via Gainsight, and this month they hit 100+ organizations running Oracle PeopleSoft.

None of this required breaking in. Attackers logged in through identity and OAuth flows your team already trusts.

Mitiga Labs is running a free 45-minute advisory session on how these attacks unfold. Learn where visibility tends to break down across cloud, SaaS, identity, AI, and third-party services. You'll also see what your team should be able to answer at the dawn of an incident.

If a connected app started exporting records tonight, how quickly could your SOC scope what was taken and prove it's contained?

Schedule your free Mitiga Advisory Session at the link in the comments.