BLOG


Catching Salesforce Integration Breaches with Panther

Zaynah Smith-DaSilva

Feb 17, 2026

Introduction

Salesforce is a well-known Customer Relationship Management (CRM) platform that allows businesses to centralize the data used to manage customer interactions. Because so much data is concentrated in Salesforce, its logs are valuable both for investigations and for building efficient detections against threats. Salesforce has recently been affected by a number of breaches involving compromised app integrations, including Salesloft Drift and Gainsight. The influx of attacks on Salesforce integrations has created a need to detect and mitigate this activity and stop breaches before they occur. This article covers Salesforce forensic investigations, the recent breaches, and how Panther can assist you with Salesforce-based detections.

Executive Summary

Salesforce is highly sought after by both customers and malicious actors. With the influx of third-party app integrations in the Salesforce ecosystem, organizations are asking how they can ensure the security of their environments. Malicious actors have been shown to take advantage of third-party Salesforce integrations such as Drift and Gainsight for their own gain. The Salesloft Drift chatbot application was abused by attackers to extract compromised OAuth tokens for authentication. The attackers then performed reconnaissance via SQL queries to exfiltrate sensitive data such as Salesforce objects, cases, accounts, users, and opportunities. They aimed to harvest credentials including long-lived AWS credentials, Snowflake access tokens, and AWS access keys, and to reuse the discovered credentials to chain further attacks. In the Gainsight data breach, the attackers used the OAuth tokens extracted in the Salesloft Drift breach to compromise the application. Upon being made aware of this incident, Salesforce promptly revoked the affected tokens and temporarily removed the Gainsight application from AppExchange.

Detection Capabilities Offered by Panther

Panther hosts a variety of detections that can aid you in strengthening your organization’s security posture.

  1. Salesforce.API.Anomaly.Passthrough - This detection is a passthrough rule that utilizes baseline analysis and statistical anomaly detection to identify unusual API request patterns within Salesforce logs. This detection monitors for API request spikes, unusual query patterns, and bulk enumeration activities. Real Time Event Monitoring logs provide a look into a live stream of API events which is imperative for thorough investigation. 

  2. Salesforce.BulkAPI.DataExfiltration - This Panther detection alerts on multiple sequential queries of multiple sensitive object types, large-volume API queries, high-frequency data access requests, and unusual data export activity. Detecting instances of data exfiltration will help you identify threats and track down malicious activity with ease.

  3. Salesforce.ThirdParty.Integration.Monitoring - This Panther detection monitors new or unauthorized third-party application connections, integrations accessing excessive data, and unusual integration access patterns and permission changes. The detection takes into consideration API Request log activity from integrations, changes to Connected Apps via the Audit Trail, OAuth token activity, and logs of applications accessing the organization.

  4. Salesforce.OAuth.Credential.Abuse - This detection monitors Salesforce API access logs for suspicious OAuth token events that may be indicative of malicious behavior. Events that are targeted include OAuth Token Revocations, Failed Token Refresh Attempts, Excessive API Usage, Connected App Activity. These events can hint at token or API abuse so this detection hones in on those events for further visibility.

Recommended Actions

As a best practice, use short-lived access tokens to limit the value of any credentials a bad actor manages to compromise. High-permission roles (such as those with read/write permissions) should require approval before they are granted. Regular audits of your environment are essential to find any hardcoded or exposed credentials and secrets; exposed credentials are the primary vector adversaries use to compromise application security. Third-party integrations also need to be monitored and reviewed to confirm their legitimacy. Log auditing is recommended as well, since it provides visibility into authentications, access, and data exfiltration.
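The credential audit recommended above can be partly automated. The following is an added example, not code from this post or from Panther: a small scanner that walks Case records (the object type mined in the Salesloft Drift breach) and reports credential-shaped strings in masked form so they can be rotated and redacted. The Case records are constructed; the AWS key pair inside them is AWS's published example pair, not a live credential. Which patterns count as secrets, and the field names scanned, are assumptions to tune for your own environment.

```python
import re

# Patterns are assumptions; extend them for the secret types your org handles.
SECRET_PATTERNS = {
    # AWS long-term (AKIA) and temporary (ASIA) access key IDs
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 40-character AWS secret key near a 'secret' label
    "aws_secret_access_key": re.compile(
        r"(?i)(?:secret|aws_secret_access_key)[^\n]{0,20}?([A-Za-z0-9/+=]{40})\b"),
    # Connector configs pasted into a case with a password in them
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*(\S+)"),
}

CASE_TEXT_FIELDS = ("Subject", "Description")  # assumed free-text fields to scan


def mask(secret):
    """Keep just enough of the value to identify which credential to rotate."""
    if len(secret) <= 8:
        return "***"
    return f"{secret[:4]}...{secret[-2:]}"


def scan_text(text):
    """Return (kind, masked_value) for every secret-shaped match in text."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text or ""):
            value = match.group(match.lastindex or 0)  # group 1 if the pattern has one
            findings.append((kind, mask(value)))
    return findings


def audit_cases(cases):
    """Scan each Case record; raw secret values never leave this function."""
    report = []
    for case in cases:
        for field in CASE_TEXT_FIELDS:
            for kind, masked in scan_text(case.get(field)):
                report.append({"case_id": case["Id"], "field": field,
                               "kind": kind, "masked": masked})
    return report


# Constructed sample Case records (not real customer data).
SAMPLE_CASES = [
    {"Id": "500CASE000000001", "Subject": "Login issue",
     "Description": "Cannot log in since yesterday, please help."},
    {"Id": "500CASE000000002", "Subject": "S3 sync failing",
     "Description": "Here is my key AKIAIOSFODNN7EXAMPLE and secret "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500CASE000000003", "Subject": "Snowflake connector",
     "Description": "Attached config: password=hunter2 ..."},
]

if __name__ == "__main__":
    for finding in audit_cases(SAMPLE_CASES):
        print(finding)
```

Run it against a Case export on a schedule and feed the report to whoever owns rotation; because the scanner only ever emits masked values, the report itself does not become another copy of the secret.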

Breaches

Salesloft Drift

A data breach was brought to Cloudflare's attention on August 23rd, in which an external actor gained access to their Salesforce instance. The compromised data consisted of customer support interactions (nested in Case objects), which may have leaked access tokens as well. The compromised integration was the Salesloft Drift chatbot that allowed all visitors of the website to contact Cloudflare. The threat actors used compromised OAuth tokens belonging to the third-party application, with the aim of harvesting credentials. Hundreds of organizations using the Salesloft Drift integration were affected by this breach, making the incident a textbook supply chain attack. The threat actor responsible (as classified by Cloudflare's Threat Intelligence team) is GRUB1 (UNC6395).

The threat actor ran a number of SQL queries to exfiltrate data and carry out the attack. GRUB1 sought out sensitive Salesforce data including Salesforce objects, cases, accounts, users, and opportunities. The threat actors' intent was to harvest credentials that could later be used to access victims' environments. Targeted credentials included Amazon Web Services (AWS) access keys, AKIA passwords, and Snowflake-related access tokens.

Investigation

With Panther you can use Real Time Event Monitoring logs to review current and historical Salesforce activity, which supports better investigations. These logs also include Threat Detection events that flag unusual activity.

The Salesloft Drift compromise began with a login from an unfamiliar IP address. This login anomaly can be detected as a Threat Detection event within the Real Time Event Monitoring logs. The following Panther search shows an example of a login anomaly event in Salesforce:

EVENT_TYPE: LoginAnomalyEventStore
  TIMESTAMP: "2024-01-15 14:23:45.123"
  TIMESTAMP_DERIVED: "2024-01-15 14:23:45.123"
  EVENT_DATE: "2024-01-15"
  ORGANIZATION_ID: 00D5f000005uVo7
  USER_ID: 0055f00000CyEN
  USER_ID_DERIVED: 0055f00000CyENtAAN
  USERNAME: suspicious.user@company.com
  USER_TYPE: Standard
  SESSION_KEY: fJ8kL2drc73p8/Wk
  SOURCE_IP: 45.67.89.123
  LOGIN_KEY: IMwYW6cv9ydaPrRm
  REQUEST_ID: 5tlEQPuEcPPzVPH-nPNWK-
  SCORE: 85.5  # Anomaly score (0-100)
  SUMMARY: "Login from unusual location or time"
  SECURITY_EVENT_DATA: '{"anomaly_type":"geolocation","expected_country":"US","actual_country":"CN"}'

This login anomaly log includes the pertinent information: the username, source IP, and location. Notably, you can see the anomaly score and a summary explaining why the login was classed as anomalous. The LoginAnomalyEventStore event is a key aspect of investigating the initial login from an unfamiliar IP address, as it provides relevant information on the actor.

GRUB1 was able to log in because they held OAuth tokens compromised in a previous GitHub leak they participated in. These tokens allowed the malicious actors to access customer environments and perform the bulk of their reconnaissance and exfiltration activity. The following Panther detection alerts on indicators of potential OAuth credential abuse:

def rule(event):
    # Alert on OAuth-related events that may indicate credential abuse
    event_type = event.get("EVENT_TYPE", "")
    # Monitor OAuth token usage and authentication events
    oauth_events = [
        "OAuthTokenRevoked",
        "OAuthTokenRefreshFailed",
        "ApiTotalUsage",
        "ApiConnectedApp",
    ]
    return event_type in oauth_events or "oauth" in event_type.lower()

This detection monitors Salesforce API access logs for suspicious OAuth token events that may be indicative of malicious behavior. The following events are targeted as they have a high likelihood of indicating abuse:

  1. OAuth Token Revocations → May indicate response to compromise

  2. Failed Token Refresh Attempts → Potential brute force or stolen token usage

  3. Excessive API Usage → Automated abuse or data exfiltration

  4. Connected App Activity → Monitoring for suspicious OAuth app behavior

Below you will find an example of a True Positive triggered by an OAuthTokenRevoked event.

  EVENT_TYPE: OAuthTokenRevoked
  TIMESTAMP: "2024-01-30 17:45:30.123"
  TIMESTAMP_DERIVED: "2024-01-30 17:45:30.123"
  EVENT_DATE: "2024-01-30"
  ORGANIZATION_ID: 00D5f000005uVo7
  USER_ID: 0055f00000RzTCE
  USER_ID_DERIVED: 0055f00000RzTCEIII
  USER_NAME: security.admin@company.com
  USER_TYPE: Standard
  SOURCE_IP: 10.10.10.10
  REQUEST_ID: 9HzSED8SpDD3JDW-CCZkX-
  CONNECTED_APP_ID: 0H05f000000XzDqEEN
  CONNECTED_APP_NAME: CompromisedApp
  CLIENT_ID: 3MVG9yZ.WNe6byQCPj8xYzKl
  STATUS: Success
  SESSION_KEY: kN3pP6huf17t3/Ao
  p_event_time: "2024-01-30 17:45:30.123"
  p_log_type: Salesforce.OAuthTokenRevoked
  p_any_ip_addresses: [10.10.10.10]
  p_any_usernames: [security.admin@company.com]

This event includes pertinent information about who revoked the OAuth token and the name of the Connected App that was compromised. In typical scenarios, OAuth tokens are revoked in response to a suspected or confirmed compromise. Because of that, these events are especially helpful when investigating, as they contain timestamps and information about the app in question.

From here, an investigation would generally consist of establishing why the token was revoked, looking at failed authentication attempts, and auditing the token's access patterns prior to revocation.

EVENT_TYPE: OAuthTokenRefreshFailed
  TIMESTAMP: "2024-01-31 11:20:15.789"
  TIMESTAMP_DERIVED: "2024-01-31 11:20:15.789"
  EVENT_DATE: "2024-01-31"
  ORGANIZATION_ID: 00D5f000005uVo7
  USER_ID: 0055f00000SzUDF
  USER_ID_DERIVED: 0055f00000SzUDFJJJ
  USER_NAME: api.user@company.com
  USER_TYPE: Standard
  SOURCE_IP: 203.45.67.89
  REQUEST_ID: 0IATFe9TqEE4KEY-DDAlY-
  CONNECTED_APP_ID: 0H05f000000XzErFFO
  CONNECTED_APP_NAME: SuspiciousIntegration
  CLIENT_ID: 3MVG9yZ.WNe6byQCPj8xYzKl123
  STATUS: Failed
  SESSION_KEY: lO4qQ7ivg28u4/Bp
  p_event_time: "2024-01-31 11:20:15.789"
  p_log_type: Salesforce.OAuthTokenRefreshFailed
  p_any_ip_addresses: [203.45.67.89]
  p_any_usernames: [api.user@company.com]

This event shows a failed OAuth token refresh, which could hint at stolen credentials or brute-force attempts. An attacker using a stolen or expired token would produce such a failure, as would a brute-force attempt that guesses token credentials; legitimate tokens should refresh successfully. The event provides the source IP address and the related application along with a timestamp.

With this event information, investigation steps would typically consist of checking for multiple failed refresh attempts, and even login attempts, from the same IP. Also review the user responsible for this event to note whether they typically use the given token, and review the app integration itself.

 EVENT_TYPE: ApiConnectedApp
  TIMESTAMP: "2024-02-02 09:15:20.123"
  TIMESTAMP_DERIVED: "2024-02-02 09:15:20.123"
  EVENT_DATE: "2024-02-02"
  ORGANIZATION_ID: 00D5f000005uVo7
  USER_ID: 0055f00000UzWFH
  USER_ID_DERIVED: 0055f00000UzWFHLLL
  USER_NAME: normal.integration@company.com
  USER_TYPE: Standard
  SOURCE_IP: 172.16.0.100
  REQUEST_ID: 2KCVHg1VsGG6MGZ-FFCna-
  CONNECTED_APP_ID: 0H05f000000XzGtHHQ
  CONNECTED_APP_NAME: NormalApp
  CLIENT_ID: 3MVG9yZ.WNe6byQCPj8xYzKl789
  API_TOTAL_COUNT: 500
  STATUS: Success
  SESSION_KEY: nQ6sS9kxi40w6/Dr
  p_event_time: "2024-02-02 09:15:20.123"
  p_log_type: Salesforce.ApiConnectedApp
  p_any_ip_addresses: [172.16.0.100]
  p_any_usernames: [normal.integration@company.com]


This event is classed as lower severity but is still relevant. ApiConnectedApp events provide insight into OAuth applications making API calls, so the key here is to note particular patterns that could indicate malicious or unfamiliar behaviour. This event serves to provide visibility into API call activity, and the API call count is taken into consideration when classing the severity of this alert.

EVENT_TYPE: ApiTotalUsage
  API_TOTAL_COUNT: 15000  # Exceeds 10,000 threshold
  CONNECTED_APP_NAME: HighVolumeApp
  USER_NAME: integration.service@company.com
  STATUS: Success

Building on the prior event, this detection considers ApiTotalUsage events that exceed a threshold of 10,000 API calls. These are classed as high severity, since such volume could indicate data scraping or automated abuse. For investigation, evaluate the source IP address, the app integration, and prior activity to determine whether this behavior is expected.
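To show how the four OAuth event families described above (token revocations, failed refreshes, ApiConnectedApp activity and ApiTotalUsage volume) can be given the differing severities this post assigns them, here is an added example; it is not Panther's packaged Salesforce.OAuth.Credential.Abuse rule. It keeps the same passthrough `rule()` match and adds Panther's optional `severity`, `title`, `dedup` and `alert_context` rule functions. The 10,000-call threshold is the one stated in the post; the per-event severity mapping is an assumption, and the sample events are constructed from the fields shown in the post's examples.

```python
API_USAGE_THRESHOLD = 10_000  # from the post: ApiTotalUsage above this is high severity

OAUTH_EVENTS = {
    "OAuthTokenRevoked",        # usually a response to suspected compromise
    "OAuthTokenRefreshFailed",  # stolen/expired token or brute force
    "ApiTotalUsage",            # automated abuse or exfiltration when high
    "ApiConnectedApp",          # visibility into OAuth apps calling the API
}


def _count(event):
    """API_TOTAL_COUNT may be absent or a string; treat anything unparseable as 0."""
    try:
        return int(event.get("API_TOTAL_COUNT") or 0)
    except (TypeError, ValueError):
        return 0


def rule(event):
    event_type = event.get("EVENT_TYPE", "")
    return event_type in OAUTH_EVENTS or "oauth" in event_type.lower()


def severity(event):
    # Assumed mapping of the post's four event families to Panther severities
    event_type = event.get("EVENT_TYPE", "")
    count = _count(event)
    if event_type == "OAuthTokenRefreshFailed":
        return "HIGH"
    if event_type == "ApiTotalUsage":
        return "HIGH" if count > API_USAGE_THRESHOLD else "LOW"
    if event_type == "OAuthTokenRevoked":
        return "MEDIUM"
    if event_type == "ApiConnectedApp":
        # lower severity by default; escalate only on unusual call volume
        return "MEDIUM" if count > API_USAGE_THRESHOLD else "LOW"
    return "LOW"  # other OAuth* event types matched by the substring check


def title(event):
    user = event.get("USER_NAME") or event.get("USERNAME") or "<unknown user>"
    return (
        f"Salesforce {event.get('EVENT_TYPE')}: "
        f"app={event.get('CONNECTED_APP_NAME', '<unknown app>')} user={user} "
        f"ip={event.get('SOURCE_IP', '<unknown ip>')} status={event.get('STATUS', 'n/a')}"
    )


def dedup(event):
    # Fold repeated failures/usage for the same app and user into one alert
    user = event.get("USER_NAME") or event.get("USERNAME") or ""
    return f"{event.get('EVENT_TYPE')}:{event.get('CONNECTED_APP_ID')}:{user}"


def alert_context(event):
    keys = ("EVENT_TYPE", "CONNECTED_APP_ID", "CONNECTED_APP_NAME", "CLIENT_ID",
            "STATUS", "API_TOTAL_COUNT", "SOURCE_IP", "REQUEST_ID", "SESSION_KEY")
    return {k: event.get(k) for k in keys if event.get(k) is not None}


# Constructed sample events mirroring the fields in this post's examples.
SAMPLE_EVENTS = [
    {"EVENT_TYPE": "OAuthTokenRevoked", "USER_NAME": "security.admin@company.com",
     "SOURCE_IP": "10.10.10.10", "CONNECTED_APP_ID": "0H05f000000XzDqEEN",
     "CONNECTED_APP_NAME": "CompromisedApp", "STATUS": "Success"},
    {"EVENT_TYPE": "OAuthTokenRefreshFailed", "USER_NAME": "api.user@company.com",
     "SOURCE_IP": "203.45.67.89", "CONNECTED_APP_ID": "0H05f000000XzErFFO",
     "CONNECTED_APP_NAME": "SuspiciousIntegration", "STATUS": "Failed"},
    {"EVENT_TYPE": "ApiConnectedApp", "USER_NAME": "normal.integration@company.com",
     "SOURCE_IP": "172.16.0.100", "CONNECTED_APP_NAME": "NormalApp",
     "API_TOTAL_COUNT": 500, "STATUS": "Success"},
    {"EVENT_TYPE": "ApiTotalUsage", "USER_NAME": "integration.service@company.com",
     "CONNECTED_APP_NAME": "HighVolumeApp", "API_TOTAL_COUNT": "15000", "STATUS": "Success"},
    {"EVENT_TYPE": "LoginEvent", "USER_NAME": "someone@company.com"},  # should not alert
]


def triage(events):
    """Return (title, severity) for every event the rule would alert on."""
    return [(title(e), severity(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for alert_title, alert_severity in triage(SAMPLE_EVENTS):
        print(alert_severity, alert_title)
```

The `dedup` key is what keeps a burst of failed refreshes from one stolen token from paging you once per attempt, while `alert_context` carries the Connected App and client identifiers an analyst needs to start the token-revocation investigation described above.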

Following this, GRUB1 performed several API calls including GET requests to extract metadata information from the Cloudflare Sales Tenant. This allowed the malicious actors to learn more about the Salesforce objects they aimed to exploit. Anomalous API calls can be detected with the following API Activity Anomaly Panther passthrough rule:

def rule(event):
    # Alert on any Salesforce API Anomaly Event
    # These are generated by Salesforce's Real-Time Event Monitoring
    # when it detects anomalous API activity
    return event.get("EVENT_TYPE") == "ApiAnomalyEventStore"

This Panther detection utilizes baseline analysis and statistical anomaly detection to identify unusual API request patterns within Salesforce logs. This detection monitors for API request spikes, unusual query patterns, and bulk enumeration activities. Real Time Event Monitoring logs provide a look into a live stream of API events which is imperative for thorough investigation. 

The detection then extracts the Salesforce SCORE, which rates how anomalous the activity appears to be, and maps the score ranges to their respective Panther severity labels.

def severity(event):
    # Map anomaly score to Panther severity
    # Salesforce scores range from 0-100, higher = more anomalous
    score = event.get("SCORE", 0)
    if score >= 80:
        return "CRITICAL"
    if score >= 60:
        return "HIGH"
    if score >= 40:
        return "MEDIUM"
    if score >= 20:
        return "LOW"
    return "DEFAULT"

Below is an example of an ApiAnomalyEventStore event.

EVENT_TYPE: ApiAnomalyEventStore
  TIMESTAMP: "2024-01-15 14:23:45.123"
  TIMESTAMP_DERIVED: "2024-01-15 14:23:45.123"
  EVENT_DATE: "2024-01-15"
  ORGANIZATION_ID: 00D5f000005uVo7
  USER_ID: 0055f00000CyEN
  USER_ID_DERIVED: 0055f00000CyENtAAN
  USERNAME: suspicious.user@company.com
  USER_TYPE: Standard
  SESSION_KEY: fJ8kL2drc73p8/Wk
  SOURCE_IP: 45.67.89.123
  REQUEST_ID: 5tlEQPuEcPPzVPH-nPNWK-
  SCORE: 85.5  # ⚠️ CRITICAL threshold (>=80)
  SUMMARY: "Unusual API query volume and pattern detected"
  SECURITY_EVENT_DATA: '{"anomaly_type":"volume","threshold_exceeded":true,"queries_per_hour":1250}'
  p_event_time: "2024-01-15 14:23:45.123"
  p_log_type: Salesforce.ApiAnomalyEventStore
  p_any_ip_addresses: [45.67.89.123]
  p_any_usernames: [suspicious.user@company.com]

In this instance, an unusual query request broke the threshold with 1250 queries per hour. The severity was marked as critical with a score of 85.5. The event provides vital information including the timestamp, source IP address, the user, and the session key. Investigating this event will involve looking into the source IP address as well as identifying the queries being made within this short time frame.
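Both anomaly events walked through in this section, the LoginAnomalyEventStore login from an unfamiliar IP and the ApiAnomalyEventStore query spike, carry their reason in SECURITY_EVENT_DATA as a JSON string. The following added example (not Panther's packaged rule) handles both event types in one rule: it reuses the score-to-severity thresholds shown above, parses SECURITY_EVENT_DATA defensively so a malformed payload can never make the rule throw and drop the alert, and surfaces the anomaly details in the title and alert context. The two event dicts are constructed from the post's samples; the string-typed SCORE on the second one is there to show the parsing handles it.

```python
import json

ANOMALY_EVENTS = {"LoginAnomalyEventStore", "ApiAnomalyEventStore"}


def rule(event):
    return event.get("EVENT_TYPE") in ANOMALY_EVENTS


def parse_security_event_data(event):
    """SECURITY_EVENT_DATA arrives as a JSON-encoded string. A failure inside
    title() would discard the alert, so malformed data is reported, not raised."""
    raw = event.get("SECURITY_EVENT_DATA")
    if isinstance(raw, dict):
        return raw
    if not raw:
        return {}
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        return {"parse_error": True, "raw": str(raw)[:200]}
    return data if isinstance(data, dict) else {"raw": data}


def anomaly_score(event):
    """Salesforce scores range 0-100; tolerate missing or string-typed values."""
    try:
        return float(event.get("SCORE") or 0)
    except (TypeError, ValueError):
        return 0.0


def severity(event):
    # Same thresholds as the post's severity() function
    score = anomaly_score(event)
    if score >= 80:
        return "CRITICAL"
    if score >= 60:
        return "HIGH"
    if score >= 40:
        return "MEDIUM"
    if score >= 20:
        return "LOW"
    return "DEFAULT"


def title(event):
    data = parse_security_event_data(event)
    user = event.get("USERNAME") or event.get("USER_NAME") or "<unknown user>"
    kind = data.get("anomaly_type", "unknown")
    base = (f"Salesforce {event.get('EVENT_TYPE')}: {kind} anomaly for {user} "
            f"from {event.get('SOURCE_IP', '<unknown ip>')} (score {anomaly_score(event):g})")
    if kind == "geolocation":
        return base + f", expected {data.get('expected_country')} but saw {data.get('actual_country')}"
    if kind == "volume":
        return base + f", {data.get('queries_per_hour')} queries/hour"
    return base


def alert_context(event):
    # Session and login keys let the analyst pivot to every request in that session
    return {
        "score": anomaly_score(event),
        "summary": event.get("SUMMARY"),
        "session_key": event.get("SESSION_KEY"),
        "login_key": event.get("LOGIN_KEY"),
        "request_id": event.get("REQUEST_ID"),
        "details": parse_security_event_data(event),
    }


# Constructed from the post's two sample events.
LOGIN_ANOMALY = {
    "EVENT_TYPE": "LoginAnomalyEventStore", "USERNAME": "suspicious.user@company.com",
    "SOURCE_IP": "45.67.89.123", "SESSION_KEY": "fJ8kL2drc73p8/Wk", "SCORE": 85.5,
    "SUMMARY": "Login from unusual location or time",
    "SECURITY_EVENT_DATA": '{"anomaly_type":"geolocation","expected_country":"US","actual_country":"CN"}',
}
API_ANOMALY = {
    "EVENT_TYPE": "ApiAnomalyEventStore", "USERNAME": "suspicious.user@company.com",
    "SOURCE_IP": "45.67.89.123", "SCORE": "85.5",  # numeric fields sometimes arrive as strings
    "SUMMARY": "Unusual API query volume and pattern detected",
    "SECURITY_EVENT_DATA": '{"anomaly_type":"volume","threshold_exceeded":true,"queries_per_hour":1250}',
}

if __name__ == "__main__":
    for event in (LOGIN_ANOMALY, API_ANOMALY):
        print(severity(event), title(event))
```

Note that the page's own `severity()` compares SCORE directly; if the field ever arrives as a string, that comparison raises a TypeError in Python 3, which is why this version normalizes through `anomaly_score()` first.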

After gathering sufficient information about their target, GRUB1 proceeded to run a number of SOQL queries to gain information on Account, User, and Contact objects. You can catch this activity with the Bulk Data Exfiltration Panther detection:

def rule(event):
    # Alert on Salesforce Bulk API Result Events
    # These events are generated when bulk API jobs complete
    # and can indicate large-scale data exfiltration attempts
    return event.get("EVENT_TYPE") == "BulkApiResultEventStore"

This Panther detection alerts on multiple sequential queries of multiple sensitive object types, large-volume API queries, high-frequency data access requests, and unusual data export activity. Detecting instances of data exfiltration will help you identify threats and track down malicious activity with ease.
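The passthrough rule above fires on every completed bulk job; the behaviours this paragraph lists (sequential queries across several sensitive object types, large-volume queries) need the job's fields and some correlation. The following is an added example, not Panther's packaged Salesforce.BulkAPI.DataExfiltration rule. It keeps the passthrough match, adds a `severity()` driven by OPERATION_TYPE, ENTITY_NAME and RECORDS_PROCESSED (field names as they appear in this post's BulkApiResultEventStore sample), and implements the sequential-enumeration check as an offline correlation over a list of events, which is how you would test the logic against exported logs before turning it into a scheduled query. The sensitive-object list, the record threshold, the one-hour window and the sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_ENTITIES = {"Account", "Contact", "User", "Case", "Opportunity", "Lead"}
RECORD_THRESHOLD = 100_000          # records in a single query job (assumed)
WINDOW = timedelta(hours=1)         # look-back for sequential enumeration (assumed)
MIN_DISTINCT_ENTITIES = 3           # distinct sensitive objects within WINDOW (assumed)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # TIMESTAMP layout as shown in the post's sample


def rule(event):
    return event.get("EVENT_TYPE") == "BulkApiResultEventStore"


def _records(event):
    try:
        return int(float(event.get("RECORDS_PROCESSED") or 0))
    except (TypeError, ValueError):
        return 0


def severity(event):
    # Only query jobs pull data out; insert/update/delete jobs are not extraction
    if event.get("OPERATION_TYPE") != "query":
        return "LOW"
    sensitive = event.get("ENTITY_NAME") in SENSITIVE_ENTITIES
    large = _records(event) >= RECORD_THRESHOLD
    if sensitive and large:
        return "CRITICAL"
    if sensitive or large:
        return "HIGH"
    return "MEDIUM"


def _ts(event):
    return datetime.strptime(event["TIMESTAMP"], TS_FORMAT)


def find_sequential_enumeration(events, window=WINDOW, min_entities=MIN_DISTINCT_ENTITIES):
    """Per user, find the first window in which query jobs touched at least
    min_entities distinct sensitive objects. Returns {user: summary}."""
    by_user = defaultdict(list)
    for event in sorted(events, key=_ts):
        if (rule(event) and event.get("OPERATION_TYPE") == "query"
                and event.get("ENTITY_NAME") in SENSITIVE_ENTITIES):
            by_user[event.get("USER_NAME")].append(event)

    hits = {}
    for user, jobs in by_user.items():
        for i, first in enumerate(jobs):
            records_by_entity = defaultdict(int)
            for job in jobs[i:]:          # jobs are time-ordered, so stop at the window edge
                if _ts(job) - _ts(first) > window:
                    break
                records_by_entity[job["ENTITY_NAME"]] += _records(job)
            if len(records_by_entity) >= min_entities:
                hits[user] = {
                    "entities": sorted(records_by_entity),
                    "records": sum(records_by_entity.values()),
                    "window_start": first["TIMESTAMP"],
                }
                break
    return hits


def _bulk(ts, user, operation, entity, records):
    """Constructed BulkApiResultEventStore event using the post's field names."""
    return {"EVENT_TYPE": "BulkApiResultEventStore", "TIMESTAMP": ts, "USER_NAME": user,
            "OPERATION_TYPE": operation, "ENTITY_NAME": entity, "RECORDS_PROCESSED": records,
            "SOURCE_IP": "203.0.113.10"}  # documentation-range placeholder address


# Constructed sample: a routine nightly sync and a user walking Account -> User -> Contact
SAMPLE_EVENTS = [
    _bulk("2024-01-20 09:00:00.000", "nightly.sync@company.com", "insert", "Lead", 8_000),
    _bulk("2024-01-20 09:05:00.000", "nightly.sync@company.com", "query", "Opportunity", 1_200),
    _bulk("2024-01-20 15:10:02.000", "suspicious.user@company.com", "query", "Account", 42_000),
    _bulk("2024-01-20 15:25:17.000", "suspicious.user@company.com", "query", "User", 3_100),
    _bulk("2024-01-20 15:45:30.123", "suspicious.user@company.com", "query", "Contact", 150_000),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(severity(event), event["USER_NAME"], event["OPERATION_TYPE"], event["ENTITY_NAME"])
    print(find_sequential_enumeration(SAMPLE_EVENTS))
```

Per-event severity is what a streaming rule can decide on its own; the object-walk across Account, User and Contact only shows up when jobs are correlated by user over time, so that part belongs in a scheduled query or a correlation rule rather than in the passthrough.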

Below is an example of a critical severity event for Bulk API data exfiltration.

 EVENT_TYPE: BulkApiResultEventStore
  TIMESTAMP: "2024-01-20 15:45:30.123"
  TIMESTAMP_DERIVED: "2024-01-20 15:45:30.123"
  EVENT_DATE: "2024-01-20"
  ORGANIZATION_ID: 00D5f000005uVo7
  USER_ID: 0055f00000HyJSw
  USER_ID_DERIVED: 0055f00000HyJSwXXY
  USER_NAME: suspicious.user@company.com
  USER_TYPE: Standard
  SOURCE_IP: 203.45.67.89
  REQUEST_ID: 9xpIUTyIfTT3ZTL-rTRaN-
  JOB_ID: 7505f000008xKLmAAM
  OPERATION_TYPE: query  # ⚠️ Query = data extraction
  ENTITY_NAME: Contact   # ⚠️ Sensitive customer data
  RECORDS_PROCESSED: 150000  # ⚠️ 150K records!
  NUMBER_OF_BATCHES: 15
  API_VERSION: "59.0"
  JOB_TYPE: V2
  CONCURRENCY_MODE: Parallel
  p_event_time: "2024-01-20 15:45:30.123"
  p_log_type: Salesforce.BulkApiResultEventStore
  p_any_ip_addresses: [203.45.67.89]
  p_any_usernames: [suspicious.user@company.com]
 EVENT_TYPE: BulkApiResultEventStore
  TIMESTAMP: "2024-01-20 15:45:30.123"
  TIMESTAMP_DERIVED: "2024-01-20 15:45:30.123"
  EVENT_DATE: "2024-01-20"
  ORGANIZATION_ID: 00D5f000005uVo7
  USER_ID: 0055f00000HyJSw
  USER_ID_DERIVED: 0055f00000HyJSwXXY
  USER_NAME: suspicious.user@company.com
  USER_TYPE: Standard
  SOURCE_IP: 203.45.67.89
  REQUEST_ID: 9xpIUTyIfTT3ZTL-rTRaN-
  JOB_ID: 7505f000008xKLmAAM
  OPERATION_TYPE: query  # ⚠️ Query = data extraction
  ENTITY_NAME: Contact   # ⚠️ Sensitive customer data
  RECORDS_PROCESSED: 150000  # ⚠️ 150K records!
  NUMBER_OF_BATCHES: 15
  API_VERSION: "59.0"
  JOB_TYPE: V2
  CONCURRENCY_MODE: Parallel
  p_event_time: "2024-01-20 15:45:30.123"
  p_log_type: Salesforce.BulkApiResultEventStore
  p_any_ip_addresses: [203.45.67.89]
  p_any_usernames: [suspicious.user@company.com]
 EVENT_TYPE: BulkApiResultEventStore
  TIMESTAMP: "2024-01-20 15:45:30.123"
  TIMESTAMP_DERIVED: "2024-01-20 15:45:30.123"
  EVENT_DATE: "2024-01-20"
  ORGANIZATION_ID: 00D5f000005uVo7
  USER_ID: 0055f00000HyJSw
  USER_ID_DERIVED: 0055f00000HyJSwXXY
  USER_NAME: suspicious.user@company.com
  USER_TYPE: Standard
  SOURCE_IP: 203.45.67.89
  REQUEST_ID: 9xpIUTyIfTT3ZTL-rTRaN-
  JOB_ID: 7505f000008xKLmAAM
  OPERATION_TYPE: query  # ⚠️ Query = data extraction
  ENTITY_NAME: Contact   # ⚠️ Sensitive customer data
  RECORDS_PROCESSED: 150000  # ⚠️ 150K records!
  NUMBER_OF_BATCHES: 15
  API_VERSION: "59.0"
  JOB_TYPE: V2
  CONCURRENCY_MODE: Parallel
  p_event_time: "2024-01-20 15:45:30.123"
  p_log_type: Salesforce.BulkApiResultEventStore
  p_any_ip_addresses: [203.45.67.89]
  p_any_usernames: [suspicious.user@company.com]
 EVENT_TYPE: BulkApiResultEventStore
  TIMESTAMP: "2024-01-20 15:45:30.123"
  TIMESTAMP_DERIVED: "2024-01-20 15:45:30.123"
  EVENT_DATE: "2024-01-20"
  ORGANIZATION_ID: 00D5f000005uVo7
  USER_ID: 0055f00000HyJSw
  USER_ID_DERIVED: 0055f00000HyJSwXXY
  USER_NAME: suspicious.user@company.com
  USER_TYPE: Standard
  SOURCE_IP: 203.45.67.89
  REQUEST_ID: 9xpIUTyIfTT3ZTL-rTRaN-
  JOB_ID: 7505f000008xKLmAAM
  OPERATION_TYPE: query  # ⚠️ Query = data extraction
  ENTITY_NAME: Contact   # ⚠️ Sensitive customer data
  RECORDS_PROCESSED: 150000  # ⚠️ 150K records!
  NUMBER_OF_BATCHES: 15
  API_VERSION: "59.0"
  JOB_TYPE: V2
  CONCURRENCY_MODE: Parallel
  p_event_time: "2024-01-20 15:45:30.123"
  p_log_type: Salesforce.BulkApiResultEventStore
  p_any_ip_addresses: [203.45.67.89]
  p_any_usernames: [suspicious.user@company.com]

This BulkApiResultEventStore event provides very important information, including the operation type, entity name, records processed, and number of batches. With it, one can see which sensitive object the query extracted and investigate the case using the username and source IP address. This provides context on the situation and helps attribute the case to a specific actor, allowing for thorough investigation.
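The passthrough rule above fires on every completed bulk job, so the analyst has to read the fields by hand. The following is an added example, not Panther's own rule code, of a Panther-style rule that applies the reasoning from the two paragraphs above directly: it ignores non-query jobs (insert/update/delete do not move data out), and grades the alert by whether ENTITY_NAME is a sensitive object and how many records were processed. The sensitive-object list, the thresholds, and the sample events are assumptions to tune per org.

```python
# Added example (not Panther's own rule code): a Panther-style rule for
# Salesforce.BulkApiResultEventStore events that scores completed bulk jobs
# on OPERATION_TYPE, ENTITY_NAME and RECORDS_PROCESSED instead of alerting on
# every bulk-job completion. Thresholds and the sensitive-object set are assumed.

SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "Case", "User"}
HIGH_RECORDS = 100_000     # assumed: clearly beyond routine job sizes
MEDIUM_RECORDS = 10_000    # assumed: worth a look even on non-sensitive objects
EXPORT_OPERATIONS = {"query", "queryall"}  # Bulk API 2.0 read operations


def _records(event):
    """RECORDS_PROCESSED may arrive as int, as str, or be missing."""
    try:
        return int(event.get("RECORDS_PROCESSED") or 0)
    except (TypeError, ValueError):
        return 0


def rule(event):
    if event.get("EVENT_TYPE") != "BulkApiResultEventStore":
        return False
    # Only query jobs move data out of the org; insert/update/delete jobs do not.
    if str(event.get("OPERATION_TYPE", "")).lower() not in EXPORT_OPERATIONS:
        return False
    sensitive = event.get("ENTITY_NAME") in SENSITIVE_OBJECTS
    return sensitive or _records(event) >= MEDIUM_RECORDS


def severity(event):
    sensitive = event.get("ENTITY_NAME") in SENSITIVE_OBJECTS
    big = _records(event) >= HIGH_RECORDS
    if sensitive and big:
        return "CRITICAL"
    if sensitive or big:
        return "HIGH"
    return "MEDIUM"


def title(event):
    return (
        f"Salesforce bulk query exported {_records(event):,} "
        f"{event.get('ENTITY_NAME')} records: {event.get('USER_NAME')} "
        f"from {event.get('SOURCE_IP')}"
    )


def dedup(event):
    # One alert per job, not one per batch result row
    return f"{event.get('USER_NAME')}:{event.get('JOB_ID')}"


def alert_context(event):
    keys = ("USER_NAME", "SOURCE_IP", "JOB_ID", "ENTITY_NAME", "OPERATION_TYPE",
            "RECORDS_PROCESSED", "NUMBER_OF_BATCHES", "TIMESTAMP")
    return {k: event.get(k) for k in keys}


# Constructed sample events mirroring the log above
SAMPLE_EXFIL = {
    "EVENT_TYPE": "BulkApiResultEventStore",
    "TIMESTAMP": "2024-01-20 15:45:30.123",
    "USER_NAME": "suspicious.user@company.com",
    "SOURCE_IP": "203.45.67.89",
    "JOB_ID": "7505f000008xKLmAAM",
    "OPERATION_TYPE": "query",
    "ENTITY_NAME": "Contact",
    "RECORDS_PROCESSED": 150000,
    "NUMBER_OF_BATCHES": 15,
}
SAMPLE_ROUTINE_LOAD = {**SAMPLE_EXFIL, "OPERATION_TYPE": "insert", "ENTITY_NAME": "Lead"}
SAMPLE_SMALL_CUSTOM = {**SAMPLE_EXFIL, "ENTITY_NAME": "Invoice__c", "RECORDS_PROCESSED": "5000"}

if __name__ == "__main__":
    for ev in (SAMPLE_EXFIL, SAMPLE_ROUTINE_LOAD, SAMPLE_SMALL_CUSTOM):
        print(rule(ev), severity(ev) if rule(ev) else "-", title(ev))
```

The 150,000-record Contact query from the sample log comes out CRITICAL, a bulk insert of leads is ignored entirely, and a 5,000-record query on a custom object stays quiet; a small query on a sensitive object still alerts at HIGH because the object, not the volume, is the signal in the Drift activity.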

Gainsight

On November 20th, 2025, Gainsight was disabled by Salesforce due to the application being compromised. The affected assets are: 

Community - online space for Gainsight customers to connect, exchange ideas, and access resources

Northpass - Customer education platform acquired by Gainsight 

Skilljar - Learning Management System acquired by Gainsight

Staircase - Artificial Intelligence tool for Customer Intelligence acquired by Gainsight

During this time, Salesforce identified API calls using the Gainsight Connected App coming from non-whitelisted IPs. A hacking group by the name of Scattered Lapsus$ Hunters (a.k.a. Scattered Spider, LAPSUS$, ShinyHunters) claimed responsibility for this breach in a Telegram channel. The group stated that they were able to exploit Gainsight because of their earlier breach of Salesloft Drift. The adversaries used OAuth tokens within the Gainsight connected application to make unauthorized API calls to the Salesforce platform. In response, Salesforce temporarily disabled the Gainsight application and revoked all active access and refresh tokens.

Shiny Hunters

ShinyHunters has carried out numerous attacks over the years and aims to build a data leak site from the information it exfiltrates. The group extorts victims through vishing, instructing them to pay in bitcoin within 72 hours.

In the summer 2025 Salesforce breaches by ShinyHunters, the intrusion began with a vishing call instructing users to approve a version of the Data Loader application whose name and branding differ from the legitimate one.

Once the threat actor gained access, they exfiltrated data and used the stolen credentials to move laterally through victims' networks across various platforms (e.g. Microsoft, Okta). The actors also used Mullvad VPN IP addresses for data exfiltration and requested user authentication and MFA codes during the vishing calls.

For context, Data Loader is an application developed by Salesforce for importing, exporting, and updating large data volumes within the Salesforce platform. It supports OAuth and direct app integration. Threat actors goaded victims into entering a connection code on the Salesforce connect setup page, which links the threat actor's Data Loader to the victim's environment. The actors evaded detection by extracting only a small amount of data (e.g. Account, Case, User records) at a time and by renaming the Data Loader application to "My Ticket Portal".

“Gainsight was a customer of Salesloft Drift; they were affected and therefore compromised entirely by us,” a spokesperson for the ShinyHunters group told TechCrunch.

T1621 Multi-Factor Authentication Request Generation

The SLSH group weaponized MFA flows by generating MFA prompts and tricking targets into approving them. They used this methodology in combination with vishing and prompts to authorize connected apps or to complete OAuth consent screens.

T1657 Financial Theft

SLSH hosted an extortion portal on the Tor network, publishing leaks and exfiltrated customer data. The portal listed affected Salesforce customers along with the amount of data the group claimed to have stolen, as a means of pressuring victims into paying.

Partial content of their site can be found below:

Scattered LAPSUS$ Hunters
Salesforce, Inc.
989.45m/~1B+ records
Contact us to negociate this ransom or all your customers data will be leaked.
If we come to a resolution all indiviual extortions against your customers will be withdrawn from.
Nobody else will have to pay us, if you pay, Salesforce, Inc.
Salesforce, Inc. deadline: 10-10-2025 | Status: Negociation required
For: Salesforce customers
<REDACTED-COMPANY-NAME>
DATA-THEFT
Breach Date: 01-05-2025
Data Volume: 64GB
Deadline: 10-10-2025
Countries Data Incl.: INTERNATIONAL
Revenue: $326.24b+
Status: Active
<REDACTED-COMPANY-NAME>
DATA-THEFT
Breach Date: 31-08-2025
Data Volume: 1.1TB
Deadline: 10-10-2025
Countries Data Incl.: INTERNATIONAL
Revenue: €89b+
Status: Active
<REDACTED-COMPANY-NAME>
DATA-THEFT
Breach Date: 01-05-2025
Data Volume: 36GB
Deadline: 10-10-2025
Countries Data Incl.: INTERNATIONAL
Revenue: $94.53b+
Status: Active

Investigation

This attack combined social engineering with generated MFA prompts, OAuth requests, and unofficial app integrations. Third-party integration monitoring is key to ensuring that only official applications are connected and that existing third-party integrations are not compromised. The following Panther detection monitors third-party Salesforce integrations:

def rule(event):
    # Alert on Connected App usage events
    # These track OAuth authorizations and third-party integrations
    return event.get("EVENT_TYPE") in [
        "ConnectedAppUsageEventStore",
        "ApiConnectedApp",
    ]

This Panther detection monitors new or unauthorized third-party application connections, integrations accessing excessive data, and unusual integration access patterns and permission changes. The detection takes into consideration API Request log activity from integrations, changes to Connected Apps via the Audit Trail, OAuth token activity, and logs of applications accessing the organization.

Below you can find an example log of anomalous Third Party Integration activities. 

  EVENT_TYPE: ConnectedAppUsageEventStore
  TIMESTAMP: "2024-01-27 14:45:15.456"
  TIMESTAMP_DERIVED: "2024-01-27 14:45:15.456"
  EVENT_DATE: "2024-01-27"
  ORGANIZATION_ID: 00D5f000005uVo7
  USER_ID: 0055f00000OzQZB
  USER_ID_DERIVED: 0055f00000OzQZBEEF
  USER_NAME: developer@company.com
  USER_TYPE: Standard
  SOURCE_IP: 10.20.30.40
  REQUEST_ID: 6EwPBA5PmAA0GAT-zZYhU-
  CONNECTED_APP_ID: 0H05f000000XzBoCCL
  CONNECTED_APP_NAME: Test-Integration-App  # ⚠️ Suspicious name (contains "Test")
  CONNECTION_TYPE: oauth_api_call
  API_VERSION: "59.0"
  OAUTH_SCOPES: "api full"  # ⚠️ FULL access!
  p_event_time: "2024-01-27 14:45:15.456"
  p_log_type: Salesforce.ConnectedAppUsageEventStore
  p_any_ip_addresses: [10.20.30.40]
  p_any_usernames: [developer@company.com]

This ConnectedAppUsageEventStore event provides the CONNECTED_APP_NAME and the OAUTH_SCOPES. This is especially useful for noting high permissions granted to an external app, as well as the application's name. The remaining alert context helps the investigation, as it includes the source IP address, the username responsible for the activity, and a timestamp.

  EVENT_TYPE: ApiConnectedApp
  TIMESTAMP: "2024-01-28 03:15:45.123"
  TIMESTAMP_DERIVED: "2024-01-28 03:15:45.123"
  EVENT_DATE: "2024-01-28"
  ORGANIZATION_ID: 00D5f000005uVo7
  USER_ID: 0055f00000PzRAC
  USER_ID_DERIVED: 0055f00000PzRACFFG
  USER_NAME: compromised.user@company.com
  USER_TYPE: Standard
  SOURCE_IP: 185.220.101.45  # ⚠️ Suspicious IP (Tor exit node)
  REQUEST_ID: 9ZaSGE8ShEE3NCY-DDZmZ-
  CONNECTED_APP_ID: 0H05f000000XzUnknown
  CONNECTED_APP_NAME: UnknownThirdPartyApp  # ⚠️ Contains "Unknown"
  CONNECTION_TYPE: oauth_api_call
  API_VERSION: "59.0"
  OAUTH_SCOPES: "api full refresh_token"  # ⚠️ FULL access + refresh token
  API_TOTAL_COUNT: 25000  # ⚠️ Excessive API calls in short period
  p_event_time: "2024-01-28 03:15:45.123"
  p_log_type: Salesforce.ApiConnectedApp
  p_any_ip_addresses: [185.220.101.45]
  p_any_usernames: [compromised.user@company.com]

Another sample event from the third-party integration monitoring detection is the ApiConnectedApp event. This event makes a note of the external app connected and its name under the CONNECTED_APP_NAME field. The OAUTH_SCOPES field notes the scopes that were granted to the connected app. This can provide context on the app permissions and bring our attention to high permissions granted. The API_TOTAL_COUNT field gives us the number of API calls which is imperative for determining excessive API calls within a short period of time.

During this attack, ShinyHunters made a number of API calls from non-whitelisted IPs. Monitoring the IP addresses associated with suspicious API call events is crucial to the safety of your organization.
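The passthrough rule above alerts on every connected-app event; the two sample logs and the paragraphs that follow them explain what an analyst actually looks at: an app name that is not on the approved list, over-broad OAUTH_SCOPES, a high API_TOTAL_COUNT, and a source IP outside the organisation's allowlist (the non-whitelisted IPs Salesforce saw in the Gainsight incident). The following is an added example, not Panther's own rule code, that encodes those four checks in a Panther-style rule and grades the alert by how many of them trip. The approved app names, the allowlisted network, the call threshold and the sample events are assumptions.

```python
# Added example (not Panther's own rule code): a Panther-style rule for the
# ConnectedAppUsageEventStore / ApiConnectedApp events shown above, with four
# concrete checks instead of a passthrough. APPROVED_APPS, ALLOWED_NETWORKS and
# API_CALL_THRESHOLD are assumptions to replace with the org's real values.
import ipaddress

APPROVED_APPS = {"Corp-Data-Sync", "Marketing-Connector"}      # assumed allowlist
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]         # assumed corporate range
HIGH_RISK_SCOPES = {"full", "refresh_token", "offline_access"}  # broad or durable access
API_CALL_THRESHOLD = 10_000                                     # assumed per-event ceiling
MONITORED_EVENTS = {"ConnectedAppUsageEventStore", "ApiConnectedApp"}


def _ip_allowlisted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address counts as outside the allowlist
    return any(addr in net for net in ALLOWED_NETWORKS)


def findings(event):
    """Return the reasons this event is suspicious (empty list = benign)."""
    reasons = []
    app = event.get("CONNECTED_APP_NAME") or "<unnamed>"
    if app not in APPROVED_APPS:
        reasons.append(f"connected app '{app}' is not on the approved list")
    scopes = set(str(event.get("OAUTH_SCOPES") or "").lower().split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk OAuth scopes granted: " + ", ".join(risky))
    ip = event.get("SOURCE_IP")
    if ip and not _ip_allowlisted(ip):
        reasons.append(f"source IP {ip} is outside the allowlisted networks")
    try:
        calls = int(event.get("API_TOTAL_COUNT") or 0)
    except (TypeError, ValueError):
        calls = 0
    if calls >= API_CALL_THRESHOLD:
        reasons.append(f"{calls} API calls in one reporting window")
    return reasons


def rule(event):
    if event.get("EVENT_TYPE") not in MONITORED_EVENTS:
        return False
    return bool(findings(event))


def severity(event):
    n = len(findings(event))
    if n >= 3:
        return "CRITICAL"
    return "HIGH" if n == 2 else "MEDIUM"


def title(event):
    return (f"Salesforce connected app '{event.get('CONNECTED_APP_NAME')}' used by "
            f"{event.get('USER_NAME')} from {event.get('SOURCE_IP')}: "
            + "; ".join(findings(event)))


def alert_context(event):
    keys = ("CONNECTED_APP_ID", "CONNECTED_APP_NAME", "OAUTH_SCOPES",
            "API_TOTAL_COUNT", "USER_NAME", "SOURCE_IP", "TIMESTAMP")
    ctx = {k: event.get(k) for k in keys}
    ctx["findings"] = findings(event)
    return ctx


# Constructed sample events: the two logs above plus a benign approved app
TEST_APP = {
    "EVENT_TYPE": "ConnectedAppUsageEventStore", "USER_NAME": "developer@company.com",
    "SOURCE_IP": "10.20.30.40", "CONNECTED_APP_NAME": "Test-Integration-App",
    "OAUTH_SCOPES": "api full",
}
UNKNOWN_APP = {
    "EVENT_TYPE": "ApiConnectedApp", "USER_NAME": "compromised.user@company.com",
    "SOURCE_IP": "185.220.101.45", "CONNECTED_APP_NAME": "UnknownThirdPartyApp",
    "OAUTH_SCOPES": "api full refresh_token", "API_TOTAL_COUNT": 25000,
}
APPROVED = {
    "EVENT_TYPE": "ApiConnectedApp", "USER_NAME": "svc.sync@company.com",
    "SOURCE_IP": "10.1.2.3", "CONNECTED_APP_NAME": "Corp-Data-Sync",
    "OAUTH_SCOPES": "api", "API_TOTAL_COUNT": 120,
}

if __name__ == "__main__":
    for ev in (TEST_APP, UNKNOWN_APP, APPROVED):
        print(rule(ev), severity(ev) if rule(ev) else "-", title(ev))
```

The internal developer's test app trips two checks (unapproved name, `full` scope) and lands at HIGH; the unknown app from the Tor exit node trips all four and is CRITICAL; the approved sync app with the `api` scope from the corporate range produces no alert. Keeping the reasons in `alert_context` means the analyst sees why the event fired without re-reading the raw scopes.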

Attack Overview

Aspect: Initial Compromise
  Salesloft Drift Breach: A GitHub account compromise (March - June 2025) led to the theft of Salesforce OAuth tokens and API keys.
  Gainsight Breach: Attackers used tokens stolen in the Salesloft Drift breach to compromise Gainsight's Salesforce connected applications.

Aspect: Attack Vector
  Salesloft Drift Breach: OAuth token theft and misuse; attackers used legitimate (Drift) tokens to access Salesforce customer instances.
  Gainsight Breach: Third-party Gainsight apps were "trusted", which provided access to customer Salesforce organizations.

Aspect: Timeline of Active Exploitation
  Salesloft Drift Breach: Automated data extraction from several customer environments, August 8 - 18, 2025.
  Gainsight Breach: Mid to late November 2025 (Salesforce alert around November 20).

Aspect: Scope of Impacted Systems / Orgs
  Salesloft Drift Breach: 700+ organizations were cited, including large enterprises and tech companies.
  Gainsight Breach: Approximately 200+ Salesforce customer instances were confirmed.

Aspect: Data Accessed / Exfiltrated
  Salesloft Drift Breach: CRM data: accounts, contacts, support cases, opportunities, user data, and API keys.
  Gainsight Breach: Business contacts and Salesforce case data/metadata; CRM-layer data accessible via the Gainsight integrations.

Aspect: Detection & Containment
  Salesloft Drift Breach: Salesforce and Salesloft revoked tokens on August 20th, removed the app and disabled integrations, and engaged third-party forensic investigations.
  Gainsight Breach: Salesforce revoked Gainsight tokens and removed the apps from AppExchange.

Aspect: Root Cause
  Salesloft Drift Breach: Overly permissive OAuth scopes and insufficient protection of OAuth tokens.
  Gainsight Breach: Supply chain risk attributed to the Gainsight app integration compromise.

Best Practices

Knowing what logs you have available goes a long way in acknowledging where to look. Salesforce has an event monitoring system that provides log sources including Real Time Event Monitoring (RTEM).

Log Source | Description
Real Time Event Monitoring (RTEM) | For active security monitoring; this data is retained for up to 6 months. Unusual activity is alerted on by the Salesforce Threat Detection Events feature.

In terms of forensic investigations, Panther provides you with the ability to detect anomalous patterns, review user permissions, check user activities across log sources, and more. 

Tips for Investigation and Best Practices

  • Frequent Credential Rotation

  • Review Third Party Integrations

  • Review Salesforce Event Monitoring Logs for Suspicious Activity

  • Review Authentication Activity

  • Search Salesforce Objects for Potential Secrets

  • Use TruffleHog to find exposed or hard coded credentials and secrets

  • Analyze API calls, Exports, and File Downloads

  • Review User Permissions with “Who Sees What” Explorer

  • Track User Activities Across Various Log Sources

As a best practice, rotate credentials frequently: frequent rotation limits how long a compromised credential remains usable. Alongside this, use tools such as TruffleHog to monitor your environment for exposed or hard-coded credentials and secrets, since exposed secrets are the primary way malicious actors carry out multi-chain attacks, as seen in the recent Salesforce integration breaches. As the Salesloft Drift and Gainsight incidents showed, third-party integration monitoring is imperative for your organization's overall security posture; regular audits of external integrations, combined with Panther detections, make your organization aware of unauthorized connections. Regular log auditing is equally vital for scoping activity including, but not limited to, authentication activity, access logs, and data exfiltration; Panther's passthrough rules for bulk data exfiltration surface potentially malicious exfiltration for your examination. Ultimately, regular audits, relevant detections, credential rotation, and regular log monitoring together protect your organization's data in Salesforce and its integrations.
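Two of the tips above, searching Salesforce objects for potential secrets and using TruffleHog, target the same weakness the Drift actors exploited: credentials pasted into Case objects. The following is an added example, not from the post and not TruffleHog itself, of a first-pass scan over exported Case records that reports where a secret sits (case id, field, kind) without re-exposing it in the report. The patterns cover a few common credential shapes; the record set and the `Comments` field standing in for CaseComment bodies are constructed. TruffleHog has far more detectors and verifies live credentials, so this complements rather than replaces it.

```python
# Added example (not from the post or from TruffleHog): scan exported Salesforce
# Case records for embedded secrets and report redacted findings. SAMPLE_CASES
# and the "Comments" field are constructed; Subject/Description are standard
# Case fields.
import re

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # "password=...", "api_key: ...", "token=..." style assignments in free text
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|access[_-]?token|token)"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
SCANNED_FIELDS = ("Subject", "Description", "Comments")


def redact(value):
    """Keep enough of the hit to recognise it without re-exposing the secret."""
    return value[:4] + "*" * max(0, min(len(value) - 4, 12))


def scan_record(record):
    hits = []
    for field in SCANNED_FIELDS:
        text = record.get(field) or ""
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                # assignment patterns capture the value; the rest match the whole token
                secret = match.group(1) if match.groups() else match.group(0)
                hits.append({"case_id": record.get("Id"), "field": field,
                             "kind": kind, "sample": redact(secret)})
    return hits


def scan_cases(records):
    findings = []
    for record in records:
        findings.extend(scan_record(record))
    return findings


SAMPLE_CASES = [  # constructed records; the AWS key is Amazon's documented example key
    {"Id": "5005f00000AAAAA1", "Subject": "Deploy pipeline failing",
     "Description": "Runner env dump: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE region=us-east-1",
     "Comments": "Escalated to platform team."},
    {"Id": "5005f00000AAAAA2", "Subject": "Cannot log in to portal",
     "Description": "User locked out after password reset.",
     "Comments": "Customer shared password=Sup3rS3cret!2024 over chat; asked them to rotate."},
    {"Id": "5005f00000AAAAA3", "Subject": "Token expired",
     "Description": "Session token expired during checkout; no credentials included.",
     "Comments": ""},
]

if __name__ == "__main__":
    for hit in scan_cases(SAMPLE_CASES):
        print(f"{hit['case_id']} {hit['field']:<12} {hit['kind']:<22} {hit['sample']}")
```

The scan reports the AWS key in the first case's Description and the pasted password in the second case's Comments, and stays silent on the third case, where "token" and "password" appear only as ordinary words. Findings are redacted at the source so the report itself does not become another place the secret lives.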

Conclusion

The Salesloft Drift and Gainsight breaches targeted a large number of victims and compromised a wide array of sensitive data. These integrations point to a bigger issue: how supply chain attacks can lead to massive data leaks and system compromise. Several notable companies were hit by this breach, including but not limited to Cloudflare, Palo Alto Networks, and Proofpoint. The Salesloft Drift breach alone affected 700+ organizations, while the Gainsight breach affected 200+ Salesforce customer instances. Not only did these breaches leak CRM data, access keys, and Case objects, but the leaked credentials were also reused to access other instances. This is exactly how ShinyHunters chained the Salesloft Drift attack into the Gainsight attack. It was possible because some Salesforce Case objects contain sensitive information such as support logs, configuration details, license information, and even embedded secrets.

These breaches harm organizations through the potential for further exploitation, as the chain from Salesloft Drift to Gainsight has already shown. They also cause operational disruption when integrations are suddenly revoked and deactivated. Incidents such as these show that organizations must gauge the supply chain risk that stems from third-party integrations. While the exact impact of this incident is still under investigation, it clearly underlines the need for effective detections.

Appendix

IOCs

Campaign | IOC Type | Value | Description
Salesloft Drift | Malicious User-Agent string | Salesforce-Multi-Org-Fetcher/1.0 |
Salesloft Drift | Malicious User-Agent string | Salesforce-CLI/1.0 |
Salesloft Drift | User-Agent string | python-requests/2.32.4 |
Salesloft Drift | User-Agent string | Python/3.11 aiohttp/3.12.15 |
Salesloft Drift | DigitalOcean | 208.68.36.90 |
Salesloft Drift | Amazon Web Services | 44.215.108.109 |
Salesloft Drift | Tor exit node | 154.41.95.2 |
Salesloft Drift | Tor exit node | 176.65.149.100 |
Salesloft Drift | Tor exit node | 179.43.159.198 |
Salesloft Drift | Tor exit node | 185.130.47.58 |
Salesloft Drift | Tor exit node | 185.207.107.130 |
Salesloft Drift | Tor exit node | 185.220.101.133 |
Salesloft Drift | Tor exit node | 185.220.101.143 |
Salesloft Drift | Tor exit node | 185.220.101.164 |
Salesloft Drift | Tor exit node | 185.220.101.167 |
Salesloft Drift | Tor exit node | 185.220.101.169 |
Salesloft Drift | Tor exit node | 185.220.101.180 |
Salesloft Drift | Tor exit node | 185.220.101.185 |
Salesloft Drift | Tor exit node | 185.220.101.33 |
Salesloft Drift | Tor exit node | 192.42.116.179 |
Salesloft Drift | Tor exit node | 192.42.116.20 |
Salesloft Drift | Tor exit node | 194.15.36.117 |
Salesloft Drift | Tor exit node | 195.47.238.178 |
Salesloft Drift | Tor exit node | 195.47.238.83 |
Gainsight | IP Address | 104.3.11.1 | AT&T IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 198.54.135.148 | Mullvad VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 198.54.135.197 | Mullvad VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 198.54.135.205 | Mullvad VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 146.70.171.216 | Mullvad VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 169.150.203.245 | Surfshark VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 172.113.237.48 | NSocks VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 45.149.173.227 | Surfshark VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 135.134.96.76 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 65.195.111.21 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 65.195.105.81 | Nexx VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 65.195.105.153 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 45.66.35.35 | Tor VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 146.70.174.69 | Proton VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 82.163.174.83 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access.
Gainsight | IP Address | 3.239.45.43 | AWS IP; reconnaissance against customers with compromised Gainsight access token.
Gainsight | User Agent | python-requests/2.28.1 | Not an expected user agent string used by the Gainsight connected app; use in conjunction with the other IOCs shared.
Gainsight | User Agent | python-requests/2.32.3 | Not an expected user agent string used by the Gainsight connected app; use in conjunction with the other IOCs shared.
Gainsight | User Agent | python/3.11 aiohttp/3.13.1 | Not an expected user agent string used by the Gainsight connected app; use in conjunction with the other IOCs shared.
Gainsight | User Agent | Salesforce-Multi-Org-Fetcher/1.0 | Leveraged by the threat actor for unauthorized access; also observed in Salesloft Drift activity.

Salesloft Drift Attack Sequence

Date/Time (UTC) | Event Description
2025-08-09 11:51:13 | GRUB1 observed leveraging TruffleHog and attempting to verify a token against a Cloudflare customer tenant: client/v4/user/tokens/verify, and received a 404 error from 44[.]215[.]108[.]109
2025-08-12 22:14:08 | GRUB1 logged into Cloudflare's Salesforce tenant from 44[.]215[.]108[.]109
2025-08-12 22:14:09 | GRUB1 sent a GET request for a list of objects in Cloudflare's Salesforce tenant: /services/data/v58.0/sobjects/
2025-08-13 19:33:02 | GRUB1 logged into Cloudflare's Salesforce tenant from 44[.]215[.]108[.]109
2025-08-13 19:33:03 | GRUB1 sent a GET request for a list of objects in Cloudflare's Salesforce tenant: /services/data/v58.0/sobjects/
2025-08-13 19:33:07 and 19:33:09 | GRUB1 sent a GET request for metadata on the Case object in Cloudflare's Salesforce tenant: /services/data/v58.0/sobjects/Case/describe/
2025-08-13 19:33:11 | GRUB1 first observed executing a Salesforce query: a broad query against the Case object from 44[.]215[.]108[.]109. This produced one of the earliest and larger data responses, consistent with reconnaissance via bulk record retrieval
2025-08-14 00:17:40 | GRUB1 lists available objects and counts the "Account", "Contact" and "User" objects.
2025-08-14 00:17:47 | GRUB1 queried the Account table in Cloudflare's Salesforce tenant: "SELECT COUNT() FROM Account"
2025-08-14 00:17:51 | GRUB1 queried the Contact table in Cloudflare's Salesforce tenant: "SELECT COUNT() FROM Contact"
2025-08-14 00:18:00 | GRUB1 queried the User table in Cloudflare's Salesforce tenant: "SELECT COUNT() FROM User"
2025-08-14 04:34:39 | GRUB1 queried "CaseTeamMemberHistory" in Cloudflare's Salesforce tenant: "SELECT Id, IsDeleted, Name, CreatedDate, CreatedById, LastModifiedDate, LastModifiedById, SystemModstamp, LastViewedDate, LastReferencedDate, Case__c FROM CaseTeamMemberHistory__c LIMIT 5000"
2025-08-14 11:09:14 | GRUB1 queried the Organization table in Cloudflare's Salesforce tenant: "SELECT Id, Name, OrganizationType, InstanceName, IsSandbox FROM Organization LIMIT 1"
2025-08-14 11:09:21 | GRUB1 queried the User table in Cloudflare's Salesforce tenant: "SELECT Id, Username, Email, FirstName, LastName, Name, Title, CompanyName, Department, Division, Phone, MobilePhone, IsActive, LastLoginDate, CreatedDate, LastModifiedDate, TimeZoneSidKey, LocaleSidKey, LanguageLocaleKey, EmailEncodingKey FROM User WHERE IsActive = :x ORDER BY LastLoginDate DESC NULLS LAST LIMIT 20"
2025-08-14 11:09:22 | GRUB1 sent a GET request for LimitSnapshot in Cloudflare's Salesforce tenant: /services/data/v58.0/limits/
2025-08-16 19:26:37 | GRUB1 logged into Cloudflare's Salesforce tenant from 44[.]215[.]108[.]109
2025-08-16 19:28:08 | GRUB1 queried the Case table in Cloudflare's Salesforce tenant: SELECT COUNT() FROM Case
2025-08-17 11:11:23 | GRUB1 logged into Cloudflare's Salesforce tenant from 208[.]68[.]36[.]90
2025-08-17 11:11:55 | GRUB1 queried the Case table in Cloudflare's Salesforce tenant: SELECT COUNT() FROM Case
2025-08-17 11:11:56 to 11:15:18 | GRUB1 leveraged Salesforce Bulk API 2.0 from 208[.]68[.]36[.]90 to execute a job to exfiltrate the Case object
2025-08-17 11:15:42 | GRUB1 leveraged Salesforce Bulk API 2.0 from 208[.]68[.]36[.]90 to delete the recently executed job used to exfiltrate the Case object
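
The 00:17 sequence in the timeline above (list /sobjects/, then COUNT() the Account, Contact and User tables within twenty seconds) is the reconnaissance step that precedes the bulk export, and it is detectable on its own. The following is an added example, not from the post and not from Cloudflare's report, of detection logic that looks, per user and source IP, for a burst of `SELECT COUNT() FROM <object>` probes against several distinct objects inside a short window and notes whether an object listing preceded it. The event schema (URI and SOQL fields), the window, the object threshold, the username and the sample events are constructed; the real Salesforce API event log field names vary by event type.

```python
# Added example (not from the post or from Cloudflare's report): turn the
# object-enumeration pattern in the timeline into a windowed detection.
# The event schema (TIMESTAMP, USER_NAME, SOURCE_IP, URI, SOQL) is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

COUNT_QUERY = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.IGNORECASE)
WINDOW = timedelta(minutes=10)   # assumed: how close the COUNT() probes must be
MIN_OBJECTS = 3                  # assumed: distinct objects counted before alerting
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def _parse_ts(value):
    return datetime.strptime(value, TS_FORMAT)


def detect_object_enumeration(events):
    """Return one finding per burst of COUNT() probes across MIN_OBJECTS objects."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: _parse_ts(e["TIMESTAMP"])):
        by_actor[(ev["USER_NAME"], ev["SOURCE_IP"])].append(ev)

    findings = []
    for (user, ip), evs in by_actor.items():
        listed_objects = False
        recent = []  # (timestamp, object) COUNT() probes still inside the window
        for ev in evs:
            ts = _parse_ts(ev["TIMESTAMP"])
            if (ev.get("URI") or "").rstrip("/").endswith("/sobjects"):
                listed_objects = True  # the object catalogue was pulled first
            match = COUNT_QUERY.match(ev.get("SOQL") or "")
            if not match:
                continue  # non-COUNT queries are not part of this pattern
            recent = [(t, o) for t, o in recent if ts - t <= WINDOW]
            recent.append((ts, match.group(1)))
            objects = sorted({o for _, o in recent})
            if len(objects) >= MIN_OBJECTS:
                findings.append({
                    "user": user, "source_ip": ip, "objects": objects,
                    "listed_objects_first": listed_objects,
                    "first_probe": recent[0][0].strftime(TS_FORMAT),
                    "last_probe": ts.strftime(TS_FORMAT),
                })
                recent = []  # one finding per burst
    return findings


# Constructed events mirroring the 2025-08-14 00:17 sequence in the timeline,
# plus a later non-COUNT query and an unrelated analyst COUNT() that must not alert
ACTOR = {"USER_NAME": "drift-integration@example.com", "SOURCE_IP": "44.215.108.109"}
SAMPLE_EVENTS = [
    {**ACTOR, "TIMESTAMP": "2025-08-14 00:17:40",
     "URI": "/services/data/v58.0/sobjects/", "SOQL": None},
    {**ACTOR, "TIMESTAMP": "2025-08-14 00:17:47",
     "URI": "/services/data/v58.0/query/", "SOQL": "SELECT COUNT() FROM Account"},
    {**ACTOR, "TIMESTAMP": "2025-08-14 00:17:51",
     "URI": "/services/data/v58.0/query/", "SOQL": "SELECT COUNT() FROM Contact"},
    {**ACTOR, "TIMESTAMP": "2025-08-14 00:18:00",
     "URI": "/services/data/v58.0/query/", "SOQL": "SELECT COUNT() FROM User"},
    {**ACTOR, "TIMESTAMP": "2025-08-14 04:34:39",
     "URI": "/services/data/v58.0/query/",
     "SOQL": "SELECT Id, Name FROM CaseTeamMemberHistory__c LIMIT 5000"},
    {"USER_NAME": "analyst@example.com", "SOURCE_IP": "10.4.5.6",
     "TIMESTAMP": "2025-08-14 09:30:12",
     "URI": "/services/data/v58.0/query/", "SOQL": "SELECT COUNT() FROM Case"},
]

if __name__ == "__main__":
    for finding in detect_object_enumeration(SAMPLE_EVENTS):
        print(finding)
```

On the sample events the detector produces a single finding for the integration user at 44.215.108.109 covering Account, Contact and User, flagged as preceded by an object listing; the analyst's lone COUNT() on Case and the actor's later field-level query do not trigger it. In Panther this logic fits a scheduled query over the API event table rather than a per-event rule, since it needs several events from the same actor.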

Panther Detections

Threat-573: OAuth Credential Abuse Detection

Threat-576: Bulk Data Exfiltration Detection

Threat-575: Third-Party Integration Monitoring

Threat-574: API Activity Anomaly Detection
