
SaaS Threats are Escalating: A Follow-Up to Our Recent Analysis


Last week, we shared research on two concurrent threat actors targeting SaaS applications at global enterprises: UNC6040 (ShinyHunters/Scattered Spider), who rely on credential attacks and OAuth phishing, and UNC6395, a suspected nation-state threat actor who is exploiting integration weaknesses to move laterally across SaaS and cloud environments.

In a fireside chat with experts Brian Soby, CTO of AppOmni and former Salesforce Director of Product Security, and Christie Terrill, CISO at Bishop Fox, details surfaced that highlight how these adversaries are finding success.

TL;DR

  • Campaigns expand beyond Salesforce into Google Workspace and Microsoft 365.
  • Attackers are abusing OAuth device code flow to phish tokens directly.
  • Salesforce administrators are being singled out through LinkedIn reconnaissance and voice phishing (vishing).

From Salesforce to Multi-SaaS Campaigns

Our earlier post noted that attackers were expanding their reach beyond Salesforce to ecosystems within Google Workspace and Microsoft 365. That view has since been confirmed in reporting via Security Boulevard. SaaS applications are interconnected by design, and adversaries are exploiting this by moving from a foothold in one platform into dozens more via integrations, tokens, and overly broad permissions.

The key message for defenders: SaaS compromise should be treated as a systemic risk.

Why Defending SaaS Is Different

Most organizations assume their SaaS provider handles the heavy lifting on security, but the reality is more nuanced. Vendors secure the underlying platform, infrastructure, and built-in controls. What they don’t manage is how customers configure their environments, grant permissions, or monitor for abuse. That responsibility falls squarely on the customer.

The challenge is that very few teams have full visibility into where secrets, tokens, and service accounts are stored inside their SaaS apps. When attackers compromise one of these, they inherit legitimate access that blends in with normal activity. Without clear ownership of those assets or mature monitoring in place, defenders struggle to determine the scope of an intrusion, let alone contain it quickly.

How These Campaigns Are Playing Out

Previously, we explained that attackers were using OAuth phishing and vishing campaigns to target SaaS users. In the fireside chat, we dug deeper into how those campaigns actually work in practice. Two details stood out:

  • OAuth device code flow abuse: A login method meant for IoT and CLI tools is being weaponized. Attackers trick victims into completing the flow, then intercept the token directly, sometimes bypassing MFA altogether.

    What makes this especially dangerous is that it produces a valid OAuth token, allowing attacker access to look legitimate in logs and making detection far more difficult. To mitigate, organizations should review which apps truly need device code flow, disable it where unnecessary, and closely monitor for unusual activity. Conditional access policies can further reduce risk by ensuring device code flows are only allowed from trusted devices, networks, or geographies, rather than being available universally.

  • Human targeting with precision: Salesforce administrators are now in the crosshairs. Adversaries are mining LinkedIn to identify high-value accounts and then calling admins directly, using social pressure to push them into granting access or approving actions.

    The critical issue is that administrators hold broad privileges, so a single successful phish can hand over control of the entire SaaS environment. Defenders can raise the bar by requiring phishing-resistant authentication (such as hardware tokens) for all admin accounts, treating every admin login as a privileged event worth monitoring, and training administrators on how to handle suspicious calls or requests.

Taken together, these specifics show how attackers are tightening both the technical and human sides of the same campaigns and where defenders can place security controls that actually move the needle.

You can watch the fireside chat now on-demand, or if you have any questions, reach out to your Bishop Fox representative or email [email protected].
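The two mitigations above (restricting device code flow to trusted networks, and treating admin sign-ins that lack phishing-resistant authentication as privileged events) can be expressed as simple triage rules over sign-in logs. The following is an added example written for this post, not code from Bishop Fox or AppOmni; the log schema, field names, role names, authentication method labels and sample records are all constructed for illustration and do not correspond to any vendor's real sign-in log format.

```python
"""Added example: triage a constructed SaaS sign-in log for two risky patterns.

  1. OAuth device code flow sign-ins from outside an allow-list of trusted
     networks (the conditional-access style restriction described above).
  2. Administrator sign-ins that did not use a phishing-resistant method,
     which defenders should review as privileged events.

Schema, field names and records are constructed for this example only.
"""
import ipaddress
import json

# Constructed sample records (not real log data). One JSON object per line.
SAMPLE_LOG = """
{"user": "admin@example.com", "roles": ["system_admin"], "grant_type": "device_code", "auth_method": "password+sms", "ip": "10.20.0.15"}
{"user": "admin@example.com", "roles": ["system_admin"], "grant_type": "authorization_code", "auth_method": "fido2", "ip": "10.20.0.22"}
{"user": "alice@example.com", "roles": ["user"], "grant_type": "device_code", "auth_method": "password+sms", "ip": "203.0.113.9"}
{"user": "bob@example.com", "roles": ["user"], "grant_type": "authorization_code", "auth_method": "password+totp", "ip": "198.51.100.4"}
{"user": "sfadmin@example.com", "roles": ["salesforce_admin"], "grant_type": "authorization_code", "auth_method": "password+sms", "ip": "10.20.0.31"}
"""

# Assumed policy inputs: corporate network ranges, admin roles, and the
# authentication methods the organisation considers phishing-resistant.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
ADMIN_ROLES = {"system_admin", "salesforce_admin"}
PHISHING_RESISTANT = {"fido2", "hardware_token", "passkey"}


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_trusted(ip):
    """True if the source address falls inside a trusted network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_device_code_outside_trusted(records):
    """Users who completed a device code flow from an untrusted network."""
    return [
        r["user"]
        for r in records
        if r["grant_type"] == "device_code" and not is_trusted(r["ip"])
    ]


def find_admin_weak_auth(records):
    """Admin sign-ins whose authentication method is not phishing-resistant."""
    return [
        r["user"]
        for r in records
        if ADMIN_ROLES & set(r["roles"]) and r["auth_method"] not in PHISHING_RESISTANT
    ]


def triage(text):
    """Run both rules and return the findings keyed by rule name."""
    records = parse_log(text)
    return {
        "device_code_untrusted_network": find_device_code_outside_trusted(records),
        "admin_without_phishing_resistant_mfa": find_admin_weak_auth(records),
    }


if __name__ == "__main__":
    for rule, users in triage(SAMPLE_LOG).items():
        print(f"{rule}: {users}")
```

Note that the first sample record is a device code sign-in by an administrator from a trusted range, so the network rule alone does not flag it; it is caught only because the admin used SMS rather than a hardware-backed method. That is the reason the post recommends layering the controls: a network restriction on device code flow and phishing-resistant MFA for admins cover different failure modes.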


About the author, Christie Terrill

Chief Information Security Officer

Christie Terrill is the Chief Information Security Officer (CISO) of Bishop Fox, with more than 20 years of experience in security and technology services. She oversees the company’s security strategy and program, and has played an integral part in developing the company’s operational strategy while simultaneously ensuring the greatest value for clients. A 15-year Bishop Fox veteran, Christie most recently drove the rigorous, multi-year process of completing certifications for Bishop Fox’s ISO/IEC 27001 Type 2 and SOC 2 Type 2 Security Trust Services Criteria. Having joined Bishop Fox as a consultant, she quickly ascended to partner and established the company's enterprise security consulting practice, as well as serving in the sales organization.
