[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-microsoft-upgrades-defender-after-shinyhunters-oauth-campaign":10,"sections":34},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":24,"tags":25,"sources":29,"feedback":33,"feedback_at":22,"cost_usd":33,"total_tokens":33},4698,"microsoft-upgrades-defender-after-shinyhunters-oauth-campaign","Microsoft Upgrades Defender After ShinyHunters OAuth Campaign","Microsoft is adding richer telemetry and OAuth governance to Defender for Cloud Apps after a year-long Salesforce attack hit up to 700 organizations.","A cybercrime group exploited trusted OAuth connections to raid hundreds of Salesforce environments — and Microsoft is now shipping new defenses in response.\n\nShinyHunters ran a two-phase campaign. First, operatives cold-called employees, impersonated IT support, and convinced them to authorize a fake Salesforce Data Loader app that handed over OAuth permissions. Because everything flowed through legitimate authentication and official APIs, the activity looked like normal user behavior. The group then shifted tactics, compromising third-party SaaS vendors — including integrations tied to Salesloft's Drift, Gainsight, and Klue — to steal OAuth tokens and reach hundreds of downstream customer environments without ever touching those customers directly. Google told reporters it was tracking more than 700 potentially affected organizations.\n\nMicrosoft's response focuses on two areas: better detection and investigation, and tighter governance over connected apps. Defender for Cloud Apps is getting near-real-time detection, richer API and OAuth telemetry, connected application attribution, and permission risk scoring with lifecycle management. Notably, Microsoft worked with Salesforce directly on the telemetry improvements. The company is explicit that no Salesforce vulnerability was involved — the attackers simply abused trust that was already there.\n\nThat last point deserves attention. OAuth abuse is not new, and the SaaS supply chain angle mirrors tactics seen in earlier campaigns against identity providers. When the attack surface is a permission model that works exactly as designed, detection is the only lever — which is precisely why Microsoft is pulling it now, roughly a year after the campaign began.","[\"security\",\"oauth\",\"salesforce\",\"microsoft\"]","2026-07-14T16:05:00.000Z","2026-07-14T16:52:38.418Z","2026-07-14T16:52:41.793Z","published",null,[],"security",[24,26,27,28],"oauth","salesforce","microsoft",[30],{"name":31,"url":32},"TechRadar","https:\u002F\u002Fwww.techradar.com\u002Fpro\u002Fsecurity\u002Fa-single-entry-point-can-rapidly-expand-to-greater-enterprise-impacts-microsoft-introduces-changes-to-tackle-shinyhunters",0,{"sections":35},[36,41,45,50,55,60,65,70,75,80,85,89,94,99],{"name":37,"slug":38,"count":39,"latest_published_at":40},"AI","ai",2583,"2026-07-15T21:33:20.000Z",{"name":42,"slug":24,"count":43,"latest_published_at":44},"Security",294,"2026-07-15T19:59:48.000Z",{"name":46,"slug":47,"count":48,"latest_published_at":49},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":51,"slug":52,"count":53,"latest_published_at":54},"Policy","policy",158,"2026-07-16T00:02:48.000Z",{"name":56,"slug":57,"count":58,"latest_published_at":59},"Hardware","hardware",122,"2026-07-14T19:46:26.000Z",{"name":61,"slug":62,"count":63,"latest_published_at":64},"Consumer Tech","consumer-tech",93,"2026-07-13T13:20:48.000Z",{"name":66,"slug":67,"count":68,"latest_published_at":69},"Software","software",70,"2026-07-13T19:52:25.000Z",{"name":71,"slug":72,"count":73,"latest_published_at":74},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":76,"slug":77,"count":78,"latest_published_at":79},"Dev Tools","dev-tools",59,"2026-07-07T04:00:00.000Z",{"name":81,"slug":82,"count":83,"latest_published_at":84},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":86,"slug":87,"count":83,"latest_published_at":88},"Startups","startups","2026-06-29T20:55:50.000Z",{"name":90,"slug":91,"count":92,"latest_published_at":93},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":95,"slug":96,"count":97,"latest_published_at":98},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":100,"slug":101,"count":102,"latest_published_at":103},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]