Mitigating OAuth and Vishing Threat Risk in Your Salesforce® Environment

Tom Hoffman, Seth Dickerson, Riley Koester
10/20/2025

Threat actors are getting creative, and insider manipulation is becoming the new front door. Organizations that depend on the Salesforce platform should take steps now to protect their environments.

Major organizations have recently suffered data breaches targeting their Salesforce environments. Unlike traditional, hands-on hacking, these incidents often relied on insider manipulation and social engineering to steal sensitive customer data. In September, the Federal Bureau of Investigation (FBI) issued an FBI Flash addressing this threat.

Since mid-2024, English-speaking threat groups like ShinyHunters and GRUB1 have led these attack campaigns. Their tactics include exploiting open authorization (OAuth) misconfigurations and over-permissioned users and using voice phishing (vishing) to infiltrate Salesforce environments and extract sensitive data.

The good news is that organizations can take proactive action to protect themselves. What follows is a breakdown of the threat actors’ tactics and practical steps organizations can take to harden their Salesforce environments against OAuth and excess-permission exploitation and vishing attacks.


Attack tactics at a glance

Here’s how attackers breached Salesforce environments in recent incidents:

  • Vishing attacks
    • Impersonated IT help desk staff over the phone
    • Tricked employees into revealing passwords or multifactor authentication codes
    • Coerced victims into connecting a malicious Salesforce data loader, which enabled a mass data exfiltration
  • Compromised OAuth tokens
    • Used stolen tokens to pull data directly from Salesforce application programming interfaces
    • Exploited excessive employee permissions to maximize access and data theft

These attacks affected millions of data records. In some instances, they could have been stopped or limited through regular security hygiene best practices.

To better understand how these attacks happened – and how organizations can mitigate risk – it’s helpful to dive into how each attack vector works.

OAuth

OAuth has become a standard for modern applications because it simplifies integration between identity providers and business systems. Employees benefit by using a single set of credentials, and IT and security teams can centrally manage access and maintain an inventory of connected applications.

Despite these advantages, OAuth’s complexity can lead to misconfigurations. Overly permissive setups tend to grant users more access than they need. In real-world incidents, attackers have exploited excessive OAuth permissions to bypass traditional authentication and approval steps. For example, allowing employees to connect tools without proper review, such as a malicious copy of the Salesforce data loader, opens the environment up to risk.

OAuth hardening should be treated like any other critical system hardening:

  • Formalize integration reviews. Require IT or security to validate each system before it’s connected via OAuth.
  • Audit regularly. Confirm that connected applications are still needed for business operations.
  • Enforce least privilege. Revisit permission structures to ensure users have only the minimum rights required. Create a dedicated integration-only user for each integration or application and grant it permissions only on the objects and fields that integration requires.
  • Control app integration. Define whether regular users can connect apps through OAuth and establish a review process to validate legitimacy.

By tightening controls and reducing unnecessary permissions, organizations can reap OAuth’s benefits without opening the door to abuse.
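The four hardening steps above translate directly into an audit that can be run over an inventory of OAuth grants. The script below is an added example, not Crowe’s or Salesforce’s code: it reads a constructed CSV (the column names are assumed for this example; a real org would export the connected-app usage data from Setup and map its columns accordingly) and flags every grant that is unreviewed, stale, carries the overly broad `full` scope, or shows a use count consistent with a bulk pull of records. The 90-day staleness window and the 1,000-use threshold are assumed policy values, not figures from the article.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export: one row per (connected app, user) OAuth grant.
# Column names are assumed for this example; map them to your own export.
SAMPLE_INVENTORY = """\
app_name,user,scopes,last_used,use_count,reviewed_by_security
Data Loader,alice@example.com,api refresh_token,2025-10-15,412,yes
Data Loader,mallory-tool@example.com,full refresh_token,2025-10-18,9000,no
Marketing Sync,svc-marketing@example.com,api,2025-09-30,88,yes
Old BI Connector,bob@example.com,full,2025-03-01,3,yes
Unknown Widget,carol@example.com,api web,2025-10-19,2,no
"""

REVIEW_DATE = date(2025, 10, 20)      # constructed "today" for the sample run
BROAD_SCOPES = {"full"}               # scope that grants everything the user can do
STALE_AFTER = timedelta(days=90)      # assumed policy: revoke grants unused this long
BULK_USE_THRESHOLD = 1000             # assumed: unusually high use count for one grant


def audit_inventory(csv_text, today):
    """Return [(app, user, [reasons])] for every grant that breaks a hardening rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        scopes = set(row["scopes"].split())
        last_used = date.fromisoformat(row["last_used"])
        use_count = int(row["use_count"])
        reasons = []
        # Formalize integration reviews: every connected app needs a sign-off.
        if row["reviewed_by_security"].strip().lower() != "yes":
            reasons.append("not reviewed")
        # Audit regularly: grants nobody has used recently are candidates for revocation.
        if today - last_used > STALE_AFTER:
            reasons.append("stale")
        # Enforce least privilege: the 'full' scope is never appropriate for a tool.
        if scopes & BROAD_SCOPES:
            reasons.append("broad scope")
        # A very high use count on one grant is what a mass data pull looks like here.
        if use_count >= BULK_USE_THRESHOLD:
            reasons.append("bulk use")
        if reasons:
            findings.append((row["app_name"], row["user"], reasons))
    return findings


def run_sample():
    """Run the audit over the constructed inventory with the constructed review date."""
    return audit_inventory(SAMPLE_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for app, user, reasons in run_sample():
        print(f"{app:18} {user:30} {', '.join(reasons)}")
```

The second Data Loader row is the pattern the article describes: an unreviewed grant with the broadest scope and a use count far above any legitimate interactive session. A grant with no findings needs no action; everything else goes to the integration owner for justification or revocation.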

Excess permissions

The Salesforce platform stores sensitive customer data and powers key business operations, but its flexibility often leads to users being granted excessive permissions. Employees are often given broad access rights to simplify onboarding or speed up business processes, or they accumulate those rights as technical debt builds up. Either way, the practice increases the risk of accidental data exposure and insider threats. Attackers who compromise an over-permissioned account gain far more access than they should, which puts sensitive records and business workflows at risk.

Performing regular access reviews and using a role-based access control (RBAC) framework are foundational components of critical system security and should be applied to Salesforce instances as well.

  • Permission reviews
    • Conduct regular, structured user access reviews of profiles, login settings, permission sets, and access policies
    • Align permissions with actual job responsibilities and validate them with the leaders responsible for each user role
    • Repeat reviews after role changes, promotions, or departures
  • Adopting RBAC
    • Craft process maps and conduct interviews to define personas and jobs to be done
    • Design the access structure around permission sets, not profiles, so that it aligns with the identified roles and tasks at the role level
    • Implement the RBAC design in the Salesforce environment and create a governance program for changes to roles and personas
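A persona-based access review can be expressed as a small, repeatable check rather than a spreadsheet exercise. The script below is an added example, not Crowe’s RBAC framework or Salesforce’s code: the personas, permission set names, profile name and user records are constructed, while `Modify All Data`, `View All Data` and `Manage Users` are the names of real Salesforce user permissions, used here as the high-risk grants an access review should surface. For each user it reports permission sets that fall outside the user’s persona, high-risk permissions reachable through any assigned set, a base profile that is not read-only, and personas that were never defined.

```python
# Real Salesforce user permissions that a review should always surface.
RISKY_PERMS = {"Modify All Data", "View All Data", "Manage Users"}
# Assumed name of the org's read-only base profile (constructed for this example).
READ_ONLY_PROFILES = {"Read Only"}

# Persona -> permission sets that persona is allowed to hold (constructed).
PERSONAS = {
    "Sales Rep": {"Sales_Base", "Sales_Opportunity_Edit", "Sales_Reports"},
    "Support Agent": {"Support_Base", "Support_Case_Edit", "Support_Knowledge"},
    "Integration": {"Integration_API_Only"},
}

# Permission set -> high-risk system permissions it grants (constructed).
# Sets not listed here grant none of the risky permissions.
PERMISSION_SET_PERMS = {
    "Support_Knowledge": {"View All Data"},   # a persona-approved set that quietly over-grants
    "Legacy_Admin_Everything": {"Modify All Data", "Manage Users"},
}

# Constructed user records as an access review would export them.
USERS = [
    {"name": "alice", "persona": "Sales Rep", "profile": "Read Only",
     "permission_sets": {"Sales_Base", "Sales_Opportunity_Edit"}},
    {"name": "bob", "persona": "Sales Rep", "profile": "Read Only",
     "permission_sets": {"Sales_Base", "Support_Case_Edit", "Legacy_Admin_Everything"}},
    {"name": "svc-etl", "persona": "Integration", "profile": "Read Only",
     "permission_sets": {"Integration_API_Only"}},
    {"name": "carol", "persona": "Support Agent", "profile": "System Administrator",
     "permission_sets": {"Support_Base"}},
    {"name": "dave", "persona": "Contractor", "profile": "Read Only",
     "permission_sets": {"Sales_Base"}},
    {"name": "ellen", "persona": "Support Agent", "profile": "Read Only",
     "permission_sets": {"Support_Base", "Support_Knowledge"}},
]


def review_user(user, personas=PERSONAS):
    """Return a dict of findings for one user; empty dict means the user is in policy."""
    findings = {}
    persona = user["persona"]
    # Governance: every user must map to a defined persona.
    if persona not in personas:
        findings["unknown_persona"] = persona
    allowed = personas.get(persona, set())
    # Drift: permission sets the persona does not justify.
    extra = user["permission_sets"] - allowed
    if extra:
        findings["outside_persona"] = sorted(extra)
    # Effective high-risk permissions reachable through any assigned set,
    # flagged even when the set itself is persona-approved.
    granted = set()
    for ps in user["permission_sets"]:
        granted |= PERMISSION_SET_PERMS.get(ps, set())
    risky = granted & RISKY_PERMS
    if risky:
        findings["high_risk_permissions"] = sorted(risky)
    # Design rule: access comes from permission sets, so the profile stays read-only.
    if user["profile"] not in READ_ONLY_PROFILES:
        findings["non_read_only_profile"] = user["profile"]
    return findings


def review_org(users):
    """Map user name -> findings for every user with at least one finding."""
    return {u["name"]: f for u in users if (f := review_user(u))}


if __name__ == "__main__":
    for name, findings in review_org(USERS).items():
        print(name, findings)
```

The `ellen` record is the case worth noting: her permission sets are exactly what the persona allows, yet one of them grants `View All Data`, so the persona definition itself needs revisiting. That is the kind of finding a review limited to "does this user hold the right sets" would miss.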

Crowe specialists use a unique RBAC model: a scalable permission framework specifically designed to address challenges within Salesforce instances. Building on a jobs-to-be-done design strategy, it follows a structured approach to permission sets (three per persona), uses read-only profiles, and provisions access through user access policies. This framework simplifies user permissioning for business reviewers and technical staff, allows for greater security, and offers speed and scale that legacy approaches lack.

Vishing

Vishing is a social engineering tactic attackers employ to impersonate trusted individuals or organizations via phone calls. Their goal is often to extract sensitive information, such as login credentials, or to pressure employees into taking immediate actions, like transferring funds or approving access.

Because these calls often sound convincing and exploit urgency, they can bypass technical defenses. In short, they rely on human error. Building awareness across the workforce is critical: Employees should be trained to slow down, question unexpected requests, and verify caller identities through trusted, independent channels.

Organizations can bolster defenses by incorporating vishing simulations and scenarios into their broader security awareness programs. This proactive step helps employees practice real-world responses and reinforces a culture of skepticism toward unsolicited calls. In addition, establishing clear escalation paths helps employees know where to report suspicious activity without fear of reprisal.

Salesforce platform security review

Crowe combines decades of leading risk, compliance, and cybersecurity experience with an experienced Salesforce team to deliver specialized Salesforce services in the marketplace.

Contact our team to schedule an initial 60-minute Salesforce security review to understand the best strategies to harden your Salesforce defenses.

Protect your Salesforce platform and strengthen your strategy

From permission sets to monitoring, Crowe Salesforce specialists can help you close security gaps and maximize return on investment. Connect with us to build a fortress, not a soft shell.

Tom Hoffman
Principal, Consulting