They didn’t phish the #password. They phished the OAuth grant.

ShinyHunters pivoted to #Salesforce at cloud scale: vishing → OAuth Device Flow → refresh_token persistence → bulk CRM exfil—often no fresh #MFA, no #malware beacons.

Our Threat Intel Lab reverse‑engineered the 2025 #playbook and published TTPs, IOCs, and detections.

1️⃣ Identity is the perimeter; trusted auth #UX is the new exploit surface.
2️⃣ #CRM fidelity (PII, loyalty IDs, HNW segments) supercharges extortion leverage.

If You Can Defend Now
1️⃣ SSO‑only + #phishing‑resistant MFA; kill SMS/voice fallbacks.
2️⃣ Govern #OAuth: pre‑approve apps, least‑privilege scopes, alert on new grants/scope elevation.
3️⃣ Monitor device flow use, refresh_token issuance, large #SOQL/#API exports, off‑geo access.

Full report: secureblink.com/threat-researc…

#ShinyHunters #Salesforce #OAuth #Vishing #CTI #SaaS #DFIR #ThreatResearch #SecureBlink
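Item 3️⃣ of the defensive list, as an added example that is not part of the post or the Secure Blink report: a small Python correlation over constructed, simplified events (the field names, the sample records and the per-user home-geo baseline are assumptions, not Salesforce's real event schema) that flags a user who, within a short window, receives a device-code OAuth grant, is issued a refresh token and runs a bulk export, with an extra indicator when the activity comes from outside their usual geo.

```python
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified schema (field names are
# illustrative only, not a real Salesforce event log format).
EVENTS = [
    {"ts": "2025-08-12T09:01:00", "user": "alice", "type": "oauth_grant",
     "flow": "device_code", "app": "bulk-export-tool", "geo": "DE"},
    {"ts": "2025-08-12T09:02:30", "user": "alice", "type": "token_issued",
     "grant_type": "refresh_token", "geo": "DE"},
    {"ts": "2025-08-12T09:10:00", "user": "alice", "type": "api_query",
     "rows": 250000, "geo": "DE"},
    {"ts": "2025-08-12T10:00:00", "user": "bob", "type": "api_query",
     "rows": 120, "geo": "US"},
]
HOME_GEO = {"alice": "US", "bob": "US"}  # assumed per-user baseline geo


def tag(ev, bulk_rows):
    """Map one event to the indicator it represents, or None if benign."""
    if ev["type"] == "oauth_grant" and ev.get("flow") == "device_code":
        return "device_flow_grant"
    if ev["type"] == "token_issued" and ev.get("grant_type") == "refresh_token":
        return "refresh_token_issued"
    if ev["type"] == "api_query" and ev.get("rows", 0) >= bulk_rows:
        return "bulk_export"
    return None


def correlate(events, home_geo, window=timedelta(hours=2), bulk_rows=50000, min_hits=2):
    """Accumulate indicators per user; the set is reset when an indicator lands
    more than `window` after the first one in the current run. Adds "off_geo"
    when the event geo differs from the user's baseline. Returns users with at
    least `min_hits` distinct indicators, each mapped to its sorted indicators."""
    per_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = tag(ev, bulk_rows)
        if hit is None:
            continue
        hits = {hit}
        if ev.get("geo") and ev["geo"] != home_geo.get(ev["user"]):
            hits.add("off_geo")
        ts = datetime.fromisoformat(ev["ts"])
        state = per_user.setdefault(ev["user"], {"start": ts, "hits": set()})
        if ts - state["start"] > window:  # previous run expired: start a new one
            state.update(start=ts, hits=set())
        state["hits"] |= hits
    return {u: sorted(s["hits"]) for u, s in per_user.items() if len(s["hits"]) >= min_hits}
```

Tune `bulk_rows` and `window` to the org's normal export sizes and session lengths; a single device-flow grant from an approved app is not an alert on its own, the combination is.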