Google Cloud Threat Intelligence recently reported a data theft campaign targeting Salesforce customers through compromised OAuth tokens. In this case, attackers stole Salesforce OAuth and refresh tokens from a third-party integration (Salesloft Drift) and used them to access and exfiltrate sensitive data including AWS access keys, passwords, and Snowflake tokens.
OAuth tokens are trusted by Salesforce and grant persistent access without the attacker needing a stolen password or having to bypass multi-factor authentication (MFA). This makes token abuse especially difficult to detect through traditional security controls.
What this means for potentially impacted organizations
If an attacker obtains OAuth tokens, they can access Salesforce data with the same privileges as a legitimate application or user. Because Salesforce trusts these tokens, malicious activity can occur without raising the typical alarms you would expect from account compromise. In this campaign, stolen Salesforce tokens were used to retrieve cloud credentials, which were then leveraged to target downstream services such as AWS and Snowflake.
What you can do now
Here are some steps you can take internally to help protect your organization:
Review Salesforce Connected App tokens and revoke any that are unused or overly broad in their permissions.
Enable Salesforce Event Monitoring to ensure logging of OAuth token activity, API calls, and data export operations. InsightIDR customers can set up Salesforce logs within IDR (instructions here) for user account and authentication monitoring. If you are utilizing Salesforce Threat Detection, there are instructions to set up ingestion for those here.
Consider rotating long-lived or high-privilege tokens to reduce the risk of persistence if they were compromised.
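As an added illustration of the three steps above (this is example code written for this page, not Rapid7's or Salesforce's own tooling), the following Python triage script runs over constructed records: a small Connected App token inventory and a handful of API event rows. The field names (app, scopes, last_used, CONNECTED_APP, ROWS, and so on) are assumptions standing in for whatever your token export and Event Monitoring data actually contain; they are not Salesforce's real schema. It flags tokens that are unused or carry broad or long-lived scopes, flags bulk exports by apps not on an allowlist, and scans record text for stored AWS access key IDs, since credentials sitting in Salesforce records are what this campaign went after.

```python
"""Triage helpers for Salesforce OAuth token review and export monitoring.
All data below is constructed for illustration; field names are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible offline.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
UNUSED_DAYS = 90                 # tokens idle longer than this are review candidates
BROAD_SCOPES = {"full"}          # scopes we treat as overly broad (assumption)
LONG_LIVED_SCOPE = "refresh_token"  # refresh tokens persist; rotate these first
ROWS_THRESHOLD = 10_000          # bulk export size that warrants a look (assumption)
KNOWN_EXPORT_APPS = {"Ticketing Sync"}  # apps expected to pull large record sets

# Constructed token inventory (not real data).
TOKENS = [
    {"app": "Drift", "user": "svc-marketing",
     "scopes": {"api", "refresh_token", "full"}, "last_used": NOW - timedelta(days=2)},
    {"app": "Old BI Tool", "user": "analyst1",
     "scopes": {"api"}, "last_used": NOW - timedelta(days=200)},
    {"app": "Ticketing Sync", "user": "svc-support",
     "scopes": {"api"}, "last_used": NOW - timedelta(days=5)},
]

# Constructed API event rows, loosely shaped like Event Monitoring output.
EVENTS = [
    {"EVENT_TYPE": "BulkApi", "CONNECTED_APP": "Drift", "USER": "svc-marketing",
     "CLIENT_IP": "203.0.113.7", "ENTITY": "Case", "ROWS": 250_000},
    {"EVENT_TYPE": "BulkApi", "CONNECTED_APP": "Ticketing Sync", "USER": "svc-support",
     "CLIENT_IP": "198.51.100.4", "ENTITY": "Case", "ROWS": 12_000},
    {"EVENT_TYPE": "API", "CONNECTED_APP": "Drift", "USER": "svc-marketing",
     "CLIENT_IP": "198.51.100.9", "ENTITY": "Contact", "ROWS": 40},
]

# Constructed Case records; the key below is AWS's documented example key ID.
CASES = [
    {"id": "CASE-0001", "description": "Customer pasted creds: AKIAIOSFODNN7EXAMPLE"},
    {"id": "CASE-0002", "description": "Login page times out after upgrade"},
]

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def tokens_needing_review(tokens, now=NOW):
    """Return (app, reasons) for tokens that are idle, broad, or long-lived."""
    findings = []
    for t in tokens:
        reasons = []
        if (now - t["last_used"]).days > UNUSED_DAYS:
            reasons.append("unused")
        if t["scopes"] & BROAD_SCOPES:
            reasons.append("broad-scope")
        if LONG_LIVED_SCOPE in t["scopes"]:
            reasons.append("long-lived")
        if reasons:
            findings.append((t["app"], reasons))
    return findings


def suspicious_exports(events, known_apps=KNOWN_EXPORT_APPS, threshold=ROWS_THRESHOLD):
    """Flag bulk API pulls above the threshold from apps not expected to export."""
    alerts = []
    for e in events:
        if e["EVENT_TYPE"] != "BulkApi":
            continue
        if e["ROWS"] >= threshold and e["CONNECTED_APP"] not in known_apps:
            alerts.append((e["CONNECTED_APP"], e["ENTITY"], e["ROWS"], e["CLIENT_IP"]))
    return alerts


def stored_aws_key_ids(cases):
    """Return record IDs whose free text contains an AWS access key ID pattern."""
    return [c["id"] for c in cases if AWS_KEY_ID.search(c["description"])]


if __name__ == "__main__":
    for app, why in tokens_needing_review(TOKENS):
        print(f"review token for {app}: {', '.join(why)}")
    for app, entity, rows, ip in suspicious_exports(EVENTS):
        print(f"bulk export of {rows} {entity} rows by {app} from {ip}")
    for case_id in stored_aws_key_ids(CASES):
        print(f"rotate the AWS key referenced in {case_id} and scrub the record")
```

The thresholds and allowlist are starting points to tune against your own baseline; the useful signal is a large pull of Case or Contact data by an integration that has never done that before, arriving from an address the integration does not normally use.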
How Rapid7 MDR is responding
Our global team is actively monitoring for this activity across MDR customer environments.
We are conducting a proactive hunt for indicators of compromise (IOCs) associated with this campaign. This helps us identify and investigate potential malicious token use.
For customers with AWS GuardDuty integrated into MDR, we are paying close attention to alerts that could indicate the use of compromised access keys. Examples include unusual API calls, access from unexpected regions, or data exfiltration activity.
Key takeaway
OAuth tokens should be treated as high-value credentials. If stolen, they allow attackers to operate with trusted access to your Salesforce environment and potentially downstream cloud services. Rapid7 MDR is actively hunting for indicators tied to this campaign and closely monitoring AWS GuardDuty alerts for signs of compromised access keys.