TL;DR: Recent attacks on LVMH companies, Adidas, Qantas and Allianz Life suggest a repeatable path into local environments through a third-party CRM platform, with social engineering used to enroll malicious tooling and reach connected systems such as Okta and Microsoft 365, according to Swarmnetics and Google Threat Intelligence Group. The pattern shows that delegated trust, not the CRM platform itself, is the weak point in many identity and access controls.
At a glance
What this is: The article argues that recent attacks attributed to ShinyHunters and Scattered Spider likely exploited CRM trust relationships, social engineering, and connected identity platforms rather than the CRM provider itself.
Why it matters: This matters to IAM, PAM, and NHI practitioners because third-party access paths, delegated trust, and connected identities can turn one compromised user journey into broad downstream exposure.
👉 Read Swarmnetics' analysis of the ShinyHunters and Scattered Spider attribution pattern
Context
Third-party CRM access often becomes an implicit trust channel, especially when employees can authorise connected tools or support workflows without strong step-up verification. In that situation, the problem is not just credential theft, but the way identity governance extends trust across systems that were never meant to share the same blast radius. For identity teams, this is a governance issue as much as a phishing issue.
The article’s central claim is that recent attacks on high-profile organisations may reflect a repeatable social engineering pattern that uses legitimate identity workflows to open the door, then pivots into adjacent SaaS and identity platforms. That makes the topic relevant to IAM, NHI, and human identity programmes because one compromised human interaction can cascade into machine-to-machine access and privileged application exposure.
Key questions
Q: How should security teams handle trust decisions in SaaS connected-app workflows?
A: Security teams should treat connected-app approval as a privileged control point, not a user convenience feature. Require step-up verification, restrict who can authorise integrations, log every new trust event, and review the downstream systems that inherit access. If an approval can open paths into identity platforms, it belongs in the same governance tier as admin access.
Q: Why do CRM and SaaS integrations increase lateral movement risk?
A: Because one approved connection can extend identity trust across multiple systems, including SSO, collaboration, and data platforms. The attacker does not need to steal every password if they can leverage a legitimate trust event to reach connected services. That is why integration inventory and token governance matter as much as endpoint security.
Q: What do organisations get wrong about social engineering defence?
A: They often treat it as an awareness problem instead of a workflow problem. Training helps, but the stronger fix is to redesign the identity path so that one mistaken approval, reset, or exception cannot complete a high-risk action.
Q: Who is accountable when a contractor or support path opens a SaaS breach?
A: Accountability should sit with the system owner, the identity team, and the third-party access owner together. Contractor access, support impersonation risk, and connected-app permissions are not separate problems when they combine into one access path. Frameworks such as NIST CSF and NIST SP 800-53 both expect clear access governance and review.
Technical breakdown
How malicious Data Loader enrolment bypasses trust boundaries
The reported attack path uses a trusted CRM feature as the entry point. An attacker persuades an employee with Salesforce access to connect a malicious version of Data Loader by supplying an eight-digit code, which the platform treats as a legitimate trust establishment. That is a classic abuse of delegated authorisation: the user is not handing over a password, but is still granting access to an attacker-controlled client. Once the connection exists, the attacker can operate inside the CRM boundary as if it were approved.
Practical implication: control which apps can be enrolled through CRM trust workflows and require stronger verification before granting a new connected client.
Why connected identity platforms expand lateral movement options
Once inside the CRM environment, the article says attackers can pivot into connected platforms such as Okta and Microsoft 365. The technical issue is not just access, but federation and integration density. When SaaS systems share identity signals, tokens, or admin pathways, a foothold in one application can become a route to others. That makes CRM compromise materially different from a simple account takeover, because the real risk is chained access across the identity stack rather than one isolated application session.
Practical implication: map downstream connections from business-critical SaaS platforms and treat them as part of the same access control boundary.
How social engineering supports data exfiltration without ransomware
Swarmnetics describes a stealthier pattern in which the attackers negotiate privately for ransom and do not deploy ransomware once inside. That changes the control problem. The objective is data theft, leverage, and quiet persistence rather than noisy disruption, so traditional malware-centric detection may miss the core abuse. The social engineering layer matters because it creates the initial approval signal, while the post-entry behaviour focuses on exfiltration through legitimate cloud and SaaS channels.
Practical implication: monitor for unusual consent, connected-app creation, and high-volume export activity rather than relying only on malware alerts.
Threat narrative
Attacker objective: The attacker seeks quiet access to customer and corporate data across connected SaaS environments, then uses that access to extort the victim privately.
- Entry occurs when an employee with CRM access is convinced to connect a malicious Data Loader instance through a trusted-code workflow.
- Credential or session abuse follows as the attacker operates inside the CRM boundary with legitimate-looking application trust and can reach adjacent identity services.
- Impact comes from lateral movement into connected platforms and data exfiltration, often with private ransom negotiation instead of visible ransomware deployment.
Breaches seen in the wild
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack — reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Delegated SaaS trust is now a primary identity governance risk. The article shows that a CRM workflow can become an approval channel for malicious tooling when users are tricked into authorising a connection. That is not a vendor-specific failure, it is a governance failure around who can create trust, how that trust is verified, and what downstream systems inherit the result. Practitioners should treat connected-app approval as a privileged action, not a routine user gesture.
CRM compromise should be analysed as identity-chain exposure, not just application abuse. The important detail is the pivot into Okta and Microsoft 365 after the CRM foothold. That shows why IAM teams need to map inter-application trust paths, because the blast radius comes from linked identities and tokens, not from the first application alone. The practitioner conclusion is to govern the chain, not only the source system.
Social engineering is being used to manufacture legitimate trust events. The attackers do not need to break cryptography if they can get a human to complete an approval flow that the platform already accepts. That makes English-language support impersonation, eight-digit code workflows, and contractor access review part of the same control story. Practitioners should assume approval workflows are adversary terrain.
Shadow delegation creates hidden exposure in NHI and human identity programmes. Where SaaS integrations and support tools are loosely governed, machine-to-machine access can expand quietly behind the scenes. This is where NHIs and human identities intersect: a human action creates a non-human trust relationship that then persists beyond the original session. The named concept here is delegated trust spillover, and it is now a core control gap for identity teams.
Private extortion models change the detection and response threshold. If attackers can exfiltrate data without ransomware noise, organisations cannot wait for destructive indicators before responding. Identity teams need a response model that treats unusual connected-app authorisation and cross-platform access as active compromise. The practitioner conclusion is to shorten the time between trust creation and trust review.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to the same research.
- The full State of Secrets in AppSec report adds budget, remediation, and AI exposure context for teams mapping this risk to programme priorities.
What this signals
Delegated trust spillover is the control gap identity teams need to track in SaaS-heavy environments. Once a user can authorise a connector or support path that extends into identity platforms, the risk moves from one account to an access chain that is harder to see and slower to unwind. That is why CRM, SSO, and collaboration governance now belong in the same access review conversation.
The operational signal is to watch for high-friction approval events, unusual connected-app growth, and contractors who can trigger broad trust changes. Identity teams should align those signals with platform logs and review them alongside the MITRE ATT&CK Enterprise Matrix for initial access and lateral movement patterns, because the compromise path is social engineering first and privilege expansion second.
For programmes with machine identity in scope, the lesson is broader than the CRM itself. When a human authorisation creates a persistent non-human connection, identity governance has to account for the lifecycle of that connection, not just the person who clicked approve. That is where NHI governance, SaaS access control, and offboarding discipline intersect.
For practitioners
- Harden connected-app approval workflows Require step-up verification for any new Data Loader, OAuth, or connected-app approval in CRM and adjacent SaaS platforms. Treat code-based authorisation as privileged access, and restrict who can authorise trusted integrations.
- Map downstream SaaS trust chains Inventory which identity platforms and collaboration tools inherit access from CRM systems, including Okta and Microsoft 365. Review token propagation, delegated admin rights, and support workflows so one foothold cannot silently extend into multiple systems.
- Train staff on support impersonation patterns Educate employees with CRM or admin access about fake IT support calls, malicious connector prompts, and urgent code-sharing requests. Focus training on the exact approval moment, because that is where the attacker wins the trust event.
- Review contractor and third-party access Reassess contractor identity, support desk privileges, and external access paths that can create approval opportunities in SaaS environments. Tighten offboarding, contract-end review, and access scoping so third parties do not become the easiest trust bridge.
Key takeaways
- The article points to a trust-chain problem, not a single-platform compromise.
- The strongest warning sign is the combination of social engineering, connected-app approval, and cross-platform pivoting.
- Identity teams should govern delegated trust events with the same rigour as admin access and secret issuance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0001 , Initial Access; TA0006 , Credential Access; TA0008 , Lateral Movement; TA0010 , Exfiltration | The article centers on social engineering, platform access, and cross-system pivoting. |
| NIST CSF 2.0 | PR.AC-4 | The issue is over-broad access and weak trust governance across connected applications. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is directly relevant to limiting what a compromised trust path can reach. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Delegated trust and exposed connected credentials create NHI-style governance risk across SaaS tools. |
Map the intrusion path to ATT&CK stages and prioritise detections for approval abuse and SaaS lateral movement.
Key terms
- Delegated Trust Spillover: A condition where one approved application or user action creates trust in additional systems beyond the original intent. In practice, this means a single consent event, connector approval, or support workflow can extend identity reach across SaaS platforms and expand the blast radius of compromise.
- Connected-App Approval: The process by which a user or administrator allows a third-party or internal application to integrate with a core platform such as CRM, SSO, or collaboration tools. If poorly governed, it becomes a privileged action that attackers can exploit through social engineering or malicious client enrolment.
- Identity Chain Visibility: Identity chain visibility is the ability to see the full path from initiating user to workload identity to the privileges used during execution. It matters in agentic systems because accountability depends on connecting human intent, machine action, and access context in one auditable trail.
What's in the full analysis
Swarmnetics' full analysis covers the operational detail this post intentionally leaves for the source:
- The article’s line-by-line attribution clues for why the attacks were initially misread as Scattered Spider activity
- The attack sequence around Salesforce CRM access, malicious Data Loader trust establishment, and the eight-digit code workflow
- The reasoning behind the hypothesis that ShinyHunters focused on exfiltration and private ransom negotiation rather than ransomware
- The context on how contractor posture and English-language support impersonation factor into the intrusion chain
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, agentic AI identity, machine identity security, IAM, and secrets management. It helps security practitioners align identity controls with real-world access patterns across human and non-human systems.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org