Salesforce connected app abuse: what IAM teams missed


(@unosecur)
Reputable Member
Joined: 1 year ago
Posts: 155
Topic starter  

TL;DR: Attackers used vishing to trick employees into authorising malicious connected apps or installing modified Data Loader tools, then stole Salesforce data and in some cases moved laterally into other cloud services, according to Unosecur. The real failure is shared responsibility without tight identity governance, because access granted by deception can outlive the moment of compromise.

NHIMG editorial — based on content published by Unosecur: Salesforce breach 2025 and the shared responsibility model

By the numbers:

Questions worth separating out

Q: How should security teams govern connected apps in SaaS environments?

A: Treat connected apps as privileged identity extensions, not low-risk integrations.

Q: Why do malicious OAuth apps create more risk than a simple phishing email?

A: A phishing email ends when the user ignores it, but a malicious OAuth app can create valid delegated access that survives after the initial trick.

Q: What do organisations get wrong about SaaS breach prevention?

A: They often focus on the platform configuration and miss the approval path that gives attackers access in the first place.

Practitioner guidance

  • Tighten connected app approval governance: Require security review for new OAuth applications, constrain high-risk scopes, and block self-approval for sensitive integrations.
  • Validate support workflows against voice phishing: Create out-of-band verification for any request to install tooling, approve access, or change integration settings.
  • Instrument authorisation events for anomaly detection: Alert on new connected apps, unusual OAuth grants, unexpected admin tool installation, and scope changes that increase data access.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance for detecting malicious Salesforce connected apps and suspicious consent events.
  • Operational examples of identity threat detection and response for SaaS environments.
  • More detail on limiting privilege drift across Salesforce integrations and adjacent cloud services.
  • Practical framing for audit-ready reporting after a SaaS identity incident.

👉 Read Unosecur's analysis of the 2025 Salesforce breach wave →
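The three guidance points above (reviewed allowlist, no self-approval of sensitive scopes, and alerting on new apps, scope growth and tool installs) can be expressed as a small detection pass over consent events. The block below is an added illustration written for this post; it is not code from Unosecur, NHIMG or Salesforce. The pipe-delimited event format, the app names, the user names, the allowlist, the operator group and the list of "high-risk" scope strings are all constructed for the example; Salesforce's real event fields and scope names differ, so treat those as assumptions to replace with your own tenant's data.

```python
"""Added example: flag risky connected-app consent events (constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumption: apps that went through the security review described in the post.
APPROVED_APPS: Set[str] = {"Reviewed Reporting App", "Reviewed Backup Tool"}
# Assumption: scopes that broaden data or token access; real scope names vary.
HIGH_RISK_SCOPES: Set[str] = {"full", "api", "refresh_token", "web"}
# Assumption: users verified out-of-band as allowed to run Data Loader.
DATA_LOADER_OPERATORS: Set[str] = {"ops@example.com"}

# Constructed sample feed. Fields: user|app|scope1,scope2|approved_by|source
# ("self" means the end user approved the grant without a second party).
SAMPLE_EVENTS = """\
alice@example.com|Reviewed Reporting App|api,refresh_token|admin@example.com|oauth_consent
bob@example.com|Quick Export Helper|full,refresh_token|self|oauth_consent
carol@example.com|Reviewed Backup Tool|api|admin@example.com|oauth_consent
carol@example.com|Reviewed Backup Tool|api,full|self|oauth_consent
dave@example.com|Data Loader (unsigned build)|api|self|data_loader_install
"""


@dataclass
class ConsentEvent:
    user: str
    app: str
    scopes: Set[str]
    approved_by: str
    source: str


@dataclass
class Finding:
    user: str
    app: str
    reason: str


def parse_event(line: str) -> ConsentEvent:
    """Parse one constructed pipe-delimited event line."""
    user, app, scopes, approved_by, source = line.strip().split("|")
    return ConsentEvent(user, app, {s for s in scopes.split(",") if s}, approved_by, source)


def evaluate(events: List[ConsentEvent], baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Apply the post's three controls to a stream of consent events.

    `baseline` maps app name -> scopes already granted; it is updated in place so
    later events are judged against what the app previously held.
    """
    findings: List[Finding] = []
    for ev in events:
        # Control 1: only reviewed apps should appear at all.
        if ev.app not in APPROVED_APPS:
            findings.append(Finding(ev.user, ev.app, "connected app not on the reviewed allowlist"))
        # Control 1 (self-approval): sensitive scopes need a second party.
        risky = ev.scopes & HIGH_RISK_SCOPES
        if risky and ev.approved_by == "self":
            findings.append(Finding(ev.user, ev.app,
                                    "self-approved high-risk scopes: " + ",".join(sorted(risky))))
        # Control 3: scope growth beyond what the app already held.
        prior = baseline.get(ev.app)
        if prior is not None:
            added = ev.scopes - prior
            if added:
                findings.append(Finding(ev.user, ev.app,
                                        "scope expansion beyond baseline: " + ",".join(sorted(added))))
        # Controls 2 and 3: tooling installs by anyone outside the verified group.
        if ev.source == "data_loader_install" and ev.user not in DATA_LOADER_OPERATORS:
            findings.append(Finding(ev.user, ev.app,
                                    "Data Loader install by a user outside the verified operator group"))
        baseline[ev.app] = (prior or set()) | ev.scopes
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per user, a convenient triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


def run_sample() -> List[Finding]:
    """Run the detection pass over the constructed feed with an empty baseline."""
    events = [parse_event(line) for line in SAMPLE_EVENTS.splitlines() if line.strip()]
    return evaluate(events, baseline={})


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user:20} {f.app:30} {f.reason}")
```

Running it yields no finding for the admin-approved grant to a reviewed app, but flags the unreviewed self-approved app, the later self-approved widening of a reviewed app's scopes, and the Data Loader install by someone outside the operator group. Seeding `baseline` from the tenant's current grants rather than an empty dict is what turns this from a demo into a drift check.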
