Salesforce has warned of an increase in threat actor activity that's aimed at exploiting misconfigurations in publicly accessible Experience Cloud sites by making use of a customized version of an open-source tool called AuraInspector.
The activity, per the company, involves the exploitation of customers' overly permissive Experience Cloud guest user configurations to obtain access to sensitive data.
"Evidence indicates the threat actor is leveraging a modified version of the open-source tool AuraInspector [...] to perform mass scanning of public-facing Experience Cloud sites," Salesforce said.
"While the original AuraInspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings."
AuraInspector refers to an open-source tool designed to help security teams identify and audit access control misconfigurations within the Salesforce Aura framework. It was released by Google-owned Mandiant in January 2026.
Publicly accessible Salesforce sites use a dedicated guest user profile that enables an unauthenticated user to access landing pages, FAQs, and knowledge articles. However, if this profile is misconfigured with excessive permissions, it can potentially grant unauthenticated users access to more data than intended.
As a result, an attacker could exploit this security weakness to directly query Salesforce CRM objects without logging in. For this attack to work, two conditions have to be satisfied by Experience Cloud customers: they are using the guest user profile and have not adhered to Salesforce's recommended configuration guidance.
"At this time, we have not identified any vulnerability inherent to the Salesforce platform associated with this activity," Salesforce said. "These attempts are focused on customer configuration settings that, if not properly secured, may increase exposure."
The company attributed the campaign to a known threat actor group without taking its name, raising the possibility that it could be the work of ShinyHunters (aka UNC6240), which has a history of targeting Salesforce environments via third-party applications from Salesloft and Gainsight.
Salesforce is recommending customers review their Experience Cloud guest user settings, ensure the Default External Access for all objects is set to Private, disable guest users' access to public APIs, restrict visibility settings to prevent guest users from enumerating internal organization members, disable self-registration if not required, and monitor logs for unusual queries.
"This threat actor activity reflects a broader trend of 'identity-based' targeting," it added. "Data harvested in these scans, such as names and phone numbers – is often used to build follow-on targeted social engineering and 'vishing' (voice phishing) campaigns."
Update
According to screenshots shared by Dark Web Informer on X, ShinyHunters has claimed to have breached "several hundred" companies as part of the Salesforce Aura Campaign.
"We are aware of a threat actor attempting to identify misconfigurations within the Salesforce Experience Cloud instances," Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, told The Hacker News. "We are working closely with Salesforce and our customers to provide the necessary telemetry and detection rules to mitigate potential risk."
In a separate advisory, Palo Alto Networks Unit 42 said it has responded to "numerous" incidents across various industries involving vishing that have resulted in data theft and extortion. Targeted sectors included financial services, manufacturing, professional and legal services, and retail.
"Most of this activity is likely associated with Bling Libra (aka ShinyHunters) or threat actors affiliated with the broader Scattered LAPSUS$ Hunters alliance," researchers Matt Brady and Cuong Dinh said. "In one 2025 case, we saw the threat actors move from access to impact (data exfiltration) in less than 60 seconds."
The attack begins with strategic vishing, where the attackers initiate contact by sourcing employee details from professional social networks. The threat actors have been found to impersonate internal IT staff, urging them to set up an SSO passkey as part of a mandatory deadline.
As part of these efforts, victims are instructed to use a mobile device to navigate to a visually identical phishing domain to bypass corporate firewalls and URL inspection tools. Furthermore, the attackers have been found to use legitimate numbers with fraudulent Caller Name (CNAM) records to appear as "IT Staff" to avoid triggering spam alerts.
As soon as the victim interacts with the phishing page, an adversary-in-the-middle (AitM) framework is used to harvest credentials and security codes in real-time, while relaying them to the authentic SSO portal as so as to complete the login.
The attackers then leverage the stolen credentials to enroll a new multi-factor authentication (MFA) instance, such as an Android emulator. The rogue device is named "Passkey" within the system settings to give the impression to the victim that it was done so as to complete the passkey setup.
In the final stage, the attackers move laterally through the SaaS dashboard, a technique called living-off-the-SaaS, to harvest data from compromised networks.
"Upon gaining access, the first step is often to delete 'New Device' or 'Login' alerts from the victim's inbox to prevent discovery," Unit 42 said. "If internal resources are required, they use the compromised credentials to authenticate through enterprise VPN clients."
"The group prioritizes applications with inherent bulk-export capabilities. SaaS platforms like CRMs are a primary target; attackers frequently generate unfiltered 'Contacts & Accounts' reports, maximizing field counts to ensure total data exfiltration. With other SaaS platforms, attackers prioritize downloading files with keywords or labeled as 'confidential' or 'sensitive.'"
