Salesforce | Breaking Cybersecurity News | The Hacker News

Microsoft Teams' cross-tenant collaboration feature, which allows external accounts to message employees directly, is enabled by default in most enterprise deployments . Most organizations have never audited or restricted it. That default setting has become one of the more reliable social engineering entry points security teams are managing today. The base attack is straightforward. An attacker creates an external Teams account, identifies a target through LinkedIn or a company directory, and sends a message posing as IT helpdesk staff. The message cites an urgent account issue (an MFA problem, a security alert, a failed login) and asks the employee to open Quick Assist, a built-in Microsoft remote assistance tool, and approve a session. What has changed recently is the layer added on top of that initial contact: an AI-generated voice that sounds like someone the target already knows. How the Base Attack Chain Unfolds Once Quick Assist access is established, the attack fol...

AI is changing the security landscape. More and more threat groups incorporate LLMs into their reconnaissance and exploitation workflows. The notion that some vulnerabilities are too complex to implement is now obsolete. Using LLMs, hackers can automatically find and exploit complex vulnerabilities. We have all heard of Claude Mythos and its ability to identify vulnerabilities in large codebases and exploit them automatically. But LLMs can do more than find vulnerabilities in code. ShinyHunters has scanned thousands of Salesforce Sites. They used a modified version of "AuraInspector". They possibly used an LLM to code their framework, mods, reconnaissance tools, and other aspects of their workflow. But the next step is to use AI to supercharge the attack process itself. We at Reco decided to explore what it would look like. Reco's security research team built an AI-powered agent capable of performing end-to-end security assessments of Salesforce Experience Cloud sit...

ShinyHunters is a notorious cybercrime group that has resurfaced with a new playbook of SaaS-focused attacks. Known for monetizing stolen data on underground forums since 2020, ShinyHunters has historically breached companies by stealing credentials and databases. Recently, however, they've shifted tactics to aggressive social engineering, mirroring the methodology of the Scattered Spider group. Instead of exploiting software vulnerabilities, ShinyHunters now exploits human trust, targeting the underbelly of third-party SaaS platforms through impersonation and phishing. In mid-2025, a wave of breaches struck companies like Google, Workday, Pandora, Cisco, Chanel, and others, all tied together by one common thread: the attackers leveraged access to these firms' Salesforce CRM or similar cloud systems. Below, we look at what happened in the Google and Workday breaches, examine techniques ShinyHunters used, and demonstrate how a dynamic SaaS security approach (like Reco's) could have...

Automated tools give you visibility. Adversarial testing gives you clarity. In Salesforce environments, you need both. The Problem with Checkbox Security in a Platform-Centric World Salesforce has become more than just a CRM—it's the backbone of how many organizations operate. It holds customer data, governs workflows, drives revenue, and connects to dozens of internal and third-party systems. But that complexity is exactly what makes it hard to secure. And too often, security teams rely solely on generic scans or scheduled audits that were never designed to handle the nuance of Salesforce's layered permissions, custom logic, and evolving integrations. The result? A lot of surface-level findings—and a lot of assumptions about what those findings actually mean. Automation Is Essential—But It's Only One Layer There's no question that modern scanning tools play a vital role in Salesforce security. The right platforms can surface deeply nested permissions, cross-object access paths,...

Salesforce Is Mission-Critical, but That Doesn't Mean It's Protected At the beating heart of customer operations, the scope of Salesforce goes well and beyond traditional customer relationship management (CRM) systems. As a system of records, a sales engine, a service dashboard, and a repository for years of business-critical insight, deals flow through it continuously. Strategies depend on it. Customer relationships live or die by what they contain.  Yet, despite this, a dangerous misconception persists: "It's in the cloud, so it must be safe." Unfortunately, this assumption is as costly as it is common.  Here's the reality. Salesforce operates under a shared responsibility model , meaning your cloud provider — in this case, Salesforce — is responsible for platform uptime, infrastructure integrity, and security of the cloud. But you, the customer, are responsible for its actual content (your data, your metadata, and your configurations). So, while Salesforce protects th...