Organizations using SaaS platforms must recognize that customers are the prime targets.
The authors of the FOR589 course discuss the growing threat of cybercriminal attacks against customers of Software-as-a-Service (SaaS) applications and platforms.
In this blog, we will discuss several recent cases in which the customers of major SaaS providers, such as Salesloft, Salesforce, and Snowflake, were extorted by threat actors from English-speaking cybercriminal underground communities.
In August 2025, Google reported a cybercriminal campaign targeting Salesloft Drift, a SaaS platform and AI chatbot. The activity reportedly began on August 8, 2025, and expanded beyond Salesloft to affect Google Workspace via Drift’s Email integration.
By abusing stolen OAuth tokens, the adversary was able to exfiltrate sensitive corporate data and harvest credentials, such as AWS keys, Snowflake tokens, and passwords, with the intent of enabling further compromises.
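The credential harvesting described above works because customers paste secrets into CRM records (support cases, notes, chat transcripts) that a stolen OAuth token can read. A defender can run the same search on an export of their own SaaS data before an attacker does. The scanner below is an added example, not code from Google, Salesloft or SANS; the sample records are constructed for the demo, the AWS values are AWS's own documentation placeholders rather than live keys, and every pattern except the documented AWS access key ID shape is a heuristic to tune against real data.

```python
"""Scan exported SaaS records (for example CRM support cases) for the kinds
of credentials the Salesloft Drift attackers harvested: AWS keys, Snowflake
account details and plaintext passwords.

Added example, not code from Google, Salesloft or SANS.  The records below
are constructed for the demo; the AWS values are AWS's own documentation
placeholders, not live credentials."""
import re
from dataclasses import dataclass

# AWS access key IDs have a fixed, documented shape (AKIA or ASIA + 16 chars).
# The other three patterns are heuristics; expect to tune them on real data.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"aws[_\- ]?secret[_\- ]?(?:access[_\- ]?)?key\W{0,6}([A-Za-z0-9/+=]{40})\b",
        re.IGNORECASE),
    "snowflake_account": re.compile(
        r"\b[a-z0-9][a-z0-9_.\-]*\.snowflakecomputing\.com\b", re.IGNORECASE),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\b\s*[:=]\s*[\"']?([^\s\"']{6,})", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    record_id: str
    kind: str
    redacted: str   # never store or print the full secret


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be matched to a key, mask the rest."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan(records):
    """Return one Finding per pattern hit across all records."""
    findings = []
    for rec in records:
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(rec["body"]):
                # Patterns with a capture group report only the secret, not the label.
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(rec["id"], kind, redact(secret)))
    return findings


def affected_records(findings):
    """Sorted, de-duplicated list of record IDs whose secrets must be rotated."""
    return sorted({f.record_id for f in findings})


# Constructed sample export: four support cases, three of which leak something.
SAMPLE_RECORDS = [
    {"id": "CASE-0001",
     "body": "Customer cannot reach S3. Their key is AKIAIOSFODNN7EXAMPLE and "
             "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CASE-0002",
     "body": "Snowflake login failing. Account xy12345.us-east-1.snowflakecomputing.com, "
             "user ETL_SVC, password: Summer2025!"},
    {"id": "CASE-0003",
     "body": "User asked for a password reset; no credentials were shared."},
    {"id": "CASE-0004",
     "body": "Temp creds for the migration: AWS_ACCESS_KEY_ID=ASIAQ3EXAMPLETEMPKEY"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.record_id}: {f.kind} -> {f.redacted}")
    print("rotate secrets referenced in:", affected_records(results))
```

Run it against a CSV or Bulk API export of the objects the attacker could read (cases, notes, attachments); anything it finds should be treated as already compromised once a token theft is confirmed, and rotated rather than merely deleted from the record.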
Google tracks the activity as UNC6395; the "UNC" (uncategorized) prefix means Mandiant has not yet linked the cluster to a known threat actor. Meanwhile, a Telegram collective calling itself "Scattered LAPSUS$ Hunters 4.0" claimed responsibility, though without verifiable proof.
At the time of writing, attribution remains uncertain due to overlapping tactics, techniques, and procedures (TTPs), fluid identities, bold claims, and the lack of root-cause evidence. While Mandiant’s UNC identifiers help track the activity clusters, it would be premature to definitively attribute the Salesloft Drift attack to ShinyHunters, SCATTERED SPIDER, or any other named group.
In June 2025, Google reported that a cybercriminal adversary used voice phishing (vishing) to target corporate Salesforce SaaS instances as part of a data theft extortion scheme. The adversary has repeatedly stated during extortion attempts they are affiliated with ShinyHunters, an infamous cybercriminal group.
The adversary impersonated IT support personnel over the phone, persuading their targets to authorize a malicious connected app in their organization's Salesforce portal. Victims were instructed to enter a "connection code" that approved the adversary's modified version of Salesforce's legitimate Data Loader app. Once the app was connected, the adversary exfiltrated data from the organization's Salesforce instance.
Google's researchers also noted infrastructure overlaps between this adversary and phishing panels targeting Okta users; Okta is an enterprise single sign-on (SSO) provider commonly targeted by other cybercriminals affiliated with SCATTERED SPIDER. The adversary also reportedly used IP addresses linked to Mullvad VPN.
Reported victims include Qantas, Allianz Life, Adidas, and LVMH subsidiaries (Louis Vuitton, Dior, and Tiffany & Co.), according to a BleepingComputer article. The Allianz Life database, stolen from the company's Salesforce instance, was later leaked to a Telegram channel called "ScatteredLapsuSp1d3rHunters" which had been created by the adversaries.
In mid-2024, Google reported a campaign targeting customer instances of Snowflake, a SaaS data warehouse platform. Attackers accessed databases of up to 165 customers using stolen valid login credentials.
The investigation by Google found that many unauthorized access incidents used valid login credentials stolen by infostealer malware. The threat actors responsible for the Snowflake campaign also identified themselves as ShinyHunters and Sp1d3rHunters.
The valid credentials belonged to third-party contractors hired to manage Snowflake instances. The investigation also identified that these contractors used personal and/or unmonitored laptops that were subsequently infected by infostealer malware. These devices had no antivirus or endpoint detection and response (EDR) software. Many were also used for personal activities such as playing cracked games or running pirated software, which are common delivery vectors for infostealer malware.
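The two failures described in the Snowflake campaign, password-only logins and access from unmanaged devices on arbitrary networks, are both visible in Snowflake's own login history. The script below is an added example, not Snowflake's or Google's code: it reviews rows in the shape of the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (real column names) and flags successful logins that used a password with no second factor, or came from outside the IP ranges a network policy should allow. The rows and the allowlist are constructed for the demo; the SQL constant shows the query that would feed real rows into it.

```python
"""Review Snowflake login history for the weaknesses behind the 2024 campaign:
successful password-only logins (no second factor) and logins from outside the
IP ranges an account's network policy should allow.

Added example, not Snowflake's or Google's code.  Column names follow the
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; the rows and the allowlist are
constructed for the demo."""
import ipaddress
from dataclasses import dataclass

# Query that would produce real rows in the shape used below (last 30 days).
LOGIN_HISTORY_SQL = """
SELECT EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE,
       FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE EVENT_TIMESTAMP > DATEADD(day, -30, CURRENT_TIMESTAMP())
"""

# Constructed allowlist standing in for a corporate NETWORK POLICY (RFC 5737 range).
CORP_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed rows in the shape of LOGIN_HISTORY.
SAMPLE_LOGINS = [
    {"EVENT_TIMESTAMP": "2024-05-20 08:01:12", "USER_NAME": "ALICE",
     "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20 08:05:40", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.20", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20 23:47:03", "USER_NAME": "CONTRACTOR1",
     "CLIENT_IP": "198.51.100.77", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-21 00:02:19", "USER_NAME": "CONTRACTOR1",
     "CLIENT_IP": "192.0.2.9", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-05-21 09:15:00", "USER_NAME": "BOB",
     "CLIENT_IP": "203.0.113.30", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


@dataclass(frozen=True)
class Flagged:
    user: str
    client_ip: str
    client_type: str
    reasons: tuple


def in_allowlist(ip: str, allowlist) -> bool:
    """True if the client IP falls inside any allowed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def review(rows, allowlist=CORP_ALLOWLIST):
    """Flag successful logins that were password-only or from a non-allowlisted IP."""
    flagged = []
    for row in rows:
        if row["IS_SUCCESS"] != "YES":      # failed attempts are a separate question
            continue
        reasons = []
        if (row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                and not row["SECOND_AUTHENTICATION_FACTOR"]):
            reasons.append("password_only")
        if not in_allowlist(row["CLIENT_IP"], allowlist):
            reasons.append("outside_allowlist")
        if reasons:
            flagged.append(Flagged(row["USER_NAME"], row["CLIENT_IP"],
                                   row["REPORTED_CLIENT_TYPE"], tuple(reasons)))
    return flagged


def users_needing_mfa(rows):
    """Users who have logged in successfully with a password and nothing else."""
    return sorted({f.user for f in review(rows) if "password_only" in f.reasons})


if __name__ == "__main__":
    for f in review(SAMPLE_LOGINS):
        print(f"{f.user:12} {f.client_ip:15} {f.client_type:14} {', '.join(f.reasons)}")
    print("enforce MFA for:", users_needing_mfa(SAMPLE_LOGINS))
```

In the constructed data the contractor account is the one an infostealer victim would produce: a password with no second factor, from a driver rather than the web UI, on a network the organization does not control. Both findings map to fixes the platform already supports (a second factor on every human account, key-pair or OAuth for service accounts, and a network policy restricting client IPs), so the output is a remediation list rather than just an alert.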
Data stolen from Snowflake instances was then offered on the English-speaking cybercrime community known as BreachForums, which was resurrected following a takedown by the FBI earlier in 2024.
According to a BleepingComputer article, the publicly known impact includes customers of AT&T, Santander, Ticketmaster, Advance Auto Parts, and LendingTree.
Organizations using SaaS platforms are the prime targets. These attacks are opportunistic, and the victims were targeted purely because they were customers of such providers.
Earlier this year, Patrick Opet, the Chief Information Security Officer (CISO) of JPMorgan Chase, published an open letter to SaaS suppliers. He urged providers to:
He emphasized these factors should be non-negotiable requirements for customers partnering with a SaaS provider.
Cybercriminal adversaries using monikers such as ShinyHunters, SCATTERED SPIDER, LAPSUS$, and Sp1d3rHunters are part of an amorphous collective with a fluid membership. Individuals come and go, often drawn from broader cybercrime communities on Telegram, Discord, or sites such as RaidForums, BreachForums, DarkForums, and OGUsers.
These communities are actively targeted and taken down by law enforcement agencies, but because they contain thousands of members, enterprising individuals continue to carry the torch and perpetuate this type of underground economy.
Organizations can reduce risk by adopting the following measures:
Mitigating attacks on SaaS applications requires a regular review of the security controls on, and the usage of, such platforms. Cybercriminals will continue to use vishing, infostealers, and the other TTPs commonly associated with adversaries like SCATTERED SPIDER.
In our SANS FOR589 class, students will learn how to:
Sign up for a demo or register for FOR589: Cybercrime Investigations today to gain the skills needed to generate actionable intelligence to defend against some of the most notorious cybercriminals.
Will has revolutionized cyber threat intelligence by co-founding Curated Intelligence and exposing ransomware operations like Black Basta. His expertise in infiltrating dark web communities has advanced how we dismantle cybercriminal networks.
Read more about Will Thomas