
Hunting SaaS Threats: Insights from the FOR589 Course on Cybercriminal Campaigns

Organizations using SaaS platforms must recognize that customers are the prime targets.

Authored by Will Thomas

The authors of the FOR589 course discuss the growing threat of cybercriminal attacks against customers of Software-as-a-Service (SaaS) applications and platforms.

In this blog, we will discuss several recent cases in which the customers of major SaaS providers, such as Salesloft, Salesforce, and Snowflake, were extorted by threat actors from the English-speaking cybercriminal underground communities.

SaaS Security Challenges

  • Using third-party SaaS applications hosted in the cloud has become the default approach for modern businesses to store and process their data. 
  • SaaS security operates under a shared-responsibility model between providers and customers. In most cases, providers supply the security settings and customers are responsible for configuring them correctly. 
  • Misconfigurations remain one of the most common weaknesses, often introduced when customers fail to properly secure their SaaS applications. 
  • Cybercriminals exploit these misconfigurations to exfiltrate vast amounts of data from customer instances.
  • Victims are then extorted, with stolen data frequently sold or leaked on cybercriminal forums. 

Salesloft Drift Token Theft 

In August 2025, Google reported a cybercriminal campaign targeting Salesloft Drift, a SaaS platform and AI chatbot. The activity reportedly began on August 8, 2025, and expanded beyond Salesloft to affect Google Workspace via Drift’s Email integration.

By abusing stolen OAuth tokens, the adversary was able to exfiltrate sensitive corporate data and harvest credentials, such as AWS keys, Snowflake tokens, and passwords, with the intent of enabling further compromises. 

Google tracked the incident to an uncategorized group (UNC6395), meaning they have not yet linked it to a known threat actor. Meanwhile, a Telegram collective calling itself “Scattered LAPSUS$ Hunters 4.0” claimed responsibility, though without verifiable proof. 

At the time of writing, attribution remains uncertain due to overlapping tactics, techniques, and procedures (TTPs), fluid identities, bold claims, and the lack of root-cause evidence. While Mandiant’s UNC identifiers help track the activity clusters, it would be premature to definitively attribute the Salesloft Drift attack to ShinyHunters, SCATTERED SPIDER, or any other named group. 

Vishing Attacks Target Salesforce Customers 

In June 2025, Google reported that a cybercriminal adversary used voice phishing (vishing) to target corporate Salesforce SaaS instances as part of a data theft extortion scheme. The adversary has repeatedly stated during extortion attempts they are affiliated with ShinyHunters, an infamous cybercriminal group. 

The adversary impersonated IT support personnel over the phone, persuading their targets to authorize a malicious connected app in their organization’s Salesforce portal. Victims were instructed to enter a “connection code” that approved the adversary’s modified version of Salesforce’s legitimate Data Loader app. Once the app was connected, the adversary used its access to exfiltrate data from the organization’s Salesforce instance. 

Google’s researchers also noted infrastructure overlaps between the adversary and phishing panels targeting Okta users; Okta is an enterprise single sign-on (SSO) provider commonly targeted by other cybercriminals affiliated with SCATTERED SPIDER. The adversary also reportedly used IP addresses linked to Mullvad VPN. 

Reported victims include Qantas, Allianz Life, Adidas, and LVMH subsidiaries (Louis Vuitton, Dior, and Tiffany & Co.), according to a BleepingComputer article. The Allianz Life database, stolen from the company's Salesforce instance, was later leaked to a Telegram channel called "ScatteredLapsuSp1d3rHunters" which had been created by the adversaries. 

Stolen Credentials Used to Target Snowflake Customers 

In mid-2024, Google reported a campaign targeting customer instances of Snowflake, a SaaS data warehouse platform. Attackers accessed databases of up to 165 customers using stolen valid login credentials.

The investigation by Google found that many of the unauthorized access incidents used valid login credentials stolen by infostealer malware. The threat actors responsible for the Snowflake campaign also identified themselves as ShinyHunters and Sp1d3rHunters.

The valid credentials belonged to third-party contractors hired to manage Snowflake instances. The investigation also identified that these contractors used personal and/or unmonitored laptops that were subsequently infected by infostealer malware. These devices had no antivirus or endpoint detection and response (EDR) software. Many were also used for personal activities such as playing cracked games or running pirated software, which are common delivery vectors for infostealer malware. 

Data stolen from Snowflake instances was then offered on the English-speaking cybercrime community known as BreachForums, which was resurrected following a takedown by the FBI earlier in 2024.  

According to a BleepingComputer article, the publicly known impact includes customers of AT&T, Santander, Ticketmaster, Advance Auto Parts, and LendingTree. 

Outlook 

Organizations using SaaS platforms are the prime targets. These attacks are opportunistic, and the victims were targeted purely because they were customers of such providers. 

Earlier this year, Patrick Opet, the Chief Information Security Officer (CISO) of JPMorgan Chase, published an open letter to SaaS suppliers. He urged providers to:  

  • Provide secure-by-default configurations 
  • Increase transparency about risks 
  • Provide clearer guidance on control management  

He emphasized these factors should be non-negotiable requirements for customers partnering with a SaaS provider. 

Attribution 

Cybercriminal adversaries using monikers such as ShinyHunters, SCATTERED SPIDER, LAPSUS$, and Sp1d3rHunters are part of an amorphous collective with a fluid membership. Individuals come and go, often drawn from broader cybercrime communities on Telegram, Discord, or sites such as RaidForums, BreachForums, DarkForums, and OGUsers. 

These communities are actively targeted and taken down by law enforcement agencies, but due to these communities containing thousands of members, enterprising criminal individuals continue to carry the torch and perpetuate this type of underground economy. 

Recommended Best Practices 

Organizations can reduce risk by adopting the following measures: 

  • Maintain plans to review, revoke, and rotate exposed credentials while strengthening access controls across connected applications. This includes up-to-date documentation of system and service ownership and contact details, so that a compromised token or account can be traced to an owner quickly. 
  • Enforce strict compliance and policies for IT contractors accessing corporate SaaS platforms in the cloud. 
  • Integrate SaaS platforms with single sign-on (SSO) providers using multi-factor authentication. 
  • Use IP address allow-listing and role-based access control (RBAC) to restrict data export capabilities. 
  • Perform network event logging of SaaS activities and use IP address enrichment threat feeds to identify suspicious IP addresses (e.g., anonymization services like Mullvad VPN). 
  • Monitor cybercriminal marketplaces where such accounts are offered for sale. 
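The allow-listing, RBAC and log-enrichment recommendations above can be combined into a single triage pass over SaaS audit logs. The following is an added example written for this post, not code from the original article or from any of the providers it discusses. The JSON-lines log schema, the corporate CIDR ranges, the export-permitted role, and the "anonymization service" indicator list are all constructed assumptions (the IPs are RFC 5737 documentation addresses, not real VPN or Tor exits); in practice the indicator list would come from an IP-enrichment feed and the schema from the provider's event log.

```python
"""Triage constructed SaaS audit-log lines against an IP allow-list, an
anonymization-service indicator list, MFA status and export permissions.
Added example; schema, ranges and indicators are assumptions."""
import ipaddress
import json

# Constructed corporate egress ranges (assumption, not from the original post).
CORPORATE_ALLOWLIST = [
    ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")
]

# Constructed stand-in for an IP-enrichment feed of anonymization-service exits.
# Documentation addresses only; real feeds map exit IPs to provider names.
ANONYMIZER_FEED = {"192.0.2.17": "commercial-vpn-exit", "192.0.2.44": "tor-exit"}

# Roles permitted to run bulk exports under the RBAC policy (assumption).
EXPORT_ROLES = {"data_export_admin"}

# Constructed JSON-lines audit events in a hypothetical SaaS log schema.
SAMPLE_LOG = """\
{"ts":"2025-08-09T02:14:05Z","event":"login","user":"a.contractor@example.com","role":"sales_ops","src_ip":"192.0.2.17","mfa":false}
{"ts":"2025-08-09T02:15:40Z","event":"connected_app_authorized","user":"a.contractor@example.com","role":"sales_ops","src_ip":"192.0.2.17","app":"Data Loader"}
{"ts":"2025-08-09T02:16:02Z","event":"bulk_export","user":"a.contractor@example.com","role":"sales_ops","src_ip":"192.0.2.17","rows":1850000}
{"ts":"2025-08-09T09:01:11Z","event":"login","user":"j.doe@example.com","role":"data_export_admin","src_ip":"203.0.113.40","mfa":true}
{"ts":"2025-08-09T09:05:00Z","event":"bulk_export","user":"j.doe@example.com","role":"data_export_admin","src_ip":"203.0.113.40","rows":12000}
{"ts":"2025-08-09T11:30:00Z","event":"login","user":"k.lee@example.com","role":"sales_ops","src_ip":"198.51.100.200","mfa":true}
"""


def triage(log_text: str) -> list[dict]:
    """Return one alert per event that violates at least one control.

    Checks: source outside the allow-list, source on the anonymizer feed,
    login without MFA, bulk export by a role not permitted to export, and
    any new connected-app authorization (always worth a human look).
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ip = ipaddress.ip_address(ev["src_ip"])
        reasons = []
        if not any(ip in net for net in CORPORATE_ALLOWLIST):
            reasons.append("source outside corporate allow-list")
        if ev["src_ip"] in ANONYMIZER_FEED:
            reasons.append(f"anonymization service: {ANONYMIZER_FEED[ev['src_ip']]}")
        if ev["event"] == "login" and not ev.get("mfa", False):
            reasons.append("login without MFA")
        if ev["event"] == "bulk_export" and ev["role"] not in EXPORT_ROLES:
            reasons.append("bulk export by role not permitted to export")
        if ev["event"] == "connected_app_authorized":
            reasons.append(f"new connected app authorized: {ev['app']}")
        if reasons:
            alerts.append({
                "ts": ev["ts"], "user": ev["user"], "event": ev["event"],
                "src_ip": ev["src_ip"], "reasons": reasons,
            })
    return alerts


def high_risk_users(alerts: list[dict]) -> list[str]:
    """Users with both a flagged login and a flagged bulk export: the
    credential-abuse-then-exfiltration chain described in the cases above."""
    events_by_user: dict[str, set[str]] = {}
    for a in alerts:
        events_by_user.setdefault(a["user"], set()).add(a["event"])
    return sorted(
        u for u, evs in events_by_user.items()
        if "login" in evs and "bulk_export" in evs
    )


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["user"], a["event"], a["src_ip"], "; ".join(a["reasons"]))
    print("high-risk users:", high_risk_users(found))
```

On the constructed sample, the contractor session is flagged three times (login from an anonymizer exit without MFA, a new connected-app approval, and a bulk export by a role that is not allowed to export), and the session chain lands the account on the high-risk list; the admin's in-range, MFA-backed export produces nothing, while a third user's login is flagged only because the source address falls outside the allow-listed /25.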

Additional Resources 

How SANS FOR589: Cybercrime Investigations Can Help 

Mitigating attacks on SaaS applications requires a regular review of security controls and usage of such platforms. The cybercriminals will continue to use vishing, infostealers, and other TTPs commonly associated with adversaries like SCATTERED SPIDER.  

In our SANS FOR589 class, students will learn how to:  

  • Access and monitor cybercriminal forums where stolen data is posted and marketplaces where stolen credentials are offered.  
  • Track emerging threats and document TTPs. 
  • Produce intelligence reports and digital dossiers on cybercriminals. 
  • Identify opportunities for interdiction against such threats. 

Sign up for a demo or register for FOR589: Cybercrime Investigations today to gain the skills needed to generate actionable intelligence to defend against some of the most notorious cybercriminals.