high September 21, 2025

Threat Spotlight: ShinyHunters Targets Salesforce Amid Clues of Scattered Spider Collaboration


After a period of keeping a low profile, ShinyHunters has re-emerged with a broad phishing campaign targeting Salesforce credentials across high-profile organizations in multiple sectors. The campaign uses coordinated ticket-themed phishing domains and Salesforce-focused credential harvesting pages, often paired with vishing in which callers impersonate IT support and convince victims to authorize malicious connected apps. The analysis shows domain registration patterns consistent with those used by Scattered Spider, indicating shared tools, infrastructure, or possibly collaboration. Also significant are domain registrations that impersonate Okta, SSO, or service-desk branding. Targeting appears to be shifting toward financial services and technology firms, though all high-value sectors are at risk.

This campaign shows a discernible shift in ShinyHunters' behaviour: from its earlier emphasis on large-scale breaches and data leakage toward more targeted social engineering, vishing, and SaaS-platform abuse, particularly via Salesforce and connected apps. The overlap with Scattered Spider's TTPs and the infrastructure similarities suggest either collaboration or adoption of those methods by ShinyHunters. Also noteworthy are the faster iteration of domain registrations and the more focused targeting of financial service providers, which mark a refinement and specialization in campaign structure.

Domains (4)
  • ticket-louisvuitton.com
  • ticket-dior.com
  • dashboard-salesforce.com
  • ticket-lvmh.com
Library detections (2)
  • Creation of a new Okta Identity Provider
  • Authentication Policy MFA Downgrade
Additional detection ideas (3)
  • Detect phishing attempts via email link analysis and sender reputation scoring
  • Detect impersonation of trusted entities in communications or account registrations
  • Detect rapid MFA push notification generation — high-frequency prompts indicate push bombing attacks
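
The ticket-themed and brand-impersonating registrations described in this brief can be triaged from hostnames seen in DNS or proxy logs. The following is an added example, not part of the source report: the brand inventory, lure word list, severity labels and function names are assumptions, and the sample hostnames are constructed apart from the four domains listed above.

```python
import re

# Assumptions (not from the brief): brands to protect, mapped to the
# registrable domains that legitimately carry them. Use your own inventory.
LEGIT = {"salesforce": {"salesforce.com", "force.com"}, "okta": {"okta.com"}}
# Lure words reflecting the brief's themes: ticket, dashboard, SSO, service desk.
LURES = {"ticket", "dashboard", "sso", "servicedesk"}

# Constructed sample: the four domains listed in the brief plus benign hosts.
SAMPLE = [
    "ticket-louisvuitton.com", "ticket-dior.com", "ticket-lvmh.com",
    "dashboard-salesforce.com", "login.salesforce.com", "example.okta.com",
    "sso-okta.example.com", "tickets.example.com",
]


def registrable(host):
    """Last two labels. Assumption: fine for .com; use a Public Suffix List otherwise."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host):
    """Return (severity, matched_words), or None when the host is not suspicious."""
    reg = registrable(host)
    if any(reg in domains for domains in LEGIT.values()):
        return None  # the brand's own domain, e.g. login.salesforce.com
    name = host.lower().rstrip(".").rsplit(".", 1)[0]  # drop the TLD
    toks = re.split(r"[-.]", name)
    # Single tokens plus adjacent pairs, so "service-desk" matches "servicedesk".
    seen = set(toks) | {a + b for a, b in zip(toks, toks[1:])}
    brands = sorted(b for b in LEGIT if b in seen)
    lures = sorted(w for w in LURES if w in seen)
    if brands and lures:
        return "high", brands + lures      # e.g. dashboard-salesforce.com
    if brands:
        return "medium", brands            # brand name on a foreign domain
    if lures and "-" in reg:
        return "review", lures             # ticket-<brand> style registration
    return None


def triage(hosts):
    """Classify each hostname and keep only the ones that matched."""
    return {h: r for h in hosts if (r := classify(h))}


if __name__ == "__main__":
    for host, (sev, why) in triage(SAMPLE).items():
        print(f"{sev:6} {host}  matched={','.join(why)}")
```

Matches are triage leads rather than verdicts; pairing them with domain age or first-seen data reduces noise from legitimate hyphenated domains.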