Icarus Threat Actor Expands Klue OAuth Breach with Salesforce Data Theft Attacks

What Happened

The Icarus threat actor group has significantly expanded its exploitation of the Klue OAuth token breach, pivoting from initial reconnaissance to full-scale Salesforce data theft. The group is replaying OAuth tokens obtained through the Klue breach to gain unauthorized access to victim organizations' Salesforce environments, and the victim list is growing as it systematically enumerates and exfiltrates data from the compromised instances.

Security researchers have observed the Icarus group using the stolen OAuth tokens as bearer credentials: a valid token is all the Salesforce API asks for, so the attacker never touches the interactive login, the password or MFA, and gains durable access to cloud-based CRM data including customer records, sales pipelines, and proprietary business intelligence. The attack is a dangerous form of supply chain compromise: a breach at a third-party platform (Klue) is weaponized to infiltrate entirely separate enterprise systems that had trusted it.

Attack Chain

The Icarus threat actor’s attack chain follows a multi-stage progression:

  1. Initial Access via Klue OAuth Breach: The attacker obtains valid OAuth tokens compromised through the Klue platform breach. Klue, a competitive intelligence platform, integrates with numerous enterprise SaaS applications, including Salesforce, through OAuth 2.0 authorization grants, so it held access and refresh tokens for every customer org that had authorized it.
  2. Token Enumeration and Validation: Stolen tokens are tried against the connected services to find the ones that are still live and to identify high-value targets; Salesforce integrations are prioritized because of the richness of CRM data. Validation is cheap: in Salesforce a single identity (userinfo) request reveals which org and which user a token belongs to.
  3. Salesforce API Pivoting: Valid tokens are presented as bearer credentials to the Salesforce REST and SOAP APIs. The attacker inherits exactly what the integration was granted: the token's scopes, bounded by the profile, permission sets and sharing rules of the user who authorized Klue. Where an administrator performed that authorization, this is effectively org-wide read access.
  4. Data Discovery and Exfiltration: The attacker runs SOQL queries, exports reports, and pulls standard objects (Accounts, Contacts, Leads, Opportunities) as well as custom objects. Data is exfiltrated in bulk through the ordinary query and Bulk API endpoints, so the traffic looks like a normal integration sync.
  5. Persistence and Lateral Movement: In some cases the attacker creates additional connected apps or API-only users so that access survives revocation of the original Klue token. This step is only possible when the compromised token belongs to a user with administrative permissions, which is another reason integrations should never be authorized from admin accounts. The attacker may also pivot to other services federated through the same identity provider.

Impact

OAuth Token Abuse

Compromised OAuth tokens are a critical security failure because a token is a bearer credential: whoever presents a valid token with the right scopes gets the protected resource, with no username, password or multi-factor prompt involved (those were satisfied once, when the user originally authorized Klue). The Icarus group is specifically targeting tokens with broad scopes, including api and refresh_token (in Salesforce, offline_access is an alias for the same refresh-token scope), which allow long-lived, persistent access: an access token dies with the session timeout, but a refresh token can be exchanged for new access tokens until it is revoked. One caveat on blast radius: the refresh flow also requires the connected app's client_id, and its client secret if the app enforces "Require Secret for Refresh Token Flow", so how much the stolen refresh tokens are worth depends on what else leaked alongside them.

Organizations that granted Klue extensive OAuth scopes, or authorized it from an administrator account, are at highest risk. Because the attacker holds valid tokens, nothing fails: failed-login alerts, lockout thresholds and MFA anomaly detections never fire. The intrusion is visible only in what the token does (API volume, objects queried, source IPs of the OAuth sessions), not in how it authenticated.

Salesforce Data Access

Through Salesforce API access, the attacker can:

  • Export complete customer and prospect databases (Accounts, Contacts, Leads)
  • Access sales pipeline data including Opportunities, Quotes, and Contracts
  • Retrieve proprietary competitive intelligence and pricing data
  • Download files and attachments stored in Salesforce
  • Access custom objects containing business-specific sensitive data
  • Query Chatter feeds and internal communications
  • Extract reports and dashboards revealing business strategy

The growing victim list indicates that the Icarus group is methodically working through the pool of compromised OAuth tokens, prioritizing organizations based on the value and volume of accessible Salesforce data.

Fix

Organizations that have used the Klue platform should take the following immediate remediation steps:

  1. Revoke the Klue Tokens: In Salesforce Setup, open Connected Apps OAuth Usage (via Quick Find), locate the Klue connected app and revoke its tokens for all users; revoking the refresh token also invalidates the access tokens issued from it. Then block the app, or edit its policies under Manage Connected Apps and set Permitted Users to "Admin approved users are pre-authorized" so it cannot be silently re-authorized. While on that page, look for connected apps you do not recognize: an attacker-created app appears in the same list.
  2. Audit Salesforce Login and API Activity: Login History (Setup) records every OAuth session as a "Remote Access 2.0" login together with the connected app name and source IP; filter on the Klue app and look for addresses and hours outside the vendor's normal pattern since the breach. To see what was read, use Event Monitoring's EventLogFile data (the API, RestApi, BulkApi and ReportExport event types) and look for high ROWS_PROCESSED counts against sensitive objects, long queryMore chains, report exports, and calls from unfamiliar addresses. The API request counter on Company Information shows volume only and cannot tell you which objects were pulled.
  3. Review Klue Connections: Audit all integrations and data-sharing configurations between Klue and your Salesforce environment. Record the OAuth scopes that were granted and which user authorized the app, because that user's profile, permission sets and sharing define everything the token could read; from that, assess what data was exposed.
  4. Reset Credentials and Rotate Secrets: If the Klue integration runs through a connected app your own org created, rotate its consumer key and secret and reconfigure it with the minimum scopes. If it uses Klue's own connected app, the client secret is Klue's to rotate; on your side, revoke now and re-authorize only after Klue confirms remediation, from a dedicated integration user with a restrictive permission set rather than an administrator. Reset any other API keys or credentials shared with Klue.
  5. Check for Persistence Mechanisms: Audit all connected apps, named credentials, auth providers, and API-only or integration users in Salesforce; disable or remove anything unrecognized. Review the Setup Audit Trail for administrative changes since the start of the breach window, in particular new connected apps, new users, permission set assignments, and changes to login IP ranges or session settings.
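The five steps above boil down to two questions an incident responder has to answer quickly: which tokens get revoked, and from when was the org exposed. The script below is an added example (not code from the original advisory or from Salesforce) that answers both from two SOQL results, one against the `OAuthToken` object and one against `LoginHistory`. The JSON documents are constructed to resemble the REST query endpoint's responses; the token Ids, usernames, connected-app inventory, vendor egress IPs and breach date are assumptions for the example.

```python
"""Plan OAuth token revocation and bound the exposure window after a third-party token breach.

Added example, not code from the original advisory or from Salesforce. The two JSON
documents are constructed to resemble the REST query endpoint's response to
  SELECT Id, AppName, User.Username, UseCount, LastUsedDate, CreatedDate FROM OAuthToken
  SELECT UserId, LoginTime, LoginType, SourceIp, Status, Application FROM LoginHistory
Token Ids, usernames, the app inventory, vendor IPs and the breach date are assumptions.
"""
import json
from datetime import datetime

OAUTH_TOKENS = json.loads("""{"totalSize": 4, "done": true, "records": [
  {"Id": "TOK-001", "AppName": "Klue", "User": {"Username": "crm.admin@example.com"},
   "UseCount": 4812, "LastUsedDate": "2024-06-05T03:14:00.000+0000", "CreatedDate": "2023-02-10T12:00:00.000+0000"},
  {"Id": "TOK-002", "AppName": "Slack", "User": {"Username": "sales.ops@example.com"},
   "UseCount": 900, "LastUsedDate": "2024-06-05T08:00:00.000+0000", "CreatedDate": "2023-09-01T09:30:00.000+0000"},
  {"Id": "TOK-003", "AppName": "Data Sync Helper", "User": {"Username": "crm.admin@example.com"},
   "UseCount": 37, "LastUsedDate": "2024-06-05T02:58:00.000+0000", "CreatedDate": "2024-06-04T02:41:00.000+0000"},
  {"Id": "TOK-004", "AppName": "Data Loader", "User": {"Username": "crm.admin@example.com"},
   "UseCount": 3, "LastUsedDate": "2024-06-04T03:20:00.000+0000", "CreatedDate": "2024-06-04T03:05:00.000+0000"}
]}""")

LOGIN_HISTORY = json.loads("""{"totalSize": 5, "done": true, "records": [
  {"UserId": "005000000000001", "LoginTime": "2024-06-03T09:00:10.000+0000", "LoginType": "Remote Access 2.0",
   "SourceIp": "203.0.113.10", "Status": "Success", "Application": "Klue"},
  {"UserId": "005000000000001", "LoginTime": "2024-06-03T16:42:00.000+0000", "LoginType": "Application",
   "SourceIp": "192.0.2.50", "Status": "Success", "Application": "Browser"},
  {"UserId": "005000000000001", "LoginTime": "2024-06-04T02:09:31.000+0000", "LoginType": "Remote Access 2.0",
   "SourceIp": "198.51.100.77", "Status": "Success", "Application": "Klue"},
  {"UserId": "005000000000001", "LoginTime": "2024-06-04T02:41:05.000+0000", "LoginType": "Remote Access 2.0",
   "SourceIp": "198.51.100.77", "Status": "Success", "Application": "Data Sync Helper"},
  {"UserId": "005000000000002", "LoginTime": "2024-06-04T08:00:00.000+0000", "LoginType": "Remote Access 2.0",
   "SourceIp": "192.0.2.5", "Status": "Success", "Application": "Slack"}
]}""")

APPROVED_APPS = {"Klue", "Slack", "Data Loader"}                  # assumption: pre-breach app inventory
COMPROMISED_APPS = {"Klue"}
BREACH_START = datetime.strptime("2024-06-01T00:00:00.000+0000", "%Y-%m-%dT%H:%M:%S.%f%z")
VENDOR_IPS = {"Klue": {"203.0.113.10"}, "Slack": {"192.0.2.5"}}  # assumption: documented vendor egress IPs


def parse_sf_ts(s):
    """Salesforce REST timestamps look like 2024-06-05T03:14:00.000+0000."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def tokens_to_revoke(tokens, approved=APPROVED_APPS, compromised=COMPROMISED_APPS, breach_start=BREACH_START):
    """Decide, per OAuthToken row, whether it must be revoked and why."""
    plan = []
    for t in tokens["records"]:
        app = t["AppName"]
        if app in compromised:
            reason = "issued to the breached integration"
        elif app not in approved:
            reason = "connected app not in inventory; possible attacker persistence"
        elif parse_sf_ts(t["CreatedDate"]) >= breach_start:
            # Approved app, but the grant was made inside the breach window by a user whose
            # token was exposed: treat it as attacker-made until someone owns up to it.
            reason = "approved app, but grant made after breach start; re-authorize deliberately"
        else:
            continue
        plan.append({"id": t["Id"], "app": app, "user": t["User"]["Username"], "reason": reason})
    return plan


def suspicious_oauth_logins(history, vendor_ips=VENDOR_IPS):
    """OAuth sessions ('Remote Access 2.0') from addresses the vendor does not use.

    Only successful logins matter: the attacker holds valid tokens, so there are no
    failures to alert on, which is exactly why failed-login monitoring misses this.
    """
    return [
        r for r in history["records"]
        if r["LoginType"] == "Remote Access 2.0" and r["Status"] == "Success"
        and r["SourceIp"] not in vendor_ips.get(r["Application"], set())
    ]


def exposure_by_app(plan, hits):
    """Join the revocation plan with suspicious sessions to bound the exposure window per app."""
    report = {}

    def entry(app):
        return report.setdefault(app, {"revoke": [], "suspicious_ips": set(), "first_suspicious_login": None})

    for p in plan:
        entry(p["app"])["revoke"].append(p["id"])
    for h in hits:
        e = entry(h["Application"])
        e["suspicious_ips"].add(h["SourceIp"])
        t = parse_sf_ts(h["LoginTime"])
        if e["first_suspicious_login"] is None or t < e["first_suspicious_login"]:
            e["first_suspicious_login"] = t
    return report


if __name__ == "__main__":
    plan = tokens_to_revoke(OAUTH_TOKENS)
    hits = suspicious_oauth_logins(LOGIN_HISTORY)
    for app, e in exposure_by_app(plan, hits).items():
        print(app, e)
```

Run against the constructed data, the plan revokes the Klue token, the unrecognized "Data Sync Helper" app that appeared during the breach window, and a Data Loader grant made in the same window by the same exposed user; Slack survives. The "Data Sync Helper" token was created half a minute after its first OAuth login from the same address as the suspicious Klue session, which is the persistence pattern step 5 describes. The actual revocation is done in Setup (Connected Apps OAuth Usage), since the `OAuthToken` object does not expose the token values themselves.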

Recommendations

  • Implement OAuth Token Lifecycle Management: Set a refresh token policy on each connected app (expire after a fixed period or after inactivity rather than "valid until revoked"), keep access token lifetime tied to a short session timeout, and require the client secret for the refresh token flow. Choose the expiry to match the sensitivity of the connected data.
  • Apply Principle of Least Privilege to OAuth Scopes: When integrating third-party applications, grant only the minimum OAuth scopes necessary for functionality, and avoid broad api or full scopes unless absolutely required. Authorize from a dedicated integration user with a least-privilege permission set, never from an administrator account, because a token can never read more than the user who granted it.
  • Deploy API Monitoring and Anomaly Detection: Implement real-time monitoring of Salesforce API usage with alerting on unusual patterns such as bulk data exports, high-volume SOQL queries, or API access from new geographic locations.
  • Conduct Third-Party Risk Assessment: Evaluate the security posture of all third-party platforms with OAuth integrations to your critical systems. Understand what data they can access and how they secure authentication tokens.
  • Enable Salesforce Event Monitoring: If licensed, enable Salesforce Event Monitoring (EventLogFile data and, with Shield, Real-Time Event Monitoring) to gain visibility into user activity, API usage, and data exfiltration attempts. Use Transaction Security Policies to alert on, or block, suspicious API and report-export events.
  • Establish an OAuth Token Inventory: Maintain a complete inventory of all OAuth integrations across your SaaS ecosystem, including granted scopes, token expiration dates, and business justification for each integration.
  • Develop an OAuth Incident Response Playbook: Create and test procedures for rapid token revocation, impact assessment, and forensic investigation in the event of a third-party breach affecting your organization.
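Both the log-audit step in the Fix section and the API monitoring recommendation above come down to the same detection logic: baseline what an integration normally reads and from where, then flag bulk reads of sensitive objects and sessions from unfamiliar addresses. The script below is an added example (not code from the original advisory or from Salesforce) that runs that logic over constructed rows shaped like a Salesforce EventLogFile of event type "API". The column names it reads are selected by header so they can be renamed to match a real export; the thresholds, baseline window and vendor IP list are assumptions to tune locally.

```python
"""Hunt for bulk CRM extraction and unfamiliar source IPs in Salesforce API event logs.

Added example, not code from the original advisory or from Salesforce. SAMPLE_LOG is
constructed to resemble rows from an EventLogFile of event type "API"; the columns read
(TIMESTAMP_DERIVED, USER_ID, CLIENT_IP, CLIENT_NAME, METHOD_NAME, ENTITY_NAME,
ROWS_PROCESSED) are selected by header name, so rename them here if your export differs.
Thresholds, the baseline window and the vendor IP list are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: one integration user whose token was granted to the "Klue" app.
# Day 1 is ordinary sync traffic from the vendor's address; on day 2 at 02:10 UTC the
# same token walks Account/Contact/Lead and a custom pricing object in bulk, in
# queryMore chains, from an address never seen before.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,CLIENT_NAME,API_TYPE,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED,REQUEST_STATUS
API,2024-06-03T09:00:12.000Z,005000000000001,203.0.113.10,Klue,E,query,Account,200,S
API,2024-06-03T09:05:40.000Z,005000000000001,203.0.113.10,Klue,E,query,Opportunity,150,S
API,2024-06-03T10:15:01.000Z,005000000000001,203.0.113.10,Klue,E,query,Account,180,S
API,2024-06-04T02:10:05.000Z,005000000000001,198.51.100.77,Klue,E,query,Account,2000,S
API,2024-06-04T02:11:09.000Z,005000000000001,198.51.100.77,Klue,E,queryMore,Account,2000,S
API,2024-06-04T02:12:14.000Z,005000000000001,198.51.100.77,Klue,E,queryMore,Account,2000,S
API,2024-06-04T02:13:20.000Z,005000000000001,198.51.100.77,Klue,E,query,Contact,2000,S
API,2024-06-04T02:14:30.000Z,005000000000001,198.51.100.77,Klue,E,queryMore,Contact,2000,S
API,2024-06-04T02:15:41.000Z,005000000000001,198.51.100.77,Klue,E,query,Lead,2000,S
API,2024-06-04T02:16:50.000Z,005000000000001,198.51.100.77,Klue,E,query,Pricing__c,1500,S
"""

SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "Quote", "Contract"}
ROWS_PER_HOUR_THRESHOLD = 5000                       # assumption: well above any normal hourly sync
BASELINE_END = datetime.strptime("2024-06-03T23:59:59.000Z", "%Y-%m-%dT%H:%M:%S.%f%z")
VENDOR_IPS = {"Klue": {"203.0.113.10"}}             # assumption: egress IPs documented by the vendor


def parse_rows(text):
    """Turn the CSV into dicts with typed timestamp and row count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "user": r["USER_ID"],
            "ip": r["CLIENT_IP"],
            "app": r["CLIENT_NAME"],
            "method": r["METHOD_NAME"],
            "entity": r["ENTITY_NAME"],
            "rows": int(r["ROWS_PROCESSED"] or 0),
        })
    return rows


def is_sensitive(entity):
    # Custom objects (suffix __c) count as sensitive by default: this campaign targets
    # business-specific data, not only the standard CRM objects.
    return entity in SENSITIVE_OBJECTS or entity.endswith("__c")


def bulk_extraction(rows, threshold=ROWS_PER_HOUR_THRESHOLD):
    """Flag (user, app, hour) buckets whose rows read from sensitive objects reach the threshold."""
    buckets = defaultdict(lambda: {"rows": 0, "by_entity": defaultdict(int), "ips": set()})
    for r in rows:
        if not is_sensitive(r["entity"]):
            continue
        key = (r["user"], r["app"], r["ts"].replace(minute=0, second=0, microsecond=0))
        b = buckets[key]
        b["rows"] += r["rows"]
        b["by_entity"][r["entity"]] += r["rows"]
        b["ips"].add(r["ip"])
    return [
        {"type": "bulk_extraction", "user": u, "app": a, "hour": h.isoformat(),
         "rows": b["rows"], "by_entity": dict(b["by_entity"]), "ips": sorted(b["ips"])}
        for (u, a, h), b in sorted(buckets.items()) if b["rows"] >= threshold
    ]


def new_source_ips(rows, baseline_end=BASELINE_END, vendor_ips=VENDOR_IPS):
    """Flag per-app source IPs neither documented by the vendor nor seen during the baseline window."""
    known = defaultdict(set)
    for app, ips in vendor_ips.items():
        known[app] |= ips
    for r in rows:
        if r["ts"] <= baseline_end:
            known[r["app"]].add(r["ip"])
    first_seen = {}
    for r in rows:
        if r["ts"] > baseline_end and r["ip"] not in known[r["app"]]:
            first_seen.setdefault((r["app"], r["ip"]), r["ts"])
    return [
        {"type": "new_source_ip", "app": app, "client_ip": ip, "first_seen": ts.isoformat()}
        for (app, ip), ts in sorted(first_seen.items(), key=lambda kv: kv[1])
    ]


def hunt(rows):
    return bulk_extraction(rows) + new_source_ips(rows)


if __name__ == "__main__":
    for finding in hunt(parse_rows(SAMPLE_LOG)):
        print(finding)
```

On the constructed log the baseline day never exceeds a few hundred rows per hour, while the 02:00 UTC bucket on the second day totals 13,500 rows across Account, Contact, Lead and Pricing__c from 198.51.100.77, an address neither documented by the vendor nor seen before; both findings fire, and nothing fires for the vendor's own address. In production, feed the same functions the daily API event files and keep the baseline window to the period before the breach began.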

References: BleepingComputer