When most people think about phishing, they picture a fake login page harvesting credentials. Device code phishing doesn’t work that way. There’s no spoofed domain. No credential harvesting. No malware. The victim authenticates against real Microsoft infrastructure, completes their MFA challenge, and hands an attacker a fully valid Bearer token — all without knowing anything unusual happened. ...
If you haven’t read the threat intelligence breakdown of the ShinyHunters Salesforce campaign, start there. This article assumes you know what happened and focuses on what to do about it. ...
ShinyHunters didn’t hack Salesforce. That distinction matters. Across three separate campaigns spanning mid-2025 through early 2026, the group — tracked by security researchers as UNC6040 and UNC6395 — systematically exploited how organizations configure, connect, and authenticate into Salesforce. The platform’s infrastructure was never the vulnerability. The integrations, the OAuth flows, and the guest user permissions were. ...