The Billion-Dollar Phone Call

Show Notes

Summary:

This episode breaks down the ShinyHunters social engineering campaign that breached Google, Adidas, Louis Vuitton, and more—without malware or exploits. The attackers used voice-based social engineering to trick employees into authorizing a malicious Salesforce app via an 8-digit code, then leveraged cloud integrations to pivot into Microsoft 365 for deeper access.

Defensive Actions:

• Audit Salesforce access — Restrict to employees who absolutely need it.
• Review and limit connected apps — Disable unused integrations and verify all app authorizations.
• Train staff regularly — Teach employees to verify IT requests and recognize social engineering calls.
• Enable MFA everywhere — Apply multi-factor authentication to Salesforce, Microsoft 365, and all connected services.
• Monitor app authorizations — Use Salesforce audit logs and Microsoft 365 Cloud App Security to detect suspicious connections.

Files, Folders, Tools & Configurations:

• In Salesforce: Check Setup > Connected Apps for unknown integrations.
• In Microsoft 365: Review Azure AD Enterprise Applications for suspicious OAuth connections.
• Use CASB (Cloud Access Security Broker) to monitor and block risky cloud app connections.
• Enable logging for Salesforce Data Loader usage and large data export events.

Thanks for spending a few minutes on the CyberBrief Project.

If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.

You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.

And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support

Your support means a lot.

See you in the next one, and thank you for listening.