Back to Intelligence

Icarus Threat Actor: Detecting Klue OAuth Breach and Salesforce Data Exfiltration

SA
Security Arsenal Team
June 19, 2026
6 min read

Security Arsenal is actively tracking an ongoing extortion campaign attributed to the 'Icarus' threat actor, which targets organizations relying on the Klue market intelligence platform. A confirmed breach of Klue's OAuth implementation has provided attackers with privileged access to connected Salesforce CRM environments.

This is not a theoretical risk; active data theft is occurring. Because the abuse occurs via a legitimate, trusted OAuth connection, traditional perimeter defenses (firewalls, WAFs) are effectively blind. Defenders must treat this as a compromised identity incident, pivoting immediately to SaaS audit logs and OAuth token management to contain the exposure.

Technical Analysis

Affected Platforms: Salesforce CRM (Production and Sandbox environments utilizing the Klue Connected App).

Vulnerability/Weakness: Compromised OAuth Refresh Token / Client Secret.

While no specific CVE is assigned to this incident (it is a breach of protocol implementation rather than a software flaw in Salesforce or Klue code), the attack vector relies on the abuse of the OAuth 2.0 Authorization Code flow. The 'Icarus' actors obtained valid OAuth tokens (likely refresh tokens) associated with the Klue-Salesforce integration. This allows them to authenticate silently as the Klue application, bypassing MFA requirements typically enforced on human users.

Attack Chain:

  1. Initial Access: Threat actors leverage the compromised Klue OAuth token to authenticate to the Salesforce API.
  2. Discovery: The actor queries the Salesforce DescribeGlobal and DescribeSObject APIs to map the target organization's data schema.
  3. Collection: Large-scale SOQL (Salesforce Object Query Language) queries are executed, specifically targeting high-value objects such as Opportunity, Account, Contact, and Lead.
  4. Exfiltration: Data is pulled via API responses, likely to an infrastructure controlled by 'Icarus'.
  5. Extortion: Victims are contacted with proof of data theft to facilitate extortion.

Exploitation Status: Confirmed Active. Multiple organizations report receiving extortion threats containing samples of their proprietary CRM data.

Detection & Response

Defenders must hunt for anomalies within Salesforce Event Monitoring logs and Cloud Access Security Broker (CASB) telemetry. The key indicators are unusually high data export volumes or querying activity attributed specifically to the 'Klue' Connected App user context.

Sigma Rules

The following rules target anomalous API usage patterns associated with the OAuth breach context. Note that these assume ingestion of Salesforce Event Logs or equivalent Cloud App Security logs.

YAML
---
title: High Volume Salesforce API Access by Klue Connected App
id: 8a2b3c4d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
status: experimental
description: Detects unusually high API usage from the Klue integration, indicative of bulk data exfiltration by the Icarus threat actor.
references:
  - https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  product: cloud
  service: salesforce
detection:
  selection:
    Application|contains: 'Klue'
    EventType|contains: 'Api'
  condition: selection | count() > 1000
  timeframe: 1h
falsepositives:
  - Legitimate bulk reporting or synchronization tasks during scheduled maintenance windows
level: high
---
title: Salesforce Data Export via Klue Integration
id: 9b3c4d5e-2f3g-4b5c-6d7e-8f9a0b1c2d3e
status: experimental
description: Detects attempts to export or query all data in Salesforce objects using the Klue OAuth context.
references:
  - https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1005
logsource:
  product: cloud
  service: salesforce
detection:
  selection:
    Application|contains: 'Klue'
    EventDataType: 'Export'
  filter:
    UserId|contains: 'system' # Filter out automated system exports if necessary
  condition: selection and not filter
falsepositives:
  - Authorized administrative backups or data migrations performed by Klue support
level: critical

KQL (Microsoft Sentinel)

This query hunts for bulk data exfiltration patterns in Salesforce logs, specifically filtering for the Klue application context and SOQL query operations.

KQL — Microsoft Sentinel / Defender
SalesforceAuditLogs
| where ApplicationDisplayName contains "Klue"
| where Operation == "Query" or Operation == "Export" or Operation == "Retrieve"
| project TimeGenerated, User, ApplicationDisplayName, Operation, SourceIpAddress, RequestId
| summarize Count = count(), distinctIps = dcount(SourceIpAddress) by bin(TimeGenerated, 1h), User, Operation
| where Count > 50 // Threshold depends on org size, tune appropriately
| order by Count desc

Velociraptor VQL

This artifact hunts for endpoint processes that may be interacting with Salesforce APIs. If the OAuth token was stolen and is being used from a compromised internal host (e.g., via a script), this VQL will identify suspicious automation tools (Python, curl) connecting to Salesforce domains.

VQL — Velociraptor
-- Hunt for processes connecting to Salesforce domains
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name IN ('python.exe', 'python3.exe', 'curl.exe', 'powershell.exe', 'pwsh.exe')
  AND (
    CommandLine =~ 'salesforce' 
    OR CommandLine =~ 'force.com' 
    OR CommandLine =~ 'my.salesforce'
  )

Remediation Script (PowerShell)

While the primary fix requires revoking the OAuth token in the Salesforce Admin Console, this script assists in identifying internal hosts that may be actively connected to Salesforce infrastructure, aiding in scope containment.

PowerShell
# Check for active TCP connections to Salesforce IP ranges on the local host
# Note: This helps identify endpoints currently syncing data, which may need immediate isolation.

Get-NetTCPConnection -State Established | 
Where-Object { 
    $_.RemoteAddress -match '^13\.110\.' -or 
    $_.RemoteAddress -match '^96\.43\.' -or 
    $_.RemoteAddress -match '^204\.14\.' 
} | 
Select-Object @{Name='ProcessName';Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}, 
              @{Name='PID';Expression={$_.OwningProcess}}, 
              LocalAddress, LocalPort, RemoteAddress, RemotePort, State | 
Format-Table -AutoSize

Remediation

  1. Immediate Token Revocation:

    • Log in to your Salesforce Setup interface.
    • Navigate to App Manager.
    • Locate the 'Klue' Connected App.
    • Revoke all active OAuth sessions for this application immediately. Do not merely disconnect users; you must invalidate the refresh tokens held by the attacker.
  2. Rotate Client Secrets:

    • If your Klue integration utilizes a Client ID/Secret flow (JWT bearer flow, etc.), rotate the Client Secret in the Klue application configuration immediately.
  3. Audit User Access:

    • Review the 'Login History' in Salesforce for any logins attributed to the Klue integration user or application from geolocations inconsistent with Klue's hosting infrastructure.
  4. Contact Vendor:

    • Engage Klue support to confirm the scope of their breach and obtain a timeline of the compromise. Verify if the vendor has rotated their own signing keys.
  5. Data Assessment:

    • Work with your legal and compliance teams to assess the sensitivity of the data accessible to the Klue integration. Assume that data within the scope of the integration's permissions has been exfiltrated.
  6. Least Privilege Review:

    • Reduce the API access scopes (OAuth Scopes) granted to the Klue application. If it only needs to read 'Competitor' data, ensure it does not have 'Full Access' to 'Opportunity' objects.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionoauth-breachsalesforceklue

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.