Back to Intelligence

Klue OAuth Breach: Detecting Icarus Group Salesforce Token Theft

SA
Security Arsenal Team
June 20, 2026
6 min read

Klue, a market intelligence platform, has confirmed a significant security incident involving the theft of OAuth tokens used to integrate with customer Salesforce environments. The newly emerged "Icarus" extortion group has claimed responsibility for the breach.

For defenders, this is a critical wake-up call regarding the risks of SaaS-to-SaaS integrations. When an OAuth token is compromised—whether via a third-party platform like Klue or direct phishing—it grants the attacker persistent, often privileged, access to your cloud environment without needing the user's credentials or passing MFA prompts again. If your organization uses Klue, you must assume the integration token is currently in the hands of an adversary and act immediately to revoke access and audit your Salesforce instance for data exfiltration.

Technical Analysis

Affected Platforms:

  • Primary: Klue (SaaS Platform)
  • Secondary: Salesforce (Customer Data Environment)

Vulnerability / Attack Mechanism: This incident is not a CVE-based software flaw in the traditional sense, but rather a compromise of the application's security posture allowing for the exfiltration of OAuth refresh_token or access_token strings.

  • The Attack Vector: Threat actors compromised the Klue platform infrastructure or application logic, allowing them to locate and extract OAuth authorization tokens. These tokens are used by Klue to read/write data to the customer's Salesforce CRM (e.g., to push competitive intelligence data).
  • The Impact: With a valid OAuth token, the Icarus group can authenticate to the victim's Salesforce instance as the "Klue Connected App." Depending on the scopes granted during integration (which often include read/write access to Leads, Opportunities, and Accounts), the attackers can perform extensive data theft.
  • Exploitation Status: Confirmed Active. The Icarus group is actively claiming responsibility and victims are reporting unauthorized access.

Detection & Response

Detecting this breach requires a shift in focus from endpoint malware to identity and SaaS usage analytics. Since the attacker holds a valid token, they authenticate legitimately. You must hunt for anomalies in the context of the authentication—specifically, the source of the connection and the volume of data accessed.

SIGMA Rules

These rules focus on detecting the usage of the compromised tokens. If the attackers use the token via a script or tooling rather than a browser, or if they attempt to pivot to a workstation to use the token, these behaviors become visible.

YAML
---
title: Potential Salesforce API Access via Non-Browser Process
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects processes other than web browsers making network connections to Salesforce domains. This may indicate the use of a stolen OAuth token via scripting tools or API clients.
references:
  - https://attack.mitre.org/techniques/T1078/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.valid_accounts
  - attack.t1078.004
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - '.salesforce.com'
      - '.force.com'
      - '.cloudforce.com'
  filter_legit_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
      - '\brave.exe'
  condition: selection and not filter_legit_browsers
falsepositives:
  - Legitimate Salesforce for Outlook or other approved integrations (e.g., Data Loader)
level: medium
---
title: PowerShell Suspicious Web Request to Salesforce
id: 9c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects PowerShell scripts attempting to connect to Salesforce APIs, which could indicate an attacker using a stolen token for manual data exfiltration or reconnaissance.
references:
  - https://attack.mitre.org/techniques/T1059/001
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'salesforce'
      - 'force.com'
      - 'Invoke-RestMethod'
  condition: selection
falsepositives:
  - Administrators running approved management scripts
level: high

KQL (Microsoft Sentinel)

This query hunts for anomalies in Salesforce logs ingested via the Salesforce connector or generic logs. It focuses on the "Klue" Connected App and looks for high-volume data export or access from new IP ranges.

KQL — Microsoft Sentinel / Defender
// Hunt for anomalous usage of the Klue Connected App in Salesforce
let KlueApp = "Klue"; // Verify exact Connected App name in your Salesforce Setup
let HighVolumeThreshold = 1000; // Adjust based on baseline usage
SFDC_EventLog
| where Application == KlueApp
| summarize count() by SourceIpAddress, User, EventType, bin(TimeGenerated, 1h)
| where count_ > HighVolumeThreshold
| extend Tail线索 = "High volume activity from Klue Connected App"
| project-away count_

Velociraptor VQL

This VQL artifact hunts for established network connections to Salesforce infrastructure on endpoints, which can help identify if a compromised token is being utilized from a corporate workstation rather than the expected cloud service IP.

VQL — Velociraptor
-- Hunt for active connections to Salesforce infrastructure
SELECT Fd.Address, Fd.Port, P.Pid, P.Name, P.Cmdline, Fd.State
FROM listen_fds(version=4) AS Fd
JOIN pslist() AS P
WHERE Fd.Address =~ '\.(salesforce|force|cloudforce)\.com'
   OR Fd.Address IN ip_range(start='13.108.0.0', end='13.111.255.255') // Example Salesforce subnet range

Remediation Script (PowerShell)

WARNING: This script uses the Salesforce Developer Tools (sf CLI) to audit sessions. Ensure you have the sf CLI installed and authenticated with a System Administrator account before running. This script helps identify active sessions associated with the Klue integration so they can be revoked.

PowerShell
# requires -Modules @{ModuleName="sf"; ModuleVersion="2.0.0"}
<#
.SYNOPSIS
    Audits and lists active OAuth sessions for the Klue Connected App.
.DESCRIPTION
    This utility retrieves all active sessions for the connected app named 'Klue'.
    It outputs the SessionId and UserType to facilitate manual revocation via the Salesforce UI or API.
#>

$ConnectedAppName = "Klue"

Write-Host "[+] Querying Salesforce for active sessions on Connected App: $ConnectedAppName"

try {
    # Using sf CLI to query OAuthSessions (Requires API access)
    # Adjust the SOQL query based on your specific Salesforce API version and schema
    $sessions = sf data query --query "SELECT Id, UserId, UserType, LastModifiedDate, Application FROM OAuthSession WHERE Application = '$ConnectedAppName'" -- | ConvertFrom-Json
    
    if ($sessions.result.totalSize -gt 0) {
        Write-Host "[!] ALERT: Found $($sessions.result.totalSize) active sessions for $ConnectedAppName."
        $sessions.result.records | Format-Table Id, UserType, LastModifiedDate -AutoSize
        Write-Host "[ACTION REQUIRED]: Please revoke these sessions immediately via Salesforce Setup -> Session Management."
    } else {
        Write-Host "[+] No active sessions found for $ConnectedAppName."
    }
}
catch {
    Write-Error "[-] Error querying Salesforce API. Ensure 'sf' CLI is installed and authenticated."
    Write-Error $_.Exception.Message
}

Remediation

  1. Revoke OAuth Tokens Immediately:

    • Log in to your Salesforce instance as a System Administrator.
    • Navigate to Setup -> App Manager.
    • Locate the Klue Connected App.
    • Click Edit and then select Revoke All OAuth Tokens for this application. This invalidates the stolen keys immediately.

  2. Rotate Client Secrets:

    • If your organization manages the Klue integration configuration, rotate the Client Secret used in the OAuth flow.

  3. Audit Data Access:

    • Review the Salesforce Event Log File for the date range of the breach (specifically looking at EventIdentifier like ExportData, ReportRun, or Login events attributed to the Klue app) to determine what data was accessed or exfiltrated.

  4. Restrict Integration Scope:

    • When re-establishing the connection with Klue, ensure the OAuth scopes requested are minimized (Least Privilege). Does Klue need "Modify All Data" or just "Read" on specific objects?

  5. Vendor Coordination:

    • Follow Klue’s official security advisory for any required patches or configuration changes on their platform before re-enabling the integration.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfiroauth-abusesalesforceklue

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action