
ShinyHunters Breaches: Identity and SaaS Security Hardening Guide

Security Arsenal Team
June 22, 2026

The recent wave of ShinyHunters breaches has sent a clear message to the cybersecurity community: the days of relying solely on vulnerability management to stop data theft are over. These threat actors are orchestrating massive data exfiltration campaigns without deploying a single line of malicious code or exploiting a zero-day vulnerability. Instead, they are leveraging valid credentials and misconfigured SaaS platforms. For defenders, this shifts the battlefield from patch management to identity hygiene and data access governance.

Introduction

SecurityWeek's analysis of the latest ShinyHunters activity confirms a disturbing trend: modern attackers are bypassing traditional perimeter defenses by abusing legitimate access. By utilizing credentials obtained via initial access brokers or infostealers, ShinyHunters logs into corporate SaaS environments (such as Snowflake, Salesforce, or cloud storage buckets) with the same privileges as a legitimate administrator. The result is catastrophic data loss that triggers zero malware alerts and evades standard EDR solutions. Defenders must accept that identity is the new perimeter, and valid credentials are now the most dangerous exploit kit.

Technical Analysis

Threat Actor: ShinyHunters
Attack Vector: Credential Abuse, SaaS Misconfiguration, and Session Hijacking
Primary Target: Cloud databases, data warehouses (e.g., Snowflake), and SaaS CRM platforms
CVE Status: N/A (this campaign relies on valid credentials and identity federation flaws, not software exploits)

The Attack Chain

  1. Initial Access: ShinyHunters typically purchases valid credentials from infostealer logs (e.g., RedLine, Vidar) or leverages previously leaked session cookies. In many recent cases, credentials were harvested from corporate devices infected with information-stealing malware months prior to the breach.
  2. Authentication: The attacker authenticates to the target SaaS platform through the legitimate web interface or with API keys. Because the credentials are valid, MFA is sidestepped wherever it is not enforced, or wherever stolen session cookies can be replayed in place of a fresh login.
  3. Discovery & Data Aggregation: Once inside, the actor enumerates accessible databases and storage buckets. They do not exploit software vulnerabilities; they abuse the level of access assigned to the compromised account. In many instances, service accounts with excessive privileges were the entry point.
  4. Exfiltration: Data is extracted using standard API calls (e.g., SELECT * statements in SQL interfaces) or legitimate bulk export features. This traffic appears as normal business operations, making DLP detection difficult.

Exploitation Status: Confirmed active. ShinyHunters is currently scraping data from exposed environments.

Detection & Response

Detecting these attacks requires a shift from looking for "malicious" files to looking for "anomalous but authorized" behavior. Defenders must hunt for impossible travel, massive data volumes accessed via API, and the use of administrative tools from unusual endpoints.

SIGMA Rules

YAML
---
title: Potential ShinyHunters Data Exfil via Cloud Storage API
id: 9a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential massive data exfiltration from cloud storage (AWS S3 via CloudTrail) by a single user identity, indicative of bulk scraping activity seen in ShinyHunters campaigns.
references:
  - https://attack.mitre.org/techniques/T1530/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.exfiltration
  - attack.t1530
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: 's3.amazonaws.com'
    eventName|contains: 'GetObject'
  filter_identity:
    # Count only human and role identities; AWS service principals generate benign bulk reads
    userIdentity.type:
      - 'IAMUser'
      - 'AssumedRole'
  timeframe: 5m
  # Aggregate per identity (ARN), not per source IP: one principal reading >1000 objects in 5 minutes
  condition: selection and filter_identity | count() by userIdentity.arn > 1000
falsepositives:
  - Legitimate large data backups or migrations
level: high
---
title: SaaS Admin Console Login from New Device
id: 0e9f8a7b-6c5d-4e3f-2a1b-0c9d8e7f6a5b
status: experimental
description: Detects successful logins to sensitive SaaS admin consoles (Okta, Entra ID) from a device ID not seen in the last 30 days, indicative of credential stuffing or session hijacking.
references:
  - https://attack.mitre.org/techniques/T1078/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1078.004
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    AppDisplayName|contains:
      - 'Okta'
      - 'Azure Portal'
      - 'Microsoft Admin Portal'
    ResultType: 0
  filter_known_device:
    # Placeholder: populate at conversion time from a lookup of device IDs seen in the last 30 days
    # (Sigma itself has no lookup-table operator, so the backend must supply the list)
    DeviceDetail.deviceId:
      - 'known_device_id_list_placeholder'
  condition: selection and not filter_known_device
falsepositives:
  - Admins replacing corporate laptops or using new personal devices for approval
level: medium
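As an added example (not part of the original post), the aggregation logic of the first Sigma rule implemented in Python over constructed CloudTrail-style events: a per-identity sliding window counts GetObject calls, expires entries older than the 5-minute timeframe, applies the identity-type filter, and alerts once any one ARN exceeds 1000 calls. The event shape, ARNs and IPs are constructed samples.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Mirrors the first Sigma rule: >1000 S3 GetObject calls by one IAMUser/AssumedRole within 5 minutes
THRESHOLD = 1000
TIMEFRAME = timedelta(minutes=5)
COUNTED_IDENTITY_TYPES = {"IAMUser", "AssumedRole"}

def cloudtrail_event(ts, name, identity_type, arn, ip="198.51.100.7"):
    # Minimal CloudTrail-shaped record (constructed sample, not real log data)
    return {"eventTime": ts, "eventName": name, "eventSource": "s3.amazonaws.com",
            "userIdentity": {"type": identity_type, "arn": arn}, "sourceIPAddress": ip}

def bulk_getobject_alerts(events, threshold=THRESHOLD, timeframe=TIMEFRAME):
    """Return {arn: eventTime at which that identity first exceeded `threshold` calls in one window}."""
    windows = defaultdict(deque)   # per-identity timestamps still inside the sliding window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        # 'selection' part of the rule: GetObject against S3
        if "GetObject" not in ev["eventName"] or ev["eventSource"] != "s3.amazonaws.com":
            continue
        # 'filter' part: count human and role identities, not AWS service principals
        if ev["userIdentity"]["type"] not in COUNTED_IDENTITY_TYPES:
            continue
        arn = ev["userIdentity"]["arn"]
        win = windows[arn]
        win.append(ev["eventTime"])
        while ev["eventTime"] - win[0] > timeframe:   # expire calls older than the timeframe
            win.popleft()
        if len(win) > threshold and arn not in alerts:
            alerts[arn] = ev["eventTime"]
    return alerts

def sample_events():
    """Constructed scenario: a scraping role, a slow legitimate user and an AWS service principal."""
    base = datetime(2026, 6, 1, 9, 0, 0)
    scraper = "arn:aws:sts::111122223333:assumed-role/DataAnalyst/session"
    slow_user = "arn:aws:iam::111122223333:user/backup-operator"
    service = "arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForBackup/x"
    events = []
    for i in range(1200):
        # scraper: 1200 calls in 4 minutes -> alert; slow_user: one call every 3 s -> about 100 per 5 minutes
        events.append(cloudtrail_event(base + timedelta(milliseconds=200 * i), "GetObject", "AssumedRole", scraper))
        events.append(cloudtrail_event(base + timedelta(seconds=3 * i), "GetObject", "IAMUser", slow_user))
        # the same burst from a service identity is dropped by the identity filter
        events.append(cloudtrail_event(base + timedelta(milliseconds=200 * i), "GetObject", "AWSService", service))
    return events
```

Running `bulk_getobject_alerts(sample_events())` reports only the DataAnalyst role, which crosses the threshold at 09:03:20; the slow user never holds more than about 100 calls in any window and the service principal is filtered out.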

KQL (Microsoft Sentinel)

This query flags sign-in bursts to SaaS platforms and accounts that sign in from more than one location within a five-minute bucket, a coarse "impossible travel" signal. Sign-in logs do not record data volume; the amount of data actually pulled must be correlated in the SaaS platform's own access logs.

KQL — Microsoft Sentinel / Defender
// Hunt for sign-in bursts and multi-location sign-ins to SaaS platforms that may indicate scraping with stolen credentials
let HighVolumeThreshold = 1000;
let SaaSApps = dynamic(["Snowflake", "Salesforce", "ServiceNow", "AWS"]);
SigninLogs
| where AppDisplayName has_any (SaaSApps)
| where ResultType == "0"
| summarize Count = count(), IPs = make_set(IPAddress), Locations = make_set(Location), DistinctLocations = dcount(Location)
    by UserPrincipalName, AppDisplayName, bin(TimeGenerated, 5m)
| where Count > HighVolumeThreshold or DistinctLocations > 1
| project TimeGenerated, UserPrincipalName, AppDisplayName, Count, DistinctLocations, IPs, Locations
| order by Count desc
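As an added example (not from the original post), a proper impossible-travel check in Python over constructed SigninLogs-style records: consecutive successful sign-ins by the same user are compared by great-circle distance and elapsed time, failed sign-ins are ignored, and nearby IP changes are not treated as travel. It assumes each record has been geo-enriched with Latitude/Longitude (constructed field names here; real SigninLogs carry coordinates under LocationDetails).

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0   # faster than an airliner: two sign-ins cannot both be the same person
NEARBY_KM = 50.0        # different egress IPs inside one metro area are not travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(signins, max_speed_kmh=MAX_SPEED_KMH):
    """Return [(user, from_location, to_location, speed_kmh)] for consecutive successful
    sign-ins by one user that would require travelling faster than max_speed_kmh."""
    findings, last_seen = [], {}
    for ev in sorted(signins, key=lambda e: e["TimeGenerated"]):
        if ev["ResultType"] != 0:
            continue                      # failed sign-ins prove nothing about where the user is
        user = ev["UserPrincipalName"]
        prev, last_seen[user] = last_seen.get(user), ev
        if prev is None or prev["IPAddress"] == ev["IPAddress"]:
            continue
        dist = haversine_km(prev["Latitude"], prev["Longitude"], ev["Latitude"], ev["Longitude"])
        if dist < NEARBY_KM:
            continue
        hours = (ev["TimeGenerated"] - prev["TimeGenerated"]).total_seconds() / 3600.0
        speed = dist / hours if hours > 0 else float("inf")   # simultaneous distant sign-ins: infinite speed
        if speed > max_speed_kmh:
            findings.append((user, prev["Location"], ev["Location"], round(speed)))
    return findings

def sample_signins():
    """Constructed SigninLogs-style records (not real data) with the fields the query above uses."""
    def ev(user, ts, result, ip, location, lat, lon):
        return {"UserPrincipalName": user, "TimeGenerated": datetime.fromisoformat(ts), "ResultType": result,
                "IPAddress": ip, "Location": location, "Latitude": lat, "Longitude": lon}
    return [
        # alice: Frankfurt at 09:00, then a successful sign-in from Sao Paulo 30 minutes later (about 9,800 km)
        ev("alice@example.com", "2026-06-01T09:00:00", 0, "203.0.113.10", "DE/Frankfurt", 50.11, 8.68),
        ev("alice@example.com", "2026-06-01T09:30:00", 0, "198.51.100.77", "BR/Sao Paulo", -23.55, -46.63),
        # bob: Frankfurt, then Berlin three hours later (about 420 km); a failed attempt from abroad is ignored
        ev("bob@example.com", "2026-06-01T09:00:00", 0, "203.0.113.10", "DE/Frankfurt", 50.11, 8.68),
        ev("bob@example.com", "2026-06-01T10:00:00", 50126, "192.0.2.200", "BR/Sao Paulo", -23.55, -46.63),
        ev("bob@example.com", "2026-06-01T12:00:00", 0, "203.0.113.55", "DE/Berlin", 52.52, 13.41),
    ]
```

`impossible_travel(sample_signins())` returns a single finding for alice at roughly 19,600 km/h; bob's Frankfurt-to-Berlin move is well under the speed limit, and his failed attempt from abroad is never used as a location.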

Velociraptor VQL

This artifact hunts for running cloud management CLI tools (AWS CLI, Azure CLI, SnowSQL) on endpoints where they should not typically run; attackers favour them for faster data scraping. Because pslist() only sees live processes, pair it with execution-history artifacts (Prefetch, Amcache) to find past runs.

VQL — Velociraptor
-- Hunt for running cloud CLI tools used for data scraping.
-- Note: =~ is a regex match in VQL, so patterns are anchored to avoid matching unrelated binaries.
SELECT Name, CommandLine, Pid, Username, Exe
FROM pslist()
WHERE Name =~ '(?i)^(aws|az|sf|snowsql)[.](exe|cmd)$'
   OR CommandLine =~ '(?i)s3 (cp|sync)'
   OR CommandLine =~ '(?i)snowsql'

Remediation Script (PowerShell)

This script audits Entra ID (Azure AD) for users who have no strong authentication method (MFA) registered beyond their password, a common entry point for ShinyHunters.

PowerShell
# Audit Entra ID (Azure AD) for users lacking strong authentication methods (MFA)
# Requires the MS Graph PowerShell module: Install-Module Microsoft.Graph
# Note: StrongAuthenticationDetail belonged to the retired MSOnline module; Graph exposes
# registered methods through Get-MgUserAuthenticationMethod instead.

Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

$Users = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName

Write-Host "Auditing users for registered MFA methods..." -ForegroundColor Cyan

foreach ($User in $Users) {
    # Every user has a password method; anything else counts as a registered MFA method
    $Methods = Get-MgUserAuthenticationMethod -UserId $User.Id
    $MFAMethods = $Methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    }
    if (-not $MFAMethods) {
        Write-Host "[ALERT] User: $($User.UserPrincipalName) has NO MFA methods registered." -ForegroundColor Red
    } else {
        $Types = ($MFAMethods | ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' }) -join ', '
        Write-Host "[OK] User: $($User.UserPrincipalName) has MFA: $Types" -ForegroundColor Green
    }
}

Write-Host "Audit complete. Review users marked ALERT." -ForegroundColor Cyan

Remediation

To neutralize the threat posed by ShinyHunters and similar identity-focused actors, organizations must implement the following controls immediately:

  1. Enforce Phishing-Resistant MFA: Disable SMS and voice call-based MFA. Implement FIDO2/WebAuthn or Certificate-Based Authentication. Attackers easily bypass SMS 2FA via SIM swapping or social engineering.

  2. Implement Just-In-Time (JIT) Access: Remove standing admin privileges for cloud and SaaS environments. Use Privileged Identity Management (PIM) or similar tools to require elevation requests only when necessary.

  3. Revoke and Rotate Service Account Keys: Treat service account keys (API keys, access tokens) as high-value targets. Audit all service accounts in AWS, Azure, and SaaS platforms. Rotate keys immediately if any compromise is suspected.

  4. Disable Legacy Authentication Protocols: Ensure legacy protocols (IMAP, POP3, SMTP Auth), which generally cannot enforce MFA, are disabled for all users unless strictly business critical.

  5. Geo-Blocking and Conditional Access: Configure Conditional Access policies to block sign-ins from countries where your organization has no operations. Require compliant device status for admin access.

  6. Session Monitoring: Deploy tools that monitor session duration and concurrent sessions. ShinyHunters often maintains persistence by keeping sessions alive for weeks.
