
Supply Chain Attack: Detecting Klue OAuth Token Abuse and Salesforce Compromise

Security Arsenal Team
June 23, 2026

A significant supply chain attack has surfaced involving Klue, a business intelligence platform, which was breached; the OAuth tokens Klue held were then used to access Salesforce environments. At least four cybersecurity firms have confirmed compromise. Attackers abused the trusted Klue-Salesforce integration to bypass traditional perimeter defenses, accessing sensitive competitive intelligence and customer data via valid OAuth tokens.

For defenders, this highlights the critical risk of "SaaS-to-SaaS" supply chains. When you authorize a third-party application like Klue, you grant it a set of OAuth permissions (scopes). If that vendor is compromised, those tokens become a skeleton key for your environment. This is not a vulnerability in a binary to be patched; it is a failure of trust architecture. Immediate audit of OAuth grants and anomalous SaaS access is required.

Technical Analysis

Affected Products:

  • Salesforce: Used as the primary identity and data repository.
  • Klue: The compromised third-party integration connecting to Salesforce.

Attack Mechanics:

  • Vector: Initial access was gained through the compromise of Klue’s infrastructure.
  • Mechanism: The attackers exfiltrated OAuth refresh tokens or session tokens that Klue used to interface with client Salesforce instances.
  • Exploitation: Using these stolen tokens, attackers authenticated to the victims' Salesforce organizations as the "Klue" Connected App. Because MFA is enforced when a token is issued, not when it is presented, a valid token issued by the Identity Provider (IdP) was accepted without any further MFA prompt.
  • Impact: Unauthorized access to CRM data, potential pivot to other integrated SaaS platforms, and data exfiltration.

Exploitation Status:

  • Confirmed Active Exploitation: Multiple cybersecurity firms have reported intrusions linked to this specific supply chain event.
  • CVE: None. This is an abuse of authentication flows (OAuth), not a software vulnerability requiring a CVE patch.

Detection & Response

Detecting this attack requires shifting focus from endpoint malware to Identity and SaaS logs. You are looking for the legitimate "Klue" application performing actions that are contextually anomalous (e.g., new IP geography, mass data export, unusual login times).
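The three signals named above (an address never seen for the app, a burst of export or query calls, and activity outside the vendor's egress ranges) can be hunted directly over exported Salesforce event logs. The script below is an added example and is not code from the advisory or from Klue or Salesforce. It runs over constructed sample rows; the field names (ts, app, ip, event) are simplified assumptions that you would map onto the Login and API columns of your own EventLogFile export, and the egress range is a placeholder to be replaced with the list the vendor supplies.

```python
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Placeholder egress range (RFC 5737 documentation space): replace with the
# ranges the vendor publishes for its infrastructure.
VENDOR_EGRESS = [ip_network("203.0.113.0/24")]


def constructed_sample_events():
    """Constructed sample data, not real logs. Field names are simplified and
    assumed; map them onto the Login/API columns of your Salesforce EventLogFile."""
    rows = []
    base = datetime(2026, 5, 1, 8, 0)
    # 30 days of routine activity by the Connected App from the vendor's egress range.
    for day in range(30):
        t = base + timedelta(days=day)
        rows.append({"ts": t, "app": "Klue", "ip": "203.0.113.10", "event": "Login"})
        for m in range(5):
            rows.append({"ts": t + timedelta(minutes=m), "app": "Klue",
                         "ip": "203.0.113.10", "event": "Query"})
    # Day 31: the same app token is used from an unfamiliar address,
    # followed by 60 exports inside five minutes.
    t = base + timedelta(days=31)
    rows.append({"ts": t, "app": "Klue", "ip": "198.51.100.7", "event": "Login"})
    for i in range(60):
        rows.append({"ts": t + timedelta(seconds=5 * i), "app": "Klue",
                     "ip": "198.51.100.7", "event": "Export"})
    for r in rows:
        r["ip"] = ip_address(r["ip"])
    return rows


def new_ips(events, app, baseline_end, lookback=timedelta(days=30)):
    """Source IPs used by `app` at or after baseline_end that never appeared in
    the preceding `lookback` window. The baseline is kept strictly before the
    period being hunted, otherwise every current IP trivially counts as 'seen'."""
    baseline_start = baseline_end - lookback
    seen = {e["ip"] for e in events
            if e["app"] == app and baseline_start <= e["ts"] < baseline_end}
    return sorted({str(e["ip"]) for e in events
                   if e["app"] == app and e["ts"] >= baseline_end and e["ip"] not in seen})


def export_bursts(events, app, window=timedelta(minutes=10), threshold=50,
                  kinds=("Export", "Query")):
    """Fixed time windows in which export/query events by `app` exceed
    `threshold`; returns (window_start_iso, count) pairs."""
    width = int(window.total_seconds())
    counts = Counter()
    for e in events:
        if e["app"] == app and e["event"] in kinds:
            secs = int((e["ts"] - datetime.min).total_seconds())
            counts[datetime.min + timedelta(seconds=secs - secs % width)] += 1
    return [(b.isoformat(), n) for b, n in sorted(counts.items()) if n > threshold]


def outside_allowlist(events, app, allowed):
    """IPs used by `app` that fall outside the vendor's published egress ranges."""
    return sorted({str(e["ip"]) for e in events
                   if e["app"] == app and not any(e["ip"] in net for net in allowed)})


def hunt(app="Klue", events=None, baseline_end=datetime(2026, 5, 31, 8, 0)):
    """Run all three checks and return their findings keyed by check name."""
    events = constructed_sample_events() if events is None else events
    return {
        "new_ips": new_ips(events, app, baseline_end),
        "export_bursts": export_bursts(events, app),
        "outside_allowlist": outside_allowlist(events, app, VENDOR_EGRESS),
    }


if __name__ == "__main__":
    for check, result in hunt().items():
        print(f"{check}: {result}")
```

On the sample data the first two checks both point at 198.51.100.7 and the third flags the single 10-minute window holding 60 exports, while the routine five queries per day stay below the threshold. The baseline for the new-IP check deliberately ends before the hunted period; a baseline that overlaps the period under review would contain every current address and never fire.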

━━━ SIGMA RULES ━━━

---
title: Potential OAuth Token Abuse - Klue Connected App Anomalous Access
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects access to Salesforce via the Klue Connected App from an IP address not previously associated with the application or user, indicating potential token theft.
references:
  - https://attack.mitre.org/techniques/T1528/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1528
logsource:
  product: azure
  service: signins
detection:
  selection:
    AppDisplayName|contains: 'Klue'
    Status: 'Success'
  filter_legit_location:
    # Placeholder ranges (RFC 5737 documentation space): replace with the egress
    # addresses Klue publishes for its infrastructure. A sign-in log from a SaaS
    # vendor carries public source IPs, so private RFC 1918 ranges would filter nothing.
    IPAddress|cidr:
      - '203.0.113.0/24'
  condition: selection and not filter_legit_location
falsepositives:
  - Legitimate remote usage by Klue support or admins from new locations
level: high
---
title: High Volume Data Export via SaaS Integration
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects sudden high volume of record queries or exports from a third-party SaaS integration (like Klue) within Salesforce.
references:
  - https://attack.mitre.org/techniques/T1530/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.exfiltration
  - attack.t1530
logsource:
  product: cloud
  service: salesforce
detection:
  selection:
    EventName|contains:
      - 'Export'
      - 'Query'
      - 'ApiAnonymousIntegration'
    Application|contains: 'Klue'
  timeframe: 10m
  condition: selection | count() > 50
falsepositives:
  - Scheduled reporting or bulk data sync operations
level: medium


━━━ KQL (MICROSOFT SENTINEL) ━━━
// Hunt for successful sign-ins by the Klue application from IPs or UserAgents not seen
// in the preceding 30-day baseline. The baseline window ends before the hunted window;
// if the two overlapped, every current IP would already be "known" and nothing would fire.
let lookback = 30d;
let recent = 1d;
let baselineIPs = SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where AppDisplayName contains "Klue"
    | where ResultType == "0"
    | distinct IPAddress;
SigninLogs
| where TimeGenerated > ago(recent)
| where AppDisplayName contains "Klue"
| where ResultType == "0"
| where IPAddress !in (baselineIPs)
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, DeviceDetail, UserAgent
| order by TimeGenerated desc

// Correlate with potential data exfiltration in Salesforce (event logs forwarded via Syslog/CEF).
// The Facility value and the "User: ... Action: ..." message layout are assumptions;
// adjust them to match what your forwarder emits.
Syslog
| where Facility == "Salesforce"
| where Message contains "Klue" and (Message contains "Export" or Message contains "download")
| parse Message with * "User: " User " " * "Action: " Action " " *
| summarize Events = count() by User, Action, bin(TimeGenerated, 5m)
| where Events > 20


━━━ VELOCIRAPTOR VQL ━━━
// Hunt for local CLI tools or browser artifacts that might be interacting
// with Salesforce or Klue APIs, indicating a local compromise or admin activity.
// =~ is a regex match in VQL, so the binary names are anchored.
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ '^sf(dx)?[.]exe$'
   OR CommandLine =~ 'salesforce'
   OR CommandLine =~ 'klue'

// Check for browser extensions whose manifest mentions Klue or Salesforce.
// The glob covers Chrome profiles on Windows; extend it for Edge/Brave paths.
// glob() does not return an extension version, so name and version are read
// from manifest.json itself.
LET manifests = SELECT FullPath, read_file(filename=FullPath) AS Manifest
  FROM glob(globs='C:/Users/*/AppData/Local/Google/Chrome/User Data/*/Extensions/*/*/manifest.json')

SELECT FullPath,
       parse_json(data=Manifest).name AS Name,
       parse_json(data=Manifest).version AS Version
FROM manifests
WHERE Manifest =~ 'klue' OR Manifest =~ 'salesforce'


━━━ REMEDIATION SCRIPT (POWERSHELL) ━━━
# Requires Microsoft Graph PowerShell SDK
# Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All", "Directory.ReadWrite.All"

Write-Host "[+] Auditing OAuth Grants for Klue/Salesforce Integrations..." -ForegroundColor Cyan

# Get Service Principals that might be related to the threat
$Apps = Get-MgServicePrincipal -Filter "DisplayName eq 'Klue' or DisplayName eq 'Salesforce'"

foreach ($App in $Apps) {
    Write-Host "[!] Checking grants for: $($App.DisplayName)" -ForegroundColor Yellow
    
    # Retrieve OAuth2PermissionGrants (delegated permissions). ClientId is the
    # object id of the service principal; -All pages through every grant.
    $Grants = Get-MgOauth2PermissionGrant -Filter "ClientId eq '$($App.Id)'" -All
    
    if ($Grants) {
        # Wrap in @() so a single grant still has a Count
        Write-Host "    Found $(@($Grants).Count) active OAuth grants." -ForegroundColor Red
        foreach ($Grant in $Grants) {
            $ConsentType = $Grant.ConsentType
            $PrincipalId = $Grant.PrincipalId
            Write-Host "    - Grant Type: $ConsentType | Scope: $($Grant.Scope)"
            
            # WARNING: Uncomment the line below to REVOKE the grant immediately
            # Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $Grant.Id
        }
    } else {
        Write-Host "    No active delegated grants found." -ForegroundColor Green
    }

    # Retrieve AppRoleAssignments (application permissions granted to this service principal)
    $AppRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $App.Id -All
    if ($AppRoles) {
        Write-Host "    Found $(@($AppRoles).Count) Application Role Assignments." -ForegroundColor Red
        foreach ($Role in $AppRoles) {
            Write-Host "    - Resource: $($Role.ResourceDisplayName) | AppRoleId: $($Role.AppRoleId)"
        }
    }
}

Write-Host "[+] Audit complete. Review results. If compromise is confirmed, rotate Client Secrets and revoke Sessions in Salesforce Setup." -ForegroundColor Cyan

Remediation

Immediate containment is required to stop the exfiltration of data using the stolen tokens.

  1. Revoke OAuth Tokens:

    • In Salesforce Setup: Navigate to App Manager. Locate the "Klue" Connected App. Click View and disconnect all active sessions.
    • Rotate Keys: If Klue was installed via a JWT or Client Credentials flow, rotate the Client Secret immediately in the Salesforce Connected App settings.
  2. Restrict Connected App Scope:

    • Audit the specific OAuth scopes (permissions) granted to Klue. Reduce them to the absolute minimum required for business operations (e.g., remove "Modify All Data" if only "Read" is needed).
  3. IP Restrictions (Salesforce):

    • Navigate to Network Access in Salesforce Setup. Restrict the Klue integration's Trusted IP Range to only the known egress IP addresses of Klue’s infrastructure. Requests made with the stolen tokens from addresses outside that range are then rejected, which neutralizes the tokens without waiting for them to expire.
  4. User Session Revocation:

    • If the integration utilized delegated permissions (user context), force-reset passwords and terminate all sessions for users who had authorized the Klue app.
  5. Vendor Coordination:

    • Contact Klue security support to verify the scope of their breach and obtain their new, legitimate egress IP ranges for whitelisting post-remediation.
