A CISO’s Playbook Vol. 2 – OAuth Token Vulnerability That Caused Salesforce Breach

Executive Summary

OAuth tokens are now central to enterprise workflows, enabling seamless and secure integrations across platforms like Salesforce, Google Workspace, and marketing automation systems. However, this convenience has introduced a new attack surface that adversaries are actively exploiting. High-profile incidents — including the Salesforce campaigns attributed to UNC6040 and UNC6395 — demonstrate that OAuth token abuse is no longer a theoretical risk.

It is a proven method for large-scale data theft, credential harvesting, and extortion. This white paper provides CISOs with a detailed exploration of OAuth token vulnerabilities, their exploitation in real-world breaches, and a comprehensive playbook for mitigation. Drawing from recent campaigns and case studies, the guide highlights both the technical and organizational dimensions of defending against token-based threats.

This white paper is provided by Health-ISAC Pathfinder, Ridge Security, part of the Community Services Program.