What You Need To Know About Salesforce AuraInspector Attacks
The threat actor ShinyHunters is leveraging a modified version of the AuraInspector tool to exploit misconfigured Salesforce Experience sites. By targeting overly permissive guest user profiles, attackers can interact with backend Aura endpoints to enumerate and exfiltrate sensitive corporate data without requiring authentication.
Source: Varonis
Key Takeaways
- The threat actor ShinyHunters is using a modified version of the Mandiant open-source tool AuraInspector to steal data from Salesforce instances.
- The attack exploits misconfigured Salesforce Experience sites that grant overly permissive access to unauthenticated guest users, rather than a software vulnerability.
- Attackers can interact with backend endpoints, specifically '/s/sfsites/aura', via standard HTTP requests to enumerate and exfiltrate sensitive records.
- Exposed data can include customer lists, support cases, contacts, users, and employee email addresses.
- Administrators should immediately review the Guest User Sharing Rule Access Report in Salesforce to identify and remediate unintended data exposure.
Affected Systems
- Salesforce Experience sites (formerly Salesforce Community)
- Salesforce Lightning (Aura) framework
Attack Chain
The attack begins with a Salesforce administrator inadvertently misconfiguring a Salesforce Experience site, granting excessive data access permissions to guest users. The threat actor, ShinyHunters, utilizes a modified AuraInspector tool to query the public site. These unauthenticated HTTP requests interact directly with backend endpoints like '/s/sfsites/aura' to enumerate objects and fields. Finally, the Salesforce database processes the guest user queries and returns the sensitive records to the attacker, resulting in data exfiltration.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Varonis
Varonis provides a built-in detection policy named 'Abnormal Behavior: Potential data exfiltration via Salesforce site scan attempt' to identify malicious site probing.
Detection Engineering Assessment
- EDR Visibility: None — The attack targets SaaS/Cloud infrastructure (Salesforce) via web requests, which is entirely outside the scope of traditional endpoint EDR telemetry.
- Network Visibility: Medium — Network logs might capture HTTP requests to the targeted endpoints, but the traffic is encrypted (HTTPS) and blends with legitimate Salesforce usage unless SaaS API monitoring or deep packet inspection is in place.
- Detection Difficulty: Moderate — Distinguishing malicious guest user queries from legitimate anonymous site traffic requires baseline profiling of expected guest access and monitoring for anomalous enumeration behavior.
Required Log Sources
- Salesforce Event Monitoring logs
- Web Proxy/Gateway logs
- SaaS Application Audit Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Unauthenticated users are making an unusually high volume of requests to the /s/sfsites/aura endpoint to enumerate records. | Salesforce Event Monitoring / Web Access Logs | Collection | Medium |
Control Gaps
- SaaS Security Posture Management (SSPM)
- Guest user permission auditing
Key Behavioral Indicators
- High volume of requests to /s/sfsites/aura from unauthenticated IPs
- Access to standard/custom objects by guest user profiles that exceed business requirements
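The hunting hypothesis and the first behavioral indicator above both reduce to one check: unauthenticated sources issuing an abnormal number of requests to /s/sfsites/aura in a short window. The script below is an added example (not Varonis or Salesforce code) that runs that check over constructed web-gateway access-log lines; the simplified log format, the '-' user marker for guest requests, the IPs and the 20-requests-per-5-minutes threshold are all assumptions to be replaced with the values from your own proxy logs and baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AURA_PATH = "/s/sfsites/aura"


def build_sample_log():
    """Constructed access-log lines (not real traffic), one per request:
    '<ISO timestamp> <client ip> <user or "-"> <method> <path> <status>'.
    Assumption: a '-' user field marks an unauthenticated (guest) request."""
    t0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    rows = []
    # Hypothetical scanner: 30 guest POSTs to the Aura endpoint within one minute.
    for i in range(30):
        rows.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 203.0.113.7 - POST {AURA_PATH}?r={i} 200")
    # Ordinary guest browsing: three Aura calls spread over nine minutes.
    for i in range(3):
        rows.append(f"{(t0 + timedelta(minutes=3 * i)).isoformat()} 198.51.100.4 - POST {AURA_PATH} 200")
    # Authenticated employee: many Aura calls, but not a guest, so out of scope here.
    for i in range(40):
        rows.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 192.0.2.9 jdoe POST {AURA_PATH} 200")
    return rows


def parse_line(line):
    """Split one log line into fields; the query string is dropped from the path."""
    ts, ip, user, method, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
            "method": method, "path": path.split("?", 1)[0], "status": int(status)}


def find_guest_enumeration(lines, threshold=20, window_seconds=300):
    """Return {ip: peak_count} for unauthenticated IPs that send more than
    `threshold` Aura requests inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["user"] == "-" and rec["path"] == AURA_PATH:
            per_ip[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[ip] = peak
    return hits


if __name__ == "__main__":
    for ip, n in find_guest_enumeration(build_sample_log()).items():
        print(f"ALERT: guest Aura enumeration from {ip}: {n} requests in 5 min")
```

Tune the threshold against a baseline of normal guest traffic on the site, since the false-positive assessment below depends on it; an authenticated user's volume is deliberately not flagged by this check.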
False Positive Assessment
- Medium. Legitimate use of Salesforce Experience sites by guest users may trigger behavioral alerts if thresholds for enumeration or data access are not properly tuned to match normal business operations.
Recommendations
Immediate Mitigation
- Navigate to Salesforce Setup -> Security -> Guest User Sharing Rule Access Report to review exposed data.
- Revoke excessive permissions for guest user profiles on Salesforce Experience sites immediately.
Infrastructure Hardening
- Implement strict least-privilege access controls for all public-facing Salesforce sites.
- Regularly audit standard and custom objects shared with guest users to prevent unintended exposure.
User Protection
- N/A
Security Awareness
- Educate Salesforce administrators on the risks of overly permissive guest user sharing rules and the shared responsibility model in SaaS environments.
MITRE ATT&CK Mapping
- T1530 - Data from Cloud Storage Object
- T1087.004 - Account Discovery: Cloud Account
- T1190 - Exploit Public-Facing Application