OAuth Supply-Chain Security: From the Salesloft/Drift Breach to Zero Trust
Applied research on OAuth supply-chain vulnerabilities, analyzing the UNC6395 campaign that compromised 700+ Salesforce environments via stolen tokens from Salesloft/Drift. Includes GWAPT-aligned penetration testing methodology.
If your vendor's AWS infrastructure were compromised tomorrow, which of your SaaS environments would the attacker inherit access to — without triggering a single alert?
Threat Landscape: UNC6395 & the Identity Supply Chain
The UNC6395 campaign (August 2025) demonstrated a paradigm shift in enterprise attacks: rather than exploiting software vulnerabilities, threat actors compromised Salesloft/Drift AWS infrastructure to harvest valid OAuth tokens for over 700 Salesforce environments. No passwords were stolen, and MFA was bypassed by design: a valid bearer token is accepted as an already-authenticated session, so no login or MFA challenge ever occurs. Subsequent incidents including Gainsight (November 2025) and the n8n ecosystem attack (January 2026) confirm this is a systemic failure in Non-Human Identity management.
Shadow Trust: Attack Scenarios & Token Persistence
Shadow Trust is the accumulation of delegated permissions, granted through OAuth scopes, that persist long after the user interaction that authorized them. Developers often request over-privileged scopes, and refresh tokens with no expiry create indefinite persistence. Attackers who steal these tokens can access environments weeks later without triggering login events or MFA challenges.
GWAPT Penetration Testing Methodology
Our research maps these attacks to MITRE ATT&CK (T1528, T1550) and establishes a GWAPT-aligned penetration testing methodology for auditing the Identity Supply Chain. Lab modules replicate over-privileged OAuth scopes, infinite refresh token persistence, and the "Secondary Heist" pattern where API access yields unstructured secrets enabling lateral movement to cloud infrastructure.
Zero Trust OAuth Remediation Framework
The remediation framework enforces Zero Trust principles: 24-hour refresh token expiry, scope restriction policies blocking the "full" scope at the org level, RFC 7662 token introspection at the gateway, and continuous monitoring of OauthToken events to detect token misuse and attacker cleanup patterns.
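The gateway-side half of this framework, as an added example that is not part of the original research or its tooling: it assumes the gateway has already called the authorization server's RFC 7662 introspection endpoint and holds the JSON response as a dict, then applies the page's rules (reject inactive or expired tokens, block the "full" scope, require the scope the route needs, and treat any token older than 24 hours as stale). The client names, timestamps and responses below are constructed samples.

```python
"""Gateway-side OAuth gating on an RFC 7662 token introspection response.

Assumed: `resp` is the parsed JSON returned by the authorization server's
introspection endpoint (RFC 7662 members: active, scope, client_id, iat, exp).
Policy enforced: 24-hour token lifetime, "full" scope blocked, per-route scope.
"""
import time

MAX_TOKEN_AGE_SECONDS = 24 * 60 * 60   # 24-hour lifetime policy from the framework
BLOCKED_SCOPES = {"full"}              # org-level scope restriction


def evaluate_introspection(resp, required_scope, now=None):
    """Return (allowed, reason) for one introspection response."""
    now = time.time() if now is None else now
    # RFC 7662: "active" is the only REQUIRED member; other members only
    # carry meaning when the token is active, so check it first.
    if not resp.get("active", False):
        return False, "token inactive or revoked"
    exp = resp.get("exp")
    if exp is None or exp <= now:
        return False, "token has no expiry or is expired"
    iat = resp.get("iat")
    if iat is None or now - iat > MAX_TOKEN_AGE_SECONDS:
        return False, "token older than 24h policy"
    scopes = set(resp.get("scope", "").split())   # space-delimited (RFC 6749)
    blocked = scopes & BLOCKED_SCOPES
    if blocked:
        return False, "over-privileged scope: " + ",".join(sorted(blocked))
    if required_scope not in scopes:
        return False, f"missing required scope {required_scope}"
    return True, "ok"


# Constructed sample responses (no real tokens); NOW is fixed for reproducibility.
NOW = 1_700_000_000
SAMPLES = {
    "good":    {"active": True, "scope": "api refresh_token", "client_id": "chat-widget",
                "iat": NOW - 3600, "exp": NOW + 3600},
    "full":    {"active": True, "scope": "full refresh_token", "client_id": "legacy-app",
                "iat": NOW - 3600, "exp": NOW + 3600},
    "stale":   {"active": True, "scope": "api", "client_id": "etl-job",
                "iat": NOW - 3 * 86400, "exp": NOW + 3600},
    "revoked": {"active": False},
    "no_exp":  {"active": True, "scope": "api", "client_id": "etl-job", "iat": NOW - 100},
}


def audit_samples(now=NOW, required_scope="api"):
    """Evaluate every constructed sample; returns {name: (allowed, reason)}."""
    return {name: evaluate_introspection(r, required_scope, now) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in audit_samples().items():
        print(f"{name:8} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

Only the "good" sample passes; the others illustrate the revoked, missing-expiry, stale and over-privileged cases the framework is meant to stop.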
Your next move
Run a SOQL enumeration of your OauthToken table to identify every active token with over-privileged scopes, then enforce 24-hour refresh token expiry and IP restrictions on all third-party connected apps.
Tools & code
mcp-sentinel-scanner
Security analysis tool with OAuth supply-chain detection capabilities, SOQL enumeration patterns, and MCP vulnerability scanning.