Cybersecurity teams at Salesforce have reported a surge in malicious activity targeting publicly accessible Experience Cloud environments. According to the company, attackers are conducting large-scale scans of these sites using a modified version of an open-source security tool known as AuraInspector.
The campaign primarily focuses on identifying misconfigured guest user permissions, which can expose sensitive data stored within Salesforce environments.
Attackers Exploit Misconfigured Guest User Access
Salesforce explained that the attackers are using an altered version of AuraInspector to scan public-facing Experience Cloud portals. The scans target the API endpoints the platform exposes on these sites, in particular the following endpoint:
/s/sfsites/aura
The original AuraInspector tool was designed to help security professionals detect misconfigured access controls in Salesforce environments. However, the modified variant used in these attacks is capable of extracting data rather than only identifying potential weaknesses.
By abusing overly permissive guest user settings, attackers can retrieve sensitive information without authentication.
What AuraInspector Is Designed For
AuraInspector is an open-source auditing tool released in January 2026 by Mandiant, the cybersecurity company owned by Google.
The tool was originally created to help organizations analyze and verify security configurations within the Salesforce Aura framework, allowing security teams to detect excessive permissions or exposed objects.
Although the tool is legitimate for defensive security testing, attackers have adapted it for malicious scanning campaigns.
Why Guest User Profiles Can Become a Risk
Public Salesforce websites commonly rely on a dedicated guest user profile. This configuration allows unauthenticated visitors to access information such as:
- landing pages
- knowledge base articles
- FAQs
However, if administrators grant too many permissions to the guest profile, it can unintentionally expose internal data.
When this happens, attackers may directly query Salesforce CRM objects without logging into the platform.
Conditions Required for the Attack
Salesforce stated that the attack generally succeeds only when both of the following conditions are present:
- The Experience Cloud environment allows access through a guest user profile.
- Security configuration guidelines recommended by Salesforce have not been properly implemented.
Importantly, Salesforce emphasized that the issue does not stem from a vulnerability in the platform itself but from customer-side configuration weaknesses.
Possible Link to ShinyHunters Activity
Although Salesforce did not publicly name the responsible threat actor, the activity pattern resembles operations linked to ShinyHunters, also known as UNC6240.
This group has previously targeted Salesforce environments by abusing integrations with third-party applications such as Salesloft and Gainsight.
Security Recommendations from Salesforce
To mitigate the risk of unauthorized access, Salesforce recommends that organizations review and strengthen their Experience Cloud security settings. Key measures include:
- Set Default External Access for all objects to Private
- Disable guest user access to public APIs
- Restrict visibility settings to prevent enumeration of internal users
- Disable self registration features if not required
- Continuously monitor system logs for unusual queries or scanning activity
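As an added illustration of the last recommendation (this is example code, not Salesforce's or the article's), the Python below flags sources that send bursts of unauthenticated requests to the Aura endpoint named above. The log line format, the sample lines, the IP addresses and the threshold are constructed for the example; the parser would need adapting to a real gateway or Salesforce event-log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

AURA_ENDPOINT = "/s/sfsites/aura"
WINDOW = timedelta(minutes=5)
THRESHOLD = 20  # guest requests per source per window before flagging (tuning assumption)

# Constructed line format: "<iso timestamp> <src ip> <method> <path> <status> <user>"
# A "-" in the user field marks an unauthenticated (guest) request.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, user = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path.split("?", 1)[0], "status": int(status), "user": user}

def find_aura_scanners(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak count} for sources whose guest requests to the Aura
    endpoint reach `threshold` inside any sliding window of length `window`.
    Normal guest browsing also hits this endpoint, so the burst rate, not the
    mere presence of requests, is the signal; tune `threshold` to your site."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["path"] != AURA_ENDPOINT or rec["user"] != "-":
            continue
        hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

def constructed_sample_log():
    """Constructed sample: one normal visitor, one logged-in user, one scanner."""
    base = datetime(2026, 3, 1, 12, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=5)).isoformat()} 198.51.100.4 GET /s/ 200 -",
        f"{(base + timedelta(seconds=6)).isoformat()} 198.51.100.4 POST {AURA_ENDPOINT}?r=1 200 -",
        f"{(base + timedelta(seconds=40)).isoformat()} 198.51.100.9 POST {AURA_ENDPOINT} 200 alice@example.com",
    ]
    # Scanner: 30 guest POSTs to the Aura endpoint within 90 seconds
    lines += [f"{(base + timedelta(seconds=3 * i)).isoformat()} 203.0.113.7 POST {AURA_ENDPOINT}?r=x 200 -"
              for i in range(30)]
    return lines

if __name__ == "__main__":
    print(find_aura_scanners(constructed_sample_log()))  # {'203.0.113.7': 30}
```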
Identity-Based Attacks and Social Engineering Risks
Salesforce also warned that this activity highlights a growing trend in identity-focused cyberattacks.
Information collected during scanning operations, such as names and phone numbers, can be used by attackers to conduct targeted social engineering campaigns. These often include voice phishing attacks (vishing) designed to trick victims into revealing credentials or sensitive information.
Update
According to screenshots shared by Dark Web Informer on X, ShinyHunters has claimed to have breached “several hundred” companies as part of the Salesforce Aura Campaign.