Weaponized AuraInspector: How Threat Actors Are Mass-Scanning Salesforce Experience Cloud

When Mandiant published AuraInspector in January 2026, the intent was straightforward: give Salesforce administrators a command-line tool to audit their own Experience Cloud environments before attackers could exploit them. The release was accompanied by a detailed technical writeup documenting the exact misconfigurations that had been showing up in real-world engagements. Within weeks, a known threat actor group had stripped the tool for parts, extended its capabilities, and pointed it at the internet at scale.

That is exactly what has happened here. Salesforce issued a public advisory on March 7, 2026, confirming that its Cyber Security Operations Center had been tracking a campaign in which malicious actors were exploiting overly permissive Experience Cloud guest user configurations to extract data those organizations never intended to make public. The company was careful to frame the issue as a configuration problem, not a platform vulnerability. That distinction matters legally and reputationally for Salesforce, but for the hundreds of organizations now on the receiving end of extortion demands, it offers little practical comfort.

Salesforce Experience Cloud is a platform that lets organizations build customer portals, partner portals, and public-facing websites that pull data directly from their Salesforce CRM instance. It is the mechanism through which a company might let customers check order status, reset a password, or browse a knowledge base without logging in. The Aura framework underpins the modern Lightning Experience UI that powers these sites, handling the component-based rendering and the API layer that sits between the browser and Salesforce data.

Every publicly accessible Experience Cloud site is assigned a guest user profile. This profile defines what an anonymous, unauthenticated visitor is allowed to see and do. When configured correctly, a guest can view public-facing pages and nothing else. When configured too broadly — which Mandiant's research found to be a widespread condition — a guest user profile can carry permissions that allow direct, unauthenticated querying of Salesforce CRM objects such as Accounts, Contacts, and Leads.

AuraInspector, in its legitimate form, is a command-line tool designed to simulate an unauthenticated visitor and automatically probe the API endpoints that Experience Cloud sites expose. Specifically, it targets the /s/sfsites/aura endpoint, which Aura-based sites use to handle data requests. The tool identifies which objects are accessible to guest users and flags configurations where sensitive records could be retrieved without authentication. Mandiant released it with the explicit goal of making the audit process accessible to administrators who might otherwise lack the technical knowledge to probe these surfaces manually.

According to Mandiant's January 2026 Google Cloud Blog post, AuraInspector was built to give defenders and administrators a way to identify access control misconfigurations and potential data exposures in the Salesforce Aura framework from an external, unauthenticated perspective — precisely the vantage point an attacker would use. — Mandiant / Google Cloud Blog, January 2026

The tool's value as a defensive instrument is real. The problem is that a tool that can automatically discover and enumerate exposed data objects is, structurally, also an offensive reconnaissance tool. The only meaningful difference between using it to find your own exposure and using it against someone else's site is authorization. OSS dual-use

The modified version of AuraInspector used in this campaign goes beyond the original tool's scope in one critical way: it does not stop at identification. Where the legitimate tool flags a misconfigured object and generates a report, the weaponized variant goes on to extract the data from that object. Salesforce's official advisory confirmed the actor's custom version went beyond flagging misconfigurations and proceeded to actively pull the underlying records, exploiting overly permissive guest user settings at scale. Reporting from TechRadar and CyberInsider suggests the scanning and extraction phases may have used distinct tooling — with the modified AuraInspector primarily serving the reconnaissance and identification function, and a separate unnamed custom tool handling the record extraction itself. Salesforce's advisory does not distinguish between the two phases at that level of detail, but the distinction matters for detection: organizations looking for AuraInspector-like traffic patterns in their logs may still have experienced data extraction that left a different signature. At Scale

The scanning traffic was deliberately camouflaged using a standard browser user agent string — Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 — to blend in with ordinary web traffic in event logs. Once inside a misconfigured environment, the data accessible to an unauthenticated attacker could include Contact records with full names and phone numbers, Account records with organizational relationships, Leads with sales pipeline context, and potentially any CRM object to which the guest profile had been granted visibility. AppOmni security researchers noted that the same guest user misconfiguration that exposes names and phone numbers can also be exploited to self-register a portal account, escalating a guest-tier exposure into an authenticated session with access to a far broader set of data.

Salesforce's advisory referred to the activity as coming from "a known threat actor group" without naming the party. Security researchers and press reporting quickly identified the likely actor as ShinyHunters, tracked by Google's Threat Intelligence Group as UNC6240. The group posted a listing on its data leak site titled "Salesforce Aura Campaign," warning that "several hundred companies" would face public data exposure if extortion demands were not met.

ShinyHunters warned affected organizations on their dark web listing that a final warning and complete data release would follow if no response was received — framing the message as a preliminary notice before escalation. — ShinyHunters, via their dark web data leak site, March 2026

ShinyHunters told BleepingComputer that the campaign began in September 2025, well before Mandiant released AuraInspector as a defensive tool. In those early months, the group was identifying Aura instances manually and working within the 2,000-record query constraint. When Mandiant published AuraInspector in January 2026 as an administrator-facing diagnostic utility, ShinyHunters says it modified the code to add mass-scanning capabilities and automated extraction. The group confirmed to BleepingComputer that the attacks used the spoofed browser user agent to evade log-based detection.

The scale of claimed impact is notable. ShinyHunters told BleepingComputer that the total number of compromised organizations sits between 300 and 400, with roughly 100 described as high-profile companies, a significant proportion of them in the cybersecurity industry. Among the companies cited by the group in separate communications were Snowflake, LastPass, Okta, AMD, Sony, and Salesforce itself. The group has a documented history of large-scale data theft and extortion, including a 2024 campaign targeting Snowflake customer databases that affected more than 160 organizations.

Charles Carmakal, Chief Technology Officer at Mandiant, confirmed the firm's awareness of the misuse of its tool, providing a statement to multiple outlets:

“Scanning activity alone does not confirm compromise.” — Charles Carmakal, CTO, Mandiant

Carmakal added a qualifier that organizations reviewing their own logs should keep in mind: detecting AuraInspector scanning activity does not, by itself, confirm that data was successfully extracted. Scanning and extraction are distinct phases. An organization whose logs show Aura endpoint probing may have been scanned without being compromised, depending on whether the guest user profile at the time of the scan actually carried excessive permissions. That distinction matters for incident response prioritization.

Of the high-profile organizations publicly cited by ShinyHunters — Snowflake, LastPass, Okta, AMD, Sony, and Salesforce itself — only LastPass issued any public acknowledgment in the immediate aftermath.

This is not ShinyHunters' first engagement with Salesforce environments. Google's Threat Intelligence Group has documented prior campaigns in which the group, operating as UNC6240, targeted Salesforce data through third-party SaaS integrations. In separate earlier operations, the group abused compromised OAuth access tokens from Salesloft/Drift integrations, and separately, compromised Gainsight connected app access in a campaign reported in November 2025. In those earlier operations, the group relied heavily on vishing to harvest Okta SSO credentials and MFA codes before pivoting to connected applications. Credential-free The current campaign represents a tactical shift: no credentials are required at all if the target's guest user profile is permissive enough.

Denis Calderone, CTO and Principal at Suzu Labs, described the progression clearly: "Last time, the attackers vished their way into Okta SSO credentials and exploited third-party integrations like Gainsight. Since then, they've gone even more direct, using a weaponized version of the Mandiant-developed Aura Inspector tool to mass-scan Experience Cloud sites for misconfigured guest user permissions. They don't even need credentials for this one."

What makes this campaign particularly concerning is not just the data harvested in the initial scan — it is what that data enables next. Salesforce's own advisory flagged this escalation path explicitly, noting that names and phone numbers harvested in these scans are regularly repurposed to build targeted voice phishing campaigns against the same organizations. Kill chain

The logic of the kill chain is straightforward. A misconfigured Experience Cloud portal might expose Contact records for every customer or partner an organization manages. An attacker who extracts that data now has a verified directory of real names, phone numbers, and organizational relationships — information that would otherwise require significant social engineering effort to compile. That directory becomes the raw material for voice phishing calls that carry an unusual degree of credibility: the caller already knows who you work with, what your title is, and potentially what products or services your company uses.

AppOmni researchers documented this connection directly, noting that coordinated campaigns routinely follow this sequence: harvest CRM data, use it to make vishing calls credible, then escalate into full SaaS compromise. In their assessment, a guest user misconfiguration that exposes names and phone numbers can serve as the opening link in a kill chain that ends with a serious data breach. (AppOmni, March 2026)

In previous ShinyHunters ecosystem operations, as documented by Mandiant's Google Threat Intelligence Group in a January 2026 report, the cluster tracked as UNC6661 deployed impersonators posing as IT staff, directing victims to enter SSO credentials and MFA codes on attacker-controlled credential harvesting sites. UNC6240 (ShinyHunters) then conducted the extortion phase — sending ransom demands via ShinyHunters-branded email, specifying a Bitcoin payment address and a 72-hour deadline, with proof of data theft provided via samples hosted on Limewire. Victims who did not respond faced additional pressure: SMS messages sent to individual employees, and in some cases, distributed denial-of-service attacks against company websites.

The current AuraInspector campaign represents the reconnaissance phase that feeds into that extortion pipeline. Organizations that appear in ShinyHunters' "Salesforce Aura Campaign" listing may not yet realize that the first step in the attack against them happened months ago, when their publicly accessible Experience Cloud portal quietly handed over its Contact directory to an automated scanning tool.

Salesforce's advisory is unambiguous: the issue lies with customer-configured settings, and remediation is the customer's responsibility. The platform itself has not been compromised. That framing is accurate but should not be read as reassuring. Misconfigured guest user profiles are common precisely because the Experience Cloud setup process involves many permission layers, and organizations frequently prioritize getting a portal working over auditing every access control setting in detail.

The highest-impact single action, according to Salesforce, is removing the API Enabled permission from the guest user profile. This closes the Aura endpoint to unauthenticated API queries entirely, which is the exact vector used in this campaign. For organizations whose Experience Cloud portals require guest users to have some API access, the full remediation set requires more nuanced review.

Louis Eichenbaum, Federal CTO at ColorTokens, placed the incident in a broader SaaS security context, arguing that organizations must treat SaaS platforms as part of their full security architecture and apply zero-trust principles, phishing-resistant identity controls, and continuous configuration monitoring to prevent data exposure — and that access of this kind should be locked down by default and opened only when there is a specific operational need. (ColorTokens, March 2026)

The broader implication is that configuration drift is the attack surface. Salesforce provides the tools to configure these permissions correctly. The challenge is that Experience Cloud environments evolve over time — new portals are stood up, new objects are created, permissions get adjusted by different administrators across different projects — and periodic security reviews often lag behind the operational pace of change. This campaign is a measurable consequence of that gap.

1. Defensive tools can be weaponized quickly. Mandiant released AuraInspector in January 2026 to help administrators audit their own environments. Within weeks, a threat actor group had extended it into a mass-scanning and data extraction tool. The release of any public-facing security research tool that maps an attack surface will be evaluated by adversaries for offensive utility. Organizations should treat a tool's release as a prompt to audit their own exposure, not a reason to wait. OSS dual-use
2. No credentials required does not mean low risk. This campaign required no phishing, no stolen passwords, and no social engineering for initial access. A misconfigured guest user profile was sufficient. The absence of an authentication requirement made the attack easier to automate at scale and harder for organizations to detect, since the traffic looked like ordinary browser activity. Credential-free
3. CRM data exposure feeds the next attack layer. Names and phone numbers extracted from a Salesforce portal are not the end goal. They are the raw material for targeted vishing campaigns that impersonate IT staff or executives with enough specific knowledge to be convincing. The data theft and the social engineering phase are parts of the same operation, separated by weeks or months. Kill chain
4. The highest-impact remediation is single and specific. Removing the API Enabled permission from the guest user profile closes the primary attack vector used in this campaign. Salesforce identified this as the single highest-impact change an administrator can make. Organizations that have not yet reviewed their guest user profile settings should treat this as an urgent action item, not a scheduled maintenance task.
5. SaaS misconfiguration is systemic risk, not individual error. Amir Khayat, co-founder and CEO of Vorlon, described the core pattern: attackers found that a large number of Experience Cloud sites had guest user permissions set too broadly, then built specialized tooling to scan for and exploit that condition across hundreds of organizations at once. (Vorlon, March 2026) The breadth of the alleged impact — 300 to 400 organizations — reflects how widespread this misconfiguration pattern is across the Salesforce customer base, not a failure unique to any single organization. At Scale

The shift from credential-based initial access to configuration-based initial access represents a meaningful tactical evolution for the threat actors involved. When the attack surface is a misconfiguration rather than a credential, phishing-resistant MFA and password hygiene provide no protection. The relevant control is configuration hygiene: knowing exactly what your public-facing systems expose, to whom, and under what conditions. For organizations running Salesforce Experience Cloud, that audit is no longer optional.