
Klue, Kali365, OAuth: When the Front Door Is a Trusted Integration

In the Klue compromises, threat actors walked in through a trusted integration, using legitimate credentials to quietly siphon Salesforce CRM data at scale. The challenge isn't just responding to Klue. It's recognizing that every OAuth-connected integration in your environment is part of your attack surface.

Join hosts Alexandra and John as they discuss:

  • How compromised Klue integrations were leveraged to exfiltrate Salesforce CRM data
  • Attribution and what it signals about the evolving data extortion landscape
  • How OAuth token and device code theft is growing

Two questions your organization should be asking right now:

  • How many third-party integrations in your environment have active OAuth access to platforms holding critical data — and when were they last audited?
  • Do you have detections in place for unusual Salesforce API query volume and service account behavior that could signal an active exfiltration?

John Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.

Alexandra Moore: Manager of Threat Intelligence at ReliaQuest, where she leads intelligence analysis and customer dissemination to help organizations understand and respond to emerging cyber threats. Prior to this, she established and scaled monitoring across Russian-language cybercriminal platforms at Digital Shadows, building collection and analytical coverage to support digital risk protection capabilities.
