Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The French luxury conglomerate, Kering, recently confirmed a data breach affecting millions of customers. As a Paris-based luxury group, it has a portfolio of houses in fashion and jewelry. Some of its stable brands include Alexander McQueen, Balenciaga, and Gucci. The cybercriminal group, ShinyHunters, claimed responsibility for the attack. Unlike traditional ransomware groups, which would encrypt the data, they usually monetize by extortion to sell the information on secret forums.

In our previous post, The ABC’s of Ishing, we broke down the foundational tactics used by cybercriminals to deceive users and gain unauthorized access. This follow-up report expands on that foundation by exploring three evolving phishing threats that go beyond traditional email lures. Angler Phishing, Calendar Phishing, and Captcha Phishing each exploit trust in everyday digital tools—social media platforms, calendar invites, and CAPTCHA challenges.

Established in 1939, the Fairmont Federal Credit Union has set itself apart as a non-profit financial company rooted in West Virginia. For over eighty years, the organization has operated to provide accessible financial services and education programs to its membership. The company emphasizes community support and personalized service rather than profit-making. Fairmont Federal Credit has nine branches across the state of West Virginia.

As one of the most prestigious Ivy League institutions, Columbia University has centered on offering transformative educational experiences combining liberal arts training with the resources of a world-class research university. Its goal is to prepare students to become civic-minded leaders and lifelong learners. It was established in 1754 as King’s College following a royal charter under King George II, which made it the fifth-oldest institution of higher learning in the United States.

This was not a brute-force intrusion, the attackers persuaded or tricked systems into granting long-lived access, then quietly exploited that trust.

Attackers stole OAuth tokens tied to the Salesloft Drift integration, then used those valid tokens to call Salesforce APIs and export data. This is token abuse via a third-party Connected App, not a core Salesforce bug. Focus your response on governance and validation: revoke and rotate, re-enable with least privilege, and use Salesforce Event Monitoring to verify detections. What happened.

The Drift OAuth breach didn’t just expose one SaaS vendor — it exposed a systemic blind spot: the sprawling, ungoverned world of Non-Human Identities. In case you missed it, in August 2025, attackers from UNC6395 exploited compromised OAuth tokens from Salesloft’s Drift integration—an AI chat tool—to access and exfiltrate data from Salesforce, including credentials like AWS keys and Snowflake tokens.

A widespread supply chain attack has impacted hundreds of organizations through the marketing software-as-a-service (SaaS) product, Drift, owned by Salesloft. The campaign, attributed to a threat group tracked by Google as UNC6395, is believed to have occurred between August 8 and August 18, 2025. The attackers used stolen OAuth and refresh tokens associated with Drift's AI chat agent to access the systems of impacted companies.