COSMICBYTEZLABS
Salesforce Data Thefts Continue via Klue App Compromise

Klue's Battlecards competitive intelligence application has become the third integrated app compromised in the ongoing Icarus campaign targeting Salesforce customer data — with victims including Huntress, a prominent cybersecurity vendor.

Dylan H.

News Desk

June 18, 2026
5 min read

A wave of Salesforce data thefts linked to the Icarus campaign has claimed a third victim: Klue, a competitive intelligence platform whose Battlecards application integrates with Salesforce to give sales teams real-time data about deals and accounts. Among the confirmed victims of the compromise is Huntress, the managed detection and response (MDR) cybersecurity company.

Three Apps, One Campaign

The Klue compromise marks the third integrated Salesforce application to be weaponized in the Icarus data theft campaign, following earlier incidents involving other SaaS applications that connected to Salesforce customer organizations via OAuth tokens or API integrations.

The pattern is consistent across all three incidents: attackers compromise the third-party application's infrastructure or credential store, then use the application's pre-existing Salesforce API access to extract customer data at scale. Because these integrations often hold long-lived, broadly scoped OAuth tokens or API credentials authorized by Salesforce customers themselves, a single app compromise can cascade into dozens or hundreds of downstream Salesforce environments.

The earlier two incidents were linked through shared infrastructure and attack methodology, now collectively tracked as the Icarus campaign — named for the theme of reaching too high (over-permissioned OAuth access) leading to a fall (cascading data loss).

Klue Battlecards: High-Value Salesforce Access

Klue's Battlecards product is designed to surface competitive intelligence directly within Salesforce workflows — pulling deal data, account information, and opportunity records to help sales teams respond to competitive situations. This tight Salesforce integration means the app's access token can read sensitive commercial data including:

  • Customer account and contact information
  • Deal values, pipeline stages, and revenue data
  • Sales notes and communication history
  • Custom fields containing internal business intelligence

For an attacker with access to Klue's Salesforce integration credentials, this represents a rich data source across all of Klue's customer organizations — a single breach with a very wide blast radius.

Huntress Confirmed as Victim

Huntress, which provides managed threat detection and response services to small and medium-sized businesses and managed service providers, has confirmed it was among the organizations whose Salesforce data was accessed through the Klue compromise. Huntress's confirmation is notable both because the company is a cybersecurity vendor (demonstrating that even security-focused organizations can be caught in third-party supply chain breaches) and because Huntress has itself been actively tracking and disclosing supply chain attacks against its partners and customers.

Huntress has stated that customer security data managed through its MDR platform was not accessed in this incident — the exposure was limited to Salesforce CRM data managed through the Klue integration.

The Icarus Problem: OAuth Sprawl at Scale

The broader campaign highlights what security researchers have increasingly flagged as one of the most underappreciated enterprise risk vectors: SaaS-to-SaaS OAuth sprawl.

Modern enterprises authorize dozens or hundreds of third-party applications to access their Salesforce, Microsoft 365, Google Workspace, and other SaaS platforms. Each authorization grants the third-party app ongoing access — often with broader permissions than strictly necessary — through tokens that may never expire unless explicitly revoked.

This creates a security dynamic where an organization's data security is only as strong as the weakest link in its entire SaaS ecosystem. A breach at any integrated application can expose data across all its customers, regardless of those customers' own security posture.

Security recommendations stemming from the Icarus campaign include:

  • Regular OAuth token audits: Review all third-party applications authorized to access Salesforce and other critical SaaS platforms. Remove unused integrations and revoke tokens from applications no longer in active use.
  • Least-privilege OAuth scopes: When authorizing integrations, grant only the specific Salesforce object access the application needs — not the broad "full access" scope many applications request by default.
  • Third-party app security assessments: Before authorizing a SaaS integration with access to Salesforce CRM data, evaluate the application vendor's security posture, including their SOC 2 compliance status, incident response capabilities, and data handling practices.
  • Connected app monitoring: Salesforce provides logging for connected application access. Monitor these logs for anomalous access patterns — large data exports, access from unexpected IP ranges, or API calls outside normal business hours.
  • Rapid revocation capabilities: Maintain the ability to quickly revoke all tokens for a specific third-party integration if a compromise is suspected. Documented runbooks for this process can significantly reduce breach impact when a third-party app is compromised.
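The connected-app monitoring and rapid-revocation recommendations above, turned into a small detection routine. This is an added example written for this article, not code from Salesforce, Klue or Huntress; the log records, field names, baseline IP ranges and row-count ceilings are constructed assumptions standing in for whatever your connected-app access logs actually contain.

```python
"""Flag anomalous connected-app access in constructed Salesforce-style API logs."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records; the field names are assumptions, not a real schema.
SAMPLE_EVENTS = [
    {"ts": "2026-06-15T10:12:03Z", "app": "Klue Battlecards", "user": "integration@example.com",
     "ip": "203.0.113.10", "op": "query", "object": "Opportunity", "rows": 250},
    {"ts": "2026-06-16T02:41:55Z", "app": "Klue Battlecards", "user": "integration@example.com",
     "ip": "198.51.100.77", "op": "queryAll", "object": "Account", "rows": 120000},
    {"ts": "2026-06-16T03:05:10Z", "app": "Klue Battlecards", "user": "integration@example.com",
     "ip": "198.51.100.77", "op": "queryAll", "object": "Contact", "rows": 340000},
    {"ts": "2026-06-16T14:30:00Z", "app": "Docs Sync", "user": "docs@example.com",
     "ip": "203.0.113.22", "op": "query", "object": "Account", "rows": 40},
]

# Per-app baseline (assumed values): the vendor's known egress ranges and a per-call row ceiling.
BASELINES = {
    "Klue Battlecards": {"cidrs": ["203.0.113.0/24"], "max_rows": 5000},
    "Docs Sync": {"cidrs": ["203.0.113.0/24"], "max_rows": 1000},
}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC, Monday to Friday (assumed)


def check_event(ev, baselines=BASELINES):
    """Return the anomaly labels for one event (empty list when it looks normal)."""
    base = baselines.get(ev["app"])
    if base is None:
        return ["unknown_app"]  # an integration nobody registered a baseline for
    flags = []
    if ev["rows"] > base["max_rows"]:
        flags.append("large_export")  # bulk pull far beyond the app's normal per-call volume
    src = ip_address(ev["ip"])
    if not any(src in ip_network(c) for c in base["cidrs"]):
        flags.append("unexpected_ip")  # token used from outside the vendor's known ranges
    ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
        flags.append("off_hours")
    return flags


def find_anomalies(events=SAMPLE_EVENTS, baselines=BASELINES):
    """Map event index -> flags for every event that trips at least one check."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev, baselines))}


def apps_to_revoke(events=SAMPLE_EVENTS, baselines=BASELINES, min_flags=2):
    """Apps with an event carrying >= min_flags anomalies: candidates for the revocation runbook."""
    hits = find_anomalies(events, baselines)
    return sorted({events[i]["app"] for i, f in hits.items() if len(f) >= min_flags})
```

Events 1 and 2 trip all three checks at once (bulk export, unfamiliar source range, middle of the night), which is the combination worth paging on; a single off-hours query from the known range would only be logged.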

Outlook

With the third Icarus-linked incident now confirmed, security teams managing Salesforce environments should treat this campaign as ongoing. The attackers behind Icarus have demonstrated the ability to compromise multiple SaaS application vendors in succession, suggesting either a systematic targeting approach or a common vulnerability class across SaaS application backends.

Organizations should not wait for their specific integrated applications to appear on an Icarus victim list — auditing and trimming OAuth integrations is a preventive action that reduces risk regardless of which specific apps are targeted next.


Source: Dark Reading

Tags: Data Breach, Salesforce, Supply Chain, SaaS Security, OAuth
