Initial entry vectors

OAuth phishing
  Method: Vishing call impersonating IT support
  Action: User approves malicious connected app
  Result: OAuth token granted

Third-party app compromise
  Method: Trusted integration (e.g. Salesloft, Drift) breached
  Action: Existing OAuth tokens reused at scale
  Result: Downstream tenant access

Stolen credentials + MFA bypass
  Method: Phished SSO credentials, harvested MFA code
  Action: Attacker logs in and swaps weak MFA factor
  Result: Persistent session access

Attacker playbook

Step 1: Authenticate
ATT&CK: T1078 · T1528 · T1110

Attacker uses the obtained credential, token, or session to log in. May test weak MFA factors (SMS, email) and swap them on the victim account to establish persistence.

Signals: LoginEvent · IdentityVerificationEvent (login_type: Remote Access 2.0)
Step 2: Enumerate resources
ATT&CK: T1619 · T1518

Attacker profiles the tenant: queries /limits/ to learn API thresholds, lists all objects via /sobjects, then counts rows in sensitive tables (Account, Contact, User, Case) to scope the exfiltration.

Signals: ApiEvent · RestApi · LimitSnapshot · /sobjects · SELECT COUNT()
Step 3: Extract data
ATT&CK: T1530 · T1213

Attacker pulls data using REST queries, Bulk API jobs, report exports, or file downloads, often staying within discovered API limits to avoid detection.

Signals: BulkApi · ReportEvent · ContentDocumentEvent (high row counts · novel IP · off-hours)
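The step 2 enumeration chain and the step 3 volume signal above can be expressed as detection logic over API telemetry. This is an added example, not Datadog's or Salesforce's code: the event field names (EventDate, UserId, SourceIp, Request, RowsProcessed), the per-user IP baseline, the 15-minute window and the 50,000-row threshold are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Tables the page names as sensitive; a SELECT COUNT() on one is the scoping step.
SENSITIVE = {"ACCOUNT", "CONTACT", "USER", "CASE"}

def is_sensitive_count(req):
    m = re.match(r"\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", req, re.I)
    return bool(m) and m.group(1).upper() in SENSITIVE

# Step-2 recon chain, in order: /limits, then /sobjects, then COUNT() on a sensitive table.
STAGES = (lambda r: r.startswith("/limits"), lambda r: r.startswith("/sobjects"), is_sensitive_count)

def recon_chains(events, known_ips, window=timedelta(minutes=15)):
    """Yield (user, ip) pairs that completed STAGES inside `window` from a novel IP."""
    by_actor = {}
    for e in sorted(events, key=lambda e: e["EventDate"]):
        by_actor.setdefault((e["UserId"], e["SourceIp"]), []).append(e)
    for (user, ip), evs in by_actor.items():
        if ip in known_ips.get(user, ()):
            continue  # baseline IP for this user: the novel-IP signal is absent
        stage, start = 0, None
        for e in evs:
            if start and e["EventDate"] - start > window:
                stage, start = 0, None  # chain went stale; look for a fresh one
            if STAGES[stage](e["Request"]):
                start, stage = start or e["EventDate"], stage + 1
                if stage == len(STAGES):
                    yield user, ip
                    break

def bulk_extraction(events, known_ips, row_threshold=50_000):
    """Step-3 signal: one query or Bulk API job returning many rows from a novel IP."""
    return [(e["UserId"], e["SourceIp"], e["RowsProcessed"]) for e in events
            if e["RowsProcessed"] >= row_threshold and e["SourceIp"] not in known_ips.get(e["UserId"], ())]

# Constructed sample telemetry; field names are simplified, not Salesforce's exact schema.
def ev(ts, user, ip, request, rows=0):
    return {"EventDate": datetime.fromisoformat(ts), "UserId": user,
            "SourceIp": ip, "Request": request, "RowsProcessed": rows}
SAMPLE_EVENTS = [
    ev("2025-03-02T02:10:00", "005A", "203.0.113.7", "/limits/"),
    ev("2025-03-02T02:11:30", "005A", "203.0.113.7", "/sobjects"),
    ev("2025-03-02T02:13:05", "005A", "203.0.113.7", "SELECT COUNT() FROM Contact"),
    ev("2025-03-02T02:40:00", "005A", "203.0.113.7", "SELECT Id, Email FROM Contact", 120_000),
    ev("2025-03-02T09:00:00", "005B", "198.51.100.4", "/limits/"),  # admin, baseline IP
    ev("2025-03-02T09:00:10", "005B", "198.51.100.4", "/sobjects"),
    ev("2025-03-02T09:00:20", "005B", "198.51.100.4", "SELECT COUNT() FROM Account"),
]
KNOWN_IPS = {"005B": {"198.51.100.4"}}  # per-user IP baseline (constructed)
```

Run both functions over the same stream in order: an actor that trips recon_chains and later bulk_extraction is the step 2 to step 3 transition the playbook names as the primary containment window.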
Step 4: Ransom exfiltrated data

Attacker threatens to publish or sell stolen customer records, deal data, and PII unless a ransom is paid. Speed of detection between steps 2 and 3 is the primary window to contain the incident.

Datadog Security Labs