A breach of the Klue platform's OAuth integration has been linked to the 'Icarus' extortion campaign, which is actively stealing Salesforce CRM data from multiple organizations. The compromise affects Klue's Battlecards application, now the third integrated app to be leveraged in these attacks.

According to BleepingComputer, the actor behind the 'Icarus' threat group is using the compromised OAuth token to access Salesforce environments and exfiltrate customer relationship management records. Dark Reading adds that victims include Huntress, a cybersecurity vendor, highlighting the broad reach of the campaign.

Technical details remain under investigation, but the attack relies on abusing legitimate OAuth permissions granted to Klue's application. This allows the attackers to move laterally within Salesforce without triggering the alerts that traditionally catch phishing or credential theft.

No patch or fix has been announced for the underlying Klue application vulnerability. Organizations using Klue's Battlecards are advised by both sources to audit OAuth permissions, rotate API keys, and monitor for anomalous data access patterns. Salesforce has not issued a public statement as of press time.
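One way to approach the monitoring advice above, as an added example that does not come from either cited report, Klue or Salesforce. The record fields (`day`, `app`, `src_ip`, `rows`), the app names and the thresholds are assumptions standing in for whatever API-usage export your environment provides. It flags a connected app's token being used from a source IP outside its baseline, or pulling far more rows than its usual query.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (not real telemetry): one row per API query made
# with a connected app's OAuth token. Field names are hypothetical.
EVENTS = [
    {"day": 1, "app": "battlecards", "src_ip": "198.51.100.10", "rows": 120},
    {"day": 2, "app": "battlecards", "src_ip": "198.51.100.10", "rows": 95},
    {"day": 3, "app": "battlecards", "src_ip": "198.51.100.11", "rows": 140},
    {"day": 4, "app": "battlecards", "src_ip": "198.51.100.10", "rows": 110},
    {"day": 5, "app": "battlecards", "src_ip": "203.0.113.77", "rows": 48000},
    {"day": 5, "app": "battlecards", "src_ip": "198.51.100.10", "rows": 130},
    {"day": 5, "app": "mailsync", "src_ip": "192.0.2.5", "rows": 60},
]

def flag_anomalies(events, baseline_days, volume_factor=10):
    """Flag post-baseline events where an app token is used from a source IP
    never seen in the baseline, or pulls far more rows than its usual query."""
    known_ips = defaultdict(set)
    volumes = defaultdict(list)
    for e in events:
        if e["day"] <= baseline_days:
            known_ips[e["app"]].add(e["src_ip"])
            volumes[e["app"]].append(e["rows"])

    findings = []
    for e in events:
        if e["day"] <= baseline_days:
            continue
        reasons = []
        if e["app"] not in known_ips:
            reasons.append("app has no baseline")  # newly authorized app: audit its grant
        else:
            if e["src_ip"] not in known_ips[e["app"]]:
                reasons.append("new source IP")
            if e["rows"] > volume_factor * median(volumes[e["app"]]):
                reasons.append("volume spike")
        if reasons:
            findings.append((e["app"], e["src_ip"], e["rows"], reasons))
    return findings

if __name__ == "__main__":
    for finding in flag_anomalies(EVENTS, baseline_days=4):
        print(finding)
```

The app's normal traffic on day 5 passes unflagged, so the check separates the integration's routine use from the same token being exercised elsewhere.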

Attribution of the Icarus group remains unclear, though the operation's sophistication suggests a well-resourced threat actor. This incident underscores the growing risk of supply chain attacks through third-party OAuth integrations in SaaS ecosystems.