How Obsidian Security Found What 700 Companies Couldn't: A SaaS Supply Chain Investigation

When the Salesloft-Drift supply chain breach hit 700+ organizations, security teams searched their own logs and missed the full picture. Here's how cross-tenant intelligence changed the investigation.

Most security investigations start with a question and end with a log search. This one started with a log search and ended with a discovery no one else had made yet.

When news of the Salesloft-Drift supply chain breach broke in August 2025, Obsidian threat researcher Damien Miller-McAndrews opened a notebook, wrote a query, and ran it. Not against one customer's environment, but across all of them simultaneously. Thirty minutes later, he had a list of every impacted organization in Obsidian's customer base. He also had something nobody else was reporting yet: Google Workspace was in scope too.

That's the difference cross-tenant intelligence makes in practice. But to understand why it matters, you have to understand what made this attack so hard to see in the first place.

The Attack: What UNC6395 Did Differently

Previous ShinyHunters campaigns targeted individual companies by social engineering employees into approving malicious connected apps, then exfiltrating Salesforce data one organization at a time. Effective, but constrained.

The Salesloft-Drift attack changed the calculus. Instead of going org by org, the threat actors compromised the OAuth tokens powering the Drift integration and used that access to pivot into the Salesforce and Google Workspace environments of every downstream customer. One breach, 700+ victims.

No phishing. No credential stuffing. No helpdesk social engineering. The integration was the access point.

This is the visibility problem at the root of SaaS supply chain risk. Within a single organization, an integration behaving oddly looks like a misconfiguration. There's no cross-customer comparison, no way to know whether you're seeing a developer testing a token or an attacker pivoting through your environment. Nothing in your own logs tells you that 699 other organizations are looking at the exact same thing right now.

The Investigation: Cross-Tenant, Cross-Service, Within Hours

When Mandiant released initial IOCs tied to the breach — IP addresses and user-agents associated with the malicious activity — security teams began searching their own logs. Most started with Salesforce. Most stopped there too.

Obsidian's normalized data doesn't work that way. Every event ingested across 200+ connected SaaS platforms is translated into consistent event types, unified timestamps, and a global entity ID that tracks human, non-human, and agentic identities across applications. An IP address appearing in a Salesforce audit log and a Google Workspace admin log resolves to the same entity. The data doesn't treat them as separate investigations, so the analyst doesn't have to either.

Obsidian's first query returned every customer environment showing known Mandiant IOCs across all connected services. The Google Workspace signal was right there in the results. Obsidian surfaced that attack vector before anyone else had reported it, roughly two hours after the initial disclosure.

The second query pushed further: for every event matching a known IOC, find IPs and user-agents present in the same context that weren't on the list. Operating on the assumption that once attacker infrastructure is identified in a victim environment, additional related infrastructure is likely present as well, analysts uncovered a user-agent string, sf-export/1.0.0, that appeared consistently across multiple victim environments.

It wasn't in Mandiant's initial reporting. It didn't match any documented Salesforce tooling. Novel attacker infrastructure, hiding in the noise of legitimate integration activity. The expanded IOC list fed back into the original query, surfacing more environments, until the list stabilized.
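The two-query loop described above (match known IOCs across every tenant and service, pivot to co-occurring indicators, feed them back in until nothing new appears), written out as an added example that is not Obsidian's code. It runs over a small constructed set of normalized events; the event schema, tenant names, seed IOC list, known-good suppression list and the two-tenant promotion threshold are all assumptions. The `sf-export/1.0.0` user-agent is the one named in the article; the IP addresses are RFC 5737 documentation addresses, not real indicators.

```python
"""Iterative IOC expansion across tenants and services.

Added example, not Obsidian's code. Schema, sample events, seed IOCs and
thresholds are constructed for illustration.
"""
from collections import defaultdict

# Constructed normalized events: (tenant, service, source ip, user-agent, entity id).
# IPs are RFC 5737 documentation addresses; "sf-export/1.0.0" is the UA from the article.
EVENTS = [
    ("acme",     "salesforce", "203.0.113.10", "python-requests/2.32", "int-drift"),
    ("acme",     "salesforce", "203.0.113.10", "sf-export/1.0.0",      "int-drift"),
    ("acme",     "gworkspace", "203.0.113.10", "sf-export/1.0.0",      "int-drift"),
    ("globex",   "salesforce", "198.51.100.7", "python-requests/2.32", "int-drift"),
    ("globex",   "salesforce", "198.51.100.7", "sf-export/1.0.0",      "int-drift"),
    ("globex",   "gworkspace", "198.51.100.7", "sf-export/1.0.0",      "int-drift"),
    ("initech",  "salesforce", "192.0.2.55",   "sf-export/1.0.0",      "int-drift"),
    ("initech",  "salesforce", "192.0.2.55",   "Mozilla/5.0",          "user-42"),
    ("umbrella", "salesforce", "192.0.2.99",   "python-requests/2.32", "int-other"),
    ("umbrella", "gworkspace", "192.0.2.99",   "Mozilla/5.0",          "user-7"),
]

# Placeholder seed list standing in for the vendor-published IOCs (constructed).
SEED_IOCS = {("ip", "203.0.113.10"), ("ip", "198.51.100.7")}
# Documented tooling and common clients: never promoted to IOC status (constructed).
KNOWN_GOOD = {("ua", "python-requests/2.32"), ("ua", "Mozilla/5.0")}
# A candidate must co-occur with known IOCs in this many distinct tenants (assumption).
MIN_TENANTS = 2


def indicators(event):
    """The (kind, value) indicators carried by one normalized event."""
    _tenant, _service, ip, ua, _entity = event
    return {("ip", ip), ("ua", ua)}


def match_iocs(events, iocs):
    """Query 1: every tenant, and every service within it, where a known IOC appears."""
    hits = defaultdict(set)
    for ev in events:
        if indicators(ev) & iocs:
            hits[ev[0]].add(ev[1])
    return dict(hits)


def expand_iocs(events, iocs, known_good, min_tenants=MIN_TENANTS):
    """Query 2: indicators that share an event with a known IOC, promoted only when
    they recur across at least min_tenants distinct tenants and are not known-good."""
    seen_in = defaultdict(set)  # candidate indicator -> tenants where it co-occurred
    for ev in events:
        inds = indicators(ev)
        if inds & iocs:
            for cand in inds - iocs - known_good:
                seen_in[cand].add(ev[0])
    return {c for c, tenants in seen_in.items() if len(tenants) >= min_tenants}


def hunt(events, seed_iocs, known_good, min_tenants=MIN_TENANTS):
    """Feed promoted indicators back into the match until the IOC list stabilizes.
    Returns (final ioc set, tenant -> impacted services, number of rounds)."""
    iocs = set(seed_iocs)
    rounds = 0
    while True:
        rounds += 1
        new = expand_iocs(events, iocs, known_good, min_tenants)
        if not new:
            break
        iocs |= new
    return iocs, match_iocs(events, iocs), rounds


if __name__ == "__main__":
    final_iocs, impacted, n = hunt(EVENTS, SEED_IOCS, KNOWN_GOOD)
    print(f"stabilized after {n} rounds; IOCs: {sorted(final_iocs)}")
    for tenant, services in sorted(impacted.items()):
        print(f"  {tenant}: {sorted(services)}")
```

Two details carry the weight here. The tenant threshold is what keeps a single co-located IP in one environment (a developer's workstation, say) from being promoted, while the known-good list keeps a generic HTTP client library out even though it sits next to attacker IPs in two tenants. The loop always terminates because the IOC set only grows and the universe of indicators is finite; on this sample it settles after two rounds, and the third tenant only becomes visible once the new user-agent has been promoted.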

Many customers were notified before their vendor had reached out. Some were notified after the vendor had told them they weren't impacted.

Three Detection Patterns Worth Taking Home

User-agent baselining. Legitimate integrations are consistent: stable user-agents, predictable infrastructure, regular timing. Deviations are a high-yield signal, especially when evaluated against historical integration behavior.

IP prevalence scoring. Suppress common ISPs and known-good ranges to reduce noise, but don't exclude trusted networks entirely. VPN compromise and corporate network intrusions happen. Blind spots in trusted locations are exploitable.

Cross-service identity correlation. UPN, email, and display name don't always match across SaaS platforms, or even between event types within the same platform. Normalizing identity fields before joining event data is the prerequisite for any threat hunt that crosses application boundaries.
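The three patterns above, implemented together over constructed data as an added example (not Obsidian's code): a per-integration user-agent baseline, a prevalence score that suppresses addresses seen across most of the tenant population and damps trusted ranges without zeroing them, and an identity normalizer applied before joining Salesforce and Google Workspace events. Every field name, threshold, weight and sample record is an assumption; addresses are RFC 5737 and RFC 1918 examples.

```python
"""Three detection patterns over normalized SaaS events.

Added example, not Obsidian's code: field names, thresholds and all sample
records are constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# ---- 1. User-agent baselining ---------------------------------------------
# Constructed baseline window: (integration entity, user-agent) observations.
HISTORY = [
    ("int-drift", "python-requests/2.32"),
    ("int-drift", "python-requests/2.32"),
    ("int-hubspot", "HubSpot Connector/3.1"),
]
# Constructed current window: (integration entity, user-agent, source ip).
CURRENT = [
    ("int-drift", "python-requests/2.32", "203.0.113.10"),
    ("int-drift", "sf-export/1.0.0", "203.0.113.10"),       # never seen for this integration
    ("int-hubspot", "HubSpot Connector/3.1", "10.20.0.5"),
]


def build_ua_baseline(history):
    """Per integration, the set of user-agents observed in the baseline window."""
    baseline = defaultdict(set)
    for entity, ua in history:
        baseline[entity].add(ua)
    return baseline


def ua_deviations(current, baseline):
    """(entity, user-agent) pairs absent from that integration's own baseline."""
    return sorted({(e, ua) for e, ua, _ in current if ua not in baseline.get(e, set())})


# ---- 2. IP prevalence scoring ---------------------------------------------
# Constructed population view: ip -> tenants in which it has been observed.
IP_TENANTS = {
    "203.0.113.10": {"acme", "globex"},
    "192.0.2.55": {"initech"},
    "198.51.100.200": {"acme", "globex", "initech", "umbrella"},  # shared ISP egress
    "10.20.0.5": {"acme", "globex"},                              # corporate VPN egress
}
TRUSTED_RANGES = [ipaddress.ip_network("10.20.0.0/16")]  # constructed known-good range
TRUSTED_WEIGHT = 0.25    # damp trusted networks; never exclude them outright (assumption)
COMMON_THRESHOLD = 0.75  # seen in this share of tenants => background noise (assumption)


def ip_prevalence_score(ip, ip_tenants, total_tenants, trusted_ranges):
    """Score in [0, 1]: rarer across the population scores higher. Addresses seen in
    most tenants are suppressed to 0; trusted ranges are damped, not dropped."""
    prevalence = len(ip_tenants.get(ip, ())) / total_tenants
    if prevalence >= COMMON_THRESHOLD:
        return 0.0
    score = 1.0 - prevalence
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in trusted_ranges):
        score *= TRUSTED_WEIGHT
    return score


# ---- 3. Cross-service identity correlation --------------------------------
# Constructed events whose identity fields differ in name, case and whitespace.
SALESFORCE = [
    {"Username": "J.Doe@Acme.com", "action": "ReportExport", "ip": "203.0.113.10"},
    {"Username": "svc.drift@acme.com", "action": "ApiQuery", "ip": "203.0.113.10"},
]
WORKSPACE = [
    {"actor_email": "j.doe@acme.com ", "display": "Jane Doe",
     "action": "drive.download", "ip": "203.0.113.10"},
]


def normalize_identity(upn=None, email=None):
    """Canonical key: prefer UPN, else email; trimmed and lower-cased.
    Display names are deliberately never used as a join key."""
    for value in (upn, email):
        if value and value.strip():
            return value.strip().lower()
    return None


def correlate(salesforce, workspace):
    """Join events from both services into one timeline per normalized identity."""
    timeline = defaultdict(list)
    for ev in salesforce:
        key = normalize_identity(upn=ev["Username"])
        timeline[key].append(("salesforce", ev["action"], ev["ip"]))
    for ev in workspace:
        key = normalize_identity(email=ev["actor_email"])
        timeline[key].append(("gworkspace", ev["action"], ev["ip"]))
    return dict(timeline)


if __name__ == "__main__":
    print("UA deviations:", ua_deviations(CURRENT, build_ua_baseline(HISTORY)))
    for ip in IP_TENANTS:
        print(ip, ip_prevalence_score(ip, IP_TENANTS, 4, TRUSTED_RANGES))
    print("per-identity timeline:", correlate(SALESFORCE, WORKSPACE))
```

The baseline is keyed per integration rather than per tenant: the question is whether this specific connected app has ever presented this client string, not whether anyone in the environment has. The prevalence score treats "seen almost everywhere" and "inside a trusted range" differently on purpose, because the first is noise but the second is exactly where a compromised VPN or corporate network would sit. The join in part 3 lands the `J.Doe@Acme.com` Salesforce export and the `j.doe@acme.com ` Workspace download on one identity; without the normalizer they would sit in two unrelated buckets.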

The Broader Shift

The Salesloft-Drift attack confirmed what Obsidian has been tracking for years: the attack surface in enterprise SaaS isn't primarily the user. It's the integration layer. Every OAuth grant, every connected application, every non-human identity in your environment is a potential access point, and most operate with limited visibility.

Cross-tenant intelligence resolved one part of that problem. The rest — integrations granted access without transparency, detections that don't correlate signals across systems — remain unsolved for most organizations.

That's where the work continues.

Damien Miller-McAndrews presented this research at Databricks Data + AI Summit, June 2026. For a deeper breakdown of supply chain attack mechanics, see Damien's Behind the Breach series on the Obsidian blog site.
