Proactive Identity Defense: Preventing a Supply Chain Breach

By Ashish Shah

The recent attack on Salesloft and its impact on hundreds of Salesforce instances highlights a critical vulnerability in modern enterprise environments. The incident did not involve a direct breach of Salesforce, but rather the compromise of a Non-Human Identity (NHI)—specifically, an OAuth token belonging to the Salesloft connected app. An attacker compromised the token and used it to exfiltrate data from Salesforce.

Below we outline how Andromeda thinks about a compromise like this and the steps that can be taken to detect anomalous identity activity and thwart a breach.

Andromeda's approach is centered on understanding and baselining the behavior of every identity, both human and non-human. We inventory all identities, rightsize permissions, and tie every NHI to a human owner. Upon deployment, Andromeda creates a dynamic risk profile for each NHI by learning its normal activity patterns, including:

  • Client IPs: Tracking and inventorying all client IPs used by an NHI.
  • API Usage Patterns: Learning the behavior pattern, including the frequency distribution of the different APIs called from each client IP.

Using this context, Andromeda can immediately identify deviations from the established baseline. In a case similar to the Salesloft breach, Andromeda would detect two key anomalies:

  1. A client IP that had never been seen before being used by the NHI.
  2. The behavior pattern of this new client IP differing drastically from that of the existing, legitimate clients. The attacker's behavior—bulk data extraction—would not have aligned with the NHI’s normal, benign API usage.
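The two anomalies above, worked through as an added example that is not Andromeda's code: a baseline of known client IPs and their per-IP API frequency distributions is built from constructed audit events, and a client's recent calls are scored against it. The event format, API names, IP addresses, the 0.5 distance threshold and the response policy are all assumptions made for this illustration.

```python
from collections import Counter, defaultdict

# Constructed audit events for one NHI (the connected app's OAuth token), as
# (client_ip, api_name) pairs: a few days of legitimate traffic from two known clients.
BASELINE_EVENTS = (
    [("203.0.113.10", "query")] * 40 + [("203.0.113.10", "update")] * 20
    + [("203.0.113.11", "query")] * 30 + [("203.0.113.11", "update")] * 10
)

def build_baseline(events):
    """Inventory of known client IPs, each with its API call counts."""
    per_ip = defaultdict(Counter)
    for ip, api in events:
        per_ip[ip][api] += 1
    return per_ip

def normalize(counts):
    """Turn raw API counts into a frequency distribution."""
    total = sum(counts.values())
    return {api: n / total for api, n in counts.items()}

def total_variation(p, q):
    """Total variation distance between two API distributions: 0 identical, 1 disjoint."""
    return 0.5 * sum(abs(p.get(a, 0.0) - q.get(a, 0.0)) for a in set(p) | set(q))

def assess_client(baseline, ip, recent_apis, threshold=0.5):
    """Check one client's recent API calls against the NHI baseline.

    Returns the anomalies found and the distance of the client's usage from the
    NHI's pooled legitimate usage. The 0.5 threshold is an assumed tuning value.
    """
    findings = []
    if ip not in baseline:                       # anomaly 1: never-seen client IP
        findings.append("new_client_ip")
    pooled = Counter()
    for counts in baseline.values():             # all legitimate clients combined
        pooled.update(counts)
    distance = total_variation(normalize(pooled), normalize(Counter(recent_apis)))
    if distance > threshold:                     # anomaly 2: usage pattern deviates
        findings.append("usage_pattern_deviation")
    return findings, round(distance, 3)

def recommended_actions(findings):
    """Map findings to the response described in the post. Policy assumed here:
    both anomalies together trigger full containment, one alone only a notification."""
    if "new_client_ip" in findings and "usage_pattern_deviation" in findings:
        return ["zero_out_permissions", "notify_nhi_owner", "revoke_token"]
    return ["notify_nhi_owner"] if findings else []

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    # Constructed attacker traffic: an unknown IP doing nothing but bulk extraction.
    findings, dist = assess_client(baseline, "198.51.100.7", ["bulk_export"] * 50)
    print(findings, dist, recommended_actions(findings))
```

A legitimate but newly provisioned client that calls the same APIs in the same proportions trips only the new-IP check, which is why the second anomaly matters for separating a rollout from a token theft.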

Using the Salesloft breach as an example, Andromeda would instantly flag this activity. Recognizing that the NHI owner (in this example, the enterprise user who owns the Salesloft NHI) was not the compromised entity, Andromeda would take the following automated actions:

  • Zero Out Permissions: Drop the privileges for the connected App, blocking access to Salesforce from any of the Salesloft clients.
  • Notify the NHI Owner: A real-time notification would be sent to the NHI’s human owner, detailing the detection of a new client IP with an unaligned usage pattern.
  • Revoke the Compromised Token: The stolen OAuth token would be automatically and instantly revoked, severing the attacker's access and preventing any further misuse.

By focusing on behavioral anomalies rather than relying on static security measures, Andromeda provides robust, proactive identity security, ensuring that compromised credentials are detected, alerted on, and revoked before they result in a breach.

If you would like to learn more, please reach out for a demonstration.