Delivery Technique
The important feature of the Drift-style scenario is not a fake login page. It is trusted delegated access. Reporting on the incident described stolen OAuth tokens tied to a third-party integration being used to access Salesforce data across customer environments. The app relationship was real, which means normal MFA-centered defenses were not the control point.
Defensive Gaps
Many organizations review vendors as companies but do not separately model the permissions held by each integration. That misses the operational question defenders need during an incident: if this app token is compromised, which tenants, users, records, mailboxes, files, and downstream credentials are exposed?
Control Design
Add token blast radius to third-party risk. For each major SaaS integration, record the connected platform, authorization model, scopes, token owner, token storage assumptions, data types reachable, IP restrictions, proof-of-possession support, logging depth, and revocation procedure. Keep that map close to incident response, not buried in procurement notes.
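One way to keep such a map queryable rather than buried in a spreadsheet, added here as an illustration and not part of the original note (the integration names, scopes, the 90-day log threshold and the list of broad scopes are hypothetical):

```python
from dataclasses import dataclass

# Constructed inventory records for the blast-radius map described above.
# Integration names, scopes, data types and thresholds are hypothetical.
@dataclass
class Integration:
    name: str
    platform: str
    auth_model: str            # e.g. "oauth2-connected-app"
    scopes: tuple
    token_owner: str
    token_storage: str         # where the vendor says the refresh token lives
    data_types: tuple          # objects/records reachable with this token
    ip_restricted: bool
    proof_of_possession: bool
    log_retention_days: int
    revocation_procedure: str  # who revokes it and how; empty if undocumented

BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}

def blast_radius(integ):
    """If this token is stolen: what is reachable, and which controls are missing?"""
    gaps = []
    if not integ.ip_restricted:
        gaps.append("no IP allowlist: token usable from any network")
    if not integ.proof_of_possession:
        gaps.append("bearer token: replayable by whoever holds it")
    broad = sorted(BROAD_SCOPES.intersection(integ.scopes))
    if broad:
        gaps.append("broad scopes: " + ", ".join(broad))
    if integ.log_retention_days < 90:
        gaps.append("log retention under 90 days: activity may age out")
    if not integ.revocation_procedure:
        gaps.append("no documented revocation procedure")
    return {"integration": integ.name, "exposed": list(integ.data_types), "gaps": gaps}

def triage(inventory):
    """Order integrations by number of control gaps, then by data reach."""
    return sorted(inventory, key=lambda i: (len(blast_radius(i)["gaps"]), len(i.data_types)), reverse=True)

INVENTORY = [
    Integration("chatbot-crm-sync", "Salesforce", "oauth2-connected-app",
                ("api", "refresh_token"), "sales-ops", "vendor cloud",
                ("Account", "Contact", "Case", "Opportunity"), False, False, 30, ""),
    Integration("ticket-export", "helpdesk SaaS", "oauth2-connected-app",
                ("tickets:read",), "support-eng", "vendor cloud",
                ("Ticket",), True, False, 180, "app admin revokes in vendor console"),
]
```

Calling `triage(INVENTORY)` during an incident gives responders the revocation order and, per integration, the object types to review.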
Rollout Risks
The cleanup phase can be bigger than the breach. CRM and support data often includes API keys, temporary passwords, architecture notes, customer contacts, and enough context to fuel follow-on phishing. Containment should include data review and credential rotation, not only disconnecting the integration.
Recommended Controls
Practice a SaaS token incident tabletop: revoke the app, rotate related credentials, identify affected objects, notify business owners, and monitor for follow-on phishing that uses the exposed customer or support context. Stronger controls include least-privilege scopes, user assignment, IP allowlists where platforms support them, and logs that survive attacker cleanup attempts.