The Data Behind the Deception Proves Legacy MFA Is the Honeypot to Bad Actors

The new Optery 2026 Enterprise Social Engineering Survey Report should make every CISO stop and ask a very uncomfortable question: Are we actually stopping identity attacks, or are we just pretending? The report surveyed 421 enterprise cybersecurity professionals, mostly senior leaders across large companies. The findings are blunt: 96% report an increase in targeted social engineering attacks over the past year. Nearly 75% report credential compromise resulting from targeted social engineering. 89.8% say recent attacks were highly or moderately personalized.

Kevin Surace
3 minute read

Salesforce Phishing Resistant Access: Why Token Became the Leading Choice

Salesforce has become one of the most valuable data platforms in the enterprise. It holds customer records, donor data, sales pipelines, financial history, case notes, reports, workflows, integrations, and privileged administrative controls. For many organizations, Salesforce is not just a CRM. Salesforce is the front door to the business. That is why Salesforce security is changing so quickly.

Kevin Surace
5 minute read

The FBI Just Warned About Device Code Attacks. Here’s How Enterprises Using TokenCore Devices Should Respond.

The FBI and CISA recently issued a public warning about a rapidly growing attack technique abusing Microsoft 365 "device code flow" authentication. The advisory explains how attackers are using legitimate OAuth authorization workflows to gain persistent access to enterprise Microsoft 365 environments without stealing passwords or bypassing MFA in the traditional sense. This is an important moment for the industry because it highlights a larger truth: Strong authentication alone is no longer enough.

Kevin Surace
4 minute read

Carnival Shows the Same Pattern Again: Social Engineering + Compromised MFA

Token’s customers are fully protected. Carnival’s customers were not. Carnival Corp. has disclosed another cybersecurity incident, and the pattern should look familiar by now. According to Reuters, the company said an employee account was compromised in April after social engineering was used to deceive an employee and gain access to data. The exposed information included names, addresses, and government-issued identification numbers.

Kevin Surace
3 minute read

The Grafana GitHub Token Breach: The Front Door Was Identity

Grafana recently disclosed that an unauthorized party obtained a token granting access to the company’s GitHub environment and used it to download portions of its codebase. Grafana confirmed that no customer data or personal information was accessed, invalidated the compromised credentials, and applied additional controls. The response was fast, and the containment was effective.

Kevin Surace
2 minute read

Nitrogen Ransomware, Foxconn, and the Identity Architecture Problem Reshaping Enterprise Security

The Foxconn incident tied to the Nitrogen ransomware group is instructive — not because it reveals new attack techniques, but because it confirms a structural shift in how enterprise environments are compromised. Attackers are no longer primarily exploiting unpatched software. They are compromising identity systems, inheriting trusted sessions, and moving laterally through legitimate administrative pathways. This is not an emerging trend. It is the established model.

Kevin Surace
3 minute read

Insurance Is Now the Primary Target for Identity Attacks

Insurance carriers are not being targeted because their security teams have failed. They are being targeted because their operating model exposes identity at scale, and attackers know exactly where that exposure sits.

Kevin Surace
2 minute read

An Analysis of the Canvas Breach

Canvas was not compromised one school at a time. The breach appears to have originated at a single, high-trust layer—the privileged access tier that spans the entire platform. The evidence now supports a clear conclusion: this was almost certainly an identity compromise at the privileged access layer. Not a student credential incident. Not 9,000 separate school intrusions. Not a novel zero-day exploit that somehow reached every campus simultaneously.

Kevin Surace
3 minute read

Salesforce Is the New Identity Goldmine — and Auth Apps Aren't the Answer

A repeatable, industrialized attack pattern is compromising Salesforce environments across regulated industries. The vulnerability is not in Salesforce. It is in the authentication model that controls access to it.

Kevin Surace
6 minute read

Identity Is Under Attack. The Architecture Must Change.

CrowdStrike is now tracking two financially motivated threat groups—Cordial Spider and Snarky Spider—that are systematically targeting identity platforms and SaaS environments across aviation, retail, financial services, healthcare, legal, and technology sectors. Their methods: voice phishing, social engineering, and spoofed SSO pages. Their objective: valid access, obtained without defeating a single firewall.

Kevin Surace
3 minute read

Snowflake: Valid Credentials. Invalid Identity.

When a cloud platform makes headlines for a breach, attention falls on the platform. Was there a vulnerability? Was encryption broken? Was access control misconfigured? In the Snowflake-related incidents, those questions are the wrong ones. Snowflake was not breached. The platform performed exactly as designed. What failed was identity.

Kevin Surace
2 minute read

OAuth Phishing Has Made MFA Irrelevant

OAuth phishing has fundamentally changed the identity attack surface. It does not defeat MFA — it renders MFA irrelevant. Classic phishing targets credentials. OAuth phishing targets authorization. Attackers trick users into granting access to a malicious application. The user never enters a password. No MFA prompt appears. The attacker receives a valid OAuth token and gains persistent access — entirely within the normal login flow.

Kevin Surace
1 minute read