This Week in Third-Party Breaches: Emergency Alert Systems, SaaS Platforms, and Collaboration Tools Under Attack

Within the five days of November 24-28, 2025, we witnessed a ransomware attack that crippled emergency notification systems across hundreds of US municipalities, an OAuth token abuse campaign that compromised over 200 enterprise Salesforce instances, and the disclosure of a critical Microsoft Teams architectural flaw that renders corporate security controls useless when employees join external tenants.

Each incident illustrates a different facet of third-party risk. Together, these demonstrate why the 2025 Verizon DBIR finding—that third-party breaches have doubled to 30%—demands immediate executive attention. This analysis breaks down what happened, why it matters, and what your organization should do right now.

Incident 1: CodeRED Emergency Alert System Ransomware Attack

What Happened

On November 24, 2025, municipalities across the United States began reporting that their CodeRED emergency notification systems were offline. The platform, operated by Crisis24 (via its OnSolve acquisition), enables cities, counties, and law enforcement agencies to send real-time alerts during emergencies, including severe weather, evacuations, gas leaks, and missing persons.

The attack was attributed to the INC Ransom ransomware group, which claimed to have gained initial access on November 1 and deployed file-encrypting ransomware on November 10. According to reports, INC Ransom initially demanded $950,000, later reduced to $450,000, but negotiations failed after Crisis24 reportedly offered only $100,000.

Critical Impact

•       System destruction: The attack damaged the CodeRED environment to such an extent that Crisis24 permanently decommissioned the legacy platform

•       Data exposure: Stolen data included names, addresses, email addresses, phone numbers, and passwords—reportedly stored in clear text

•       Geographic scope: Confirmed impact across Massachusetts, Colorado, Texas, Florida, North Carolina, Ohio, Kansas, Georgia, California, Utah, Missouri, Montana, and additional states

•       Vendor response: Douglas County, Colorado, and Cascade County, Montana, terminated their CodeRED contracts; Crisis24 is migrating customers to a new 'CodeRED by Crisis24' platform built from March 2025 backups

Key Lessons for IT Leaders

This incident exposes how dependent critical infrastructure has become on third-party vendors. When your emergency communication capability depends entirely on a single provider, ransomware against that provider becomes an attack on public safety. Cascade County Sheriff Jesse Slaughter stated that the week-long outage without notification caused 'serious loss of confidence in the company's product and reliability.'

Rhode Island Emergency Management Agency Director Marc Pappas captured the broader reality: "It's the world we live in now. Whenever there's a hack and a cyber incident, we just tell people to change their passwords." But for critical infrastructure, password changes aren't enough—organizations need redundant communication channels that don't rely on a single point of failure.

Incident 2: Salesforce/Gainsight OAuth Supply Chain Attack

What Happened

On November 19, 2025, Salesforce issued a security advisory warning of 'unusual activity' involving Gainsight-published applications connected to its platform. The investigation revealed that threat actors had compromised OAuth tokens to gain unauthorized access to customer Salesforce instances.

The ShinyHunters cybercrime group (also tracked as UNC6240) claimed responsibility, stating that it had leveraged credentials stolen during an earlier Salesloft Drift breach in which Gainsight was a victim. Google Threat Intelligence Group confirmed awareness of 'more than 200 potentially affected Salesforce instances.'

Attack Chain Analysis

  1. Initial compromise: ShinyHunters breached Salesloft's GitHub account and obtained OAuth tokens for the Drift AI chat integration with Salesforce
  2. Cascading access: Because Gainsight was a Salesloft Drift customer, the attackers gained credentials enabling deeper compromise
  3. Reconnaissance: According to Salesforce indicators of compromise, attackers began reconnaissance from IP address 3.239.45.43 on October 23, 2025
  4. Mass exploitation: Subsequent waves of reconnaissance and unauthorized access started on November 8, 2025
  5. Detection lag: ShinyHunters claimed they verified minimal monitoring in Gainsight's systems and operated undetected for approximately one to two weeks

Confirmed and Claimed Victims

ShinyHunters claims the combined Salesloft and Gainsight campaigns affected 'almost 1000 organisations.' Named companies in their claims include Verizon, GitLab, F5, SonicWall, Atlassian, CrowdStrike, DocuSign, LinkedIn, Thomson Reuters, and others. Some organizations, such as Palo Alto Networks and DocuSign, have publicly confirmed that they took immediate containment measures but found no evidence of compromise.

Notably, the attackers threatened to create a dedicated data leak site for victims of both the Salesloft and Gainsight campaigns if Salesforce did not negotiate.

Why This Matters

This attack demonstrates the concept of fourth-party risk in action. Organizations using Gainsight were compromised not because of anything Gainsight did wrong initially, but because Salesloft, a vendor whose Drift integration Gainsight itself used, was breached. Your vendors' vendors are your attack surface.

The attack also highlights the danger of OAuth token persistence. As Austin Larsen of Google Threat Intelligence Group noted: 'Adversaries are increasingly targeting the OAuth tokens of trusted third-party SaaS integrations.' These tokens often persist long after initial authorization, creating extended windows of opportunity for attackers.

Incident 3: Microsoft Teams Cross-Tenant Security Bypass

The Architectural Flaw

On November 26, 2025, security firm Ontinue published research revealing a critical security gap in Microsoft Teams' B2B Guest Access feature. The finding is not a software bug but an architectural reality: when employees accept guest invitations to external Microsoft 365 tenants, they lose all Defender for Office 365 protections provided by their home organization.

This means Safe Links scanning, Safe Attachments, Zero-hour Auto Purge (ZAP), and malware detection are determined entirely by the hosting tenant's configuration—not the user's employer. Attackers can create Microsoft 365 tenants with minimal or no security controls, creating what Ontinue calls 'protection-free zones.'

Why This Is Critical Now

Microsoft's November 2025 rollout of feature MC1182004 dramatically increased the attack surface. This feature—enabled by default—allows any Teams user to initiate chats with any email address, including people who are not currently using Teams. Recipients receive legitimate Microsoft invitations that bypass SPF, DKIM, and DMARC email checks.

The Attack Scenario

•       Attacker creates a basic Microsoft 365 tenant (Teams Essentials trial or Business Basic—low cost)

•       Attacker ensures tenant lacks Defender for Office 365 protections (default for basic SKUs)

•       Attacker sends guest invitation to target using MC1182004 feature

•       Victim receives legitimate-looking Microsoft email (passes all email authentication)

•       Victim accepts the invitation with a single click

•       All subsequent communication occurs in the attacker's tenant with zero protection—phishing links, malware, and data exfiltration proceed undetected by the victim's security stack

Shane Barney, CISO at Keeper Security, summarized the threat: 'The familiar interface can give the impression that security remains consistent, but the safeguards in place are entirely dependent on how the hosting tenant is configured.'

Context: CISA's November 24 Spyware Warning

Adding urgency to this week's events, CISA released an alert on November 24, 2025, warning that multiple threat actors are actively leveraging commercial spyware to target users of messaging applications, including Signal and WhatsApp. The agency cited Russian state-aligned groups abusing Signal's 'linked devices' feature, zero-click exploits targeting Samsung devices, and app impersonation campaigns.

Primary targets include current and former government officials, military personnel, political figures, and civil society organizations across the United States, the Middle East, and Europe. The techniques—QR code abuse for device linking, zero-click exploits, app impersonation—mirror the social engineering and trust exploitation seen in the enterprise incidents above.

A Framework for Response: Lessons from This Week

1. Eliminate Single Points of Failure for Critical Functions

The CodeRED incident demonstrates that critical communication capabilities cannot depend on a single vendor. Organizations should maintain backup notification channels (e.g., IPAWS for government, alternate SMS providers, social media protocols) that do not rely on shared infrastructure.

2. Audit OAuth Tokens and Third-Party Integrations

The Gainsight breach exploited persistent OAuth tokens across SaaS applications. Immediate actions: review all third-party applications connected to critical systems, such as Salesforce; revoke tokens for unused or suspicious applications; rotate credentials for active integrations; and implement continuous monitoring for anomalous API activity.
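The following Python audit is an added example, not code from the article, Salesforce or Gainsight. It runs the first two actions above over constructed data: the token rows are shaped like a query of Salesforce's OauthToken object (field names assumed), the access log format is made up, and the only real value is the 3.239.45.43 reconnaissance address cited in the attack chain above.

```python
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like Salesforce's OauthToken object
# (field names assumed); these are not the article's data.
SAMPLE_TOKENS = [
    {"Id": "0Jxx01", "AppName": "Gainsight NXT", "UserId": "005A1",
     "LastUsedDate": "2025-11-20T09:00:00Z"},
    {"Id": "0Jxx02", "AppName": "Drift for Salesforce", "UserId": "005A2",
     "LastUsedDate": "2025-07-02T14:30:00Z"},
    {"Id": "0Jxx03", "AppName": "Unknown Reporting Tool", "UserId": "005A3",
     "LastUsedDate": "2025-11-25T01:15:00Z"},
]
APPROVED_APPS = {"Gainsight NXT", "Drift for Salesforce"}   # your sanctioned integrations
AUDIT_TIME = datetime(2025, 11, 28, tzinfo=timezone.utc)    # "now" for the audit

# Constructed API access log lines (format assumed). 3.239.45.43 is the
# reconnaissance address from the Salesforce indicators of compromise cited above.
SAMPLE_LOG = """\
2025-10-23T03:12:44Z user=005A3 app="Unknown Reporting Tool" src=3.239.45.43 op=query rows=50000
2025-11-20T09:00:10Z user=005A1 app="Gainsight NXT" src=198.51.100.7 op=query rows=120
2025-11-25T01:15:02Z user=005A3 app="Unknown Reporting Tool" src=3.239.45.43 op=bulk_export rows=900000
"""
IOC_IPS = {"3.239.45.43"}


def audit_tokens(tokens, approved_apps, now, max_idle_days=90):
    """Map token Id -> reason for every token to revoke or review."""
    findings = {}
    for t in tokens:
        last_used = datetime.strptime(t["LastUsedDate"], "%Y-%m-%dT%H:%M:%SZ")
        idle = now - last_used.replace(tzinfo=timezone.utc)
        if t["AppName"] not in approved_apps:          # unknown app: revoke and investigate
            findings[t["Id"]] = f"app not on approved list: {t['AppName']}"
        elif idle > timedelta(days=max_idle_days):     # dormant grant that still works
            findings[t["Id"]] = f"unused for {idle.days} days"
    return findings


def flag_ioc_access(log_text, ioc_ips):
    """Return (timestamp, app, src_ip) for each log line whose source IP is an IoC."""
    hits = []
    for line in log_text.splitlines():
        tokens = shlex.split(line)                   # keeps quoted app names together
        fields = dict(kv.split("=", 1) for kv in tokens[1:])
        if fields.get("src") in ioc_ips:
            hits.append((tokens[0], fields["app"], fields["src"]))
    return hits
```

Feed real OauthToken rows and your API event log into the two functions; a token flagged by the first and an app seen by the second is the one to revoke first.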

3. Govern Cross-Tenant Collaboration

The Microsoft Teams research reveals that 'security follows the resource tenant.' Protect your users by:

•       Restricting B2B guest invitations to allowlisted trusted domains in Microsoft Entra ID

•       Implementing cross-tenant access policies to block B2B collaboration by default

•       Disabling the MC1182004 'chat with anyone' feature if external collaboration isn't required

•       Training users to be suspicious of unsolicited Teams invitations
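As an added example (not from the article, Ontinue or Microsoft), the two policy documents below show the open default beside the hardened "block by default, allow named partners" posture, with a check that tells them apart. Their shape follows Microsoft Graph's crossTenantAccessPolicy default and partner objects as I understand them, which is an assumption; the tenant ID is a placeholder.

```python
# Constructed policy documents shaped like Microsoft Graph's
# /policies/crossTenantAccessPolicy/default object (schema assumed from the
# Graph reference; values are illustrative, not read from any tenant).
ALL_USERS = [{"target": "AllUsers", "targetType": "user"}]
ALL_APPS = [{"target": "AllApplications", "targetType": "application"}]

# Weak: the service default lets any user accept a guest invitation from any tenant.
OPEN_DEFAULT = {
    "isServiceDefault": True,
    "b2bCollaborationOutbound": {
        "usersAndGroups": {"accessType": "allowed", "targets": ALL_USERS},
        "applications": {"accessType": "allowed", "targets": ALL_APPS},
    },
}

# Hardened: block outbound B2B collaboration by default, then allow only
# named partner tenants. The tenant ID below is a placeholder.
BLOCKED_DEFAULT = {
    "isServiceDefault": False,
    "b2bCollaborationOutbound": {
        "usersAndGroups": {"accessType": "blocked", "targets": ALL_USERS},
        "applications": {"accessType": "blocked", "targets": ALL_APPS},
    },
}
PARTNERS = [  # shaped like /policies/crossTenantAccessPolicy/partners entries
    {"tenantId": "00000000-0000-0000-0000-000000000001",
     "b2bCollaborationOutbound": {
         "usersAndGroups": {"accessType": "allowed", "targets": ALL_USERS},
         "applications": {"accessType": "allowed", "targets": ALL_APPS}}},
]


def outbound_b2b_open(default_policy):
    """True when the default lets all users join arbitrary external tenants."""
    users = default_policy.get("b2bCollaborationOutbound", {}).get("usersAndGroups", {})
    if not users:            # assumed: an unset section behaves as the service default
        return True
    to_all = any(t.get("target") == "AllUsers" for t in users.get("targets", []))
    return users.get("accessType") == "allowed" and to_all


def allowed_partner_tenants(partners):
    """Tenant IDs users may still collaborate with once the default is blocked."""
    return sorted(p["tenantId"] for p in partners
                  if p.get("b2bCollaborationOutbound", {})
                      .get("usersAndGroups", {}).get("accessType") == "allowed")
```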

4. Map Fourth-Party Dependencies

The Gainsight attack chain (Salesloft → Gainsight → Customers) demonstrates that your vendors' security posture directly impacts you. Require vendors to disclose their critical third-party dependencies and include TPRM requirements in contracts.

5. Assume Breach in Incident Planning

All three incidents this week involved organizations that likely believed they had adequate security controls. Incident response plans must include scenarios where third-party compromise bypasses your direct security investments.

Immediate Action Checklist

If You Use CodeRED

  1. Change any passwords reused from your CodeRED account immediately.
  2. Monitor for phishing attempts leveraging stolen contact information.
  3. Evaluate backup emergency notification capabilities.

If You Use Gainsight or Salesforce Integrations

  1. Review Salesforce and Gainsight's published indicators of compromise.
  2. Audit connected applications and revoke unused OAuth authorizations.
  3. Rotate credentials for S3 buckets, BigQuery, Zuora, Snowflake, and other connectors used with Gainsight.
  4. Log in to Gainsight NXT directly rather than through Salesforce until integration is fully restored.

For All Microsoft 365 Organizations

  1. Review External collaboration settings in Microsoft Entra ID → External Identities.
  2. Consider restricting guest invitations to specific trusted domains.
  3. Evaluate whether the MC1182004 feature should be disabled for your organization.
  4. Brief employees on the risk of accepting external Teams invitations.

Key Takeaways

  1. Critical infrastructure is vulnerable: The CodeRED attack shows that emergency communication systems—designed to save lives—can be taken offline by ransomware attacks on third-party vendors.
  2. OAuth tokens are high-value targets: The Gainsight breach demonstrates that attackers are increasingly targeting persistent authentication tokens across SaaS ecosystems.
  3. Your security controls don't follow your users everywhere: The Microsoft Teams research proves that collaboration features can create 'protection-free zones' where corporate security investments are bypassed.
  4. Fourth-party risk is real: Organizations were compromised through their vendors' vendors—a risk most TPRM programs don't adequately address.
  5. Default settings favor convenience over security: Microsoft's MC1182004 feature, enabled by default, dramatically expanded the attack surface for cross-tenant exploitation.

This week's incidents are not anomalies—they're the new normal. The 2025 Verizon DBIR finding that third-party breaches doubled to 30% is playing out in real-time. Organizations that fail to adapt their security strategies to address third-party, fourth-party, and cross-tenant risks will continue to find themselves victimized through their trusted business relationships.

References

CodeRED Incident:

•       BleepingComputer: 'OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide' (November 25, 2025)

•       SecurityWeek: 'Ransomware Attack Disrupts Local Emergency Alert System Across US' (November 26, 2025)

•       Malwarebytes: 'Millions at risk after nationwide CodeRED alert system outage and data breach' (November 27, 2025)

Gainsight/Salesforce Incident:

•       The Hacker News: 'Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity' (November 21, 2025)

•       TechCrunch: 'Google says hackers stole data from 200 companies following Gainsight breach' (November 21, 2025)

•       The Hacker News: 'Gainsight Expands Impacted Customer List Following Salesforce Security Alert' (November 27, 2025)

Microsoft Teams Research:

•       Ontinue: 'B2B Guest Access Creates an Unprotected Attack Vector' (November 26, 2025)

•       The Hacker News: 'MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants' (November 28, 2025)

•       TechRepublic: 'Microsoft Teams Guest Access Leaves Users Exposed to Attacks' (November 28, 2025)

CISA Alert:

•       CISA: 'Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications' (November 24, 2025)
