The education technology community is responding to a significant security incident: Instructure’s Canvas LMS was the subject of a breach disclosed on May 1, 2026, with the threat actor group ShinyHunters claiming responsibility. If your institution relies on Canvas — and integrates it with Microsoft 365 or Entra ID — there are immediate steps worth reviewing.
Here’s what Forsyte IT Solutions is doing, what we know, and what you should consider right now.
What Happened
On May 1, 2026, Instructure disclosed a security incident affecting Canvas LMS. ShinyHunters, a threat actor group with a documented history of large-scale data theft and extortion, claimed responsibility. Full details about the scope, breadth, and containment of the incident remain limited at this time.
What makes this incident particularly relevant for Microsoft 365 administrators is the deep integration that many institutions have established between Canvas and their Microsoft tenant — including LTI tools, SAML-based single sign-on, service principals, and API-connected app registrations.
What Forsyte IT Solutions Is Doing
Our team moved quickly after the disclosure. We have:
- Increased SOC monitoring coverage, with specific guidance to analysts on this evolving situation
- Implemented recurring threat hunts that are continuously refined as new data emerges about exposure, indicators of compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs)

We are also:
- Actively scanning trusted threat intelligence feeds for IOCs that qualify for inclusion in the Guardian 365 IOC feed
- Evaluating high-impact custom detection rules that we can recommend or deploy on customers' behalf, based on established preferences
As the IOC profile of this incident sharpens, we will continue refining our detection logic and communicating updates through this channel.
What We Have NOT Observed
As of this writing, our SOC has not observed a confirmed successful compromise of any Entra ID or Microsoft 365 environment resulting directly from the Canvas breach across our customer community.
This is an objective statement based on the evidence we have reviewed — not a guarantee about future events or activity outside our visibility.
The Risk to Your Microsoft 365 Tenant
Our assessment is that there is an elevated but unconfirmed risk in leaving Canvas-related integrations, app registrations, and service principals enabled in your tenant. This assessment reflects the limited public information available, not a direct observation of harm.
With that posture in mind, administrators should audit the following known Canvas / Instructure-related entities in Entra ID:
| Entity | How to Find |
|---|---|
| Microsoft 365 LTI for Canvas | App ID: db6f2704-3d25-4d9d-a8ed-a3ef47689f5f · Reply URLs include m365lti.edu.cloud.microsoft |
| OneDrive LTI | Reply URLs include onedrivelti.microsoft.com or onedrivelti.edu.cloud.microsoft |
| Canvas-published service principals | Publisher = Instructure · Reply URL / Identifier URI contains .instructure.com or lti.instructure.com |
| Canvas SAML / SSO app registrations | Reply URL or Identifier URI matches <your-org>.instructure.com |
| LTI / Caliper Analytics tools | Review case-by-case; some Canvas-specific analytics integrations use this name |
Note: This list is a starting reference, not a complete inventory. Any internal or Canvas-provided list your team already maintains should take precedence.
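One way to apply the table's criteria to an exported inventory, as an added example (not Forsyte's or Microsoft's own tooling). It assumes records shaped like Microsoft Graph `servicePrincipal` objects (`appId`, `displayName`, `replyUrls`, `servicePrincipalNames`, `accountEnabled`, `verifiedPublisher`); the `publisherName` fallback, the function names, the category labels and the sample records are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

M365_LTI_APP_ID = "db6f2704-3d25-4d9d-a8ed-a3ef47689f5f"  # App ID from the table above
EXACT_HOSTS = {  # reply-URL hosts from the table above
    "m365lti.edu.cloud.microsoft": "Microsoft 365 LTI for Canvas",
    "onedrivelti.microsoft.com": "OneDrive LTI",
    "onedrivelti.edu.cloud.microsoft": "OneDrive LTI",
}

def host_of(uri):
    """Lower-cased hostname of a reply URL or identifier URI ('' if none)."""
    try:
        return (urlsplit(uri if "://" in uri else "//" + uri).hostname or "").lower()
    except ValueError:
        return ""

def classify(sp):
    """Return the sorted audit categories one service-principal record matches."""
    hits = set()
    if sp.get("appId", "").lower() == M365_LTI_APP_ID:
        hits.add("Microsoft 365 LTI for Canvas")
    pub = sp.get("verifiedPublisher") or {}  # assumption: publisher is in one of these fields
    if "instructure" in (pub.get("displayName") or sp.get("publisherName") or "").lower():
        hits.add("Canvas-published service principal")
    for uri in sp.get("replyUrls", []) + sp.get("servicePrincipalNames", []):
        host = host_of(uri)  # compare the parsed host, not a substring of the whole URI
        if host in EXACT_HOSTS:
            hits.add(EXACT_HOSTS[host])
        elif host == "instructure.com" or host.endswith(".instructure.com"):
            hits.add("Instructure-hosted reply URL / identifier URI")
    if re.search(r"\b(lti|caliper)\b", sp.get("displayName", ""), re.I):
        hits.add("LTI / Caliper name (review case-by-case)")
    return sorted(hits)

def audit(records):
    """(displayName, accountEnabled, categories) for every record that matches."""
    return [(r.get("displayName"), r.get("accountEnabled"), classify(r))
            for r in records if classify(r)]

SAMPLE = [  # constructed records, not real tenant data
    {"displayName": "Microsoft 365 LTI", "appId": M365_LTI_APP_ID, "accountEnabled": True,
     "replyUrls": ["https://m365lti.edu.cloud.microsoft/callback"]},
    {"displayName": "Canvas SSO", "accountEnabled": True,
     "servicePrincipalNames": ["http://example-univ.instructure.com/saml2"]},
    {"displayName": "HR Portal", "replyUrls": ["https://hr.example.org/cb?ref=.instructure.com"]},
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The third sample record carries `.instructure.com` only in a query string, so a plain substring search would flag it while the host comparison does not. The `accountEnabled` value in each result shows which matched entities are still active.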
Your Configuration Options
For each entity identified, administrators have four reasonable paths:
- Leave in place — Guardian 365 custom detections and threat hunts are operating with elevated vigilance on Canvas integration points.
- Scope down — Remove API permissions from the app registration and/or corresponding Enterprise App.
- Temporarily disable — Block sign-in, disable associated identities, or strip permissions while the picture clears.
- Remove entirely — De-permission, disable, and/or delete the entity from your tenant.
Each path carries operational tradeoffs that only your team can weigh. Your Guardian 365 team is ready to help you navigate those decisions.
A Note on Shared Intelligence
Threat intelligence is a shared endeavor — especially during incidents that affect an interconnected vertical like education. If you have observed related threat activity in your environment, or are aware of indicators or guidance from verifiable sources you are authorized to share, please send them to support@forsyteit.com. We will validate, incorporate relevant findings into our hunts, and where appropriate, share them with the full Guardian 365 EDU customer community.
Guardian 365 is Forsyte IT Solutions’ managed security service for Microsoft 365, Entra ID, and Defender XDR. Questions about this advisory or your security posture? Reach us at Information@forsyteit.com.


