Leading cybersecurity firms are raising alarm bells over two highly agile and impactful cybercrime groups, Cordial Spider (also known by aliases such as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (identified as O-UNC-025 and UNC6661). These adversaries are executing "rapid, high-impact attacks" predominantly within the confines of Software-as-a-Service (SaaS) ecosystems, leaving a minimal forensic footprint and presenting significant challenges for corporate defenders. Their campaigns are characterized by a remarkable degree of operational similarity, focusing on high-speed data theft and extortion.
According to a recent report from CrowdStrike’s Counter Adversary Operations, both groups have been actively engaged in malicious activities since at least October 2025. Snarky Spider, in particular, is noted for being a native English-speaking crew, suggesting a sophisticated command of social engineering tactics, and has established ties to "The Com," a burgeoning e-crime ecosystem indicative of a broader trend of collaboration and specialization within the cybercriminal underworld.
The Modus Operandi: Vishing, AiTM, and SaaS Exploitation
The core of these groups’ attack methodology revolves around highly refined voice phishing (vishing) campaigns. Vishing is a social engineering technique that uses telephony to trick individuals into divulging sensitive information or performing actions that compromise their security. In the hands of Cordial Spider and Snarky Spider, this involves impersonating IT staff or other trusted personnel to direct targeted users to malicious, Single Sign-On (SSO)-themed adversary-in-the-middle (AiTM) pages.

An AiTM attack is a sophisticated form of man-in-the-middle attack where the attacker positions themselves between a user and a legitimate service (in this case, an SSO login portal). When a user attempts to log in, their credentials and session tokens are intercepted by the attacker’s proxy server before being forwarded to the legitimate service. This allows the attacker to capture authentication data, including session cookies, which can then be used to bypass multi-factor authentication (MFA) and gain unauthorized access to an organization’s SaaS applications.
"In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications," CrowdStrike detailed in its report. This direct pivot into SSO-integrated SaaS applications represents a strategic shift for cybercriminals, leveraging the convenience and interconnectedness of modern cloud environments against their users. By compromising the Identity Provider (IdP) – the central system that authenticates users for multiple SaaS applications – attackers gain a "golden key" to an organization’s entire cloud ecosystem, circumventing the need to breach individual applications.
Stealth and Speed: The Defenders’ Dilemma
A critical aspect of these groups’ success lies in their ability to operate with extreme stealth and speed. "By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact," CrowdStrike emphasized. This approach creates a formidable challenge for cybersecurity defenders, as malicious activities often blend seamlessly with legitimate user actions within cloud platforms, making detection and visibility extremely difficult. The combination of rapid execution, precision targeting, and SaaS-only activity significantly reduces the window for detection and response.
The speed of these operations is particularly alarming. As illustrated by CrowdStrike’s analysis, Snarky Spider, for instance, has demonstrated the capability to initiate data exfiltration in under an hour from initial compromise. This compressed timeline leaves organizations with minimal opportunity to identify and mitigate the threat, often only discovering the breach after sensitive data has already left their control.

Chronology of a Growing Threat
The cybersecurity community’s understanding of these groups has evolved through a series of collaborative intelligence disclosures:
- October 2025: Both Cordial Spider and Snarky Spider are assessed to have become active, marking the beginning of their high-impact campaigns.
- January 2026: Google-owned Mandiant published a pivotal report, revealing that these two clusters signify an expansion of threat activity consistent with the extortion-themed attacks previously associated with the infamous ShinyHunters group. Mandiant’s research highlighted the adversaries’ tactic of impersonating IT staff during calls to manipulate victims into revealing credentials and MFA codes through phishing pages. This early warning underscored the escalating sophistication of social engineering employed by these groups.
- February 2026: The CL-CRI-1116 cluster (Cordial Spider/BlackFile) began actively targeting the retail and hospitality sectors. This indicated a focused, industry-specific campaign, likely exploiting the distributed and customer-facing nature of these businesses, which can present larger attack surfaces.
- April 2026: Just last week, a joint assessment by Palo Alto Networks Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) provided further insights. They concluded with moderate confidence that the attackers behind CL-CRI-1116 are highly likely associated with "The Com." This report further detailed that these intrusions heavily rely on living-off-the-land (LotL) techniques, utilizing legitimate system tools and functions already present in the compromised environment to avoid detection. Additionally, the use of residential proxies was identified as a key tactic to mask the attackers’ true geographic location and bypass basic IP-based reputation filters, adding another layer of obfuscation. "CL-CRI-1116 activity has been actively targeting the retail and hospitality space since February 2026, specifically leveraging vishing attacks impersonating IT help desk personnel in combination with phishing login sites to steal credentials," noted researchers Lee Clark, Matt Brady, and Cuong Dinh in their assessment.
- May 01, 2026: CrowdStrike issued its comprehensive warning, synthesizing intelligence from these sources and providing an updated view of the groups’ tactics, techniques, and procedures (TTPs).
Evasion and Exfiltration: A Detailed Look
Upon successfully capturing authentication data, these groups employ several techniques to maintain access and escalate privileges:
- MFA Bypass and Persistence: A critical step involves registering a new device to bypass existing MFA protections. To cover their tracks and prevent immediate detection, the attackers remove existing registered devices and then configure inbox rules within the victim’s email account. These rules automatically delete automated email notifications related to unauthorized device registrations, effectively silencing alerts that might tip off the victim or security teams.
- Internal Reconnaissance and Privilege Escalation: The adversaries pivot to targeting high-privileged accounts. This is often achieved through further social engineering, sometimes by scraping internal employee directories to identify key personnel. Once elevated access is secured, they move into the target SaaS environments to locate high-value files and business-critical reports.
- Targeted Data Theft: The focus is on sensitive information stored in popular SaaS platforms such as Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce. This data can range from customer databases and financial records to intellectual property and internal communications.
- Exfiltration to Controlled Infrastructure: Once identified, the data of interest is rapidly exfiltrated to infrastructure controlled by the threat actors. The "speed to impact" observed, particularly with Snarky Spider, highlights the urgency with which these operations are carried out, minimizing the window for defensive action.
"In most observed cases, these credentials grant access to the organization’s identity provider (IdP), providing a single point of entry into multiple SaaS applications," CrowdStrike elaborated. "By abusing the trust relationship between the IdP and connected services, the adversaries bypass the need to compromise individual SaaS apps and instead move laterally across the victim’s entire SaaS ecosystem with a single authenticated session." This exploitation of IdP trust relationships is a hallmark of sophisticated cloud-native attacks.

Broader Implications and Industry Response
The activities of Cordial Spider and Snarky Spider underscore several critical trends in the evolving cyber threat landscape:
- The Rise of SaaS as a Primary Attack Surface: As organizations increasingly migrate critical operations and data to cloud-based SaaS applications, these platforms become prime targets for cybercriminals. The perceived security of cloud providers does not negate the risks associated with compromised user credentials.
- Sophistication of Social Engineering: The reliance on vishing and impersonation highlights the continued effectiveness of human-centric attacks. Even with robust technical controls, a well-executed social engineering ploy can bypass layers of security. This necessitates continuous, advanced security awareness training for all employees, focusing on identifying sophisticated phishing and vishing attempts.
- The "Cybercrime Merger" Phenomenon: The ties to "The Com" and ShinyHunters suggest a growing trend of collaboration, specialization, and shared infrastructure among cybercrime groups. This "e-crime ecosystem" allows for the pooling of resources, expertise, and attack tools, making individual groups more potent and adaptable.
- Challenges for Detection and Response: The "minimal footprint" and "living-off-the-land" tactics make these attacks particularly difficult to detect with traditional security tools. Organizations need advanced threat detection capabilities tailored for SaaS environments, including continuous monitoring of user behavior, identity provider logs, and cloud application activity.
- Economic and Reputational Impact: High-speed data theft followed by extortion can have devastating consequences for victim organizations, leading to significant financial losses, regulatory fines, reputational damage, and loss of customer trust. The retail and hospitality sectors, with their vast customer data and transactional volumes, are particularly vulnerable.
Recommendations for Enhanced Security
To counter the sophisticated tactics of groups like Cordial Spider and Snarky Spider, organizations must adopt a multi-layered security strategy:
- Strengthen Identity and Access Management (IAM): Implement robust MFA across all accounts, especially for administrators and privileged users. Consider phishing-resistant MFA solutions like FIDO2 security keys. Regularly review and audit IdP configurations and access policies.
- Employee Security Awareness Training: Conduct regular, comprehensive training sessions that include simulations of vishing and phishing attacks. Educate employees on the dangers of impersonation, how to verify requests, and the importance of not clicking suspicious links or providing credentials over the phone.
- Enhanced Monitoring of SaaS Environments: Deploy advanced security tools capable of monitoring user behavior, API calls, and data flows within SaaS applications. Look for anomalous activities, such as unusual login locations, rapid data downloads, or configuration changes.
- Incident Response Planning: Develop and regularly test incident response plans specifically tailored for cloud environments. This includes procedures for detecting, containing, eradicating, and recovering from SaaS-based breaches.
- Zero Trust Architecture: Adopt a Zero Trust security model, which assumes no user or device should be trusted by default, regardless of whether they are inside or outside the network perimeter. This requires strict verification before granting access to resources.
- Regular Security Audits and Penetration Testing: Conduct frequent security audits of SaaS configurations and perform penetration tests to identify potential vulnerabilities in both technical controls and human processes.
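As an added illustration, not code from CrowdStrike, Unit 42 or the original article, the following shows how the device-registration and inbox-rule chain described under "Evasion and Exfiltration" could be correlated in the IdP and mailbox audit logs that the monitoring recommendation above calls for. The event schema, field names and sample records are constructed assumptions, not any vendor's log format.

```python
"""Correlate IdP and mailbox audit events for the post-compromise chain the
article describes: new MFA device added, old device removed, inbox rule that
deletes device-registration notices. Schema and records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events from a fictional tenant; not real telemetry.
EVENTS = [
    {"ts": "2026-02-10T09:01:00", "user": "jdoe", "action": "login", "ip": "203.0.113.7"},
    {"ts": "2026-02-10T09:03:00", "user": "jdoe", "action": "mfa_device_added", "device": "auth-new"},
    {"ts": "2026-02-10T09:04:00", "user": "jdoe", "action": "mfa_device_removed", "device": "auth-old"},
    {"ts": "2026-02-10T09:06:00", "user": "jdoe", "action": "inbox_rule_created",
     "rule": {"match": "New device registered", "delete": True}},
    {"ts": "2026-02-10T09:40:00", "user": "jdoe", "action": "bulk_download", "files": 412},
    {"ts": "2026-02-10T11:00:00", "user": "asmith", "action": "mfa_device_added", "device": "phone"},
    {"ts": "2026-02-10T11:30:00", "user": "asmith", "action": "inbox_rule_created",
     "rule": {"match": "newsletter", "delete": True}},
]

# Wording that typically appears in IdP/mail security notifications (assumed list).
NOTIFICATION_TERMS = ("device", "security alert", "sign-in", "mfa")

def is_alert_suppressing(rule):
    """True for an inbox rule that silently deletes mail matching security-notice wording."""
    text = rule.get("match", "").lower()
    return bool(rule.get("delete")) and any(t in text for t in NOTIFICATION_TERMS)

def detect_mfa_takeover(events, window=timedelta(hours=1)):
    """Return {user: findings} where a device add is followed within `window`
    by a device removal AND an alert-suppressing inbox rule. Each step alone is
    common admin noise; the chain is the high-confidence signal."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for add in (e for e in evs if e["action"] == "mfa_device_added"):
            t0 = datetime.fromisoformat(add["ts"])
            later = [e for e in evs if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
            removed = any(e["action"] == "mfa_device_removed" for e in later)
            suppress = any(e["action"] == "inbox_rule_created"
                           and is_alert_suppressing(e["rule"]) for e in later)
            if removed and suppress:
                # A bulk download after the chain is the exfiltration stage; flag it too.
                hits[user] = {"device_removed": removed, "alert_suppression": suppress,
                              "bulk_download": any(e["action"] == "bulk_download" for e in later)}
    return hits

if __name__ == "__main__":
    print(detect_mfa_takeover(EVENTS))
```

In the constructed data only jdoe completes the chain; asmith's ordinary mail-filtering rule with no device removal stays below the threshold, which is the point of correlating the steps rather than alerting on any one of them.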
The ongoing battle against cybercrime groups like Cordial Spider and Snarky Spider underscores the dynamic nature of the threat landscape. As adversaries evolve their tactics to exploit the conveniences of modern cloud infrastructure, cybersecurity defenses must adapt rapidly, focusing on comprehensive identity protection, advanced threat detection in SaaS, and a well-informed human firewall. The shared intelligence from leading cybersecurity firms serves as a critical call to action for organizations worldwide to bolster their defenses against these increasingly prevalent and impactful attacks.
