Two sophisticated cybercrime groups are exploiting voice phishing and single sign-on vulnerabilities to launch rapid SaaS extortion attacks, leaving minimal forensic trails while exfiltrating sensitive data within hours.
Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks

Cybersecurity researchers are sounding the alarm about two highly capable cybercrime groups conducting "rapid, high-impact attacks" that operate almost entirely within SaaS environments, leaving minimal traces of their malicious activities. These sophisticated adversaries represent a new wave of extortion-focused threats that combine social engineering with identity abuse at an unprecedented speed.
The Threat Actors: Cordial Spider and Snarky Spider
The two clusters in question, Cordial Spider (also known as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (also known as O-UNC-025 and UNC6661), have been attributed to high-speed data theft and extortion campaigns that share remarkable operational similarities. Both groups have been active since at least October 2025, with Snarky Spider being a native English-speaking crew with ties to the e-crime ecosystem known as The Com.
"In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications," according to CrowdStrike's Counter Adversary Operations team in their recent report. "By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders."
Expanding Threat Landscape
In a report published in January 2026, Google-owned Mandiant revealed that these two clusters represent an expansion in threat activity that employs tactics consistent with extortion-themed attacks carried out by the ShinyHunters group. The modus operandi involves impersonating IT staff in calls to deceive victims and obtain their credentials and multi-factor authentication (MFA) codes through phishing pages.
"CL-CRI-1116 activity has been actively targeting the retail and hospitality space since February 2026, specifically leveraging vishing attacks impersonating IT help desk personnel in combination with phishing login sites to steal credentials," researchers Lee Clark, Matt Brady, and Cuong Dinh from Palo Alto Networks Unit 42 and Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) noted. The organizations assessed with moderate confidence that the attackers behind CL-CRI-1116 are also most likely associated with The Com.
The Attack Methodology
The intrusions primarily rely on living-off-the-land (LotL) techniques and use residential proxies to conceal the attackers' geographic location and bypass basic IP-reputation filters. This approach makes traditional network-based security controls less effective against these adversaries.
The attack sequence is particularly concerning for its speed and efficiency:
- Initial Compromise: Attackers use vishing to impersonate IT staff and direct victims to malicious SSO-themed AiTM pages
- Credential Theft: Authentication data is captured through these phishing pages
- MFA Bypass: The attackers first remove the victim's existing MFA devices, then register a new device to bypass MFA
- Notification Suppression: They configure inbox rules to automatically delete automated email notifications about unauthorized device registration
- Privilege Escalation: They pivot to targeting high-privileged accounts through social engineering by scraping internal employee directories
- Lateral Movement: With elevated access, they break into target SaaS environments
- Data Exfiltration: They search for high-value files and business-critical reports in Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, then exfiltrate data to infrastructure under their control
"In most observed cases, these credentials grant access to the organization's identity provider (IdP), providing a single point of entry into multiple SaaS applications," CrowdStrike explained. "By abusing the trust relationship between the IdP and connected services, the adversaries bypass the need to compromise individual SaaS apps and instead move laterally across the victim's entire SaaS ecosystem with a single authenticated session."
The Speed Factor
One particularly alarming aspect of these attacks is their speed. Researchers have observed that Snarky Spider begins exfiltration in under an hour from initial compromise. This rapid progression gives organizations very little time to detect and respond to the intrusion before sensitive data is stolen and potentially leaked or held for ransom.
Defending Against These Attacks
Given the sophistication and speed of these attacks, organizations need to implement multi-layered security strategies:
- Enhanced Identity Verification: Implement additional verification steps for IT support requests, especially those involving changes to authentication settings
- SSO Security Hardening: Regularly review and tighten SSO configurations, including implementing conditional access policies
- Email Security: Configure advanced email filtering to detect and block malicious links and implement rules that prevent automatic deletion of security notifications
- Device Management: Implement strict device registration policies and require additional verification for new device registrations
- User Training: Conduct regular security awareness training focused on recognizing vishing attempts and the importance of verifying IT staff identities
- Monitoring: Implement enhanced monitoring for SaaS environments, particularly focusing on unusual authentication patterns and rapid data access
- Network Segmentation: Segment access to critical SaaS applications to limit lateral movement potential
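As an added illustration of the monitoring the attack sequence and the Monitoring and Email Security recommendations above call for (example code written here, not from the CrowdStrike, Mandiant or Unit 42 reports), the following Python correlates per-user audit events for the identity-side pattern the article describes: existing MFA devices removed, a new device registered, and an inbox rule created that deletes device-registration notifications, all within a short window. The event schema and action names are assumed and vendor-neutral, and the audit trail is constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail (assumed vendor-neutral schema: ts, user, action, detail).
# The action names are hypothetical, not any particular IdP's or mail platform's event types.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:14:05", "user": "alice", "action": "sso_login", "detail": "new session"},
    {"ts": "2026-03-02T09:15:40", "user": "alice", "action": "mfa_device_removed", "detail": "phone-1"},
    {"ts": "2026-03-02T09:16:10", "user": "alice", "action": "mfa_device_registered", "detail": "phone-2"},
    {"ts": "2026-03-02T09:17:02", "user": "alice", "action": "inbox_rule_created",
     "detail": "if subject contains 'new device registered' then delete"},
    {"ts": "2026-03-02T11:00:00", "user": "bob", "action": "mfa_device_registered", "detail": "phone-9"},
    {"ts": "2026-03-03T08:00:00", "user": "bob", "action": "inbox_rule_created",
     "detail": "move newsletters to folder Reading"},
]

# Words that typically appear in the automated notification an attacker wants to hide.
NOTIFICATION_WORDS = ("device", "security alert", "sign-in", "mfa")


def suppresses_security_mail(rule_detail: str) -> bool:
    """True if an inbox rule deletes mail whose subject looks like a security notification."""
    d = rule_detail.lower()
    return "delete" in d and any(w in d for w in NOTIFICATION_WORDS)


def detect_device_takeover(events, window=timedelta(minutes=30)):
    """Correlate per user: an MFA device registration followed within `window` by a
    suppressing inbox rule; a device removal shortly before registration raises severity.
    Returns {user: {"registered_at": ts, "stages": [...], "severity": str}}."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        by_user.setdefault(e["user"], []).append(e)
    alerts = {}
    for user, evs in by_user.items():
        for reg in (e for e in evs if e["action"] == "mfa_device_registered"):
            t0 = datetime.fromisoformat(reg["ts"])
            stages = ["device_registered"]
            for o in evs:
                t = datetime.fromisoformat(o["ts"])
                if o["action"] == "mfa_device_removed" and timedelta(0) <= t0 - t <= window:
                    stages.append("existing_device_removed")
                if (o["action"] == "inbox_rule_created" and timedelta(0) <= t - t0 <= window
                        and suppresses_security_mail(o["detail"])):
                    stages.append("notification_suppressed")
            if "notification_suppressed" in stages:  # a registration on its own is routine
                severity = "high" if "existing_device_removed" in stages else "medium"
                alerts[user] = {"registered_at": reg["ts"], "stages": stages, "severity": severity}
    return alerts
```

Running `detect_device_takeover(SAMPLE_EVENTS)` flags only alice at high severity; bob's later, non-deleting rule falls outside the window and does not match.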
Broader Implications
The emergence of these highly specialized groups targeting SaaS environments represents a significant evolution in cybercrime tactics. By focusing exclusively on SaaS environments and abusing trust relationships between identity providers and applications, these groups can achieve maximum impact with minimal effort.
"The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders," CrowdStrike noted. This observation underscores the need for organizations to rethink their security strategies in an increasingly cloud-centric world.
As these groups continue to refine their techniques, security professionals must adapt their defenses to address these evolving threats. The rapid exfiltration capabilities observed in these attacks highlight the critical importance of early detection and response in protecting sensitive business data.
For organizations seeking to understand more about these threats, CrowdStrike's Counter Adversary Operations report and Mandiant's January 2026 analysis provide additional insights into the tactics, techniques, and procedures employed by these sophisticated cybercrime groups.
