Vishing, SSO Phishing Let Groups Rapidly Extort SaaS Firms
Two cybercrime clusters use vishing and SSO-themed AiTM phishing to steal credentials, register devices, bypass MFA and quickly exfiltrate data from Google Workspace, Salesforce and other SaaS apps.
Two cybercrime clusters, tracked as Cordial Spider and Snarky Spider, have been using phone-based social engineering and single-sign-on (SSO) adversary-in-the-middle phishing to gain access to SaaS environments and quickly steal data. Security teams report the groups have run fast, high-impact campaigns since at least October 2025.
Researchers at CrowdStrike and Mandiant describe a common attack chain. Operators place vishing calls impersonating IT staff to convince employees to enter credentials and one-time MFA codes on SSO-themed phishing pages. Those pages capture authentication data and allow attackers to sign into SSO-integrated applications.
After harvesting credentials, the intruders enroll a device they control as an MFA factor on the victim's account, so that subsequent sign-ins no longer depend on the victim's authenticator, and remove the victim's previously registered devices. They often create mailbox rules that delete or hide the notifications the identity provider sends about new device registrations, suppressing the automated alerts the user would otherwise see. With that persistent access in place, attackers scrape employee directories to identify administrators and other high-privilege users for further social engineering.
Compromise of an organization’s identity provider (IdP) lets the adversaries use a single authenticated session to move across multiple SaaS apps without breaching each app separately. CrowdStrike noted that operating mostly inside trusted SaaS environments reduces visible traces while shortening the time between compromise and impact.
Mandiant’s reporting linked these techniques to extortion-style campaigns that focus on rapid credential theft and impersonation of IT help desks. Palo Alto Networks Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center assessed activity tied to the CL-CRI-1116 cluster against retail and hospitality targets since February 2026, describing heavy use of living-off-the-land techniques and residential proxies to mask origins and bypass IP-based filters.
Snarky Spider has been assessed as a native English-speaking crew with ties to an e-crime ecosystem known as The Com. Researchers reported that Snarky Spider can begin exfiltrating data in under an hour after initial compromise. Targets are searched for high-value files and business reports across Google Workspace, HubSpot, Microsoft SharePoint and Salesforce, and selected data is copied to infrastructure controlled by the attackers.
Analysts identified multiple aliases for the clusters: Cordial Spider appears as BlackFile, CL-CRI-1116, O-UNC-045 and UNC6671; Snarky Spider is also tracked as O-UNC-025 and UNC6661. The observed campaign pattern includes phone-based credential collection, AiTM SSO phishing, device re-registration, mailbox-rule suppression of alerts, privilege escalation and rapid lateral movement across SaaS services to locate sensitive data.
Reports emphasize that mailbox-rule abuse and IdP compromise blunt endpoint and network detection tools that look for traditional on-premises indicators, since little of the activity touches a managed endpoint or the corporate network. Security teams recommend that organizations review IdP audit logs, alert on unusual MFA device enrollments (particularly enrollments followed shortly by removal of existing devices) and on newly created inbox rules that delete or hide security notifications, and validate any help-desk request made by phone or email against internal verification procedures.
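The two log-level signals described above, the MFA device swap and the alert-suppressing inbox rule, are simple to correlate once IdP and mailbox audit events are normalised to a common shape. The following is an added illustration, not code from the vendors' reports or from any product: it runs two detections over a handful of constructed audit events (the `EVENTS` list, the `KNOWN_IPS` baseline, the field names and the notification keyword lists are all assumptions) and flags users for whom both patterns fire.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real log data), already normalised to a
# flat shape. Real IdP and mailbox logs (Okta System Log, Google Workspace
# login/admin audit, Exchange mailbox audit) need a small adapter to this form.
EVENTS = [
    {"ts": "2026-03-02T14:02:10Z", "user": "jdoe", "type": "login",
     "ip": "203.0.113.7"},
    {"ts": "2026-03-02T14:03:40Z", "user": "jdoe", "type": "mfa_device_enrolled",
     "ip": "203.0.113.7", "device": "Authenticator (Android)"},
    {"ts": "2026-03-02T14:04:05Z", "user": "jdoe", "type": "mfa_device_removed",
     "ip": "203.0.113.7", "device": "Authenticator (iPhone)"},
    {"ts": "2026-03-02T14:06:30Z", "user": "jdoe", "type": "inbox_rule_created",
     "ip": "203.0.113.7",
     "rule": {"name": ".", "subject_contains": ["new device", "security alert"],
              "action": "delete"}},
    {"ts": "2026-03-02T09:15:00Z", "user": "asmith", "type": "login",
     "ip": "198.51.100.20"},
    {"ts": "2026-03-02T09:20:00Z", "user": "asmith", "type": "inbox_rule_created",
     "ip": "198.51.100.20",
     "rule": {"name": "Vendor invoices", "subject_contains": ["invoice"],
              "action": "move", "folder": "Invoices"}},
]

# Hypothetical per-user baseline of source IPs seen in prior successful logins
# (e.g. the last 30 days). 203.0.113.7 has never been seen for jdoe.
KNOWN_IPS = {"jdoe": {"192.0.2.44"}, "asmith": {"198.51.100.20"}}

# Subject fragments typical of IdP / mail-provider security notifications, and
# rule actions or destination folders that would keep the user from seeing them.
NOTIFICATION_TERMS = ("new device", "security alert", "sign-in", "signed in",
                      "mfa", "verification", "password")
SUPPRESSING_ACTIONS = ("delete", "mark_read")
HIDDEN_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk", "deleted items")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_rule(rule):
    """Return the matched notification terms if an inbox rule would hide
    security notifications from the user, else None."""
    terms = [t.lower() for t in rule.get("subject_contains", [])]
    hits = [t for t in terms if any(k in t for k in NOTIFICATION_TERMS)]
    if not hits:
        return None
    action = rule.get("action")
    folder = rule.get("folder", "").lower()
    if action in SUPPRESSING_ACTIONS or (action == "move" and folder in HIDDEN_FOLDERS):
        return hits
    return None


def detect(events, known_ips=KNOWN_IPS, swap_window=timedelta(minutes=30)):
    """Scan events in time order and emit one alert per suspicious pattern."""
    alerts = []
    last_enrol = {}  # user -> (timestamp, ip, device) of latest MFA enrolment
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        t, user = parse_ts(e["ts"]), e["user"]
        origin = e["ip"] + ("" if e["ip"] in known_ips.get(user, set())
                            else " (never seen for user)")
        if e["type"] == "mfa_device_enrolled":
            last_enrol[user] = (t, e["ip"], e["device"])
        elif e["type"] == "mfa_device_removed" and user in last_enrol:
            t0, _ip0, dev0 = last_enrol[user]
            # A new factor enrolled and an old one removed within the window:
            # the device-swap pattern that locks the victim out of their own MFA.
            if t - t0 <= swap_window and e["device"] != dev0:
                mins = int((t - t0).total_seconds() // 60)
                alerts.append({
                    "user": user, "ts": e["ts"], "rule": "mfa_device_swap",
                    "detail": (f"enrolled {dev0!r} then removed {e['device']!r} "
                               f"{mins} min later from {origin}"),
                })
        elif e["type"] == "inbox_rule_created":
            hits = suspicious_rule(e["rule"])
            if hits:
                alerts.append({
                    "user": user, "ts": e["ts"],
                    "rule": "alert_suppression_inbox_rule",
                    "detail": (f"rule {e['rule'].get('name')!r} "
                               f"{e['rule'].get('action')}s mail matching {hits} "
                               f"from {origin}"),
                })
    return alerts


def takeover_candidates(alerts):
    """Users for whom both the device swap and the suppression rule fired."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["user"], set()).add(a["rule"])
    return {u for u, rules in seen.items()
            if {"mfa_device_swap", "alert_suppression_inbox_rule"} <= rules}


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['user']} @ {a['ts']}: {a['detail']}")
    print("takeover candidates:", takeover_candidates(found))
```

Either signal on its own is noisy: a legitimate phone upgrade also enrolls one authenticator and removes another, and users do create rules that file security mail. The value is in the conjunction, ideally corroborated by an enrolment from a source IP the user has never used, which is why the example reports the IP novelty in the alert detail rather than alerting on it alone.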
“By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact,” CrowdStrike’s Counter Adversary Operations wrote, adding that the combination of speed and SaaS-only activity creates detection and visibility challenges for defenders.