Researchers warn that two cybercrime clusters, Cordial Spider and Snarky Spider, carry out rapid, high-impact data-theft and extortion campaigns that operate almost entirely within trusted SaaS environments while leaving minimal forensic traces. Using vishing to funnel victims to SSO-themed adversary-in-the-middle pages, they capture credentials and MFA codes, register new devices, suppress alert emails, and pivot via compromised identity providers to exfiltrate high-value data from Google Workspace, HubSpot, SharePoint, and Salesforce. #CordialSpider #SnarkySpider
Key points
- Two clusters, Cordial Spider and Snarky Spider, perform fast, high-impact attacks focused on SaaS environments.
- Actors use vishing and SSO-themed AiTM phishing to steal credentials and MFA codes.
- Threat actors register new devices, remove existing ones, and configure inbox rules to hide alerts and maintain access.
- Compromised identity providers enable lateral movement across Google Workspace, HubSpot, SharePoint, and Salesforce.
- Attackers use living-off-the-land techniques and residential proxies, and show links to The Com and ShinyHunters-style extortion methods.
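
A detection sketch for the post-compromise pattern in the key points (new device registered, existing device removed, inbox rule hiding alert mail), added here as an example and not taken from the article or the researchers. The event schema, field names, keyword list and 30-minute window are assumptions; map them to your identity provider and mail audit logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment
ALERT_TERMS = ("security alert", "new sign-in", "new device", "verification code")
HIDING_ACTIONS = {"delete", "move_to_folder", "mark_read"}

def ev(ts, user, kind, **extra):
    """Build one event in a hypothetical normalized schema."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "type": kind, **extra}

# Constructed sample events (not real log data).
EVENTS = [
    ev("2026-05-04T14:02:10", "alice", "device_registered", device="phone-B"),
    ev("2026-05-04T14:03:40", "alice", "device_removed", device="phone-A"),
    ev("2026-05-04T14:05:05", "alice", "inbox_rule_created", action="delete",
       keywords=["Security alert", "New device"]),
    ev("2026-05-04T09:15:00", "bob", "device_registered", device="laptop-2"),
    ev("2026-05-04T16:40:00", "carol", "inbox_rule_created",
       action="move_to_folder", keywords=["newsletter"]),
]

def rule_hides_alerts(event):
    """True if an inbox rule deletes, moves or marks read mail matching alert terms."""
    if event["type"] != "inbox_rule_created" or event.get("action") not in HIDING_ACTIONS:
        return False
    text = " ".join(event.get("keywords", [])).lower()
    return any(term in text for term in ALERT_TERMS)

def find_suspicious_users(events, window=WINDOW):
    """Flag users whose device registration is followed, within the window,
    by a device removal or an alert-hiding inbox rule."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = {}
    for user, seq in by_user.items():
        for i, reg in enumerate(seq):
            if reg["type"] != "device_registered":
                continue
            follow = [e["type"] for e in seq[i + 1:]
                      if e["ts"] - reg["ts"] <= window
                      and (e["type"] == "device_removed" or rule_hides_alerts(e))]
            if follow:
                findings[user] = ["device_registered"] + follow
                break
    return findings

if __name__ == "__main__":
    for user, chain in find_suspicious_users(EVENTS).items():
        print(user, "->", " > ".join(chain))
```

A lone device registration (bob) or an unrelated inbox rule (carol) is not flagged; only the chained sequence is.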
Read More: https://thehackernews.com/2026/05/cybercrime-groups-using-vishing-and-sso.html