Since October 2025, CrowdStrike has observed CORDIAL SPIDER and SNARKY SPIDER conducting fast, SaaS-focused intrusion campaigns that rely on vishing-driven AiTM pages to capture IdP credentials and session tokens and move directly into SaaS environments. These actors register adversary-controlled MFA devices, suppress security notifications, and rapidly exfiltrate high-value data from platforms such as SharePoint and Google Workspace. Because the activity never touches a managed endpoint, traditional endpoint defenses see little of it; detection has to come from IdP, mailbox and SaaS audit logs. #CORDIAL_SPIDER #SNARKY_SPIDER
Keypoints
- CORDIAL SPIDER and SNARKY SPIDER use voice phishing (vishing) to lure users to SSO-themed adversary-in-the-middle (AiTM) pages that capture credentials and active session tokens.
- Captured credentials often provide access to the organization’s identity provider (IdP), enabling lateral movement across multiple SaaS applications with a single session.
- Adversaries register attacker-controlled MFA devices (e.g., Genymobile Android emulator, QEMU) to maintain persistent access and sometimes remove legitimate MFA devices first.
- SNARKY SPIDER employs inbox rules and automated deletion of security emails to suppress notifications and hide unauthorized MFA enrollments and other post-compromise activity.
- Threat actors perform targeted discovery within SaaS services using search queries for sensitive terms (e.g., “confidential,” “SSN,” “contracts”) to prioritize and exfiltrate valuable data quickly.
- Campaign infrastructure leverages commercial VPNs and residential proxy networks (e.g., Mullvad, Oxylabs, NetNut) to blend malicious traffic with legitimate residential activity and evade IP-based detection.
MITRE Techniques
- [T1566] Phishing – Use of voice phishing (vishing) to trick users into visiting malicious login pages and divulging credentials. (‘During vishing calls, CORDIAL SPIDER and SNARKY SPIDER impersonate IT support and create urgency around account issues or security updates to direct employees to fraudulent AiTM pages.’)
- [T1557] Adversary-in-the-Middle – Use of SSO-themed AiTM proxy pages to capture authentication data and active session tokens in real time while relaying authentication to the legitimate service. (‘…direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and active session tokens in real time.’)
- [T1078] Valid Accounts – Use of harvested credentials and session tokens to access identity providers and SaaS applications as legitimate users. (‘In most observed cases, these credentials grant access to the organization’s identity provider (IdP), providing a single point of entry into multiple SaaS applications.’)
- [T1098] Account Manipulation – Registering adversary-controlled multifactor authentication devices to compromised accounts (and sometimes removing existing MFA devices) to retain persistent access. (‘Following initial access, CORDIAL SPIDER and SNARKY SPIDER establish persistence by registering adversary-controlled multifactor authentication (MFA) devices to compromised accounts.’)
- [T1530] Data from Cloud Storage – Rapid aggregation and large-volume downloads from SaaS platforms (SharePoint, HubSpot, Google Workspace) to collect high-value datasets ahead of exfiltration. (‘The primary objective of both CORDIAL SPIDER and SNARKY SPIDER is large-scale data exfiltration across SaaS platforms, including SharePoint, HubSpot, Google Workspace, and more.’)
Indicators of Compromise
- [Domains] AiTM phishing domains that mimic corporate SSO portals – examples: sso[.]com, my[.]com (fraudulent login pages used in vishing campaigns).
- [MFA devices] Adversary-controlled MFA enrollments used for persistence – examples: Genymobile Android emulator (SNARKY SPIDER), QEMU Windows emulator (CORDIAL SPIDER).
- [Anonymization/Proxy Providers] Infrastructure used to blend malicious activity with legitimate traffic – examples: Mullvad, Oxylabs, and other providers such as NetNut, 9Proxy, Infatica, NSOCKS.
- [Mailbox artifacts] Inbox rules and deleted security notifications indicating post-compromise cleanup – examples: rules auto-deleting messages containing keywords like “alert” or “MFA”, manual deletion of security-related emails.
- [SaaS platforms] Targets and locations of data aggregation/exfiltration – examples: SharePoint, Google Workspace (large-volume downloads and targeted searches for sensitive terms like “SSN” and “contracts”).