root@rebel:~$ cd /news/threats/cordial-spider-and-snarky-spider-rapid-saas-extortion-via-vishing_
[TIMESTAMP: 2026-05-01 16:25 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Cordial Spider and Snarky Spider: Rapid SaaS Extortion via Vishing

AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Immediate impact: Cybercriminals are conducting high-speed data theft by compromising SaaS accounts through voice-based social engineering and identity provider exploitation.
  • [02] Affected systems: Corporate SaaS environments and Single Sign-On platforms like Okta or Microsoft Entra ID are the primary targets of these campaigns.
  • [03] Remediation: Defenders must implement phishing-resistant authentication methods and monitor for unusual session behavior or mass data exports in cloud logs.

Overview of Rapid SaaS Extortion Campaigns

Security researchers have identified two distinct threat clusters, Cordial Spider (also known as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (also known as O-UNC-025 and UNC6661), that are executing high-impact data theft operations. These groups specialize in operating almost entirely within the confines of SaaS environments, according to The Hacker News. By leveraging human-centric vulnerabilities and identity provider misconfigurations, these actors bypass traditional network perimeters with alarming speed and efficiency.

The shift toward SaaS-native attacks represents a significant evolution in the APT and cybercrime landscape. Unlike traditional ransomware operations that rely on encrypting local file systems, these clusters focus on rapid data exfiltration followed by extortion, leaving a minimal footprint that often evades standard EDR solutions.

Technical Analysis: Vishing and SSO Exploitation

The primary entry point for these attacks is phishing, specifically voice-based phishing (vishing). Attackers contact employees, often targeting IT help desk staff or high-privilege users, and use social engineering to obtain credentials or trick the user into approving a multi-factor authentication (MFA) prompt. While no specific CVE or CVSS score is typically associated with these social engineering lures, the impact is equivalent to a high-severity vulnerability.

Once initial credentials are secured, the actors focus on Single Sign-On (SSO) abuse. By gaining control over an SSO session, they can achieve lateral movement across a wide array of integrated SaaS applications without needing further authentication for each tool. This TTP allows the groups to maintain a low profile while accessing sensitive data stored in document management systems, communication platforms, and cloud-hosted databases.

Cordial Spider Data Theft Methods

Cordial Spider has demonstrated a refined approach to automated data harvesting. Its methods involve using legitimate administrative tools and cloud-native APIs to export massive volumes of data in short windows. Because this activity occurs within the service provider's infrastructure, it rarely triggers SIEM alerts configured only for on-premises traffic. Furthermore, the speed of these SaaS extortion operations often means that by the time the SOC detects a login anomaly, the data has already been exfiltrated to the attackers' C2 infrastructure.

How to Detect Vishing and SSO Abuse in Enterprise Environments

Detection requires a shift from host-based monitoring to identity-centric auditing. Defenders should prioritize the following telemetry to identify active exploitation:

  • Geographic and IP Inconsistencies: Monitor SSO logs for logins originating from unexpected locations or known VPN exit nodes that do not match the user’s typical profile.
  • MFA Fatigue Detection: Flag accounts that have multiple denied MFA requests followed by a successful login, which often indicates an attacker successfully wore down a user.
  • Bulk Data Export Patterns: Create alerts for unusual API calls or high-volume downloads from platforms like SharePoint, Salesforce, or Google Workspace.
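As an added example (not code from the article, from Runtime Rebel, or from any vendor product), the following Python sketch implements the three detections listed above over a constructed SSO sign-in log and a constructed SaaS audit log. The field layout, the per-user country baseline, and the thresholds (three denied pushes within ten minutes, more than 500 exported items within five minutes) are assumptions; tune them against your own identity-provider and audit-log schema.

```python
"""Identity-centric detections for SaaS extortion tradecraft (added example).

Three detectors, one per telemetry pattern in the article:
  1. session start from a country outside the user's baseline,
  2. MFA fatigue: repeated denied pushes followed by an approval,
  3. bulk export: high-volume downloads in a short sliding window.
Log formats, baselines and thresholds below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SSO sign-in log: (timestamp, user, event, outcome, country).
SSO_LOG = [
    ("2026-05-01T09:00:00", "alice", "mfa.push", "denied", "US"),
    ("2026-05-01T09:00:40", "alice", "mfa.push", "denied", "US"),
    ("2026-05-01T09:01:10", "alice", "mfa.push", "denied", "US"),
    ("2026-05-01T09:02:00", "alice", "mfa.push", "approved", "US"),
    ("2026-05-01T09:02:05", "alice", "session.start", "success", "RO"),
    ("2026-05-01T10:00:00", "bob", "mfa.push", "approved", "US"),
    ("2026-05-01T10:00:03", "bob", "session.start", "success", "US"),
    ("2026-05-01T11:00:00", "bob", "mfa.push", "denied", "US"),
    ("2026-05-01T11:30:00", "bob", "mfa.push", "approved", "US"),
]

# Constructed SaaS audit log: (timestamp, user, app, action, item_count).
AUDIT_LOG = [
    ("2026-05-01T09:05:00", "alice", "sharepoint", "FileDownloaded", 120),
    ("2026-05-01T09:06:00", "alice", "sharepoint", "FileDownloaded", 340),
    ("2026-05-01T09:07:30", "alice", "sharepoint", "FileDownloaded", 410),
    ("2026-05-01T10:10:00", "bob", "salesforce", "ReportExport", 50),
    ("2026-05-01T13:00:00", "bob", "salesforce", "ReportExport", 60),
]

# Assumed per-user baseline of countries seen in normal sign-ins.
USER_BASELINE = {"alice": {"US"}, "bob": {"US", "CA"}}


def ts(s):
    return datetime.fromisoformat(s)


def detect_geo_anomalies(sso_log, baseline):
    """Successful session starts from a country absent from the user's baseline."""
    hits = []
    for t, user, event, outcome, country in sso_log:
        if event == "session.start" and outcome == "success":
            if country not in baseline.get(user, set()):
                hits.append((user, t, country))
    return hits


def detect_mfa_fatigue(sso_log, min_denied=3, window=timedelta(minutes=10)):
    """At least min_denied denied pushes inside `window`, then an approved push."""
    denied = defaultdict(deque)  # user -> timestamps of recent denied pushes
    hits = []
    for t, user, event, outcome, _ in sorted(sso_log):  # ISO strings sort by time
        if event != "mfa.push":
            continue
        when = ts(t)
        q = denied[user]
        while q and when - q[0] > window:  # drop denials older than the window
            q.popleft()
        if outcome == "denied":
            q.append(when)
        elif outcome == "approved":
            if len(q) >= min_denied:
                hits.append((user, t, len(q)))
            q.clear()  # an approval ends the current push sequence
    return hits


def detect_bulk_export(audit_log, threshold=500, window=timedelta(minutes=5)):
    """Items exported per (user, app) inside a sliding window exceed threshold."""
    recent = defaultdict(deque)  # (user, app) -> deque of (time, count)
    flagged = set()  # alert once per (user, app) rather than on every event
    hits = []
    for t, user, app, _action, count in sorted(audit_log):
        when = ts(t)
        key = (user, app)
        q = recent[key]
        q.append((when, count))
        while q and when - q[0][0] > window:
            q.popleft()
        total = sum(c for _, c in q)
        if total > threshold and key not in flagged:
            flagged.add(key)
            hits.append((user, app, t, total))
    return hits


if __name__ == "__main__":
    print("geo anomalies :", detect_geo_anomalies(SSO_LOG, USER_BASELINE))
    print("mfa fatigue   :", detect_mfa_fatigue(SSO_LOG))
    print("bulk export   :", detect_bulk_export(AUDIT_LOG))
```

In the constructed data only "alice" trips all three detectors: three denied pushes followed by an approval, a session from a country outside her baseline two minutes later, and 870 files pulled from SharePoint within five minutes. "bob" produces a lone denial half an hour before his approval and small exports hours apart, so none of the rules fire; the point is that correlating the three signals on one identity within a short span is what separates an account takeover from ordinary noise.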

Effective mitigation requires a Zero Trust architecture where identity is verified continuously. Organizations should transition away from SMS or push-based MFA toward FIDO2-compliant hardware tokens to neutralize vishing threats. Additionally, implementing privilege-escalation monitoring within SaaS platforms can help identify when an attacker is attempting to broaden their reach after the initial compromise. Mapping these activities against the MITRE ATT&CK framework can provide the necessary context to refine detection rules for these specific threat clusters.
