Two cybercrime groups — Cordial Spider (also tracked as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (O-UNC-025, UNC6661) — are running high-speed extortion campaigns against SaaS-dependent organizations by combining voice phishing (vishing) with SSO-based adversary-in-the-middle (AiTM) attacks. CrowdStrike published detailed tracking this week. Because both groups operate almost entirely within trusted SaaS environments, traditional endpoint-based detection is largely ineffective against them.
SaaS Extortion Vishing: What We Know So Far
Cordial Spider has been actively targeting retail and hospitality organizations since at least February 2026. Snarky Spider, a native English-speaking group with documented ties to the Com e-crime ecosystem, shares operational characteristics but employs more aggressive follow-on harassment.
The attack chain is consistent across both groups:
- Vishing call — attackers impersonate IT help desk personnel and call employees directly, directing them to a fake SSO login page.
- AiTM credential capture — the phishing page proxies the real SSO service in real time, capturing session tokens along with credentials and MFA codes as the victim enters them.
- SaaS lateral movement — using captured live sessions, attackers pivot across SSO-integrated applications (email, file storage, CRM, HR systems) without ever touching an endpoint.
- Targeted data collection — both groups run automated searches for terms including "confidential," "SSN," "contracts," and "VPN" across connected SaaS platforms.
- Extortion and escalation — Cordial Spider typically demands seven-figure payments. Snarky Spider has used DDoS attacks and, in documented cases, swatting of victim employees as escalation tactics against organizations that refuse to pay.
According to CrowdStrike's research, both groups minimize their footprint by confining activity to trusted SaaS environments, meaning compromised sessions often blend into legitimate user behavior across the same platforms defenders rely on for productivity.
CyberScoop reported that both groups follow a playbook similar to Scattered Spider — another Com-affiliated group responsible for high-profile SaaS intrusions — and that the pattern is now repeatable and scalable enough to be considered a methodology rather than a one-off campaign.
Why SaaS Extortion Vishing Matters
The critical differentiator here is the attack surface. Traditional network- and endpoint-based defenses (firewalls, EDR, VPN monitoring) provide almost no visibility into SSO session abuse, because the attacker never needs a foothold on a managed device. An attacker holding a valid SSO session is functionally indistinguishable from a legitimate user unless the session's context (device, location, and the breadth of what it touches) is examined.
Both groups specifically target organizations with large numbers of frontline, non-technical employees who regularly receive IT-related calls. Retail and hospitality workers are unlikely to verify a caller's identity through a separate channel before following instructions from someone presenting as IT support.
Swatting as an extortion escalation tactic is particularly notable. It crosses into physical safety territory and adds law enforcement complexity: victims must simultaneously manage a cybersecurity incident, a financial extortion demand, and potential emergency services response.
The emergence of two named groups following the same playbook within months of each other strongly suggests that the operational model is being shared and replicated within the Com ecosystem. Defenders should assume additional clusters are in development.
SaaS Extortion Vishing: What You Should Do Now
- Implement a call-verification protocol. Any IT call requesting credential entry or SSO navigation should require the employee to hang up and call back via a known number listed in your internal directory. Publish and train this policy widely before an incident — it will not hold under pressure if employees hear it for the first time during an attack.
- Restrict SSO session reuse and enforce device binding. Where your SSO provider supports it (Okta, Microsoft Entra ID, Google Workspace), bind sessions to registered devices and require re-authentication on new devices or IP ranges outside normal patterns.
- Enable anomalous SSO session alerts. Monitor for logins from unregistered devices, concurrent sessions from geographically distant IP addresses (impossible travel), and bulk SaaS access across multiple applications from a single session. Okta Identity Threat Protection and Microsoft Entra ID Protection flag the device and location anomalies natively; the cross-application fan-out pattern usually needs a correlation rule in your SIEM over the SaaS applications' own audit logs.
- Deploy phishing-resistant MFA. Passkeys and FIDO2 hardware keys defeat AiTM proxies because the authenticator signs over the origin the browser is actually on: an assertion produced on a lookalike phishing domain is rejected by the real service, and the browser will not offer a credential registered to a different domain in the first place. Replace TOTP, push and SMS MFA for all staff with access to sensitive SaaS data. This protects the login ceremony, not a session token that has already been issued, so pair it with the session-binding and re-authentication controls above.
- Brief your help desk explicitly. Social engineering often targets help desk staff as the first step. Train staff to never reset credentials or approve MFA enrollment via phone alone — require a secondary verification method tied to a verified ticket or physical presence.
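To make the origin-binding argument concrete, the following is an added worked model, written for this page rather than taken from CrowdStrike or any SSO vendor, of the assertion checks a WebAuthn relying party performs. It is deliberately simplified: an HMAC keyed with a per-credential secret stands in for the authenticator's real ECDSA/EdDSA signature, the relying-party ID `sso.example.com`, the phishing origin and the challenge are all constructed, and the browser-side rule that refuses to use a credential for a non-matching domain is not modelled, so what is shown is the server-side check that still catches a relayed assertion even if that first line of defence were somehow bypassed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values for the model (not a real deployment).
RP_ID = "sso.example.com"
GENUINE_ORIGIN = "https://sso.example.com"
PHISHING_ORIGIN = "https://sso-example-login.com"   # the AiTM proxy's domain
CREDENTIAL_SECRET = secrets.token_bytes(32)         # stands in for the credential private key


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(challenge: bytes, browser_origin: str) -> dict:
    """Model of what browser + authenticator produce during webauthn.get.

    The browser writes the origin the user is ACTUALLY on into clientDataJSON;
    page script cannot override it. The authenticator then signs
    authenticatorData || SHA-256(clientDataJSON). HMAC replaces the real
    asymmetric signature here; the binding logic is identical.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
        separators=(",", ":"),
    ).encode()
    auth_data = rp_id_hash(RP_ID) + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash, flags=UP, counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks, in the order the WebAuthn spec lists them (simplified)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return (False, "wrong ceremony type")
    if cd.get("challenge") != expected_challenge.hex():
        return (False, "challenge mismatch")
    if cd.get("origin") != GENUINE_ORIGIN:
        return (False, "origin mismatch: " + str(cd.get("origin")))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != rp_id_hash(RP_ID):
        return (False, "rpIdHash mismatch")
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return (False, "bad signature")
    return (True, "ok")


def aitm_relay(challenge: bytes) -> dict:
    # The proxy forwards the genuine challenge to the victim, but the victim's
    # browser stamps the proxy's origin into clientDataJSON.
    return authenticator_sign(challenge, PHISHING_ORIGIN)


def aitm_relay_rewritten(challenge: bytes) -> dict:
    # A proxy that edits the origin field breaks the signature, because the
    # authenticator signed the hash of the original clientDataJSON bytes.
    a = aitm_relay(challenge)
    cd = json.loads(a["clientDataJSON"])
    cd["origin"] = GENUINE_ORIGIN
    a["clientDataJSON"] = json.dumps(cd, separators=(",", ":")).encode()
    return a


def demo() -> dict:
    challenge = secrets.token_bytes(32)   # one fresh challenge per ceremony
    return {
        "legitimate": rp_verify(authenticator_sign(challenge, GENUINE_ORIGIN), challenge),
        "aitm_relayed": rp_verify(aitm_relay(challenge), challenge),
        "aitm_rewritten": rp_verify(aitm_relay_rewritten(challenge), challenge),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Contrast this with TOTP or push MFA, where the proxy simply forwards the six-digit code or the approval and the service has no way to tell which origin the user typed it on. The same origin-binding logic is why the check must be done server-side and not in client script that the proxy can rewrite.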
Detection and Verification Checklist
- Review the SaaS applications' own audit logs (mail, file storage, CRM, HR), not only the SSO provider's logs, for bulk access or searches for terms such as "confidential," "SSN," or "VPN" within a single session window. The SSO provider records the login; what the session did afterwards is only visible in each application's audit trail.
- Check for concurrent active sessions across geographically distant IPs for the same account.
- Cross-reference employee reports of unexpected IT calls — two or more reports in a short window may indicate an active campaign.
- Confirm your SSO provider's suspicious activity alerts are enabled and routing to your SIEM, not just to admin email inboxes.
- Verify that SSO-integrated SaaS applications (Google Workspace, Microsoft 365, Salesforce, ServiceNow) log individual API access events — not just login events — so post-incident investigation is possible.
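The three log checks in this checklist and the recommendation to alert on anomalous sessions can be prototyped over normalized audit events before they become SIEM rules. The following is an added example written for this page, not tooling from CrowdStrike or any vendor: the JSON-lines event shape, the IP-to-coordinate table (TEST-NET addresses), the thresholds and the sample events are all constructed, and a real pipeline would map Okta System Log, Entra sign-in or Google Workspace audit fields into this shape and resolve locations from a GeoIP source.

```python
import json
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (JSON lines) in a simplified, vendor-neutral shape.
# Session s-2 models the article's pattern: a second login from far away,
# fan-out across several SaaS apps, and searches for collection terms.
SAMPLE_LOG = """\
{"ts":"2026-03-02T14:01:00Z","user":"j.doe","session":"s-1","event":"sso.login","app":"sso","ip":"203.0.113.10"}
{"ts":"2026-03-02T14:04:00Z","user":"j.doe","session":"s-2","event":"sso.login","app":"sso","ip":"198.51.100.77"}
{"ts":"2026-03-02T14:05:10Z","user":"j.doe","session":"s-2","event":"app.access","app":"mail","ip":"198.51.100.77"}
{"ts":"2026-03-02T14:05:40Z","user":"j.doe","session":"s-2","event":"app.access","app":"drive","ip":"198.51.100.77"}
{"ts":"2026-03-02T14:06:05Z","user":"j.doe","session":"s-2","event":"search","app":"drive","ip":"198.51.100.77","query":"confidential"}
{"ts":"2026-03-02T14:06:30Z","user":"j.doe","session":"s-2","event":"search","app":"drive","ip":"198.51.100.77","query":"SSN"}
{"ts":"2026-03-02T14:07:00Z","user":"j.doe","session":"s-2","event":"app.access","app":"crm","ip":"198.51.100.77"}
{"ts":"2026-03-02T14:07:30Z","user":"j.doe","session":"s-2","event":"search","app":"mail","ip":"198.51.100.77","query":"vpn config"}
{"ts":"2026-03-02T14:08:00Z","user":"j.doe","session":"s-2","event":"app.access","app":"hr","ip":"198.51.100.77"}
{"ts":"2026-03-02T14:10:00Z","user":"a.lee","session":"s-3","event":"sso.login","app":"sso","ip":"203.0.113.22"}
{"ts":"2026-03-02T14:12:00Z","user":"a.lee","session":"s-3","event":"app.access","app":"mail","ip":"203.0.113.22"}
{"ts":"2026-03-02T14:15:00Z","user":"a.lee","session":"s-3","event":"search","app":"mail","ip":"203.0.113.22","query":"lunch menu"}
"""

# Constructed IP-to-coordinate table (TEST-NET addresses); use a real GeoIP source in production.
GEO = {"203.0.113.10": (39.74, -104.99),   # Denver
       "203.0.113.22": (39.74, -104.99),   # Denver
       "198.51.100.77": (44.43, 26.10)}    # Bucharest

SENSITIVE_TERMS = ("confidential", "ssn", "contracts", "vpn")  # the terms the article lists
MAX_PLAUSIBLE_KMH = 900      # faster than an airliner between two logins = impossible travel
BULK_APP_THRESHOLD = 4       # distinct SaaS apps touched by one session inside WINDOW_MIN
WINDOW_MIN = 30


def parse_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))


def impossible_travel(events):
    """Consecutive SSO logins for one user whose implied travel speed is implausible."""
    logins, findings = defaultdict(list), []
    for e in events:
        if e["event"] == "sso.login":
            logins[e["user"]].append(e)
    for user, ls in logins.items():
        for prev, cur in zip(ls, ls[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            km = haversine_km(GEO[prev["ip"]], GEO[cur["ip"]])
            hours = max((cur["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 3600)
            if km / hours > MAX_PLAUSIBLE_KMH:
                findings.append({"user": user, "sessions": (prev["session"], cur["session"]),
                                 "km": round(km), "kmh": round(km / hours)})
    return findings


def bulk_app_access(events):
    """Sessions that fan out across many SSO-integrated apps within a short window."""
    per_session, findings = defaultdict(list), []
    for e in events:
        if e["event"] in ("app.access", "search"):
            per_session[e["session"]].append(e)
    for sid, es in per_session.items():              # es is time-ordered (parse_events sorted it)
        span_min = (es[-1]["ts"] - es[0]["ts"]).total_seconds() / 60
        apps = sorted({e["app"] for e in es})
        if len(apps) >= BULK_APP_THRESHOLD and span_min <= WINDOW_MIN:
            findings.append({"session": sid, "user": es[0]["user"], "apps": apps, "minutes": round(span_min, 1)})
    return findings


def sensitive_searches(events, min_hits=2):
    """Sessions running repeated searches for the collection terms the groups are known to use."""
    hits = defaultdict(list)
    for e in events:
        q = e.get("query", "").lower()
        if e["event"] == "search" and any(t in q for t in SENSITIVE_TERMS):
            hits[e["session"]].append(e["query"])
    return [{"session": s, "queries": qs} for s, qs in hits.items() if len(qs) >= min_hits]


def analyze(text):
    events = parse_events(text)
    return {"impossible_travel": impossible_travel(events),
            "bulk_app_access": bulk_app_access(events),
            "sensitive_searches": sensitive_searches(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Each of the three checks is weak on its own (a VPN exit node trips impossible travel, a power user trips the fan-out threshold), but a session that raises all three within minutes of a help-desk call report is a strong signal. Tune the thresholds against a few weeks of your own baseline before turning the rule into an alert.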
— Sources: The Hacker News, CrowdStrike, CyberScoop
For any query contact us at contact@cipherssecurity.com

