Cybercrime groups Cordial Spider and Snarky Spider are executing rapid, high-impact extortion attacks within SaaS environments, leveraging voice phishing (vishing) and single sign-on (SSO) abuse to bypass traditional defenses. As detailed by CrowdStrike, these actors—active since at least October 2025—impersonate IT staff to trick users into visiting adversary-in-the-middle (AiTM) phishing pages, capturing credentials and multi-factor authentication (MFA) codes. Their ability to pivot into SSO-integrated SaaS platforms like Google Workspace, Microsoft SharePoint, and Salesforce within hours of initial access (often under 60 minutes for Snarky Spider) underscores a critical vulnerability in cloud ecosystems: the over-reliance on trust relationships between identity providers (IdPs) and connected services.

What the original coverage misses is the deeper connection to systemic supply chain risks. These attacks are not isolated; they mirror patterns seen in earlier campaigns like the 2020 SolarWinds breach, where trusted software environments were weaponized for lateral movement. SaaS platforms, often seen as secure by default, are becoming the new attack surface due to their interconnected nature and the cascading access granted through SSO. The use of living-off-the-land (LotL) techniques and residential proxies by these groups further complicates detection, as they blend into legitimate traffic—a tactic reminiscent of state-sponsored actors like APT29 (Cozy Bear) during the 2016 DNC hacks. This convergence of e-crime and advanced persistent threat (APT) methodologies suggests a blurring line between financially motivated and geopolitical cyber operations.

Moreover, the focus on retail and hospitality by Cordial Spider (aka CL-CRI-1116), as noted by Palo Alto Networks Unit 42, highlights a strategic targeting of sectors with high data turnover and often weaker cybersecurity postures. These industries are linchpins in broader supply chains, meaning breaches here can ripple outward, compromising vendors, customers, and partners. The original story underplays this downstream risk, failing to connect how stolen data—often business-critical reports—can be weaponized for secondary attacks or sold in forums like The Com, a known e-crime ecosystem tied to both groups.

Current defenses are lagging. While MFA and device registration are bypassed via social engineering, the root issue lies in inadequate authentication frameworks for cloud services. Organizations must adopt zero-trust architectures and context-aware access controls to disrupt attackers’ ability to exploit trusted sessions. The rapid exfiltration timelines also demand real-time anomaly detection within SaaS environments, a capability most enterprises lack. Without addressing these gaps, the SaaS ecosystem remains a soft target for extortion campaigns that can scale across industries with alarming speed.