Paintou
2026-05-05
Cybersecurity

Rise of SaaS-Focused Cyber Extortion: Vishing and SSO Attacks by Cordial and Snarky Spiders

Two cybercrime groups, Cordial Spider and Snarky Spider, use vishing and SSO abuse for rapid SaaS extortion. This article details their tactics, attack stages, and defensive measures.

Introduction

Cybersecurity researchers have identified two sophisticated cybercrime groups—Cordial Spider (also tracked as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661)—that are executing rapid, high-impact extortion attacks within Software-as-a-Service (SaaS) environments. These groups exploit vishing (voice phishing) and Single Sign-On (SSO) abuse to steal data and demand ransoms, all while leaving minimal forensic traces. This article explores their tactics, the vulnerabilities they target, and the challenges organizations face in detecting and mitigating such threats.

Source: feeds.feedburner.com

The Threat Actors: Cordial Spider and Snarky Spider

Both clusters operate with a focus on speed and stealth. Cordial Spider is known for leveraging commercially available phishing kits and social engineering to gain initial access, often targeting help desk personnel. Snarky Spider, meanwhile, specializes in abusing SSO trust relationships to move laterally across SaaS platforms. Their end goal is the same: exfiltrate sensitive data and extort victims under threat of public disclosure.

Cordial Spider (BlackFile)

  • Focus: Vishing campaigns targeting employees to reveal credentials or approve multi-factor authentication (MFA) pushes.
  • Tactics: Impersonating IT support, using caller ID spoofing, and deploying token theft after MFA bypass.
  • Targets: Organizations relying on SaaS platforms like Microsoft 365, Google Workspace, and Salesforce.

Snarky Spider (O-UNC-025)

  • Focus: SSO trust exploitation, often compromising identity providers (IdPs) or federation services.
  • Tactics: Harvesting session tokens, forging SAML assertions, and abusing OAuth grants to gain persistent access.
  • Targets: Enterprises with complex SSO configurations and insufficient monitoring of trust flows.

Attack Methodology: Vishing and SSO Abuse

The attacks unfold in three rapid stages: initial access, lateral movement, and data exfiltration.

Stage 1: Initial Access via Vishing

Cordial Spider initiates contact by phone, pretending to be a vendor or internal IT. They use social engineering to trick the victim into revealing credentials or approving a fraudulent MFA prompt. "Hello, this is Jane from the help desk. We're resetting your account due to a security update—please verify your one-time code." This voice-based phishing bypasses email filters and often catches victims off guard.

Stage 2: Lateral Movement and SSO Abuse

Once inside, Snarky Spider takes over. By compromising the SSO infrastructure (e.g., an IdP like Azure AD or Okta), they create hidden service principals or modify federation trusts. This allows them to impersonate any user or application within the SaaS ecosystem. They also harvest session cookies and refresh tokens to maintain access even after password resets.


Stage 3: High-Speed Data Theft and Extortion

Data exfiltration occurs within hours, not days. The attackers use native SaaS APIs to download gigabytes of data—emails, files, CRM records—without triggering traditional data loss prevention (DLP) alerts. They then demand a ransom, often in cryptocurrency, and threaten to leak the data if not paid.

Impact and Detection Challenges

The speed and stealth of these attacks make them particularly dangerous. Traditional security tools that rely on signature-based detection or anomalous file transfers often fail because the attackers blend in with legitimate administrative activity. For example, an SSO token modification may appear as a routine policy update. Vishing calls leave no digital trace, making incident response difficult.

Moreover, the extortion pressure is magnified by the sensitive nature of SaaS data—customer lists, financial records, intellectual property. A single breach can lead to regulatory fines, reputational damage, and operational disruption.

Recommended Defenses

Organizations can reduce their risk by adopting a layered approach:

  1. Strengthen MFA Policies: Use number matching or biometric verification to foil vishing-driven MFA fatigue attacks.
  2. Monitor SSO Trusts: Audit IdP configurations, federation metadata, and OAuth grants for unauthorized changes.
  3. Implement User Behavior Analytics (UBA): Detect unusual patterns like bulk API calls from a new device or rapid privilege escalation.
  4. Train Staff on Vishing: Conduct regular simulations where employees are asked to verify callers through a separate channel.
  5. Enable Breach and Attack Simulation (BAS): Continuously test defenses against tactics used by Cordial Spider and Snarky Spider.
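An added example (not from the article or from any vendor tooling) of how defenses 2 and 3 above could be expressed as detection logic: it runs over a constructed set of identity-provider audit events and flags the two signals described in Stages 2 and 3, federation-trust or service-principal changes, and bulk SaaS API downloads from a device the user has never used before. The event field names, action names and the 1 GB threshold are assumptions, not any real IdP's schema.

```python
from collections import defaultdict

# Constructed sample audit events (assumed schema, not a real IdP export).
# "alice" logs in from an unknown device, changes federation settings, adds a
# service principal and then pulls ~1.7 GB via the API; "bob" is normal use.
EVENTS = [
    {"ts": 1, "user": "alice", "action": "login", "device": "dev-A", "bytes": 0},
    {"ts": 2, "user": "alice", "action": "login", "device": "dev-Z", "bytes": 0},
    {"ts": 3, "user": "alice", "action": "update_federation_settings", "device": "dev-Z", "bytes": 0},
    {"ts": 4, "user": "alice", "action": "add_service_principal", "device": "dev-Z", "bytes": 0},
    {"ts": 5, "user": "alice", "action": "api_download", "device": "dev-Z", "bytes": 900_000_000},
    {"ts": 6, "user": "alice", "action": "api_download", "device": "dev-Z", "bytes": 800_000_000},
    {"ts": 7, "user": "bob", "action": "api_download", "device": "dev-B", "bytes": 50_000_000},
]

# Devices each user has historically used (constructed baseline).
KNOWN_DEVICES = {"alice": {"dev-A"}, "bob": {"dev-B"}}

# Actions that alter SSO trust; every one is alerted on, since a hidden service
# principal or federation change can look like a routine policy update.
TRUST_ACTIONS = {"update_federation_settings", "add_service_principal", "add_oauth_grant"}

# Assumed threshold: cumulative API download volume per (user, device).
BULK_BYTES = 1_000_000_000


def detect(events, known_devices):
    """Return a list of (rule, user, detail) alerts in event-time order."""
    alerts = []
    volume = defaultdict(int)     # (user, device) -> bytes downloaded so far
    bulk_fired = set()            # (user, device) pairs already alerted on
    for e in sorted(events, key=lambda x: x["ts"]):
        user, dev, act = e["user"], e["device"], e["action"]
        new_device = dev not in known_devices.get(user, set())
        tag = " (new device)" if new_device else ""
        if act in TRUST_ACTIONS:
            alerts.append(("sso_trust_change", user, f"{act} from {dev}{tag}"))
        if act == "api_download":
            key = (user, dev)
            volume[key] += e["bytes"]
            # Bulk volume alone is weak evidence; combined with an unseen
            # device it matches the Stage 3 pattern closely enough to alert.
            if new_device and volume[key] >= BULK_BYTES and key not in bulk_fired:
                bulk_fired.add(key)
                alerts.append(("bulk_download_new_device", user, f"{volume[key]} bytes via {dev}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(EVENTS, KNOWN_DEVICES):
        print(f"[{rule}] {user}: {detail}")
```

In production the baseline of known devices would come from historical sign-in logs rather than a constant, and the trust-change alerts should be reconciled against approved change tickets rather than suppressed.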

Conclusion

The rapid, SaaS-contained extortion attacks by Cordial Spider and Snarky Spider highlight a growing trend: cybercriminals moving from network-level breaches to cloud-native exploitation. By combining vishing with SSO abuse, they achieve high impact with low detectability. Organizations must adapt their security strategies to monitor SaaS-specific threats, enforce strict identity controls, and educate users about the evolving voice-phishing landscape. Staying ahead of these groups requires not just technology, but a proactive culture of vigilance.