Two cybercrime groups, Cordial Spider and Snarky Spider, are drawing attention from cybersecurity experts for their accelerated and high-impact attacks within Software-as-a-Service (SaaS) environments. Operating almost invisibly, these groups have been active since at least October 2025, with Snarky Spider linked to the well-known e-crime ecosystem, The Com. Their activities involve rapid data theft and extortion, marked by a striking similarity in their operational methods.
Vishing and SSO Exploitation
Using voice phishing, or ‘vishing’, these groups trick targeted users into navigating to malicious pages designed to resemble Single Sign-On (SSO) systems. This tactic allows them to capture authentication credentials and infiltrate SSO-integrated SaaS platforms. According to a CrowdStrike report, the groups’ reliance on trusted SaaS environments greatly reduces their operational footprint and makes detection and defense considerably harder.
Mandiant’s January 2026 report highlights the expansion of such threat activities, linking them to tactics used by the ShinyHunters group. These include impersonating IT staff to deceive victims into divulging credentials and multi-factor authentication (MFA) codes, leveraging phishing pages to accomplish this.
Techniques and Targets
Recent assessments by Palo Alto Networks Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) suggest that Cordial Spider has been targeting the retail and hospitality sectors since February 2026. They employ living-off-the-land (LotL) tactics and residential proxies to obscure their locations and evade basic security measures.
These groups often register new devices to bypass MFA protections, remove previous devices, and suppress email notifications regarding unauthorized device registrations. They achieve this by setting inbox rules to automatically delete such messages, thereby maintaining stealth during their operations.
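The device-swap and notification-suppression sequence described above leaves a recognizable trail in identity and mailbox audit logs: a new MFA device registered, an earlier device removed shortly afterwards, and an inbox rule that deletes security or device-related notifications. The following Python script is an added detection example, not code from CrowdStrike, Mandiant, Unit 42 or the article; the event field names and the sample audit records are constructed for illustration and do not follow any vendor's schema. It correlates those events per user inside a time window and rates the finding higher when all three steps appear together, while a lone device registration (the second user) raises nothing, since that is routine behaviour.

```python
"""Correlate identity and mailbox audit events to flag the MFA device-swap plus
notification-suppression pattern. Event schema and records are constructed."""
from datetime import datetime, timedelta

# Constructed sample events, not from any real log source. Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:14:05Z", "user": "j.doe", "type": "sign_in", "ip": "203.0.113.7"},
    {"ts": "2026-03-02T09:15:40Z", "user": "j.doe", "type": "mfa_device_registered",
     "device": "Authenticator (new)"},
    {"ts": "2026-03-02T09:16:12Z", "user": "j.doe", "type": "mfa_device_removed",
     "device": "Authenticator (old)"},
    {"ts": "2026-03-02T09:17:30Z", "user": "j.doe", "type": "inbox_rule_created",
     "rule": {"subject_contains": ["new sign-in", "security alert", "device"], "action": "delete"}},
    # A routine new-phone enrolment with an unrelated mail rule: should not alert.
    {"ts": "2026-03-02T11:02:00Z", "user": "a.smith", "type": "mfa_device_registered",
     "device": "Phone"},
    {"ts": "2026-03-02T11:40:00Z", "user": "a.smith", "type": "inbox_rule_created",
     "rule": {"subject_contains": ["newsletter"], "action": "move"}},
]

# Subject fragments that typically appear in device/security notification mail (assumed list).
SUSPICIOUS_SUBJECT_TERMS = ("new sign-in", "security alert", "device", "mfa", "authentication")
WINDOW = timedelta(hours=1)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_suppression_rule(rule):
    """True when an inbox rule deletes (or hides) mail whose subject references
    security or device notifications; that is the suppression behaviour of interest."""
    if rule.get("action") not in ("delete", "move_to_deleted"):
        return False
    terms = [t.lower() for t in rule.get("subject_contains", [])]
    return any(any(s in t for s in SUSPICIOUS_SUBJECT_TERMS) for t in terms)


def find_device_swap_patterns(events, window=WINDOW):
    """Return one finding per MFA device registration that is followed, within
    `window`, by removal of another device and/or a suppression inbox rule for
    the same user. Registration on its own produces no finding."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        for i, reg in enumerate(evs):
            if reg["type"] != "mfa_device_registered":
                continue
            t0 = _parse(reg["ts"])
            later = [e for e in evs[i + 1:] if _parse(e["ts"]) - t0 <= window]
            removed = any(e["type"] == "mfa_device_removed" for e in later)
            suppressed = any(e["type"] == "inbox_rule_created" and is_suppression_rule(e["rule"])
                             for e in later)
            if removed or suppressed:
                findings.append({
                    "user": user,
                    "registered_at": reg["ts"],
                    "old_device_removed": removed,
                    "notifications_suppressed": suppressed,
                    # All three steps together is the full pattern from the report.
                    "severity": "high" if (removed and suppressed) else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in find_device_swap_patterns(SAMPLE_EVENTS):
        print(finding)
```

In practice the window and subject terms would be tuned to the tenant's own notification templates, and the inbox-rule check should also cover rules that forward or move such mail rather than delete it outright.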
Impact on SaaS Ecosystems
After securing access, attackers focus on high-privileged accounts through further social engineering, exploiting internal employee directories. This access allows them to infiltrate SaaS environments such as Google Workspace, Microsoft SharePoint, HubSpot, and Salesforce, seeking valuable files and reports. They then exfiltrate sensitive data to their controlled infrastructure.
As noted by CrowdStrike, the stolen credentials often provide access to an organization’s identity provider (IdP), enabling attackers to move laterally across multiple SaaS applications with a single authenticated session. This exploitation of trust relationships between IdPs and connected services eliminates the need to compromise individual SaaS apps, enhancing the efficiency and impact of these cyber threats.
Understanding and mitigating these sophisticated tactics is crucial for organizations seeking to protect their SaaS ecosystems from such aggressive cybercrime activities.
