Recent cybersecurity investigations reveal a shift towards high-speed, software-as-a-service (SaaS) centric attacks by threat actors, bypassing traditional endpoint defenses. Two groups, labeled CORDIAL SPIDER and SNARKY SPIDER, have been actively involved in these data theft operations since October 2025.
Exploitation of SaaS Environments
Operating primarily within trusted SaaS platforms such as SharePoint, HubSpot, and Google Workspace, these groups move between applications through the victim's single sign-on (SSO) integrations. Because the activity consists of ordinary authenticated sessions to sanctioned services, it generates little or no endpoint telemetry, which leaves security teams that depend on endpoint detection with reduced visibility and complicates detection.
Initial Access Through Vishing
The attackers begin their campaigns with voice phishing (vishing). Posing as IT support, they manufacture a sense of urgency and direct employees to fake login pages that mimic legitimate corporate portals. Once credentials are entered, the attackers capture both the credentials and the session tokens issued for that login, without the victim's knowledge.
The stolen credentials and tokens grant access to the organization's identity provider, from which the attackers pivot into every SaaS application federated to it. They then entrench their foothold by altering the victim's multifactor authentication (MFA) settings, often registering a device they control so that they can satisfy future MFA challenges themselves.
Executing Rapid Data Exfiltration
Once access is established, the threat actors run targeted searches across the connected SaaS platforms for valuable information rather than crawling everything. SNARKY SPIDER in particular has been observed beginning data exfiltration within an hour, targeting critical documents and stored credentials.
To avoid detection, both groups route their sessions through commercial VPNs and proxy networks such as Mullvad and NetNut. Residential proxy networks in particular hand out IP addresses allocated to consumer ISPs, so the malicious logins blend in with ordinary remote-work traffic and are not caught by IP-reputation checks that only flag datacenter ranges. CrowdStrike Falcon Shield applies detection techniques that identify such anonymization infrastructure as part of defending against these high-speed intrusions.
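The intrusion chain described above (a login through anonymizing infrastructure, an MFA factor enrolled from a network the user has never used, then a download burst within the hour) can be correlated directly from identity-provider and SaaS audit logs, which is where the attack is visible when the endpoint is not. The following Python is an added example, not CrowdStrike's or Falcon Shield's logic: the event schema (`ts`, `user`, `action`, `ip`, `asn`, `app`, `object`), the thresholds, and the sample events are constructed, and the CIDR ranges are RFC 5737 documentation addresses standing in for a real VPN/proxy feed, not actual Mullvad or NetNut prefixes.

```python
"""Correlate IdP and SaaS audit events for the vishing -> token theft -> MFA enrolment ->
rapid download chain. Added example with an assumed normalised event schema."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed tuning knobs (not from the article).
NEW_NETWORK_AGE = timedelta(days=1)        # ASN first seen for this user less than a day ago
MFA_TO_EXFIL_WINDOW = timedelta(hours=1)   # article: exfiltration begins within an hour
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 10

# Placeholder ranges standing in for VPN / residential-proxy egress (RFC 5737 documentation
# space). In production these come from a threat-intel feed; none is a real provider prefix.
ANONYMIZER_NETS = {
    "vpn-exit": ip_network("198.51.100.0/24"),
    "residential-proxy": ip_network("192.0.2.128/25"),
}


@dataclass
class Alert:
    rule: str
    user: str
    ts: datetime
    detail: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def anonymizer_label(ip: str) -> str | None:
    """Return the category of anonymizing infrastructure the IP belongs to, if any."""
    addr = ip_address(ip)
    return next((label for label, net in ANONYMIZER_NETS.items() if addr in net), None)


def analyze(events: list[dict]) -> list[Alert]:
    """Single pass over time-ordered events; returns alerts in the order they fire."""
    alerts: list[Alert] = []
    first_seen: dict[tuple[str, str], datetime] = {}      # (user, asn) -> first sighting
    enrolled_at: dict[str, datetime] = {}                  # user -> last MFA factor enrolment
    downloads: dict[str, list[datetime]] = defaultdict(list)  # sliding window per user
    burst_fired: set[str] = set()                          # alert once per user, not per file

    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts, asn = e["user"], _ts(e["ts"]), e["asn"]
        first_seen.setdefault((user, asn), ts)

        if e["action"] == "login":
            label = anonymizer_label(e["ip"])
            if label:
                alerts.append(Alert("login_from_anonymizer", user, ts, f'{e["ip"]} is {label}'))

        elif e["action"] == "mfa_factor_enrolled":
            enrolled_at[user] = ts
            if ts - first_seen[(user, asn)] < NEW_NETWORK_AGE:
                alerts.append(Alert("mfa_enrolled_from_new_network", user, ts,
                                    f'{e.get("object")} added from {asn}, first seen for {user} at {first_seen[(user, asn)]}'))

        elif e["action"] == "file_download":
            window = [t for t in downloads[user] if ts - t <= BURST_WINDOW] + [ts]
            downloads[user] = window
            if len(window) >= BURST_THRESHOLD and user not in burst_fired:
                burst_fired.add(user)
                alerts.append(Alert("download_burst", user, ts, f"{len(window)} downloads within {BURST_WINDOW}"))
                # The high-severity signal: the burst follows a fresh MFA change within the hour.
                if user in enrolled_at and ts - enrolled_at[user] <= MFA_TO_EXFIL_WINDOW:
                    alerts.append(Alert("rapid_exfil_after_mfa_change", user, ts,
                                        f"burst started {ts - enrolled_at[user]} after MFA factor enrolment"))
    return alerts


def _download(user: str, ts: str, ip: str, asn: str, name: str) -> dict:
    return {"ts": ts, "user": user, "action": "file_download", "ip": ip, "asn": asn,
            "app": "sharepoint", "object": name}


# Constructed sample events (not real telemetry). CORP is the office egress; PROXY sits in
# the placeholder residential-proxy range above.
CORP, PROXY = ("203.0.113.8", "AS64496"), ("192.0.2.200", "AS64500")
SAMPLE_EVENTS = [
    {"ts": "2025-11-01T08:30:00Z", "user": "j.doe", "action": "login", "ip": CORP[0], "asn": CORP[1], "app": "idp"},
    {"ts": "2025-11-01T08:35:00Z", "user": "a.lee", "action": "login", "ip": "203.0.113.9", "asn": CORP[1], "app": "idp"},
    # Attacker uses the captured credentials/tokens through a proxy, then adds an MFA factor.
    {"ts": "2025-11-03T09:05:40Z", "user": "j.doe", "action": "login", "ip": PROXY[0], "asn": PROXY[1], "app": "idp"},
    {"ts": "2025-11-03T09:07:02Z", "user": "j.doe", "action": "mfa_factor_enrolled", "ip": PROXY[0],
     "asn": PROXY[1], "app": "idp", "object": "authenticator-app"},
    # Twelve downloads at 30-second intervals starting 09:15:00.
    *[_download("j.doe", f"2025-11-03T09:{15 + i // 2:02d}:{30 * (i % 2):02d}Z", PROXY[0], PROXY[1],
                f"Finance/doc-{i}.xlsx") for i in range(12)],
    # Benign colleague: three downloads an hour apart from the office.
    *[_download("a.lee", f"2025-11-03T1{i}:00:00Z", "203.0.113.9", CORP[1], f"HR/policy-{i}.docx") for i in range(3)],
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a.ts.isoformat()}  {a.rule:32} {a.user:8} {a.detail}")
```

Run stand-alone, the script emits four alerts for `j.doe` and none for `a.lee`: the proxy login, the factor enrolled two minutes after that ASN first appeared for the user, the download burst at 09:19:30, and the chained high-severity alert because the burst came roughly twelve minutes after the MFA change. The per-user ASN baseline is the part that needs real history behind it; with only a day of logs every network looks new, so seed `first_seen` from a longer lookback before trusting the `mfa_enrolled_from_new_network` rule.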
Maintaining a robust SaaS security posture management program and detecting anomalies in identity-provider and SaaS audit logs, rather than relying on endpoint telemetry alone, are crucial for defending against these fast-moving attacks.
