Published on May 2, 2026

Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks


Severity
Medium

Detail

Cybersecurity researchers have identified two cybercrime groups, Cordial Spider and Snarky Spider, conducting rapid and high-impact extortion campaigns by operating almost entirely within SaaS environments. Active since at least October 2025, both groups focus on speed, stealth, and efficiency, leaving minimal forensic traces. Their operations rely heavily on social engineering and abuse of trusted systems, making detection challenging. Snarky Spider is also believed to have links to The Com.

How?

The attack begins with voice phishing (vishing), where attackers impersonate IT help desk personnel and contact targeted employees. Victims are directed to malicious SSO-themed adversary-in-the-middle (AiTM) phishing pages, where their credentials and MFA codes are captured in real time.

Using the stolen credentials, attackers gain access to the organization’s Identity Provider (IdP), allowing them to enter multiple SaaS applications through a single authenticated session. They then register their own device, remove legitimate ones, and suppress security alerts by creating inbox rules that delete notification emails.

To remain undetected, attackers use residential proxies and rely on living-off-the-land techniques. They escalate privileges by targeting high-level accounts through further social engineering, often using internal directories. Once elevated access is obtained, they move across SaaS platforms like Google Workspace, Microsoft SharePoint, Salesforce, and HubSpot to locate and exfiltrate sensitive data. In many cases, data theft begins within an hour of initial compromise.
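One way to detect the post-login sequence described above (attacker device registered, legitimate device removed, inbox rule that deletes notification emails) is to correlate those events per user inside a short window. This is an added example, not code from the original report; the event types and field names are a constructed, normalized schema rather than any vendor's log format, and the one-hour window is an assumption taken from the tempo the report describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumption: mirrors the "within an hour" tempo in the report

# Constructed sample events in a hypothetical normalized schema (not a vendor format).
SAMPLE_EVENTS = [
    {"ts": "2026-04-30T09:02:11", "user": "a.lee", "type": "mfa_device_added", "device": "phone-new"},
    {"ts": "2026-04-30T09:04:40", "user": "a.lee", "type": "mfa_device_removed", "device": "phone-old"},
    {"ts": "2026-04-30T09:07:05", "user": "a.lee", "type": "inbox_rule_created",
     "action": "delete", "match": "security alert"},
    {"ts": "2026-04-30T10:15:00", "user": "b.cho", "type": "mfa_device_added", "device": "tablet"},
    {"ts": "2026-04-30T11:00:00", "user": "c.diaz", "type": "inbox_rule_created",
     "action": "move", "match": "newsletter"},
    {"ts": "2026-04-30T08:00:00", "user": "d.roy", "type": "mfa_device_added", "device": "phone-2"},
    {"ts": "2026-04-30T13:30:00", "user": "d.roy", "type": "mfa_device_removed", "device": "phone-1"},
]

def signal(event):
    """Map an event to one of the three signals of interest, or None."""
    if event["type"] == "mfa_device_added":
        return "device_added"
    if event["type"] == "mfa_device_removed":
        return "device_removed"
    if event["type"] == "inbox_rule_created" and event.get("action") == "delete":
        return "delete_rule"
    return None

def detect(events, window=WINDOW, min_signals=2):
    """Return {user: sorted signals} where >= min_signals distinct signals fall in one window."""
    per_user = defaultdict(list)
    for e in events:
        s = signal(e)
        if s:
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), s))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):
            # Distinct signals seen in the window that opens at this event.
            seen = {s for t, s in hits[i:] if t - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_signals:
            alerts[user] = sorted(best)
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Raising `min_signals` to 3 limits alerts to the full sequence, since a device swap on its own also occurs during ordinary phone upgrades.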

Conclusion

This campaign highlights a shift toward identity-based attacks that exploit human trust and SSO systems instead of traditional malware. By operating within legitimate SaaS environments, attackers can bypass conventional security defenses, move laterally with ease, and execute high-speed data theft with minimal visibility. Organizations must strengthen identity security, enforce strict authentication controls, and improve monitoring to defend against these fast and stealthy extortion attacks.

Source

https://thehackernews.com/2026/05/cybercrime-groups-using-vishing-and-sso.html