Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks

Published: (May 1, 2026 at 10:26 AM EDT)

Source: The Hacker News

Ravie Lakshmanan, May 01, 2026


Overview

Cybersecurity researchers warn that two cyber‑crime groups are conducting rapid, high‑impact attacks almost entirely within SaaS environments, leaving minimal forensic traces. The campaigns focus on voice‑phishing (vishing) to steal credentials and pivot directly into SSO‑integrated SaaS applications.

Threat Actors

Both groups, Cordial Spider and Snarky Spider, have been active since at least October 2025. Snarky Spider is an English‑speaking crew linked to the e‑crime ecosystem known as The Com.

“In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO‑themed adversary‑in‑the‑middle (AiTM) pages, where they capture authentication data and pivot directly into SSO‑integrated SaaS applications,”
— CrowdStrike Counter Adversary Operations, Defending Against Cordial Spider and Snarky Spider with Falcon Shield.

Attack Methodology

Vishing and AiTM Phishing


The attackers use vishing calls to impersonate IT help‑desk personnel, directing victims to malicious login pages that mimic SSO portals. Once credentials and MFA codes are captured, the adversaries:

  • Register a new device
  • Remove existing devices
  • Suppress notification emails by creating inbox rules that delete such alerts
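The three post‑compromise steps above leave a recognisable pattern in identity‑provider and mailbox audit logs even when the attacker never touches an endpoint. The following Python script is an added example, not code from the article or from any vendor it cites: it correlates a constructed set of audit events and flags an account whose new device registration is followed within an hour by device removal or by an inbox rule that deletes security notifications. The event schema, field names, time window and alert keyword list are assumptions a defender would adapt to their own log sources.

```python
"""Correlate IdP and mailbox audit events for the post-credential-capture
sequence: new device registered, existing devices removed, inbox rule that
deletes security notifications. Added example; the event schema is assumed
and the log lines below are constructed, not real telemetry."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed, vendor-neutral event tuple: (timestamp, user, action, detail).
# Real IdP and mailbox audit logs differ; map them onto these fields first.
CONSTRUCTED_EVENTS = [
    ("2026-04-20T09:00:10Z", "alice@example.com", "sso.login", "ip=203.0.113.7 mfa=push"),
    ("2026-04-20T09:02:31Z", "alice@example.com", "device.register", "name=DESKTOP-NEW"),
    ("2026-04-20T09:03:05Z", "alice@example.com", "device.remove", "name=alice-laptop"),
    ("2026-04-20T09:04:40Z", "alice@example.com", "mailbox.rule.create",
     "subject_contains='new sign-in' action=delete"),
    # Benign baseline: a device enrolment with no follow-up, and an unrelated rule a day later.
    ("2026-04-20T09:30:00Z", "bob@example.com", "device.register", "name=bob-phone"),
    ("2026-04-21T14:00:00Z", "bob@example.com", "mailbox.rule.create",
     "subject_contains='newsletter' action=move:Archive"),
]

# Assumed subject fragments that security notification mails commonly carry.
ALERT_KEYWORDS = ("sign-in", "security alert", "new device", "mfa", "verification")
WINDOW = timedelta(minutes=60)  # assumed correlation window


@dataclass(frozen=True)
class Finding:
    user: str
    start: str                 # timestamp of the triggering device.register event
    indicators: tuple[str, ...]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _is_alert_suppression_rule(detail: str) -> bool:
    """True when an inbox rule deletes mail whose subject looks like a security alert."""
    d = detail.lower()
    return "action=delete" in d and any(k in d for k in ALERT_KEYWORDS)


def find_account_takeover_sequences(events, window: timedelta = WINDOW) -> list[Finding]:
    """Return one Finding per device.register event that is followed, within
    `window`, by a device.remove and/or an alert-suppressing inbox rule for
    the same user. A lone device registration is not reported."""
    by_user: dict[str, list] = {}
    for ts, user, action, detail in sorted(events, key=lambda e: e[0]):
        by_user.setdefault(user, []).append((_parse(ts), ts, action, detail))

    findings: list[Finding] = []
    for user, evs in by_user.items():
        for i, (t0, raw0, action0, _) in enumerate(evs):
            if action0 != "device.register":
                continue
            indicators = ["device.register"]
            for t, _, action, detail in evs[i + 1:]:
                if t - t0 > window:
                    break  # events are sorted, so nothing later can be in-window
                if action == "device.remove":
                    indicators.append("device.remove")
                elif action == "mailbox.rule.create" and _is_alert_suppression_rule(detail):
                    indicators.append("alert-suppressing inbox rule")
            if len(indicators) > 1:
                # dict.fromkeys de-duplicates while preserving order
                findings.append(Finding(user, raw0, tuple(dict.fromkeys(indicators))))
    return findings


if __name__ == "__main__":
    for f in find_account_takeover_sequences(CONSTRUCTED_EVENTS):
        print(f.user, f.start, ", ".join(f.indicators))
```

Run against the constructed events, only alice@example.com is reported, with all three indicators; Bob's enrolment and his archive rule fall outside the pattern. In production the same correlation would consume the IdP's device and session audit stream together with the mail platform's rule‑creation events, and the inbox‑rule check alone (a freshly created rule that deletes sign‑in or MFA mail) is worth alerting on even without the device events.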

SaaS‑Only Operations

“By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS‑only activity creates significant detection and visibility challenges for defenders.”

The groups target high‑value SaaS platforms—Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce—and exfiltrate business‑critical files after gaining privileged access.

Living‑Off‑the‑Land (LotL) Techniques

Palo Alto Networks Unit 42 and the Retail & Hospitality ISAC (RH‑ISAC) attribute the CL‑CRI‑1116 activity to The Com, noting heavy reliance on LotL tools and residential proxies to evade IP‑based reputation filters.

“CL‑CRI‑1116 activity has been actively targeting the retail and hospitality space since February 2026, specifically leveraging vishing attacks impersonating IT help‑desk personnel in combination with phishing login sites to steal credentials,”
— Researchers Lee Clark, Matt Brady, and Cuong Dinh.

Detection & Response

  • Mandiant (January 2026) linked the two clusters to extortion‑themed attacks previously seen from the ShinyHunters group.
  • A ThreatLocker detection example shows how the malicious device registration can be identified.


Timeline Example

[Figure: Snarky Spider exfiltration timeline. Caption: Snarky Spider begins exfiltration in under an hour.]

Additional Quote

“d move laterally across the victim’s entire SaaS ecosystem with a single authenticated session.”
— CrowdStrike
