Vishing and SSO Exploitation: How Two Cybercrime Groups Are Targeting SaaS Environments with Lightning-Fast Attacks

From Touriddu, the free encyclopedia of technology

Introduction

Cybersecurity researchers have raised alarms about a new wave of rapid, high-impact attacks originating from two distinct cybercrime clusters. These groups, operating almost entirely within Software-as-a-Service (SaaS) ecosystems, are leveraging vishing (voice phishing) and Single Sign-On (SSO) abuse to steal sensitive data with remarkable speed while leaving minimal forensic traces. This article examines the tactics of these groups and offers insights into how organizations can defend against such emerging threats.

Vishing and SSO Exploitation: How Two Cybercrime Groups Are Targeting SaaS Environments with Lightning-Fast Attacks
Source: feeds.feedburner.com

The Threat Clusters: Cordial Spider and Snarky Spider

The two groups, tracked under multiple aliases, are known as Cordial Spider (also called BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (also referred to as O-UNC-025 and UNC6661). Both have been linked to high-speed data theft campaigns that rely on social engineering and identity abuse rather than traditional malware.

Cordial Spider

Cordial Spider specializes in vishing campaigns where attackers impersonate trusted IT or support staff to trick employees into revealing credentials, especially for SSO portals. They often target organizations using popular SaaS platforms like Microsoft 365, Google Workspace, and Salesforce. Once inside, they quickly exfiltrate large volumes of data using native cloud tools, reducing the chance of detection.

Snarky Spider

Snarky Spider focuses on abusing SSO authentication by exploiting misconfigurations or weak session management. They may steal session tokens or use phishing to capture credentials, then move laterally across the SaaS environment to locate valuable data. Their attacks are characterized by their speed: the entire cycle from initial access to exfiltration can occur in under an hour.

Attack Methodology: Speed and Stealth

Both groups share a common approach: they aim to complete their objectives within a single session or a very short timeframe, leaving little time for security teams to react. Key elements include:

  • Vishing: Attackers call employees posing as help desk personnel, convincing them to share credentials or to approve multi-factor authentication (MFA) requests; bombarding a user with repeated MFA prompts until one is approved is known as MFA fatigue. Once they have access, they use it to log into the SaaS environment and steal data.
  • SSO Abuse: By compromising a single set of credentials, attackers can leverage SSO to access multiple interconnected applications without raising suspicion. They may also forge or steal authentication tokens to bypass MFA entirely.
  • Minimal Footprint: These groups avoid installing malware or making system changes. Instead, they use legitimate cloud APIs and scripts to extract data, making their activities appear as normal administrative actions.

The attacks are often tailored to the victim's SaaS environment, with researchers noting that the groups have deep knowledge of cloud security gaps, such as overly permissive SSO policies or unused service accounts.

Impact on Businesses

The rapid nature of these attacks means that even well-prepared organizations can suffer significant data loss before detection. Because the groups operate within the SaaS trust boundaries, traditional security tools like firewalls and endpoint detection may not flag the activity. Common consequences include:

  • Exposure of confidential client data, intellectual property, or financial information.
  • Regulatory fines and legal liabilities, especially in sectors like healthcare or finance.
  • Damage to brand reputation and customer trust.
  • Operational disruption while the environment is audited and cleaned.

In many cases, the attackers use the stolen data for extortion, threatening to leak it publicly unless a ransom is paid.

Defensive Strategies

To counter threats from Cordial Spider, Snarky Spider, and similar groups, organizations should adopt a multi-layered defense focused on identity and access management:

  1. Strengthen SSO Policies: Implement strict access controls, enforce least-privilege permissions, and regularly audit SSO configurations. Disable unused SSO connections and monitor for anomalous token usage.
  2. Educate Employees on Vishing: Conduct training to help staff recognize social engineering tactics. Encourage verification of unsolicited calls via a known internal number.
  3. Adopt Risk-Based Authentication: Use adaptive MFA that triggers additional verification based on location, device, or behavior, rather than relying solely on static rules.
  4. Monitor Cloud Activity in Real Time: Deploy tools that analyze SaaS logs for unusual patterns, such as rapid data exports from multiple accounts or access from unfamiliar IP addresses.
  5. Incident Response Drills: Practice fast containment procedures, such as disabling compromised accounts or revoking session tokens, to reduce the window of opportunity for attackers.
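The following detection sketch is an added example, not code from the article or from any vendor it cites. It runs over a constructed SaaS audit log and flags the four patterns the article names: MFA push fatigue (many prompts to one user in a short window), rapid bulk exports by one account, logins from outside known corporate networks, and a session token reused from a second IP address, which is one concrete form of "anomalous token usage". The log field names, the sample events, the corporate network ranges and the thresholds are all assumptions chosen for illustration; a real deployment would tune them against the tenant's own baseline.

```python
"""Toy SaaS audit-log triage for identity-driven intrusions (constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def ev(hhmmss, user, action, ip, session=""):
    """Build one constructed audit event on a fixed sample day (assumed schema)."""
    return {"ts": f"2024-05-01T{hhmmss}", "user": user, "action": action,
            "ip": ip, "session": session}


# Constructed sample log. alice's activity mimics the article's scenario;
# bob is a normal user working from the corporate network.
SAMPLE_EVENTS = [
    ev("09:00:00", "alice", "mfa_push", "203.0.113.7"),
    ev("09:00:30", "alice", "mfa_push", "203.0.113.7"),
    ev("09:01:00", "alice", "mfa_push", "203.0.113.7"),
    ev("09:01:30", "alice", "mfa_push", "203.0.113.7"),
    ev("09:02:00", "alice", "mfa_push", "203.0.113.7"),
    ev("09:02:30", "alice", "mfa_push", "203.0.113.7"),
    ev("09:03:00", "alice", "login", "203.0.113.7", "s-1"),
    ev("09:04:00", "alice", "export", "203.0.113.7", "s-1"),
    ev("09:05:00", "alice", "export", "203.0.113.7", "s-1"),
    ev("09:06:00", "alice", "export", "203.0.113.7", "s-1"),
    ev("09:07:00", "alice", "export", "203.0.113.9", "s-1"),  # same session, new IP
    ev("09:10:00", "bob", "mfa_push", "198.51.100.20"),
    ev("09:10:30", "bob", "login", "198.51.100.20", "s-2"),
    ev("09:30:00", "bob", "export", "198.51.100.20", "s-2"),
]

# Assumed list of networks the organisation considers "familiar".
CORPORATE_NETWORKS = ["198.51.100.0/24"]


def parse(raw_events):
    """Convert timestamps to datetimes and sort chronologically."""
    events = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw_events]
    return sorted(events, key=lambda e: e["ts"])


def _burst_keys(events, action, key, window, threshold):
    """Keys (e.g. users) with >= threshold `action` events inside any sliding window."""
    times = defaultdict(list)
    for e in events:
        if e["action"] == action:
            times[e[key]].append(e["ts"])
    flagged = set()
    for k, ts in times.items():  # ts is already sorted because events are sorted
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(k)
                break
    return flagged


def detect_mfa_fatigue(events, window=timedelta(minutes=5), threshold=5):
    """Users who received a burst of MFA push prompts (MFA fatigue pattern)."""
    return _burst_keys(events, "mfa_push", "user", window, threshold)


def detect_rapid_exports(events, window=timedelta(minutes=10), threshold=3):
    """Users performing many data exports in a short window."""
    return _burst_keys(events, "export", "user", window, threshold)


def detect_unfamiliar_logins(events, known_networks):
    """(user, ip) pairs for logins originating outside the known networks."""
    nets = [ip_network(n) for n in known_networks]
    return {(e["user"], e["ip"]) for e in events
            if e["action"] == "login"
            and not any(ip_address(e["ip"]) in n for n in nets)}


def detect_session_reuse(events):
    """Session ids observed from more than one source IP (possible stolen token)."""
    ips = defaultdict(set)
    for e in events:
        if e["session"]:
            ips[e["session"]].add(e["ip"])
    return {s for s, seen in ips.items() if len(seen) > 1}


def triage(raw_events, known_networks):
    """Run all detectors and return sorted findings keyed by detector name."""
    events = parse(raw_events)
    return {
        "mfa_fatigue": sorted(detect_mfa_fatigue(events)),
        "rapid_exports": sorted(detect_rapid_exports(events)),
        "unfamiliar_logins": sorted(detect_unfamiliar_logins(events, known_networks)),
        "session_reuse": sorted(detect_session_reuse(events)),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS, CORPORATE_NETWORKS).items():
        print(f"{name}: {hits}")
```

On the sample data only alice and session s-1 are flagged; bob's single prompt, in-network login and lone export stay quiet. The sliding-window helper is shared by the fatigue and export detectors so that thresholds express "N events in T minutes" rather than a fixed count per day, which is what makes it sensitive to the sub-hour cycle described above.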

These groups highlight a growing trend in cybercrime: the shift from network-based attacks to identity-driven breaches. By focusing on how users authenticate, rather than on exploiting traditional vulnerabilities, they achieve high success rates with lower operational overhead.

Conclusion

The emergence of Cordial Spider and Snarky Spider underscores the need for organizations to rethink their SaaS security posture. As these groups demonstrate, speed and stealth are the new hallmarks of data theft. By combining vishing with SSO abuse, they can bypass many existing defenses. A proactive, identity-centric approach is essential to stay ahead of such rapidly evolving threats.