Cybercrime Groups Use Vishing and SSO Abuse in Rapid SaaS Extortion Attacks

Cybersecurity researchers are warning of two cybercrime groups conducting "quick, high-impact attacks" that operate almost entirely within SaaS environments while leaving few traces of their actions.
The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, UNC-045, and UNC6671) and Snarky Spider (also known as O-UNC-025 and UNC6661), are said to have conducted high-speed data theft and extortion campaigns that share a remarkable degree of operational similarity. Both groups are believed to have been active since at least October 2025, and the latter, an English-speaking group, has ties to the e-crime ecosystem known as The Com.
"In many cases, these adversaries use vishing (voice phishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and directly access SSO-integrated SaaS applications," CrowdStrike's Counter Adversary Operations said in a report.
“By operating virtually within trusted SaaS environments, they reduce their footprint while accelerating time to impact. The combination of speed, accuracy, and SaaS-only functionality creates significant discovery and visibility challenges for defenders.”
In a report published back in January 2026, Google-owned Mandiant said the two clusters represent an uptick in threat activity that uses tactics similar to the phishing attacks carried out by the ShinyHunters group. This includes impersonating IT staff on phone calls to trick victims into handing over their credentials and multi-factor authentication (MFA) codes by directing them to phishing pages.
[Figure: Snarky Spider begins to sink in less than an hour]
As recently as last week, Palo Alto Networks Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) assessed with moderate confidence that the threat actors behind CL-CRI-1116 are also likely associated with The Com, adding that the activity relies heavily on living-off-the-land techniques and the use of residential proxies to bypass basic IP-based filters.
“CL-CRI-1116 activity has been concentrated in the retail and hospitality environment since February 2026, mainly vishing attacks impersonating IT help desk workers combined with phishing login sites,” said researchers Lee Clark, Matt Brady, and Cuong Dinh.
Attacks mounted by the two groups are known to register a new device to bypass MFA and maintain persistent access to the compromised account (but not before removing existing devices), after which the threat actors suppress the automatic email notifications triggered by the unauthorized device registration by creating inbox rules that automatically delete such messages.
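The device swap followed by a notification-hiding inbox rule is a sequence a defender can hunt for directly. The following is an added example, not code from CrowdStrike, Mandiant or Unit 42: it runs a simple correlation over a handful of constructed audit events in a simplified, normalized schema (the `op`, `ts`, `user` and `params` fields are assumptions for this example; the rule parameter names mirror Exchange Online's `New-InboxRule` cmdlet, but you would map real unified-audit-log or IdP events onto this shape yourself). It flags any user for whom an MFA device registration and an inbox rule that deletes or diverts security notifications land inside the same time window, and raises the severity when an existing device was removed in the same window.

```python
"""
Toy detector for the post-compromise sequence described above: an MFA device
swap followed by an inbox rule that hides the resulting security notification.
The event schema and the sample events below are constructed for this example.
"""
from datetime import datetime, timedelta

# Subject/body words a notification-hiding rule typically matches on.
# Heuristic, assumed list; extend it with your IdP's actual notification subjects.
SECURITY_WORDS = ("security", "device", "authentication", "mfa",
                  "sign-in", "sign in", "registered")

# Constructed sample events (not real telemetry), already normalized.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:02:00", "user": "alice@example.com",
     "op": "DeviceRemoved", "params": {"device": "iPhone"}},
    {"ts": "2026-03-02T09:03:30", "user": "alice@example.com",
     "op": "DeviceRegistered", "params": {"device": "Authenticator-new"}},
    {"ts": "2026-03-02T09:05:10", "user": "alice@example.com",
     "op": "New-InboxRule",
     "params": {"Name": "cleanup",
                "SubjectContainsWords": ["security info was changed", "new device"],
                "DeleteMessage": True}},
    {"ts": "2026-03-02T11:20:00", "user": "bob@example.com",
     "op": "New-InboxRule",
     "params": {"Name": "newsletters",
                "SubjectContainsWords": ["weekly digest"],
                "MoveToFolder": "Archive"}},
    {"ts": "2026-03-03T08:00:00", "user": "carol@example.com",
     "op": "DeviceRegistered", "params": {"device": "Laptop"}},
]


def _parse_ts(s):
    return datetime.fromisoformat(s)


def rule_hides_security_mail(params):
    """True if an inbox rule deletes or diverts messages that look like
    security notifications (device registration, MFA changes, sign-ins)."""
    diverts = params.get("DeleteMessage") or params.get("MoveToFolder") \
        or params.get("MarkAsRead")
    if not diverts:
        return False
    words = params.get("SubjectContainsWords", []) + params.get("BodyContainsWords", [])
    return any(w in word.lower() for word in words for w in SECURITY_WORDS)


def find_device_swap_with_rule(events, window=timedelta(hours=1)):
    """Return one finding per (user, device registration) where a
    notification-hiding inbox rule was created within `window` of it."""
    by_user = {}
    for e in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        by_user.setdefault(e["user"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        regs = [e for e in evs if e["op"] == "DeviceRegistered"]
        removals = [e for e in evs if e["op"] == "DeviceRemoved"]
        rules = [e for e in evs
                 if e["op"] == "New-InboxRule" and rule_hides_security_mail(e["params"])]
        for reg in regs:
            t0 = _parse_ts(reg["ts"])
            near_rules = [r for r in rules if abs(_parse_ts(r["ts"]) - t0) <= window]
            if not near_rules:
                continue
            # A removal of an existing device right before/after the new one
            # is the stronger signal described in the reporting.
            swapped = any(abs(_parse_ts(r["ts"]) - t0) <= window for r in removals)
            findings.append({
                "user": user,
                "device_registered_at": reg["ts"],
                "existing_device_removed": swapped,
                "hiding_rules": [r["params"]["Name"] for r in near_rules],
                "severity": "high" if swapped else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_device_swap_with_rule(SAMPLE_EVENTS):
        print(f)
```

On the sample data only alice is flagged: bob's rule diverts newsletters, not security mail, and carol registered a device without touching her inbox rules. In production the window and word list are the knobs to tune; a rule that only marks messages as read is still worth alerting on, since it hides the notification just as effectively as deleting it.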
The next phase involves targeting high-privilege accounts through continued social engineering, using harvested internal employee directories to pick victims. Once they gain elevated access, the adversaries pivot into the target SaaS environments to locate high-value files and business-critical reports in Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, and exfiltrate the sensitive data to infrastructure under their control.
"In most cases observed, these tokens provide access to an organization's identity provider (IdP), which provides a single point of entry to multiple SaaS applications," CrowdStrike said. "By abusing the trust relationship between the IdP and connected services, adversaries bypass the need to compromise individual SaaS applications and instead move across the victim's entire SaaS ecosystem with a single authenticated session."