Researchers have uncovered two sophisticated threat actors, CORDIAL SPIDER and SNARKY SPIDER, running high-speed, SaaS-focused intrusion campaigns that combine voice phishing, adversary-in-the-middle (AiTM) techniques, and identity provider abuse to exfiltrate sensitive data within hours of initial compromise.
Since October 2025, the Threat Intelligence team has tracked a significant evolution in intrusion tradecraft. Rather than deploying malware or exploiting software vulnerabilities, these adversaries operate almost exclusively within trusted SaaS environments such as SharePoint, HubSpot, and Google Workspace, leaving minimal forensic traces while accelerating from initial access to mass data exfiltration at unprecedented speed.
How AiTM Phishing Grants Instant SaaS Access
Both adversaries initiate attacks through vishing (voice phishing) calls in which operators impersonate IT support personnel and fabricate urgency around account issues or security updates.
Victims are directed to fraudulent SSO-themed login portals using convincing domain patterns such as <companyname>sso[.]com, my<companyname>[.]com, and <companyname>id[.]com.
These AiTM proxy pages capture authentication credentials and active session tokens in real time while simultaneously relaying the login to the legitimate service, meaning the victim experiences a completely normal login and remains unaware of the compromise.
Critically, the stolen session grants access to the organization’s identity provider (IdP), which serves as a single point of entry to all connected SaaS applications, eliminating the need to compromise individual platforms one by one.
MFA Manipulation
After achieving initial access, both adversaries register attacker-controlled MFA devices to compromised accounts, establishing durable persistence without repeatedly interacting with the victim’s legitimate authentication factors.
Their device preferences differ, revealing distinct operational fingerprints:
- SNARKY SPIDER almost exclusively enrolls a Genymobile Android emulator (via the open-source scrcpy project), enabling cross-platform Android device operation across Linux, Windows, and macOS
- CORDIAL SPIDER uses a broader mix of mobile devices alongside a Windows Quick Emulator (QEMU) device for MFA registration
In several observed intrusions, the same attacker-controlled MFA device was simultaneously enrolled across multiple compromised accounts, dramatically streamlining persistent access at scale. In other cases, adversary devices were the first MFA factor ever registered for long-standing accounts that had never had MFA configured.
Immediately following MFA enrollment, both adversaries execute aggressive notification suppression to delay victim discovery. Tactics include manually deleting automated security emails that notify users of suspicious device registrations, and creating inbox rules to automatically filter and delete incoming messages containing keywords such as “alert,” “incident,” “MFA,” “unauthorized,” and related security terminology.
SNARKY SPIDER is particularly systematic in this evasion phase, effectively neutralizing the victim’s primary detection signal, their own inbox, before security teams or users can respond.
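The three enrollment and suppression behaviours described above (one attacker device enrolled across many accounts, a first-ever MFA factor on a long-standing account, and inbox rules that delete security notifications) are concrete enough to detect from IdP and mailbox audit logs. The following is an added example from this editor, not the article's or CrowdStrike's own detection logic; the events are constructed samples and the field names (`device_id`, `prior_factors`, `condition`, and so on) are assumptions to be mapped onto your own audit-log schema.

```python
# Detection heuristics for the MFA-manipulation tradecraft described in the article.
# All events are constructed samples; field names are assumptions to map onto your IdP/mailbox audit schema.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed IdP audit events, one per MFA enrollment; prior_factors = factors the account held before it.
MFA_ENROLLMENTS = [
    {"user": "alice@example.com", "device_id": "dev-A1",   "ts": "2025-11-03T09:02:00", "prior_factors": 1},
    {"user": "bob@example.com",   "device_id": "dev-EMU7", "ts": "2025-11-03T09:05:00", "prior_factors": 0},
    {"user": "carol@example.com", "device_id": "dev-EMU7", "ts": "2025-11-03T09:06:00", "prior_factors": 2},
    {"user": "dave@example.com",  "device_id": "dev-EMU7", "ts": "2025-11-03T09:09:00", "prior_factors": 0},
]
# Constructed account-creation dates, used to judge which accounts are "long-standing".
ACCOUNT_CREATED = {
    "alice@example.com": "2021-04-12T00:00:00", "bob@example.com": "2019-08-01T00:00:00",
    "carol@example.com": "2020-02-20T00:00:00", "dave@example.com": "2025-10-20T00:00:00",
}
# Constructed mailbox audit events: inbox rules created shortly after enrollment.
INBOX_RULES = [
    {"user": "bob@example.com",  "action": "delete", "condition": "subject contains 'MFA' or 'unauthorized'"},
    {"user": "erin@example.com", "action": "move",   "condition": "from newsletter@vendor.example"},
]
# Keywords the article reports being filtered; extend with your own notification wording.
SUPPRESSION_TERMS = ("alert", "incident", "mfa", "unauthorized")

def shared_mfa_devices(events, min_accounts=2):
    """Device IDs enrolled to at least min_accounts distinct users (one attacker device, many victims)."""
    users_by_device = defaultdict(set)
    for e in events:
        users_by_device[e["device_id"]].add(e["user"])
    return {d: sorted(u) for d, u in users_by_device.items() if len(u) >= min_accounts}

def first_factor_on_old_account(events, created, min_age_days=365):
    """Users whose first-ever MFA factor landed on an account older than min_age_days."""
    cutoff = timedelta(days=min_age_days)
    return [e["user"] for e in events if e["prior_factors"] == 0
            and datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(created[e["user"]]) >= cutoff]

def suppressing_inbox_rules(rules, terms=SUPPRESSION_TERMS):
    """Users who created delete rules keyed on security-notification keywords (whole-word, case-insensitive)."""
    pattern = re.compile(r"\b(?:" + "|".join(map(re.escape, terms)) + r")\b", re.IGNORECASE)
    return [r["user"] for r in rules if r["action"] == "delete" and pattern.search(r["condition"])]

def correlated_users(events, created, rules):
    """Users hit by at least two of the three signals: the strongest candidates for the pattern in the article."""
    shared = {u for users in shared_mfa_devices(events).values() for u in users}
    signals = [shared, set(first_factor_on_old_account(events, created)), set(suppressing_inbox_rules(rules))]
    return sorted(u for u in set().union(*signals) if sum(u in s for s in signals) >= 2)
```

On the sample data only `bob@example.com` trips all three signals; `carol` and `dave` share the emulator device but nothing else, which is why the correlation step matters for triage ordering rather than as a hard filter.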
Targeted Data Discovery
Rather than indiscriminately downloading all accessible data, both adversaries conduct precision keyword searches across SaaS platforms to prioritize high-value content. Observed search terms include “confidential,” “SSN,” “contracts,” and “VPN,” reflecting deliberate targeting of business-critical documents, infrastructure credentials, and sensitive personal information.
This reconnaissance-driven approach shortens the path from initial access to exfiltration. Telemetry shows SNARKY SPIDER initiating exfiltration in under one hour from initial compromise, underscoring the operational urgency defenders face.
The attacks exploit not vulnerabilities in the SaaS platforms themselves, but rather customer misconfigurations: the absence of phishing-resistant MFA and overly permissive access controls.
Residential Proxies Masking Malicious Traffic
To evade IP-based detection, CORDIAL SPIDER and SNARKY SPIDER rely heavily on residential proxy networks, which route traffic through IP addresses assigned to real home users rather than data center ranges, so their activity appears to be legitimate residential traffic. Identified proxy providers include:
- Mullvad
- Oxylabs
- NetNut
- 9Proxy
- Infatica
- NSOCKS
This infrastructure strategy allows adversaries to blend attack traffic with normal user behavior, defeating traditional anomaly detection systems that rely on IP reputation alone.
Detection
CrowdStrike’s Falcon Shield platform is specifically engineered to address this SaaS-layer detection gap through three core capabilities:
- Deep SaaS Expertise – Platform-specific detection models built around authentication flows, user behavior baselines, and SaaS-native entity configurations for each supported application
- Advanced Anomaly Detection – Statistical and entity-aware models evaluating users, service accounts, OAuth applications, and API tokens in full context, cross-correlated with network artifacts, device telemetry, and zero-trust access signals
- New-Age Network Intelligence – Active identification and classification of anonymization services, residential proxy nodes, and adversarial infrastructure clusters in global reputation systems
It additionally delivers SaaS Security Posture Management (SSPM), continuously monitoring identity configurations and access controls to surface misconfigurations before they can be exploited.
FAQ
1. What is an AiTM phishing attack?
An adversary-in-the-middle (AiTM) attack uses a proxy page to capture both credentials and active session tokens in real time, bypassing MFA by hijacking the authenticated session rather than just the password.
2. How do CORDIAL SPIDER and SNARKY SPIDER differ?
SNARKY SPIDER favors Genymobile Android emulators for MFA enrollment and systematically creates inbox filtering rules, while CORDIAL SPIDER uses a broader range of devices, including QEMU emulators.
3. Why are these SaaS attacks harder to detect than traditional endpoint intrusions?
Attackers operate entirely within legitimate, trusted SaaS applications using valid session tokens, generating no endpoint malware artifacts and blending with normal user activity.
4. What is the most effective defense against these identity-based SaaS attacks?
Deploying phishing-resistant MFA (such as FIDO2/passkeys), implementing strict SaaS access controls, and using a dedicated SaaS detection platform like CrowdStrike Falcon Shield to monitor authentication anomalies and MFA enrollment events.
Site: thecybrdef.com