Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks
Cybercrime groups "Cordial Spider" and "Snarky Spider": full speed in SaaS to extort companies
Cybercrime Groups Cordial Spider and Snarky Spider: Moving at SaaS-Speed to Extort Organizations
Cybersecurity researchers have issued a warning regarding two high-velocity cybercrime groups, Cordial Spider and Snarky Spider, which are executing rapid, high-impact extortion attacks. By operating almost exclusively within the confines of SaaS environments, these actors minimize their forensic footprint while maximizing speed. These groups leverage voice phishing (vishing) and session hijacking to bypass modern security controls, with some attacks beginning data exfiltration in less than an hour from the initial breach.
TL;DR
Two formidable cybercrime clusters, Cordial Spider and Snarky Spider, are targeting SSO-integrated SaaS applications using vishing and Adversary-in-the-Middle (AiTM) tactics. These actors are known for their extreme speed—sometimes stealing data within 60 minutes—and their ability to hide by manipulating inbox rules and using residential proxies. To defend against them, Moroccan organizations must prioritize phishing-resistant MFA and monitor for unauthorized device registrations within their Identity Providers (IdPs).
The Evolution of Modern Extortion: Rapid and Precise
Since at least October 2025, security researchers from CrowdStrike, Mandiant, and Palo Alto Networks Unit 42 have been tracking two distinct but highly similar threat clusters: Cordial Spider (also known as BlackFile or CL-CRI-1116) and Snarky Spider (also known as UNC6661).
While many traditional attacks involve complex malware and long periods of lateral movement within an internal network, these groups operate differently. They focus on the "cloud layer," specifically targeting SaaS (Software as a Service) platforms like Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce.
By staying within these trusted environments, the attackers create a "visibility challenge" for defenders. For many Moroccan companies that have shifted to remote work and cloud-first infrastructures, this means the traditional network perimeter provides little to no protection against these specific threats.
Initial Access: The Power of Vishing and AiTM
The attack usually begins with vishing (voice phishing). The attackers, particularly Snarky Spider (noted as a native English-speaking crew), impersonate IT help desk personnel. They call employees and trick them into visiting malicious, SSO-themed Adversary-in-the-Middle (AiTM) pages.
Technical Note: An AiTM attack is a form of session hijacking in which the attacker sits between the user and the real login service. When the user enters their credentials and MFA code on the fake page, the attacker captures them in real time and forwards them to the genuine service, effectively "stealing" the resulting authenticated session.
Because the attackers capture the authentication data live, they can pivot directly into SSO-integrated SaaS applications. Once they have access to the IdP (Identity Provider)—the central hub that manages logins for all company apps—they have a "single point of entry" to move laterally across the entire organization’s cloud ecosystem.
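The technical note above explains why a one-time code typed into an AiTM page is useless as a defence: nothing binds the code to the site the user is actually on. The following simulation, added here as an illustration and not taken from the article or from the researchers' reports, contrasts a relayed TOTP code with a FIDO2/WebAuthn assertion. The origins, RP ID, seed and device key are constructed placeholders, and an HMAC stands in for the authenticator's real public-key signature so the script runs on the standard library alone; the message structure (authenticatorData plus the hash of clientDataJSON, with the origin written in by the browser) follows WebAuthn.

```python
import hashlib
import hmac
import json
import struct

# Constructed placeholders: the real IdP's origin and RP ID, and a look-alike AiTM host.
REAL_ORIGIN = "https://sso.example.test"
REAL_RP_ID = "sso.example.test"
PHISH_ORIGIN = "https://sso-example.test"

TOTP_SEED = b"constructed-shared-totp-seed"      # shared secret between user app and IdP
DEVICE_KEY = b"constructed-fido2-device-secret"  # stands in for the security key's private key


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the code a user types into a login page)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp_relay(unix_time: int) -> bool:
    """The AiTM page receives the user's code and forwards it unchanged to the real IdP."""
    typed_on_phish_page = totp(TOTP_SEED, unix_time)
    relayed_to_real_idp = typed_on_phish_page  # nothing ties the code to a particular site
    return hmac.compare_digest(totp(TOTP_SEED, unix_time), relayed_to_real_idp)


def _sign(auth_data: bytes, client_data: bytes) -> bytes:
    # Toy HMAC signature in place of the authenticator's ECDSA/EdDSA signature; the
    # signed structure is the real one: authenticatorData || SHA-256(clientDataJSON).
    return hmac.new(DEVICE_KEY, auth_data + hashlib.sha256(client_data).digest(),
                    hashlib.sha256).digest()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, strict: bool = True):
    """What the browser does when a page calls navigator.credentials.get()."""
    host = page_origin.split("://", 1)[1]
    if strict and host != rp_id and not host.endswith("." + rp_id):
        return None  # browser refuses: the RP ID is not a suffix of the page's host
    # The browser, not the page, writes the origin into clientDataJSON.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    return client_data, auth_data, _sign(auth_data, client_data)


def rp_verify(assertion, expected_challenge: str) -> bool:
    """Relying-party checks: challenge, origin, RP ID hash, then the signature."""
    if assertion is None:
        return False
    client_data, auth_data, signature = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:
        return False  # the assertion was produced on some other site
    if auth_data[:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    return hmac.compare_digest(_sign(auth_data, client_data), signature)


def webauthn_login(page_origin: str, strict_browser: bool = True) -> bool:
    challenge = "constructed-challenge-0001"  # issued by the real IdP; an AiTM page relays it as-is
    assertion = browser_get_assertion(page_origin, REAL_RP_ID, challenge, strict_browser)
    return rp_verify(assertion, challenge)


if __name__ == "__main__":
    print("TOTP relayed through AiTM accepted:", totp_relay(1_770_000_000))    # True
    print("FIDO2 from the real origin accepted:", webauthn_login(REAL_ORIGIN))  # True
    print("FIDO2 from the AiTM page accepted:", webauthn_login(PHISH_ORIGIN))   # False (browser refuses)
    print("... even with a non-enforcing browser:",
          webauthn_login(PHISH_ORIGIN, strict_browser=False))                   # False (origin check)
```

The two failure points are deliberate: a conforming browser will not even invoke the authenticator for a page whose host does not match the RP ID, and if an assertion somehow reached the IdP anyway, the origin check rejects it. This is the property the article's "phishing-resistant MFA" recommendation relies on.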
Suppression Tactics and Persistence
To stay hidden, these groups employ several sophisticated "Living-off-the-Land" (LotL) techniques:
- MFA Bypass via Device Registration: After gaining access, the actors often remove existing authorized devices and register their own. This ensures they maintain access even if a password is changed.
- Notification Suppression: To prevent the victim from receiving "A new device has been registered" alerts, the attackers immediately configure inbox rules to automatically delete security notifications from the IT department or the IdP.
- Bypassing IP Filters: Researchers from Unit 42 and RH-ISAC noted that CL-CRI-1116 uses residential proxies. These allow the attackers to use IP addresses that appear to belong to home internet users rather than known data centers, effectively bypassing IP-based reputation filters that would otherwise block suspicious traffic.
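The inbox-rule tactic above is one of the easier ones to hunt for, because mailbox rules are an inventory an administrator can pull in full. The script below, an added example rather than anything from the article or the cited researchers, scores each rule against the behaviour described: hiding messages that mention new devices or sign-ins, hiding everything from the IT or IdP sender domains, forwarding mail outside the organisation, and the near-empty rule names attackers tend to use. The `InboxRule` schema, the domain names and the sample rules are all constructed; a real deployment would map the output of the mail platform's rule export onto this shape.

```python
import re
from dataclasses import dataclass, field

# Constructed placeholders: the organisation's own mail domain and the domains of
# its IT team and Identity Provider, whose alerts an attacker would want to hide.
INTERNAL_DOMAIN = "example.test"
TRUSTED_SENDER_DOMAINS = {"it.example.test", "idp-vendor.test"}

# Subject fragments typical of the notifications the article says get suppressed.
SECURITY_SUBJECT = re.compile(
    r"new device|new sign[- ]?in|security alert|mfa|multi[- ]factor|"
    r"password (?:was |has been )?(?:changed|reset)|suspicious", re.I)

# Rule actions that make a message disappear from the user's view.
HIDING_ACTIONS = {"delete", "move_to_deleted_items", "move_to_junk", "move_to_rss_feeds"}


@dataclass
class InboxRule:
    """Vendor-neutral view of a mailbox rule (constructed schema, not a real API)."""
    mailbox: str
    name: str
    actions: list
    subject_contains: list = field(default_factory=list)
    from_addresses: list = field(default_factory=list)
    forward_to: list = field(default_factory=list)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def rule_findings(rule: InboxRule) -> list:
    """Return the reasons a rule looks like notification suppression or mail exfiltration."""
    findings = []
    hides = HIDING_ACTIONS.intersection(a.lower() for a in rule.actions)
    matches_security = any(SECURITY_SUBJECT.search(s) for s in rule.subject_contains)
    from_trusted = any(_domain(a) in TRUSTED_SENDER_DOMAINS for a in rule.from_addresses)
    if hides and (matches_security or from_trusted):
        findings.append("hides security notifications from IT/IdP")
    # Hiding everything from a trusted sender, with no subject filter, is the bluntest form.
    if hides and from_trusted and not rule.subject_contains:
        findings.append("blanket deletion of a trusted sender")
    external = [a for a in rule.forward_to if _domain(a) != INTERNAL_DOMAIN]
    if external:
        findings.append("forwards mail outside the organisation: " + ", ".join(external))
    if len(rule.name.strip()) <= 2:
        findings.append("empty or near-empty rule name")
    return findings


def audit_rules(rules) -> dict:
    """Map (mailbox, rule name) to its findings, omitting clean rules."""
    report = {}
    for rule in rules:
        findings = rule_findings(rule)
        if findings:
            report[(rule.mailbox, rule.name)] = findings
    return report


# Constructed sample: one legitimate rule and three that match the described tradecraft.
SAMPLE_RULES = [
    InboxRule("amal@example.test", "Newsletters", ["move_to_folder:Reading"],
              from_addresses=["news@vendor-news.test"]),
    InboxRule("amal@example.test", ".", ["delete"],
              subject_contains=["A new device has been registered", "New sign-in"]),
    InboxRule("amal@example.test", "..", ["move_to_rss_feeds"],
              from_addresses=["no-reply@idp-vendor.test"]),
    InboxRule("youssef@example.test", "Backup", ["mark_as_read"],
              forward_to=["youssef.backup@freemail.test"]),
]

if __name__ == "__main__":
    for (mailbox, name), findings in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: {'; '.join(findings)}")
```

Run it periodically against a fresh rule export rather than once: the article notes that the rules are created immediately after access is gained, so the window between creation and discovery is what the scan is shortening.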
From Access to Exfiltration in 60 Minutes
The speed of these attacks is a primary concern for security practitioners. According to reports, Snarky Spider can begin exfiltrating sensitive data—such as high-value business reports and employee directories—in under one hour from the moment of initial compromise.
The groups also demonstrate tactical consistency with the ShinyHunters group, and are assessed with moderate confidence to be part of the broader e-crime ecosystem known as "The Com." Their primary objective is extortion: finding high-value files within tools like Salesforce or HubSpot and using them to demand payment.
How Moroccan IT Teams Can Defend
Given that these actors specifically target the retail and hospitality sectors (as seen in activity since February 2026), Moroccan enterprises in these and other sectors should audit their SaaS security posture immediately.
- Implement Phishing-Resistant MFA: Move away from SMS or push-based MFA, which can be easily captured via AiTM sites. Implement hardware security keys (like Yubikeys) or FIDO2-compliant authentication.
- Audit Inbox Rules: Regularly scan for unauthorized email forwarding or auto-deletion rules, especially those targeting security alerts.
- Monitor Identity Providers (IdP): Set up alerts for any new device registration or changes to highly privileged accounts.
- Restrict Employee Directories: Limit the ability of standard users to scrape or export internal employee directories, as attackers use this information for further social engineering.
- SaaS Log Monitoring: Monitor for anomalous data downloads or access patterns in Google Workspace, Salesforce, and HubSpot.
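The IdP and SaaS monitoring items above become far more useful when they are correlated: a new MFA device on its own is a ticket to check, but a new MFA device followed within the hour by a bulk export from Salesforce, HubSpot or Workspace is the exact sequence the article describes. The script below is an added example, not code from the article or the researchers, and works over a constructed, vendor-neutral log format (`TIMESTAMP key=value ...`); the event names, the 1,000-record threshold and the sample lines are all constructed and would be mapped from the real audit logs of each platform.

```python
from datetime import datetime, timedelta

# Correlation window taken from the article: exfiltration within 60 minutes of compromise.
WINDOW = timedelta(minutes=60)
# Constructed threshold; tune it to the normal export volume of your tenant.
BULK_RECORDS = 1000

# Constructed, vendor-neutral event names; not any product's real schema.
REGISTER_EVENTS = {"mfa.device.register"}
REMOVE_EVENTS = {"mfa.device.remove"}
EXPORT_EVENTS = {"report.export", "directory.export", "contacts.export", "bulk.download"}


def parse_event(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(lines):
    """Return (new_device_registrations, fast_exfil_alerts) from normalised log lines."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    registrations, alerts = [], []
    for user, evs in by_user.items():
        for i, reg in enumerate(evs):
            if reg["event"] not in REGISTER_EVENTS:
                continue
            # Every new device is worth an alert on its own (the article's IdP advice).
            prior_removal = any(p["event"] in REMOVE_EVENTS for p in evs[:i])
            registrations.append({"user": user, "at": reg["ts"], "device": reg.get("device"),
                                  "prior_device_removed": prior_removal})
            # Then look for a bulk export inside the 60-minute window after registration.
            for exp in evs[i + 1:]:
                if exp["ts"] - reg["ts"] > WINDOW:
                    break
                if exp["event"] in EXPORT_EVENTS and int(exp.get("records", 0)) >= BULK_RECORDS:
                    alerts.append({
                        "user": user, "source": exp["source"], "event": exp["event"],
                        "records": int(exp["records"]),
                        "minutes_after_new_device": (exp["ts"] - reg["ts"]).total_seconds() / 60,
                        "prior_device_removed": prior_removal,
                    })
    return registrations, alerts


# Constructed sample log, deliberately out of order. amal's sequence mirrors the article:
# old device removed, new device registered, bulk exports inside an hour.
SAMPLE_LOG = """
2026-02-10T09:50:02Z source=workspace user=amal@example.test event=directory.export records=3100
2026-02-10T09:01:12Z source=idp user=amal@example.test event=sso.login ip=198.51.100.23
2026-02-10T09:03:40Z source=idp user=amal@example.test event=mfa.device.remove device=iPhone-Amal
2026-02-10T09:04:05Z source=idp user=amal@example.test event=mfa.device.register device=Pixel-unrecognised
2026-02-10T09:41:30Z source=salesforce user=amal@example.test event=report.export records=48200 report=All_Accounts
2026-02-10T10:15:00Z source=idp user=youssef@example.test event=mfa.device.register device=Youssef-new-phone
2026-02-11T08:10:00Z source=hubspot user=youssef@example.test event=contacts.export records=25000
2026-02-10T11:00:00Z source=salesforce user=sara@example.test event=report.export records=120
""".strip().splitlines()

if __name__ == "__main__":
    regs, alerts = detect(SAMPLE_LOG)
    for r in regs:
        print(f"NEW DEVICE  {r['user']} {r['device']} at {r['at']:%H:%M} "
              f"(old device removed first: {r['prior_device_removed']})")
    for a in alerts:
        print(f"FAST EXFIL  {a['user']} {a['event']} {a['records']} records from {a['source']} "
              f"{a['minutes_after_new_device']:.1f} min after new device")
```

On the sample, youssef's registration is reported but his export the next day falls outside the window, and sara's small export never triggers; only amal's two exports, 37 and 46 minutes after the new device, are raised as fast-exfiltration alerts, with the earlier device removal recorded as supporting context.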
Conclusion
Cordial Spider and Snarky Spider represent a shift toward high-speed, SaaS-centric extortion. Their ability to bypass MFA through vishing and maintain stealth by manipulating internal mail settings makes them a difficult target for traditional security tools. For Moroccan sysadmins and developers, the focus must shift from securing the network perimeter to securing the identity and the SaaS applications themselves.
Source: Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks