Cordial Spider, Snarky Spider Use Vishing and SSO Phishing to Breach SaaS

Two emerging cybercriminal groups Cordial Spider and Snarky Spider—are exploiting SaaS platforms to conduct large-scale data theft and extortion campaigns.

By abusing trusted cloud environments, these attackers are bypassing traditional defenses and targeting enterprise identities at scale.

For security leaders, this signals a critical shift: the cloud is no longer just infrastructure—it’s the new attack surface.

What Happened

According to Mandiant, both groups are linked to a broader cybercriminal ecosystem known as The Com.

Active since October 2025
Primary attack vector: Vishing (voice phishing)
Attackers impersonate IT support to trick users
Victims are directed to fake Single Sign-On (SSO) portals
Credentials are harvested and used to access SaaS environments
Stolen data is exfiltrated and leveraged for extortion

Attackers also use SaaS platforms themselves as infrastructure, blending malicious activity with legitimate traffic.

Why This Matters

This campaign reflects a major shift in cyber threats:

1. Identity Is the New Perimeter

Attackers no longer need to breach networks—they simply log in using stolen credentials.

2. SaaS Platforms Are Being Weaponized

Cloud services are used for:

Command-and-control operations
Data staging and exfiltration
Obfuscating malicious activity

3. Social Engineering Is Driving Access

Vishing attacks bypass technical defenses by exploiting human trust.

This aligns with broader trends:

Rise of identity-based attacks
Growth of SaaS attack surfaces
Increasing use of legitimate platforms for malicious operations

Impact on Buyers

This impacts enterprise buyers in three key ways:

Risk Exposure

Unauthorized access to critical SaaS applications
Large-scale data theft and extortion risk
Increased exposure due to credential compromise

Operational Pressure

Need for stronger identity verification and monitoring
Increased focus on user behavior analytics
Greater complexity in detecting cloud-based threats

Budget Implication

Increased investment in:
- Identity and Access Management (IAM)
- Multi-Factor Authentication (MFA)
- Identity Threat Detection & Response (ITDR)
- SaaS security and monitoring tools

Demand Signal (Pipeline Trigger)

This signals increased demand for:

Identity Threat Detection & Response (ITDR)
SaaS Security Posture Management (SSPM)
Privileged Access Management (PAM)
Zero Trust Security Solutions
Security Awareness & Anti-Phishing Training

Vendors that secure identity + SaaS ecosystems will see accelerated demand.

What Security Leaders Should Do

Immediate Actions

Enforce MFA across all SaaS applications
Educate employees on vishing and social engineering tactics
Monitor login anomalies and suspicious access patterns

Strategic Adjustments

Implement Zero Trust access controls
Strengthen identity verification processes
Deploy SaaS activity monitoring and analytics

Long-Term Investments

Adopt identity-first security architecture
Integrate IAM with threat detection systems
Invest in continuous user behavior monitoring

Who Should Care

CISOs
Cloud Security Leaders
Identity & Access Management Teams
IT & Risk Management Leaders

Related Trends

Identity-based cyberattacks
SaaS security risks
Zero Trust adoption
Social engineering evolution

Data Callout

Research indicates that over 80% of breaches involve compromised credentials, making identity security the top priority.

CyberTech Intelligence POV

At CyberTech Intelligence, this trend confirms a fundamental shift:

The battle is no longer for networks—it’s for identities.

As SaaS adoption grows, attackers are exploiting trust, credentials, and human behavior to gain access. Demand is now driven by identity visibility and control, not just perimeter defense.

Organizations that recognize this shift early will transform risk into proactive investment—and pipeline growth.

Understand how SaaS-based attacks impact your security strategy and pipeline.

Get your Demand Activation Blueprint

Source : cybersecurity-insiders.com

Recommended Cyber Technology News :

To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com

🔒 Login or Register to continue reading

CyberTech Media Room

CyberTech Media Room is the editorial intelligence arm of CyberTech Insights, focused on delivering high-impact narratives at the intersection of cybersecurity, data infrastructure, AI systems, and enterprise risk. Built for decision-makers, analysts, and technology leaders, the CyberTech Media Room translates complex security developments into structured, actionable intelligence. Its coverage spans threat landscapes, regulatory shifts, cyber resilience frameworks, and emerging technologies shaping modern enterprise defense. The editorial approach is grounded in three principles: Signal over noise — prioritizing relevance, depth, and strategic clarity over volume Intelligence-led storytelling — combining data, expert perspectives, and market context Decision utility — ensuring every piece contributes to informed business or technology outcomes CyberTech Media Room collaborates with industry practitioners, researchers, and enterprise leaders to surface insights that matter—from boardroom-level risk considerations to operational security strategies. Positioned beyond traditional media, it operates as a strategic intelligence layer for organizations navigating an increasingly complex and adversarial digital environment.

Share With

What Happened
Why This Matters
Impact on Buyers
Demand Signal (Pipeline Trigger)
What Security Leaders Should Do
Who Should Care
Related Trends
Data Callout
CyberTech Intelligence POV

CyberTech Intelligence

Connect with Us

Cordial Spider, Snarky Spider Use Vishing and SSO Phishing to Breach SaaS

What Happened