The Rise of Vishing and SSO Abuse in Cybercrime
In a significant shift in cybercrime, groups are increasingly using voice phishing, or vishing, and Single Sign-On (SSO) abuse to execute rapid SaaS extortion attacks. These developments mark a pivotal change in the tactics employed by cybercriminals, prompting organizations to reconsider their security strategies.
Recent reports have highlighted two cybercrime groups, Cordial Spider and Snarky Spider, which have been linked to these high-speed extortion campaigns. These groups have been active since at least October 2025, with Snarky Spider reportedly consisting of native English speakers connected to the e-crime ecosystem known as The Com. Their operations are largely conducted within trusted SaaS environments, allowing them to minimize detection while maximizing impact.
Operational Tactics of Cordial Spider and Snarky Spider
Cordial Spider and Snarky Spider employ sophisticated methods to infiltrate SaaS environments. Their primary tactic involves using vishing to trick users into visiting malicious, SSO-themed adversary-in-the-middle pages. These pages capture the victim's authentication data, allowing the attackers to pivot directly into SSO-integrated SaaS applications.
This approach is highly effective because it relies on the trust users place in SaaS platforms. By operating within these environments, the attackers create significant challenges for defenders who struggle with visibility and detection. The speed and precision of these attacks further complicate defensive efforts, necessitating a reevaluation of existing security measures.
Expanding Threat Activity and Industry Implications
In January 2026, a report by Google-owned Mandiant revealed an expansion in threat activity that mirrors tactics used by the ShinyHunters group. These tactics involve impersonating IT staff to deceive victims into providing credentials and multi-factor authentication codes. The attackers then direct victims to phishing sites to harvest their information.
Recent assessments by Palo Alto Networks Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) have linked the group behind CL-CRI-1116 to The Com and noted their use of living-off-the-land techniques and residential proxies. These methods help conceal their geographical location and bypass basic IP-based reputation filters, adding another layer of complexity for defenders.
Targeting High-Value Accounts and Data
Once inside a SaaS environment, these cybercriminals target high-privilege accounts and valuable data. They often register a new device to bypass multi-factor authentication and maintain access, and they suppress email notifications related to unauthorized activities by configuring inbox rules that delete such notifications automatically.
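A detection sketch for the behaviour described above, added here as an illustration and not taken from any of the cited reports: it flags accounts where a new MFA device is registered and, shortly afterwards, an inbox rule is created that deletes security-notification mail. The event schema (`ts`, `user`, `action`, `rule_action`, `keywords`), the keyword list and the one-hour window are assumptions; map them to the fields your identity provider and mail audit logs actually emit.

```python
from datetime import datetime, timedelta

# Constructed, vendor-neutral audit events (hypothetical schema; map your IdP
# and mail audit fields onto ts/user/action before use).
SAMPLE_EVENTS = [
    {"ts": "2026-01-14T09:02:11", "user": "a.lee", "action": "mfa_device_registered",
     "device": "iPhone-new"},
    {"ts": "2026-01-14T09:06:40", "user": "a.lee", "action": "inbox_rule_created",
     "rule_action": "delete", "keywords": ["new device", "security alert"]},
    {"ts": "2026-01-14T10:15:00", "user": "b.kim", "action": "inbox_rule_created",
     "rule_action": "move", "keywords": ["newsletter"]},
    {"ts": "2026-01-10T08:00:00", "user": "c.roy", "action": "mfa_device_registered",
     "device": "Pixel"},
    {"ts": "2026-01-14T11:00:00", "user": "c.roy", "action": "inbox_rule_created",
     "rule_action": "delete", "keywords": ["sign-in"]},
]

# Assumed terms that appear in security notification mail; tune per tenant.
ALERT_TERMS = ("security", "sign-in", "new device", "verification", "mfa", "password")
WINDOW = timedelta(hours=1)  # assumed correlation window


def hides_security_mail(event):
    """True if an inbox rule deletes mail matching security-notification terms."""
    if event.get("action") != "inbox_rule_created" or event.get("rule_action") != "delete":
        return False
    words = " ".join(event.get("keywords", [])).lower()
    return any(term in words for term in ALERT_TERMS)


def correlate(events, window=WINDOW):
    """Return (user, enrol_ts, rule_ts) where a suppressing rule follows enrolment."""
    last_enrol = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "mfa_device_registered":
            last_enrol[ev["user"]] = ts
        elif hides_security_mail(ev):
            enrol = last_enrol.get(ev["user"])
            if enrol is not None and ts - enrol <= window:
                findings.append((ev["user"], enrol.isoformat(), ts.isoformat()))
    return findings


if __name__ == "__main__":
    for user, enrol_ts, rule_ts in correlate(SAMPLE_EVENTS):
        print(f"ALERT {user}: MFA device enrolled {enrol_ts}, suppressing rule {rule_ts}")
```

Only the first constructed account is flagged with the default window; the delete rule created four days after an enrolment and the benign "move" rule are ignored, which keeps the signal tied to the enrol-then-suppress sequence.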
The attackers then focus on scraping internal employee directories to conduct further social engineering, allowing them to escalate their access. With elevated privileges, they can breach target SaaS environments, searching for and exfiltrating high-value files and business-critical reports from platforms like Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce.
Strategic Recommendations for Organizations
In light of these developments, organizations must update their security measures to address the challenges posed by these advanced tactics. The rapid pace and precision of these attacks mean that traditional security strategies may no longer suffice. Companies should invest in advanced threat detection systems that can identify and respond to suspicious activities in real time.
Moreover, organizations should enhance their employee training programs to increase awareness of vishing attacks and improve their ability to recognize phishing attempts. Implementing more robust multi-factor authentication methods and regularly updating them can also help mitigate these threats.
Looking Ahead: The Evolving Cybersecurity Landscape
As cybercriminals continue to evolve their tactics, the cybersecurity landscape will need to adapt accordingly. Organizations must remain vigilant and proactive in their approach to security, continuously assessing and updating their defenses to counter new threats as they emerge.
Looking ahead, the focus will likely be on developing more sophisticated detection and prevention technologies, as well as fostering greater collaboration between industry players and cybersecurity experts to share insights and strategies. As the threat landscape continues to shift, staying informed and agile will be key to safeguarding against these increasingly complex cyber threats.
