Gbuck12
2026-05-02
Cybersecurity

The Rise of SaaS Extortion: How Cordial and Snarky Spiders Exploit Vishing and SSO Weaknesses

Two cybercrime groups, Cordial and Snarky Spiders, use vishing and SSO abuse for rapid SaaS extortion attacks with minimal traces. Learn their methods and mitigation strategies.

Cybersecurity researchers have identified two active cybercrime groups—Cordial Spider and Snarky Spider—that are carrying out fast-paced, high-impact extortion attacks within Software-as-a-Service (SaaS) environments. These groups use a combination of vishing (voice phishing) and Single Sign-On (SSO) abuse to gain unauthorized access, steal sensitive data, and leave minimal forensic traces. Their operations are notable for their speed and precision, often completing data theft in hours or days rather than weeks.

Overview of the Threat

Both Cordial Spider (also known as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661) focus on SaaS platforms, exploiting identity management gaps and human vulnerabilities. Unlike traditional ransomware groups that deploy malware, these groups rely on social engineering and credential abuse to bypass security controls. Their attacks are rapid—often from initial vishing call to data exfiltration in under 48 hours—and are designed to be stealthy, making them particularly dangerous.

The Rise of SaaS Extortion: How Cordial and Snarky Spiders Exploit Vishing and SSO Weaknesses
Source: feeds.feedburner.com

What is Cordial Spider?

Cordial Spider is a threat cluster that uses vishing as its primary entry vector. Attackers impersonate IT support or helpdesk staff, convincing employees to share login credentials or one-time passcodes. Once inside, they move laterally using SSO integrations to access multiple connected applications, exfiltrating data quickly. This group is known for targeting organizations of all sizes, with a preference for sectors like finance, healthcare, and technology.

What is Snarky Spider?

Snarky Spider operates similarly but with a greater focus on abusing SSO misconfigurations. They may use initial vishing to gain a foothold, but they also exploit weak or default SSO policies to escalate privileges. Snarky Spider often targets businesses that rely heavily on cloud-based collaboration tools, leveraging SSO to pivot between email, file storage, and project management platforms without triggering alerts.

The Attack Chain: Vishing and SSO Abuse

The attack chain for both groups typically follows a pattern of social engineering followed by technical exploitation. Below is a breakdown of the key stages.

Vishing as Initial Access

Vishing fraudsters call employees, often posing as IT staff or vendors. They use urgency—such as a fake security incident—to trick the target into revealing passwords or approving MFA prompts. This technique is effective because it bypasses email security filters and exploits human trust. Once credentials are obtained, the attacker logs into the organization's SSO portal.

SSO Abuse for Lateral Movement and Data Theft

After gaining access via vishing, the groups abuse SSO to authenticate to multiple SaaS applications without re-entering credentials. They scan for misconfigured permissions, such as overprivileged service accounts or legacy integrations, and use these to exfiltrate data. Because SSO provides seamless access across platforms, the attackers can move undetected, copying sensitive files to cloud storage services they control.

Why SaaS Environments Are Vulnerable

SaaS platforms centralize authentication through SSO, but if that single point of entry is compromised, attackers gain broad access. Additionally, many organizations do not monitor for anomalous SSO usage—such as logins from unusual locations or after-hours access—allowing exfiltration to go unnoticed. The minimal forensic traces left by Cordial and Snarky Spiders (often just a few log entries that look like legitimate user activity) make detection extremely challenging.


Minimal Forensic Traces

Both groups deliberately leave few clues. They avoid exploiting software vulnerabilities, instead using legitimate tools and features. They may delete logs after accessing applications, or rely on the fact that SSO sessions mask individual application access events. Even if an organization detects the vishing call, the actual data theft may have already occurred.

Implications for Businesses

The rapid nature of these attacks—often completing data exfiltration within hours—means that conventional response times are inadequate. Organizations that rely on manual review of alerts or periodic log analysis may not identify the breach until after the data is already sold or leaked. The extortion demands are also swift: attackers threaten to publish stolen data unless a ransom is paid, often within 24-48 hours.

Mitigation Strategies

To defend against Cordial and Snarky Spider attacks, organizations should implement layered defenses that address both human and technical vulnerabilities.

Strengthen Identity and Access Management

Enforce least-privilege policies for SSO applications. Regularly audit permissions, and require MFA for all sensitive actions (e.g., accessing admin consoles). Consider using conditional access policies that block logins from untrusted locations or devices.

Employee Training on Vishing

Train employees to be wary of unsolicited calls requesting login details or MFA codes. Establish a process for verifying caller identity (e.g., a call-back to the IT department). Run simulated vishing exercises to test awareness.

Monitoring and Detection

Implement real-time monitoring of SSO activity. Look for anomalies such as simultaneous logins from different IP addresses, attempts to access applications the user rarely uses, or rapid pivoting between resources. Deploy User and Entity Behavior Analytics (UEBA) to flag unusual access patterns.
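The anomalies listed above (and the unusual-location and after-hours logins noted earlier under "Why SaaS Environments Are Vulnerable") can be expressed as simple rules over an identity provider's audit trail. The following is an added example written for this page, not code from the article or any vendor: it learns each user's normal set of applications from a baseline period, then flags after-hours logins, near-simultaneous logins from different IP addresses, access to applications the user does not normally touch, and rapid pivoting across several applications. The log format, field names, thresholds and the sample events are all constructed assumptions for the illustration.

```python
"""Rule-based anomaly detection over SSO audit events (added example).

The CSV-style line format, the field names and the thresholds are assumptions
made for this illustration; adapt them to your identity provider's export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): UTC timestamp, user, event type,
# source IP, and the application reached through SSO ("-" for plain logins).
SAMPLE_EVENTS = [
    "2026-04-28T09:02:11Z,alice,login,203.0.113.10,-",
    "2026-04-28T09:03:40Z,alice,app_access,203.0.113.10,mail",
    "2026-04-28T14:10:05Z,alice,app_access,203.0.113.10,docs",
    "2026-04-29T08:55:00Z,alice,login,203.0.113.10,-",
    "2026-04-29T08:56:30Z,alice,app_access,203.0.113.10,mail",
    # Incident day: a second login from another network minutes after the
    # first, after hours, followed by a quick sweep through rarely used apps.
    "2026-05-01T22:14:02Z,alice,login,203.0.113.10,-",
    "2026-05-01T22:17:45Z,alice,login,198.51.100.77,-",
    "2026-05-01T22:18:10Z,alice,app_access,198.51.100.77,mail",
    "2026-05-01T22:19:02Z,alice,app_access,198.51.100.77,files",
    "2026-05-01T22:19:40Z,alice,app_access,198.51.100.77,crm",
    "2026-05-01T22:20:15Z,alice,app_access,198.51.100.77,hr",
]

# Events before this cutoff are treated as the learning baseline (assumed).
INCIDENT_DAY_START = datetime(2026, 5, 1)

# Thresholds are assumptions for the example; tune them to your environment.
CONCURRENT_WINDOW = timedelta(minutes=30)   # two logins, different IPs
PIVOT_WINDOW = timedelta(minutes=10)        # sliding window for app pivoting
PIVOT_MIN_APPS = 3                          # distinct apps inside that window
BUSINESS_HOURS = range(7, 20)               # 07:00-19:59 UTC counts as normal


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, user, kind, ip, app = line.split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "kind": kind, "ip": ip, "app": app}


def detect_anomalies(lines, baseline_before):
    """Return a list of (rule, user, detail) findings for events on or after
    baseline_before, using earlier events to learn each user's usual apps."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    usual_apps = defaultdict(set)
    for e in events:
        if e["kind"] == "app_access" and e["ts"] < baseline_before:
            usual_apps[e["user"]].add(e["app"])

    findings = []
    logins = defaultdict(list)      # recent login events per user
    accesses = defaultdict(list)    # recent app_access events per user
    pivot_flagged = set()           # users already reported for pivoting
    for e in events:
        if e["ts"] < baseline_before:
            continue
        u = e["user"]
        if e["kind"] == "login":
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append(("after_hours_login", u, e["ts"].isoformat()))
            for prev in logins[u]:
                if prev["ip"] != e["ip"] and e["ts"] - prev["ts"] <= CONCURRENT_WINDOW:
                    findings.append(("concurrent_login_different_ip", u,
                                     f"{prev['ip']} vs {e['ip']}"))
                    break
            logins[u].append(e)
        elif e["kind"] == "app_access":
            if e["app"] not in usual_apps[u]:
                findings.append(("unusual_app", u, e["app"]))
            accesses[u].append(e)
            recent = {a["app"] for a in accesses[u]
                      if e["ts"] - a["ts"] <= PIVOT_WINDOW}
            if len(recent) >= PIVOT_MIN_APPS and u not in pivot_flagged:
                pivot_flagged.add(u)
                findings.append(("rapid_pivot", u,
                                 f"{len(recent)} apps within {PIVOT_WINDOW}"))
    return findings


def run_sample():
    """Run the detector over the constructed sample with the assumed cutoff."""
    return detect_anomalies(SAMPLE_EVENTS, INCIDENT_DAY_START)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:32} {user:8} {detail}")
```

Each rule is deliberately cheap enough to run as events arrive rather than in a periodic batch, which is the point made above about response time. In practice the baseline should be learned from weeks of history rather than two days, the source IP check is better done on a network or ASN basis than on exact addresses, and a finding such as `rapid_pivot` combined with `concurrent_login_different_ip` for the same user is a strong candidate for automatically terminating the SSO session rather than only raising an alert.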

Conclusion

The rise of vishing and SSO abuse in extortion attacks highlights the evolving tactics of cybercrime groups. Cordial and Snarky Spiders demonstrate that even without sophisticated malware, adversaries can cause significant damage by exploiting human and systemic weaknesses. Organizations must adopt a proactive security posture, combining employee education with technical controls to protect their SaaS environments.

For more on identity security, see our guide on Strengthening Identity and Access Management.