{"id":779,"date":"2026-05-01T15:45:06","date_gmt":"2026-05-01T15:45:06","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=779"},"modified":"2026-05-01T15:45:06","modified_gmt":"2026-05-01T15:45:06","slug":"cybercrime-groups-using-vishing-and-sso-abuse-in-rapid-saas-extortion-attacks","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=779","title":{"rendered":"Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">May 01, 2026<\/span><\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi4FSyjacFNJX32YMLQvN6jUeVwGJfoAHPLMIhtU6aNS6hrkIUokynaWWzqxOjr1JsP0lIooaL0ppYM-iQ_rEH2ruoqMw1UAb_bq4FNjI16P6P7CpTaYSkJtp-TpCFKOce9ODtmzskcTZnuWFLYyUdfA0UeHqmRVVNB1P6Mw28a5Yuc7T1kgEx4Pcyxbcsr\/s1700-e365\/vishing.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>Cybersecurity researchers are warning of two cybercrime groups that are carrying out \u00abrapid, high-impact attacks\u00bb operating almost within the confines of SaaS environments, while leaving minimal traces of their actions.<\/p>\n<p>The clusters, <strong><a href=\"https:\/\/www.crowdstrike.com\/en-us\/adversaries\/cordial-spider\/\">Cordial Spider<\/a><\/strong> (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and <strong><a href=\"https:\/\/www.crowdstrike.com\/en-us\/adversaries\/snarky-spider\/\">Snarky Spider<\/a><\/strong> (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and extortion campaigns that share a remarkable degree of operational similarities. Both hacking groups are assessed to be active since at least October 2025, with the latter a native English-speaking crew sharing ties to the e-crime ecosystem known as The Com.<\/p>\n<p>\u00abIn most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications,\u00bb CrowdStrike&#8217;s Counter Adversary Operations <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield\/\">said<\/a> in a report.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/threatlabz-vpn-risk-2026-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhnNON5UeWywT7OcPNw7V4L7QNWnCnm7Xl_99Y9ek8dL-gRwx-bWxQM1TKqt8deqqrdpUyKMuuijAWyyPQVB0s0qf8ntQ6ldFAJLru-QUWhddKTopc7SeNbBBnd-TsfFyRPP-AAyDuclLlL6XHK4_LXqDC_7eyaz9pzToYr7U543MhrJ7qcK-89sVWHTQUZ\/s728-e100\/zz-2-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>\u00abBy operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders.\u00bb<\/p>\n<p>In a report published back in January 2026, Google-owned Mandiant revealed that the two clusters represent an expansion in threat activity that employs tactics consistent with extortion-themed attacks carried out by the ShinyHunters group. This involves impersonating IT staff in calls to deceive victims and obtain their credentials and multi-factor authentication (MFA) codes by directing them to phishing pages.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhYWM2tonAkXkkTV7p_YSpwHCHL6CpDxi-WJ2UTzJFleW7CxlC6wWZ3h9jzmET-STunTOWDuzOwW02JS8WpFzAF5vnhuUcRcVrajGLql7Uxoeb5MGToS2vwPaE7vIO6VA4lv1cSkq-4Pjd8yj3-lcnVtN8bzNl6Uo4tuGm2J-ikFeEaSIzd6d0xWvRKYgzm\/s1700-e365\/1000069835.webp\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhYWM2tonAkXkkTV7p_YSpwHCHL6CpDxi-WJ2UTzJFleW7CxlC6wWZ3h9jzmET-STunTOWDuzOwW02JS8WpFzAF5vnhuUcRcVrajGLql7Uxoeb5MGToS2vwPaE7vIO6VA4lv1cSkq-4Pjd8yj3-lcnVtN8bzNl6Uo4tuGm2J-ikFeEaSIzd6d0xWvRKYgzm\/s1700-e365\/1000069835.webp\" alt=\"\" border=\"0\" data-original-height=\"490\" data-original-width=\"1400\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Snarky Spider begins exfiltration in under an hour<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>As recently as last week, Palo Alto Networks Unit 42 and Retail &amp; Hospitality Information Sharing and Analysis Center (RH-ISAC) <a href=\"https:\/\/rhisac.org\/threat-intelligence\/extortion-in-the-enterprise-defending-against-blackfile-attacks\/\">assessed<\/a> with moderate confidence that the attackers behind CL-CRI-1116 are also most likely associated with The Com, adding that the intrusions primarily rely on living-off-the-land (LotL) techniques, as well as utilize residential proxies to conceal their geographic location and bypass basic IP-based reputation filters.<\/p>\n<p>\u00abCL-CRI-1116 activity has been actively targeting the retail and hospitality space since February 2026, specifically leveraging vishing attacks impersonating IT help desk personnel in combination with phishing login sites to steal credentials,\u00bb researchers Lee Clark, Matt Brady, and Cuong Dinh said.<\/p>\n<p>Attacks mounted by the two groups are known to register a new device in order to bypass MFA and maintain access to compromised access &#8212; but not before removing existing devices &#8212; following which the threat actors move to suppress automated email notifications related to unauthorized device registration by configuring inbox rules that automatically delete such messages.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ai-cant-stop-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjPEV6-530TOlxG6PjrmdlY623wpBwduZ7t1HV6flcmO5R4q4AmfixDUzW0CrhlvMVNWbhvOIso-UDNTka4W_W9Chrdj_dglwBZwi7DuePM2IMIl-hfUYVIqBXgfpr_2619K8Gptb4LzwJ6gUbi7lWl2M8AFQJsHEaw63Q7tZ6708YGruiHrr0Y2W9YYxLQ\/s728-e100\/ThreatLocker-d.png\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>The next stage entails pivoting to targeting high-privileged accounts via further social engineering by scraping internal employee directories. Upon again elevated access, the adversaries break into target SaaS environments to look for high-value files and business-critical reports in Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, and then exfiltrate data of interest to infrastructure under its control.<\/p>\n<p>\u00abIn most observed cases, these credentials grant access to the organization&#8217;s identity provider (IdP), providing a single point of entry into multiple SaaS applications,\u00bb CrowdStrike said. \u00abBy abusing the trust relationship between the IdP and connected services, the adversaries bypass the need to compromise individual SaaS apps and instead move laterally across the victim&#8217;s entire SaaS ecosystem with a single authenticated session.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802May 01, 2026 Cybersecurity researchers are warning of two cybercrime groups that are carrying out \u00abrapid, high-impact attacks\u00bb operating almost within the confines of SaaS environments, while leaving minimal&hellip;<\/p>\n","protected":false},"author":1,"featured_media":780,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[383,24,292,1502,1499,1501,357,1500,23],"class_list":["post-779","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-abuse","tag-attacks","tag-cybercrime","tag-extortion","tag-groups","tag-rapid","tag-saas","tag-sso","tag-vishing"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=779"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/779\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/780"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}