[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXlbBSphh_WuHGbdA-QEEOBixJQsq3XzxnUUhrBJVBEI":3},{"article":4,"iocs":48},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"272a7a31-6e10-4664-8fde-665cd7685dec","Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks","cybercrime-groups-using-vishing-and-sso-abuse-in-rapid-saas-extortion-attacks-783b2a","Cybersecurity researchers are warning of two cybercrime groups that are carrying out \"rapid, high-impact attacks\" operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and","Cordial Spider and Snarky Spider are conducting rapid, high-impact extortion campaigns targeting SaaS environments since at least October 2025. The groups use vishing to trick users into visiting malicious SSO-themed phishing pages, capture credentials, and exploit IdP trust relationships to pivot across entire SaaS ecosystems while minimizing detection footprint. Attacks have been observed in retail and hospitality sectors, with data exfiltration occurring in under an hour and use of living-off-the-land techniques to evade defenses.","Two cybercrime groups use vishing and SSO abuse in rapid SaaS extortion attacks.","Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks Ravie LakshmananMay 01, 2026Malware \u002F Social Engineering Cybersecurity researchers are warning of two cybercrime groups that are carrying out \"rapid, high-impact attacks\" operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and extortion campaigns that share a remarkable degree of operational similarities. Both hacking groups are assessed to be active since at least October 2025, with the latter a native English-speaking crew sharing ties to the e-crime ecosystem known as The Com. \"In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications,\" CrowdStrike's Counter Adversary Operations said in a report. \"By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders.\" In a report published back in January 2026, Google-owned Mandiant revealed that the two clusters represent an expansion in threat activity that employs tactics consistent with extortion-themed attacks carried out by the ShinyHunters group. This involves impersonating IT staff in calls to deceive victims and obtain their credentials and multi-factor authentication (MFA) codes by directing them to phishing pages. Snarky Spider begins exfiltration in under an hour As recently as last week, Palo Alto Networks Unit 42 and Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) assessed with moderate confidence that the attackers behind CL-CRI-1116 are also most likely associated with The Com, adding that the intrusions primarily rely on living-off-the-land (LotL) techniques, as well as utilize residential proxies to conceal their geographic location and bypass basic IP-based reputation filters. \"CL-CRI-1116 activity has been actively targeting the retail and hospitality space since February 2026, specifically leveraging vishing attacks impersonating IT help desk personnel in combination with phishing login sites to steal credentials,\" researchers Lee Clark, Matt Brady, and Cuong Dinh said. Attacks mounted by the two groups are known to register a new device in order to bypass MFA and maintain access to compromised access -- but not before removing existing devices -- following which the threat actors move to suppress automated email notifications related to unauthorized device registration by configuring inbox rules that automatically delete such messages. The next stage entails pivoting to targeting high-privileged accounts via further social engineering by scraping internal employee directories. Upon again elevated access, the adversaries break into target SaaS environments to look for high-value files and business-critical reports in Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, and then exfiltrate data of interest to infrastructure under its control. \"In most observed cases, these credentials grant access to the organization's identity provider (IdP), providing a single point of entry into multiple SaaS applications,\" CrowdStrike said. \"By abusing the trust relationship between the IdP and connected services, the adversaries bypass the need to compromise individual SaaS apps and instead move laterally across the victim's entire SaaS ecosystem with a single authenticated session.\" Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Cloud security, cybersecurity, data breach, Extortion, Identity Management, Malware, Phishing, SaaS Security, social engineering, Threat Intelligence ⚡ Top Stories This Week Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately ⭐ Featured Resources Discover Key AI Security Gaps CISOs Face in 2026 Fix Rising Application Security Risks Driven by AI Development Automate Alert Triage and Investigations Across Every Threat How to Identify Risky Browser Extensions in Your Organization","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fcybercrime-groups-using-vishing-and-sso.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEi4FSyjacFNJX32YMLQvN6jUeVwGJfoAHPLMIhtU6aNS6hrkIUokynaWWzqxOjr1JsP0lIooaL0ppYM-iQ_rEH2ruoqMw1UAb_bq4FNjI16P6P7CpTaYSkJtp-TpCFKOce9ODtmzskcTZnuWFLYyUdfA0UeHqmRVVNB1P6Mw28a5Yuc7T1kgEx4Pcyxbcsr\u002Fs1600\u002Fvishing.jpg","2026-05-01T14:26:00+00:00","2026-05-01T16:00:20.342793+00:00",9,[18,21,23,25,28,30],{"name":19,"type":20},"Cordial Spider","threat_actor",{"name":22,"type":20},"Snarky Spider",{"name":24,"type":20},"ShinyHunters",{"name":26,"type":27},"Google Workspace","product",{"name":29,"type":27},"Microsoft SharePoint",{"name":31,"type":27},"Salesforce","2c8f44d4-b56e-47cf-9677-04f22c9ee78d",{"id":32,"icon":34,"name":35,"slug":36},null,"Identity & Access","identity-access",[38,43],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]