CrowdStrike has exposed two dangerous eCrime groups, CORDIAL SPIDER and SNARKY SPIDER, that exfiltrate data from SharePoint, HubSpot and Google Workspace in under an hour using AiTM phishing pages, vishing and SSO hijacking. MFA does not stop them, and they even resort to swatting.
Imagine your office phone rings and the IT support person on the other end tells you your account has been compromised, so you immediately follow a link to log in. That is the moment your company's entire SaaS data (SharePoint documents, HubSpot CRM records and Google Workspace emails) falls into the hands of an attacker.
And all this happens without any malware and without any vulnerability being exploited, with just a phone call and a fake login page. CrowdStrike Counter Adversary Operations has observed a dramatic shift since October 2025: threat actors are executing high-speed, SaaS-centric attacks that completely bypass traditional endpoint visibility.
CORDIAL SPIDER and SNARKY SPIDER exemplify this evolution, conducting rapid data theft and extortion campaigns. Both operate almost exclusively in trusted SaaS environments to minimize their footprint and dramatically accelerate time to impact.
These groups are directly linked to Scattered Spider's playbook, and CrowdStrike's Adam Meyers confirmed that these native English speakers primarily target US-based organizations in the academic, aviation, retail, hospitality, automotive, financial services, legal and technology sectors.
CORDIAL SPIDER is also tracked under the names BlackFile, CL-CRI-1116, O-UNC-045 and UNC6671, while SNARKY SPIDER is identified as O-UNC-025 and UNC6661. Both are subsets of The.com, which is also linked to SLSH and ShinyHunters.
What makes these groups particularly dangerous is that they do not use zero-day exploits or install malware; they simply infiltrate your company's identity system and then access everything connected to it. Google Workspace OAuth abuse spiked 2,000% between October 2025 and February 2026, and consent events increased 45%.
Once a user granted consent to a malicious app, it continued to maintain access, surviving password resets and MFA changes via the app's refresh tokens. This data shows that this isn't just a problem with two groups; it is a new attack model across an entire industry.
AiTM Proxy: When the Login Page Becomes a Weapon
The core of the attack is an Adversary-in-the-Middle (AiTM) phishing page, but this is not ordinary phishing. Attackers confidently impersonate internal IT support staff and manufacture urgency; victims are then directed to fraudulent SSO-themed phishing pages that mimic legitimate corporate login portals, using deceptive domains like company-sso[.]com.
When victims enter their credentials, attackers capture the authentication data and active session tokens in real time, and because the proxy relays the authentication directly to the legitimate service, users get a completely normal login experience and remain unaware.
This is the most dangerous quality of AiTM attacks: resetting the password is not an effective remedy, because the signed-in session itself has been compromised. The attacker can also tamper with MFA by adding a new MFA policy so that the OTP is sent to an attacker-registered mobile number, and with these persistence mechanisms in place the attacker can maintain control of the victim's account despite conventional remediation.
After initial access, CORDIAL SPIDER and SNARKY SPIDER immediately establish persistence by deleting existing legitimate MFA devices and registering their own attacker-controlled hardware on compromised accounts. SNARKY SPIDER almost exclusively enrolls a Genymobile Android emulator as the MFA device, which lets the operator run virtual Android devices on Linux, Windows and macOS.
Both actors actively suppress user-facing indicators of compromise: they delete the automatically generated security emails that warn about suspicious account logins or unauthorised device registrations, and they set up malicious inbox rules that automatically filter and trash incoming emails based on security keywords.
CORDIAL SPIDER and SNARKY SPIDER use residential proxy networks including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica and NSOCKS to evade IP-based detection and blend in with typical traffic. Their phishing pages are hosted on short-lived domains containing keywords such as “okta”, “sso”, “help”, “hr” and “corp”; they become operational within hours of domain registration and are taken down a few hours later.
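The persistence step described above (a legitimate MFA factor deleted, then an attacker-controlled one enrolled shortly afterwards) is a pattern an identity team can hunt for in IdP audit logs. The following is an added example, not CrowdStrike's tooling; the event shape and the `mfa.factor.delete` / `mfa.factor.enroll` labels are constructed stand-ins for the real factor events in Okta, Entra ID or Google Workspace logs.

```python
"""Flag accounts where an MFA factor is removed and a new one enrolled within a
short window, the takeover pattern described in the text above.
Added example, not CrowdStrike's tooling."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events. The 'action' labels are hypothetical stand-ins
# for the equivalent factor-delete / factor-enroll events in your IdP's logs.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "action": "mfa.factor.delete", "ts": "2026-02-10T09:02:00"},
    {"user": "alice@example.com", "action": "mfa.factor.enroll", "ts": "2026-02-10T09:05:30"},
    {"user": "bob@example.com",   "action": "mfa.factor.delete", "ts": "2026-02-10T10:00:00"},
    {"user": "bob@example.com",   "action": "mfa.factor.enroll", "ts": "2026-02-11T10:00:00"},
    {"user": "carol@example.com", "action": "mfa.factor.enroll", "ts": "2026-02-10T11:00:00"},
]


def find_mfa_churn(events, window_minutes=60):
    """Return {user: [(delete_ts, enroll_ts), ...]} for each enrollment that
    follows a factor deletion on the same account within window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["action"]))

    hits = defaultdict(list)
    for user, evs in by_user.items():
        evs.sort()                 # chronological order per account
        deletions = []             # factor removals seen so far for this account
        for ts, action in evs:
            if action == "mfa.factor.delete":
                deletions.append(ts)
            elif action == "mfa.factor.enroll":
                # Pair the enrollment with the most recent deletion inside the window.
                recent = [d for d in deletions if ts - d <= window]
                if recent:
                    hits[user].append((max(recent).isoformat(), ts.isoformat()))
    return dict(hits)


if __name__ == "__main__":
    for user, pairs in find_mfa_churn(SAMPLE_EVENTS).items():
        for deleted, enrolled in pairs:
            print(f"{user}: factor deleted {deleted}, new factor enrolled {enrolled}")
```

Only alice matches with the default 60-minute window; bob's deletion and enrollment are a day apart and carol never removed a factor, so neither is flagged unless the window is widened.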

SNARKY SPIDER begins siphoning data within an hour of the initial breach: it conducts targeted searches across SharePoint, HubSpot and Google Workspace, using specific query terms to locate sensitive materials, and then executes large-scale exfiltration operations.
Campaign Escalates to Swatting Reality Check
CrowdStrike did not disclose the range of CORDIAL SPIDER's extortion demands, but Unit 42 previously confirmed that demands are typically in the seven-figure range. Some victims who do not comply with extortion demands face DDoS attacks, and SNARKY SPIDER has used more aggressive follow-on harassment tactics, including swatting employees of victim organizations.
Swatting, i.e., sending police to someone's home by making a fake emergency call, is a psychological-warfare tactic that brings online crime into the physical world. This confirms that these groups are not just focused on stealing data; they also do not hesitate to personally intimidate targeted individuals.
These compromises are not primarily due to security vulnerabilities in the SaaS platforms themselves but rather to weaknesses in customer configurations. Common issues include the absence of phishing-resistant MFA and access controls that grant overly permissive access to sensitive data.
Push-based MFA is no longer sufficient for defenders; FIDO2 keys and passkeys are bound to the origin domain and resist this technique. Audit OAuth grants: review all application grants across M365 and Google Workspace. Monitor inbox rules in real time: forward-and-delete rules targeting payment keywords and block-sender rules targeting IT senders are near-certain indicators of active BEC.
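The inbox-rule indicators named here, together with the security-keyword trash rules described earlier in the persistence section, can be turned into a simple rule-triage check. This is an added example, not CrowdStrike's code; the rule dictionary shape, the keyword lists and the sample rules are constructed simplifications of what an Exchange or Gmail rule export provides.

```python
"""Triage mailbox rules for the patterns called out above: forward-and-delete
rules keyed on payment terms (BEC) and rules that hide security notifications or
mail from IT senders. Added example, not CrowdStrike's code; the rule dict shape
is a constructed simplification of an Exchange or Gmail rule export."""

PAYMENT_TERMS = {"invoice", "payment", "wire", "remittance", "banking"}
SECURITY_TERMS = {"security alert", "new sign-in", "mfa", "password", "suspicious",
                  "unusual activity", "verification code"}
IT_SENDER_HINTS = {"it-support", "helpdesk", "security", "noreply", "no-reply"}
HIDING_FOLDERS = {"deleted items", "trash", "junk", "archive"}

# Constructed sample rules: r1 is a BEC forward-and-delete, r2 trashes security
# alerts, r3 blocks the IT help desk, r4 is a benign newsletter filter.
SAMPLE_RULES = [
    {"id": "r1", "conditions": {"subject_contains": ["invoice", "wire transfer"]},
     "actions": {"forward_to": "ext.mailbox@example.net", "delete": True}},
    {"id": "r2", "conditions": {"body_contains": ["new sign-in", "security alert"]},
     "actions": {"move_to": "Deleted Items", "mark_read": True}},
    {"id": "r3", "conditions": {"from_contains": ["it-support@"]},
     "actions": {"block_sender": True}},
    {"id": "r4", "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"move_to": "Newsletters"}},
]

def _hides_mail(actions):
    """True if the rule makes matching mail disappear from the user's view."""
    return bool(actions.get("delete") or actions.get("block_sender")
                or actions.get("move_to", "").lower() in HIDING_FOLDERS)

def classify_rule(rule):
    """Return finding labels for one rule; an empty list means no concern."""
    conds, acts = rule["conditions"], rule["actions"]
    terms = [t.lower() for k in ("subject_contains", "body_contains") for t in conds.get(k, [])]
    senders = [s.lower() for s in conds.get("from_contains", [])]
    findings = []
    if acts.get("forward_to") and acts.get("delete") and any(p in t for t in terms for p in PAYMENT_TERMS):
        findings.append("forward-and-delete on payment keywords (BEC)")
    if _hides_mail(acts) and any(s in t for t in terms for s in SECURITY_TERMS):
        findings.append("suppresses security notifications")
    if _hides_mail(acts) and any(h in s for s in senders for h in IT_SENDER_HINTS):
        findings.append("blocks or trashes mail from IT/security senders")
    return findings

def triage(rules):
    """Map rule id -> findings for every rule that raised at least one."""
    return {r["id"]: classify_rule(r) for r in rules if classify_rule(r)}
```

In practice the keyword lists should be tuned to the organisation's own help-desk sender addresses and finance vocabulary, and rule creation events should be fed in as they occur rather than from a periodic export.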
Stronger verification for help-desk requests, phishing-resistant MFA for admins and tight controls on third-party SaaS integrations should be priorities for identity and SaaS security in 2026, as these attackers continue to prove they do not need advanced malware to break into critical environments. Your company's data is in SharePoint, its emails are in Google Workspace and its CRM is in HubSpot, and the door to all of it can be opened with a single phone call. This is a wake-up call.