Executive Summary
In October 2025, two cybercrime groups, Cordial Spider and Snarky Spider, initiated rapid, high-impact attacks targeting U.S. organizations across sectors such as academia, aviation, retail, hospitality, automotive, financial services, legal, and technology. Employing voice phishing (vishing) and adversary-in-the-middle (AiTM) techniques, they directed employees to fraudulent single sign-on (SSO) pages to capture credentials and session tokens. This access allowed them to infiltrate SaaS environments, register attacker-controlled multi-factor authentication (MFA) devices, suppress security notifications, and exfiltrate sensitive data for extortion purposes. (cyberscoop.com)
These incidents underscore a significant evolution in cybercriminal tactics, emphasizing the urgency for organizations to enhance their defenses against sophisticated social engineering and identity-based attacks. The rapidity and precision of these operations highlight the need for robust security measures within SaaS platforms to mitigate such threats. (crowdstrike.com)
Why This Matters Now
The emergence of Cordial Spider and Snarky Spider's tactics highlights an urgent need for organizations to strengthen defenses against advanced social engineering and identity-based attacks. Their rapid, SaaS-focused intrusions demonstrate the evolving threat landscape, necessitating immediate action to protect sensitive data and maintain operational integrity. (crowdstrike.com)
Attack Path Analysis
Attackers initiated the compromise by conducting vishing attacks, directing users to adversary-in-the-middle (AiTM) phishing pages to capture credentials and session tokens. They then escalated privileges by registering new multi-factor authentication (MFA) devices and removing existing ones to maintain access. Utilizing the compromised identity provider (IdP) credentials, they moved laterally across multiple SaaS applications. Command and control were established by suppressing security notifications through inbox rule configurations. Data exfiltration involved accessing and extracting sensitive information from platforms like Google Workspace, Microsoft SharePoint, and Salesforce. The impact culminated in extortion demands, with threats of data exposure and additional harassment tactics.
Kill Chain Progression
Initial Compromise
Description
Attackers conducted vishing attacks, directing users to adversary-in-the-middle (AiTM) phishing pages to capture credentials and session tokens.
MITRE ATT&CK® Techniques
Phishing: Voice Phishing (Vishing)
Modify Authentication Process: Manipulate Multi-Factor Authentication
Valid Accounts: Cloud Accounts
Cloud Application Integration
Data from Cloud Storage Object
Automated Exfiltration
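The attack path and kill chain above describe a sequence a defender can correlate in identity-provider and mailbox audit logs: a new MFA device registered on an account, the existing device removed shortly after, and an inbox rule created to hide security notifications. The following detection logic is an added example, not code from this brief or from any vendor it cites; the event field names, the one-hour correlation window, the keyword lists and the sample events are constructed assumptions for illustration, not any product's real log schema.

```python
"""Correlate MFA-device changes and inbox-rule creation per identity.

Flags an account when, within a window after a new MFA device is registered,
an existing device is removed and/or an inbox rule is created that deletes or
hides mail that looks like security notifications. Field names (ts, user,
action, detail, ip) are an assumed, simplified schema for this example.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (not taken from any real tenant or incident).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-10-14T09:02:11Z", "user": "jdoe", "action": "mfa_device_registered",
     "detail": "authenticator app", "ip": "203.0.113.8"},
    {"ts": "2025-10-14T09:03:40Z", "user": "jdoe", "action": "mfa_device_removed",
     "detail": "phone sms", "ip": "203.0.113.8"},
    {"ts": "2025-10-14T09:05:02Z", "user": "jdoe", "action": "inbox_rule_created",
     "detail": "from:security-noreply -> delete", "ip": "203.0.113.8"},
    # Benign: a user enrolling a new authenticator with no follow-on activity.
    {"ts": "2025-10-14T10:15:00Z", "user": "asmith", "action": "mfa_device_registered",
     "detail": "authenticator app", "ip": "198.51.100.20"},
    # Benign: an ordinary filing rule unrelated to security mail.
    {"ts": "2025-10-14T11:00:00Z", "user": "bwong", "action": "inbox_rule_created",
     "detail": "from:newsletter -> folder:Reading", "ip": "198.51.100.30"},
]

# Assumed keyword lists: terms that suggest a rule targets security mail, and
# rule actions that would keep the user from seeing it.
SECURITY_MAIL_TERMS = ("security", "alert", "notification", "noreply", "sign-in")
SUPPRESSING_ACTIONS = ("delete", "junk", "markread")


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample schema."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def rule_suppresses_security_mail(detail: str) -> bool:
    """True when a rule both matches security-looking senders and hides the mail."""
    d = detail.lower()
    return any(t in d for t in SECURITY_MAIL_TERMS) and any(a in d for a in SUPPRESSING_ACTIONS)


def score_identities(events: List[Dict[str, str]],
                     window: timedelta = timedelta(hours=1)) -> Dict[str, dict]:
    """Return {user: finding} for accounts showing the register/remove/suppress chain.

    A registration alone is not reported; at least one follow-on stage inside
    the window is required. Severity is 'high' when all three stages appear.
    """
    by_user: Dict[str, List[Dict[str, str]]] = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(e["user"], []).append(e)

    findings: Dict[str, dict] = {}
    for user, evs in by_user.items():
        for reg in (e for e in evs if e["action"] == "mfa_device_registered"):
            t0 = parse_ts(reg["ts"])
            later = [e for e in evs if t0 <= parse_ts(e["ts"]) <= t0 + window]
            stages = ["mfa_device_registered"]
            if any(e["action"] == "mfa_device_removed" for e in later):
                stages.append("mfa_device_removed")
            if any(e["action"] == "inbox_rule_created"
                   and rule_suppresses_security_mail(e["detail"]) for e in later):
                stages.append("security_mail_suppressed")
            if len(stages) < 2:
                continue  # enrolment with no follow-on activity: not reported
            findings[user] = {
                "severity": "high" if len(stages) == 3 else "medium",
                "stages": stages,
                "first_seen": reg["ts"],
                "source_ips": {e["ip"] for e in later},
            }
    return findings


if __name__ == "__main__":
    for user, f in score_identities(SAMPLE_EVENTS).items():
        print(f"{f['severity'].upper():6} {user}: {' -> '.join(f['stages'])} "
              f"from {', '.join(sorted(f['source_ips']))}")
```

On the constructed sample, only `jdoe` is reported (high severity, all three stages from one source address); `asmith`'s lone enrolment and `bwong`'s filing rule are left alone. In a real deployment the window and keyword lists would be tuned to the tenant's own notification senders, and the finding would feed a response step such as revoking the account's sessions and reviewing the newly registered device.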
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Secure Authentication for All Access (Control ID: 8.3.1)
- NYDFS 23 NYCRR 500 – Multi-Factor Authentication (Control ID: 500.12)
- DORA – ICT Risk Management Framework (Control ID: Article 6)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
- CISA Zero Trust Maturity Model 2.0 – Identity Verification and Authentication (Control ID: Identity Pillar)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical exposure to SaaS-focused data theft through vishing and SSO abuse targeting financial data, requiring enhanced egress security and zero trust segmentation controls.
Health Care / Life Sciences
High-impact risk from rapid SaaS extortion attacks compromising patient data through encrypted traffic exploitation and lateral movement within healthcare cloud environments.
Information Technology (IT)
Primary target for Cordial Spider and Snarky Spider groups exploiting SaaS environments, demanding multicloud visibility and threat detection capabilities for client protection.
Computer Software/Engineering
Significant vulnerability to rapid data theft attacks through compromised SaaS platforms, requiring Kubernetes security and cloud firewall protections for development environments.
Sources
- Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks – https://thehackernews.com/2026/05/cybercrime-groups-using-vishing-and-sso.html
- Two new extortion crews are speedrunning the Scattered Spider playbook – https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/
- Cordial Spider Adversary Profile – https://www.crowdstrike.com/en-us/adversaries/cordial-spider/
- Snarky Spider Adversary Profile – https://www.crowdstrike.com/en-us/adversaries/snarky-spider/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies within the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent initial credential compromise via phishing, it could limit the attacker's subsequent access within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls and monitoring identity changes.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could constrain lateral movement by monitoring and controlling internal traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could limit the attacker's ability to establish command and control channels by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could reduce the risk of data exfiltration by controlling and monitoring outbound traffic.
While Aviatrix Zero Trust CNSF may not prevent extortion demands, it could limit the attacker's ability to access and exfiltrate sensitive data, thereby reducing the leverage for such demands.
Impact at a Glance
Affected Business Functions
- Identity and Access Management
- Data Storage and Management
- Customer Relationship Management
- Internal Communications
Estimated downtime: 3 days
Estimated loss: $1,000,000
Sensitive customer data, internal communications, and business-critical documents.
Recommended Actions
Key Takeaways & Next Steps
- Implement phishing-resistant multi-factor authentication (MFA) methods to prevent unauthorized access.
- Enforce zero trust segmentation to limit lateral movement across SaaS applications.
- Deploy egress security and policy enforcement to monitor and control data exfiltration attempts.
- Utilize threat detection and anomaly response systems to identify and respond to suspicious activities promptly.
- Conduct regular security awareness training to educate employees on recognizing and reporting social engineering attacks.