★ 7/10 · Security · 2026-05-01

Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks

Summary

Two cybercrime groups, Cordial Spider (CL-CRI-1116, O-UNC-045, UNC6671) and Snarky Spider (O-UNC-025, UNC6661), are conducting rapid SaaS extortion attacks by abusing Single Sign-On (SSO) environments. The groups utilize voice phishing (vishing) and Adversary-in-the-Middle (AiTM) techniques to bypass multi-factor authentication (MFA) and move laterally across integrated enterprise applications.

Key Points

  • Threat actors utilize vishing to direct targets to SSO-themed AiTM phishing pages to capture authentication data and MFA codes.
  • Attackers bypass MFA by registering new unauthorized devices and removing existing legitimate devices from the Identity Provider (IdP).
  • Persistence is maintained by configuring inbox rules that automatically delete automated email notifications regarding unauthorized device registrations.
  • The attack chain leverages the trust relationship between the IdP and connected services to move laterally across the entire SaaS ecosystem via a single authenticated session.
  • Targeted SaaS environments include Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce.
  • Adversaries employ living-off-the-land (LotL) techniques and residential proxies to bypass IP-based reputation filters and conceal geographic origin.

Technical Details

The attack methodology relies on exploiting the centralized nature of modern identity management. After capturing credentials via AiTM phishing, the attackers target the organization's Identity Provider (IdP). Because the IdP serves as a single point of entry for all connected services, a single compromised session allows the adversary to access multiple integrated SaaS applications without needing to compromise each app individually.

During the post-compromise phase, the groups perform internal reconnaissance by scraping employee directories to identify high-privileged accounts. Once access is established, they evade detection with automated suppression tactics, specifically inbox rules that intercept and delete security alerts. The use of residential proxies lets the attackers bypass basic IP-based security controls, while the reliance on LotL techniques minimizes the forensic footprint left within the SaaS environments.

Impact / Why It Matters

Developers and security engineers must implement stricter device compliance policies and monitor for unauthorized changes to inbox rules or MFA device configurations. Organizations should prioritize detecting anomalous device registrations and the sudden removal of established authentication hardware or software tokens.
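The two detection opportunities named in this article (an MFA device registered and a legitimate one removed in quick succession, and an inbox rule that silently deletes device-registration notices) can be checked with a small correlation over IdP and mailbox audit events. The script below is an added example written for this page, not code from the article or from any vendor; it assumes a hypothetical normalised event schema (`ts`, `user`, `event`, `ip`, `details`) and runs over a constructed sample log, so field names and event types are placeholders to be mapped onto whatever your IdP and mail platform actually emit.

```python
"""Correlate IdP device changes with alert-suppressing inbox rules.

Assumptions (hypothetical, for this example only): audit events are dicts
with keys ts (ISO 8601 UTC), user, event, ip and a details dict. Event names
such as "mfa.device.register" are placeholders, not any real product's schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real data). alice shows the full pattern from
# the article; bob registers one device and creates a harmless rule.
SAMPLE_EVENTS = [
    {"ts": "2026-04-30T09:02:11Z", "user": "alice@example.com",
     "event": "mfa.device.register", "ip": "203.0.113.40",
     "details": {"device": "Authenticator on iPhone"}},
    {"ts": "2026-04-30T09:03:05Z", "user": "alice@example.com",
     "event": "mfa.device.remove", "ip": "203.0.113.40",
     "details": {"device": "YubiKey 5"}},
    {"ts": "2026-04-30T09:04:40Z", "user": "alice@example.com",
     "event": "mailbox.rule.create", "ip": "203.0.113.40",
     "details": {"name": "cleanup", "action": "delete",
                 "subject_contains": "new sign-in device"}},
    {"ts": "2026-04-30T11:15:00Z", "user": "bob@example.com",
     "event": "mfa.device.register", "ip": "198.51.100.7",
     "details": {"device": "Authenticator on Pixel"}},
    {"ts": "2026-04-30T12:00:00Z", "user": "bob@example.com",
     "event": "mailbox.rule.create", "ip": "198.51.100.7",
     "details": {"name": "newsletters", "action": "move",
                 "subject_contains": "weekly digest"}},
]

# Vocabulary that typically appears in IdP / mail security notifications.
NOTIFICATION_KEYWORDS = ("device", "sign-in", "security alert", "mfa",
                         "authentication")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_device_swaps(events, window=timedelta(hours=1)):
    """Flag users who both registered and removed an MFA device within
    `window`, in either order. Returns (user, register_ts, remove_ts) tuples."""
    by_user = {}
    for e in events:
        if e["event"] in ("mfa.device.register", "mfa.device.remove"):
            by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        regs = [parse_ts(e["ts"]) for e in evs if e["event"] == "mfa.device.register"]
        rems = [parse_ts(e["ts"]) for e in evs if e["event"] == "mfa.device.remove"]
        for r in regs:
            for d in rems:
                if abs(r - d) <= window:
                    findings.append((user, r, d))
    return findings


def detect_alert_suppressing_rules(events):
    """Flag new inbox rules that discard mail whose subject filter matches
    security-notification vocabulary. Returns (user, rule_name, subject)."""
    findings = []
    for e in events:
        if e["event"] != "mailbox.rule.create":
            continue
        d = e["details"]
        subj = d.get("subject_contains", "").lower()
        discards = d.get("action") in ("delete", "move_to_junk")
        if discards and any(k in subj for k in NOTIFICATION_KEYWORDS):
            findings.append((e["user"], d.get("name"), subj))
    return findings


def triage(events):
    """Combine both detectors per user: device swap plus suppressing rule is
    the strongest signal, either alone still merits review."""
    swaps = {u for u, _, _ in detect_device_swaps(events)}
    rules = {u for u, _, _ in detect_alert_suppressing_rules(events)}
    severity = {}
    for u in swaps | rules:
        if u in swaps and u in rules:
            severity[u] = "high"
        elif u in swaps:
            severity[u] = "medium"
        else:
            severity[u] = "low"
    return severity


if __name__ == "__main__":
    for user, sev in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{user}: {sev}")
```

On the sample log only alice is raised, at high severity: her register and remove events fall a minute apart and her new rule deletes anything whose subject mentions a new sign-in device. In production the same two detectors would be fed from the IdP audit stream and the mailbox-rule audit log respectively, with the window and keyword list tuned to the notification templates your tenant actually sends.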
