Cybersecurity Tech & Business
Cybercrime Groups Exploit Vishing and SSO Trust in Rapid SaaS Extortion Attacks
Cybersecurity researchers have identified two cybercrime groups carrying out rapid, high-impact attacks that operate almost entirely within SaaS environments while leaving minimal traces.
The clusters, Cordial Spider (also tracked as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (also tracked as O-UNC-025 and UNC6661), have been attributed to high-speed data theft and extortion campaigns. Both hacking groups are assessed to be active since at least October 2025. Snarky Spider is a native English-speaking crew with ties to the e-crime ecosystem known as The Com.
In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications, CrowdStrike's Counter Adversary Operations said in a report.
In a report published back in January 2026, Google-owned Mandiant revealed that the two clusters represent an expansion in threat activity that employs tactics consistent with extortion-themed attacks carried out
As recently as last week, Palo Alto Networks Unit 42 and Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) assessed with moderate confidence that the attackers behind CL-CRI-1116 are also most likely associated with The Com, adding that the intrusions primarily rely on living-off-the-land (LotL) techniques, as well as utilize residential proxies to conceal their geographic location and
CL-CRI-1116 activity has been actively targeting the retail and hospitality space since February 2026, specifically leveraging vishing attacks impersonating IT help desk personnel in combination with phishing login sites to steal credentials, researchers Lee Clark, Matt Brady, and Cuong Dinh said.
Attacks mounted
The next stage entails pivoting to targeting high-privileged accounts via further social engineering
In most observed cases, these credentials grant access to the organization's identity provider (IdP), providing a single point of entry into multiple SaaS applications, CrowdStrike said.
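The two behaviours the report describes, an AiTM page capturing a session that is then replayed from the attacker's own address, and a single IdP login fanning out into many SSO-integrated SaaS apps, both leave a pattern in IdP audit logs that a defender can check for. The script below is an added illustration and is not code from CrowdStrike, Mandiant, Unit 42 or the original article; the event layout (`ts, user, event, ip, session, app`) is a hypothetical simplification, and the log lines are constructed for the example, not taken from any real tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IdP audit events for the example (not real logs).
# Layout is hypothetical: (timestamp, user, event, source_ip, session_id, app)
EVENTS = [
    ("2026-03-02T09:00:05Z", "j.doe", "login_success", "203.0.113.10",  "S1", "idp"),
    ("2026-03-02T09:01:40Z", "j.doe", "app_access",    "198.51.100.77", "S1", "mail"),
    ("2026-03-02T09:02:10Z", "j.doe", "app_access",    "198.51.100.77", "S1", "crm"),
    ("2026-03-02T09:02:55Z", "j.doe", "app_access",    "198.51.100.77", "S1", "files"),
    ("2026-03-02T09:03:30Z", "j.doe", "app_access",    "198.51.100.77", "S1", "hr"),
    ("2026-03-02T10:15:00Z", "a.lee", "login_success", "192.0.2.44",    "S2", "idp"),
    ("2026-03-02T10:20:00Z", "a.lee", "app_access",    "192.0.2.44",    "S2", "mail"),
    ("2026-03-02T11:00:00Z", "a.lee", "app_access",    "192.0.2.44",    "S2", "crm"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyze(events, fanout_threshold=3, window=timedelta(minutes=10)):
    """Run two detections over IdP events and return (rule, user, session, detail) tuples.

    Rule 1, session_ip_mismatch: the session issued at login is later used
    from a different source IP. A phished session being replayed by an AiTM
    operator looks like this; so do some VPN/mobile address changes, which
    is why the rule should be tuned or combined with ASN/geo data in practice.

    Rule 2, app_fanout: within `window` of a login, one session reaches at
    least `fanout_threshold` distinct SSO apps, the "single point of entry
    into multiple SaaS applications" pattern from the report.
    """
    alerts = []
    login_ip = {}            # session -> IP observed at login
    login_ts = {}            # session -> login time
    apps_seen = defaultdict(set)
    flagged_mismatch, flagged_fanout = set(), set()

    for ts_s, user, event, ip, session, app in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_s)
        if event == "login_success":
            login_ip[session] = ip
            login_ts[session] = ts
            continue
        if session not in login_ip:
            continue  # no login seen for this session in the sample; skip

        # Rule 1: same session, different source address than at login
        if ip != login_ip[session] and session not in flagged_mismatch:
            flagged_mismatch.add(session)
            alerts.append(("session_ip_mismatch", user, session,
                           f"{login_ip[session]} -> {ip}"))

        # Rule 2: burst of distinct SaaS apps shortly after login
        if ts - login_ts[session] <= window:
            apps_seen[session].add(app)
            if (len(apps_seen[session]) >= fanout_threshold
                    and session not in flagged_fanout):
                flagged_fanout.add(session)
                alerts.append(("app_fanout", user, session,
                               sorted(apps_seen[session])))
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

Run against the constructed events, session `S1` trips both rules (login from one address, app access from another, four apps in under four minutes) while `S2` trips neither, because its second app access falls outside the window and the address never changes. Both rules are intentionally simple; in a real IdP the session identifier, the IP-change semantics and the noise from legitimate roaming users all differ, so thresholds and the window need tuning per tenant.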
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from The Hacker News and reviewed by the T&B editorial agent team.