Cordial Spider and Snarky Spider Deploy Vishing to Steal SaaS Credentials
Since Oct 2025, Cordial Spider and Snarky Spider have used vishing to harvest SaaS logins and extort victims, leveraging cloud trust to evade detection.
TL;DR
– Cordial Spider and Snarky Spider have run vishing campaigns against SaaS users since October 2025, stealing credentials and demanding ransom. Their tactics exploit trusted cloud services, making detection harder.
Context
Software-as-a-Service (SaaS) platforms host critical business applications and data, accessible through web browsers or lightweight clients. The convenience of SaaS has expanded the attack surface, giving threat actors new avenues to reach privileged accounts.
Key Facts
- Beginning in October 2025, the groups Cordial Spider and Snarky Spider launched coordinated credential-harvesting and extortion operations targeting SaaS environments.
- Both groups belong to the larger cyber-criminal network known as The Com, which shares tools and infrastructure across loosely connected actors.
- Their primary vector is vishing: attackers place VoIP calls, pose as IT support, and convince victims to enter credentials into spoofed Single Sign-On (SSO) portals that mimic legitimate authentication flows.
- Harvested credentials grant attackers direct access to SaaS services, enabling data exfiltration or ransomware-style extortion.
- The adversaries host command-and-control (C2) and staging servers on legitimate SaaS platforms, blending malicious traffic with normal encrypted cloud traffic and evading many network-based detections.
- No public reports yet detail the total number of compromised accounts, but the use of SaaS for C2 suggests a scalable, low-cost operation capable of affecting enterprises of any size.
What It Means
The campaigns illustrate a shift from traditional malware delivery to identity-focused attacks that bypass perimeter defenses. By exploiting the trust placed in SaaS domains and the human tendency to obey perceived IT staff, the groups achieve high success rates with minimal technical complexity. Organizations that rely heavily on cloud applications must treat identity as the primary security perimeter.
What Defenders Should Do
- Enforce multi-factor authentication (MFA) on all SaaS accounts, especially for privileged roles.
- Deploy anti-vishing training that includes live-call simulations and clear verification procedures for support requests.
- Implement conditional access policies that restrict SSO logins to known corporate IP ranges or trusted devices.
- Monitor authentication logs for anomalous sign-in locations, impossible travel, and repeated failed attempts.
- Use SaaS-specific security tools that can detect credential-phishing pages by comparing page hashes against known legitimate SSO URLs.
- Apply MITRE ATT&CK technique T1566.003 (Phishing: Vishing) detection signatures in SIEM and UEBA platforms.
- Regularly rotate service-account passwords and audit third-party app integrations for unnecessary permissions.
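As an added example (not from the article or any vendor), the log-monitoring recommendation above in Python: a small detector that flags impossible travel between successive successful SSO sign-ins and a burst of failed attempts immediately preceding a success. The event fields, thresholds and sample log entries are constructed assumptions, not a real SaaS provider's log schema.

```python
# Added example, not from the article: simple detections over SaaS SSO sign-in logs.
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample events; the field names are assumptions, not a real provider's schema.
EVENTS = [
    {"user": "alice", "ts": "2025-10-14T09:00:00", "lat": 51.5, "lon": -0.12, "ok": True},
    {"user": "alice", "ts": "2025-10-14T09:40:00", "lat": 40.7, "lon": -74.0, "ok": True},
    {"user": "bob", "ts": "2025-10-14T10:00:00", "lat": 48.9, "lon": 2.35, "ok": False},
    {"user": "bob", "ts": "2025-10-14T10:01:00", "lat": 48.9, "lon": 2.35, "ok": False},
    {"user": "bob", "ts": "2025-10-14T10:02:00", "lat": 48.9, "lon": 2.35, "ok": False},
    {"user": "bob", "ts": "2025-10-14T10:03:00", "lat": 48.9, "lon": 2.35, "ok": True},
]

MAX_KMH = 900.0                     # faster than an airliner: treat as impossible travel
FAIL_THRESHOLD = 3                  # failed attempts within FAIL_WINDOW before a success
FAIL_WINDOW = timedelta(minutes=10)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))

def detect(events):
    """Return (rule, user, detail) alerts for the sign-in events, processed in time order."""
    alerts, state = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        hist = state.setdefault(e["user"], {"last_ok": None, "fails": []})
        t = datetime.fromisoformat(e["ts"])
        if not e["ok"]:
            hist["fails"].append(t)
            continue
        # Rule 1: a burst of failures right before a success (guessed or coerced password).
        recent = [f for f in hist["fails"] if t - f <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("failures_then_success", e["user"], f"{len(recent)} failures in {FAIL_WINDOW}"))
        hist["fails"] = []
        # Rule 2: two successes whose locations are too far apart for the elapsed time.
        prev = hist["last_ok"]
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (t - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            if hours > 0 and km / hours > MAX_KMH:
                alerts.append(("impossible_travel", e["user"], f"{km:.0f} km in {hours:.2f} h"))
        hist["last_ok"] = e
    return alerts
```

Running `detect(EVENTS)` on the constructed sample flags alice (London to New York in 40 minutes) and bob (three failures in the ten minutes before a success); a real deployment would feed it geolocated events from the SSO provider's audit log.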
Looking Ahead
Watch for increased use of SaaS-hosted C2 infrastructure and emerging vishing kits that automate credential harvesting at scale. Continuous refinement of identity hygiene will be essential to stay ahead of these cloud-centric threat actors.