Cybersecurity, 3 hrs ago

Mandiant Links Cordial and Snarky Spider to The Com, Reveals SaaS‑Based Vishing Campaigns

Mandiant ties two new threat groups to The Com, exposing their use of vishing and SaaS platforms for credential theft and extortion.

By Peter Olaleru, Cybersecurity Editor (3 min, NG)

Source: Cyberwebspider (original source)

*TL;DR – Mandiant attributes Cordial Spider and Snarky Spider to the cyber‑crime network The Com. Both groups rely on voice‑phishing (vishing) and abuse legitimate SaaS services as hidden command‑and‑control channels.*

Context

Since late 2025, security teams have observed a surge in cloud‑centric attacks that blend social engineering with the misuse of SaaS (software‑as‑a‑service) platforms. SaaS delivers applications over the internet, eliminating on‑premises hardware and offering continuous updates. While this model improves agility, it also provides attackers with trusted domains and encrypted traffic that blend in with normal business flows.

Key Facts

- Mandiant’s investigation links Cordial Spider and Snarky Spider to The Com, a loosely organized criminal ecosystem that shares tools and infrastructure.
- The primary entry point is vishing: attackers place VoIP calls, pose as IT support or service providers, and direct victims to counterfeit single sign‑on (SSO) portals that mimic legitimate authentication pages.
- Harvested credentials give the actors direct access to enterprise SaaS environments. Once inside, they exfiltrate data, encrypt files, or threaten public release for ransom.
- To hide their activity, the groups host command‑and‑control (C2) servers on popular SaaS services. These legitimate cloud domains provide encrypted channels and high availability, making detection difficult.
- The tactics mirror earlier campaigns by ShinyHunters, confirming a broader shift toward identity‑centric attacks that treat cloud credentials as the new perimeter.

What It Means

Enterprises must treat SaaS identities as their most valuable asset. Relying on password‑only authentication leaves a wide attack surface for vishing‑driven credential theft. The use of SaaS for C2 also means traditional network‑based alerts may miss malicious traffic that appears to originate from trusted cloud providers.

Mitigations

- Enforce multi‑factor authentication (MFA) on all SaaS accounts, especially SSO portals.
- Deploy real‑time monitoring for anomalous login patterns, such as impossible travel or logins from unfamiliar IP ranges.
- Harden VoIP infrastructure: enable caller‑ID verification, restrict outbound calls to known numbers, and train staff to question unsolicited support calls.
- Implement strict SaaS governance: inventory all cloud applications, apply least‑privilege access, and regularly rotate credentials.
- Use threat‑intel feeds that flag known malicious SaaS domains and configure detection rules for encrypted traffic to those endpoints.
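As an added example (not the article's or Mandiant's code), the following detector implements two of the login signals named in the mitigations above, impossible travel and logins from unfamiliar IP ranges, over a constructed set of SSO sign‑in events. The event fields, the corporate IP range and the 900 km/h speed threshold are assumptions.

```python
import ipaddress
import math
from datetime import datetime, timezone

# Constructed sample of SSO sign-in events: user, UTC timestamp, source IP, geo-IP lat/lon.
LOGIN_EVENTS = [
    {"user": "alice", "ts": "2026-01-12T09:00:00Z", "ip": "203.0.113.10", "lat": 51.51, "lon": -0.13},
    {"user": "alice", "ts": "2026-01-12T09:45:00Z", "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01},
    {"user": "bob",   "ts": "2026-01-12T10:00:00Z", "ip": "203.0.113.22", "lat": 51.51, "lon": -0.13},
    {"user": "bob",   "ts": "2026-01-12T18:00:00Z", "ip": "203.0.113.23", "lat": 48.86, "lon": 2.35},
]
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress range
MAX_SPEED_KMH = 900.0  # faster than a commercial flight: treat as impossible travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_anomalies(events, known_ranges=KNOWN_RANGES, max_speed=MAX_SPEED_KMH):
    """Return (user, reason) alerts for unfamiliar-IP and impossible-travel logins."""
    alerts = []
    last_seen = {}  # user -> most recent event, for per-user travel checks
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ip = ipaddress.ip_address(ev["ip"])
        if not any(ip in net for net in known_ranges):
            alerts.append((ev["user"], f"login from unfamiliar IP {ev['ip']}"))
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Ignore geo-IP jitter under 50 km; simultaneous distant logins are impossible by definition.
            if dist > 50 and (hours == 0 or dist / hours > max_speed):
                alerts.append((ev["user"], f"impossible travel: {dist:.0f} km in {hours:.2f} h"))
        last_seen[ev["user"]] = ev
    return alerts

if __name__ == "__main__":
    for user, reason in detect_anomalies(LOGIN_EVENTS):
        print(user, reason)
```

In production the events would come from the identity provider's sign‑in log rather than an inline list, and the geo‑IP lookup would precede this step.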

Looking Ahead

Watch for updates on how The Com adapts its SaaS abuse tactics and for emerging detection signatures that target vishing‑initiated credential flows.
