Cordial Spider and Snarky Spider carry out rapid SaaS extortion attacks using vishing and single sign-on abuse to minimize forensic traces. Cordial Spider operates under multiple aliases including BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671. Snarky Spider is tracked as O-UNC-025 and UNC6661. Both groups target SaaS environments where detection windows remain narrow and attackers leave minimal evidence.
The attack pattern centers on social engineering. Attackers use vishing calls to manipulate employees into compromising credentials or granting access. SSO abuse then allows lateral movement through interconnected cloud applications, accelerating data exfiltration before defenders detect intrusions.
Organizations using SaaS platforms face elevated risk from these tactics. Defenders should enforce multi-factor authentication beyond SSO mechanisms, implement call verification protocols, and monitor for anomalous SSO token usage and cross-application access patterns. Incident response teams must prioritize rapid credential audit procedures following vishing attempts. Security teams should establish baseline profiles for normal SaaS access and flag deviations quickly, as attackers deliberately compress attack timelines to evade detection.
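The baseline-and-deviation monitoring described above can be sketched as follows. This is an added example, not code from the original report: the event schema, the sample events, the function names and the 10-minute / 3-application thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSO sign-in events (not real logs): (timestamp, user, app, source_ip)
HISTORY = [
    ("2024-05-01T09:00:00", "alice", "mail", "198.51.100.10"),
    ("2024-05-01T09:05:00", "alice", "crm", "198.51.100.10"),
    ("2024-05-02T09:01:00", "alice", "mail", "198.51.100.10"),
    ("2024-05-01T10:00:00", "bob", "mail", "198.51.100.20"),
    ("2024-05-02T10:30:00", "bob", "files", "198.51.100.20"),
]
TODAY = [
    ("2024-05-03T09:00:00", "alice", "mail", "198.51.100.10"),
    ("2024-05-03T14:02:00", "bob", "mail", "203.0.113.7"),
    ("2024-05-03T14:03:10", "bob", "crm", "203.0.113.7"),
    ("2024-05-03T14:04:30", "bob", "hr", "203.0.113.7"),
    ("2024-05-03T14:06:00", "bob", "finance", "203.0.113.7"),
    ("2024-05-03T16:00:00", "alice", "wiki", "198.51.100.10"),
]

def build_baseline(events):
    """Per-user sets of applications and source IPs seen during normal use."""
    base = defaultdict(lambda: {"apps": set(), "ips": set()})
    for _, user, app, ip in events:
        base[user]["apps"].add(app)
        base[user]["ips"].add(ip)
    return base

def detect_fanout(events, base, window=timedelta(minutes=10), min_new_apps=3):
    """Alert once per user who reaches min_new_apps never-before-used apps within window."""
    recent = defaultdict(list)  # user -> [(time, app, ip)] for first-time apps only
    alerts, alerted = [], set()
    for ts, user, app, ip in sorted(events):  # ISO timestamps sort chronologically
        known = base.get(user, {"apps": set(), "ips": set()})
        if app in known["apps"]:
            continue  # app is part of this user's normal profile
        now = datetime.fromisoformat(ts)
        hits = [h for h in recent[user] if now - h[0] <= window] + [(now, app, ip)]
        recent[user] = hits
        apps = sorted({h[1] for h in hits})
        if len(apps) >= min_new_apps and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "new_apps": apps, "first_seen": hits[0][0].isoformat(),
                           "new_ip": any(h[2] not in known["ips"] for h in hits)})
    return alerts
```

A single first-time application, such as alice opening the wiki, stays below the threshold; the alert fires only on the compressed burst of new applications, and the `new_ip` field helps prioritize credential audits.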
