CrowdStrike’s Counter Adversary Operations team has published detailed intelligence on two threat actors — CORDIAL SPIDER and SNARKY SPIDER — that have been running sophisticated, SaaS-focused intrusion campaigns since October 2025. Both groups operate almost exclusively within trusted cloud environments, deliberately avoiding traditional endpoints to evade conventional security tooling.
Who Are CORDIAL SPIDER and SNARKY SPIDER?
These are financially motivated threat actors conducting high-speed credential theft and data exfiltration campaigns targeting organisations’ SaaS environments. Their targets include SharePoint, HubSpot, and Google Workspace. A key observation from CrowdStrike: “By operating almost exclusively within trusted SaaS environments, they minimise their footprint while accelerating time to impact.”
Critically, these attacks are not the result of vulnerabilities in the SaaS platforms themselves — they exploit weaknesses in how customers have configured and secured their accounts.
How the Attacks Work
Step 1: Voice Phishing to Adversary-in-the-Middle Pages
Attacks begin with vishing (voice phishing): a call impersonating IT support directing the target to a fraudulent login page. These are adversary-in-the-middle (AiTM) pages designed to capture credentials and session tokens in real time, bypassing MFA by relaying the victim’s authentication to the legitimate service as it happens.
Step 2: Persistence Through MFA Manipulation
Once inside, the attackers register their own devices as additional MFA devices on the victim’s account to maintain persistent access. SNARKY SPIDER uses a Genymobile Android emulator; CORDIAL SPIDER uses a Windows QEMU virtual device. Either way the attacker’s device appears as a legitimately enrolled one, so access survives a password reset unless the account’s MFA devices are also audited and the unrecognised ones removed.
Step 3: Covering Tracks and Finding High-Value Data
The attackers delete security notification emails and create inbox rules to suppress ongoing alerts. They then run targeted searches for sensitive terms — “confidential,” “SSN,” “contracts,” “VPN” — to identify the most valuable files before exfiltrating them at high volume. SNARKY SPIDER begins exfiltration in under one hour from initial access.
Infrastructure
Both groups use anonymisation services — Mullvad VPN, NetNut, 9Proxy, Infatica, and NSOCKS — to route traffic through residential IP addresses, making their activity appear as legitimate user access from ordinary home connections.
What Businesses Should Do
- Audit registered MFA devices on all accounts. Remove any unrecognised devices immediately — especially in Microsoft Entra ID, Google Workspace, and any SSO-connected platforms.
- Enable phishing-resistant MFA such as FIDO2/passkeys wherever available. AiTM attacks defeat standard TOTP and push-notification MFA; hardware keys and passkeys are significantly more resistant.
- Review inbox rules on executive and IT admin accounts for any rules forwarding, deleting, or suppressing security-related emails.
- Train staff on vishing. If someone receives an unexpected call from “IT support” asking them to log into any system, they should verify via a separate, out-of-band channel before proceeding.
- Monitor SaaS activity for anomalous bulk downloads, unusual login locations, and new device registrations — ideally through a CASB or dedicated SaaS security tool.
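As an added illustration (not code from CrowdStrike’s report or from BIT Tech), the Python script below applies the checks recommended above to a constructed batch of SaaS audit events: it flags a newly registered MFA device that follows a login within the hour (Step 2, first bullet), an inbox rule that deletes or forwards security-related mail (Step 3, third bullet), a search that combines the sensitive terms quoted above, and a burst of downloads inside a ten-minute window (last bullet). The event field names, thresholds and sample values are assumptions chosen for the example; real Entra ID and Google Workspace audit logs use their own schemas and would need a small adapter to map into this shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real log data). Field names are an
# assumption for this example, not the schema of any real SaaS audit log.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T09:02:10", "user": "cfo@example.com", "action": "login",
     "ip": "203.0.113.45"},
    {"ts": "2025-11-03T09:05:31", "user": "cfo@example.com",
     "action": "mfa_device_registered", "device": "Android authenticator"},
    {"ts": "2025-11-03T09:07:02", "user": "cfo@example.com",
     "action": "inbox_rule_created",
     "rule": {"subject_contains": "security alert", "actions": ["delete"]}},
    {"ts": "2025-11-03T09:10:44", "user": "cfo@example.com", "action": "search",
     "query": "confidential SSN contracts VPN"},
] + [
    # Sixty downloads spread over roughly six minutes.
    {"ts": f"2025-11-03T09:{12 + i // 10:02d}:{(i * 6) % 60:02d}",
     "user": "cfo@example.com", "action": "file_download",
     "file": f"Finance/contract_{i}.pdf"}
    for i in range(60)
] + [
    # A benign user for contrast: an archiving rule and a single download.
    {"ts": "2025-11-03T11:00:00", "user": "dev@example.com", "action": "login",
     "ip": "198.51.100.7"},
    {"ts": "2025-11-03T11:03:00", "user": "dev@example.com",
     "action": "inbox_rule_created",
     "rule": {"subject_contains": "newsletter", "actions": ["move:Archive"]}},
    {"ts": "2025-11-03T11:05:00", "user": "dev@example.com",
     "action": "file_download", "file": "Docs/readme.md"},
]

# Tunables (assumed values; adjust to the organisation's baseline).
SENSITIVE_TERMS = {"confidential", "ssn", "contracts", "vpn"}
SECURITY_MAIL_TERMS = ("security", "alert", "sign-in", "new device", "unusual")
SUPPRESSING_ACTIONS = ("delete", "forward", "move:junk")
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 25
REGISTRATION_LOOKBACK = timedelta(hours=1)


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect(events):
    """Return findings as (user, check, detail) tuples, grouped by user."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        logins = [parse_ts(e["ts"]) for e in evs if e["action"] == "login"]
        downloads = [parse_ts(e["ts"]) for e in evs if e["action"] == "file_download"]

        for e in evs:
            t = parse_ts(e["ts"])
            if e["action"] == "mfa_device_registered":
                # Every new MFA device deserves review; one registered shortly
                # after an interactive login matches the persistence pattern above.
                recent = any(timedelta(0) <= (t - lg) <= REGISTRATION_LOOKBACK for lg in logins)
                note = " registered within 1h of login" if recent else ""
                findings.append((user, "new_mfa_device", e["device"] + note))
            elif e["action"] == "inbox_rule_created":
                rule = e["rule"]
                suppresses = any(a.lower().startswith(SUPPRESSING_ACTIONS) for a in rule["actions"])
                hits_security = any(k in rule["subject_contains"].lower() for k in SECURITY_MAIL_TERMS)
                if suppresses and hits_security:
                    findings.append((user, "alert_suppressing_inbox_rule", rule["subject_contains"]))
            elif e["action"] == "search":
                hits = SENSITIVE_TERMS & set(e["query"].lower().split())
                if len(hits) >= 2:
                    findings.append((user, "sensitive_term_search", ", ".join(sorted(hits))))

        # Sliding window over the user's downloads; report the first window that trips.
        for i, start in enumerate(downloads):
            count = sum(1 for d in downloads[i:] if d - start <= BULK_WINDOW)
            if count > BULK_THRESHOLD:
                findings.append((user, "bulk_download", f"{count} files within {BULK_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for user, check, detail in detect(SAMPLE_EVENTS):
        print(f"{user:20} {check:30} {detail}")
```

Run as-is it reports four findings for the constructed CFO account and none for the developer account. In production the value of this kind of check comes from correlation: a single new device registration is routine, but a registration followed within minutes by an alert-deleting inbox rule and a burst of downloads is the sequence described above and should page someone.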
If you are concerned about your organisation’s SaaS security posture or identity configuration, contact the BIT Tech team for a review.

