Vishing crews ride SSO trust to drain SaaS estates in hours
Original source: Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks (The Hacker News)

Two crews tracked as Cordial Spider and Snarky Spider — both active since October 2025 and tied to The Com e-crime scene — are running fast extortion campaigns that live entirely inside SaaS. The pattern is consistent: a phone call impersonating the IT help desk, a victim pushed to an SSO-themed adversary-in-the-middle page, captured credentials and MFA codes, then an immediate pivot into the identity provider. From there a single authenticated session unlocks every connected app, so the attackers never need to compromise Google Workspace, HubSpot, SharePoint, or Salesforce individually.
Once inside, the playbook is mechanical. Register a new MFA device and remove the legitimate one to retain control of MFA, set inbox rules that auto-delete the device-registration notifications, scrape the employee directory to find high-privilege accounts, social-engineer those, then sweep for business-critical files and exfiltrate. Residential proxies hide the origin and defeat coarse IP reputation checks. Mandiant connected the activity to ShinyHunters tradecraft in January, and Unit 42 and RH-ISAC have since flagged the same cluster hitting retail and hospitality since February 2026.
The defensive problem is structural. There is no malware, no endpoint footprint, no off-SaaS lateral movement to alarm on — just legitimate SSO sessions doing legitimate-looking things at machine speed. Detection has to shift to identity-layer signals: anomalous device registrations, inbox rules that hide security mail, session origin shifts, and downstream SaaS access patterns that don’t match a human workday.
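As an added illustration (not code from the article or from any vendor named in it), the following Python correlates the identity-layer signals listed above over a constructed, normalised audit feed: an MFA device swap inside a short window, a new inbox rule that deletes or moves mail matching security-notification keywords, and a login-origin shift between consecutive sessions. The event schema, field names, keyword list and time windows are assumptions chosen for the example; a real deployment would map them onto the identity provider's and mail platform's own audit fields.

```python
"""Correlate identity-provider and mailbox audit events into the
post-compromise pattern described in the summary.

Added example; the event schema and all sample records are constructed
assumptions, not any vendor's real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed normalised feed with these keys).
EVENTS = [
    {"ts": "2026-02-10T09:02:00", "user": "a.lee", "type": "login",
     "ip": "203.0.113.7", "asn": "AS64500"},
    {"ts": "2026-02-10T09:03:10", "user": "a.lee", "type": "mfa_device_added",
     "device": "iPhone-new"},
    {"ts": "2026-02-10T09:04:30", "user": "a.lee", "type": "mfa_device_removed",
     "device": "Pixel-old"},
    {"ts": "2026-02-10T09:05:00", "user": "a.lee", "type": "inbox_rule_created",
     "subject_contains": "new device registered", "action": "delete"},
    {"ts": "2026-02-10T09:06:00", "user": "a.lee", "type": "login",
     "ip": "198.51.100.44", "asn": "AS64501"},
    # Benign activity for a second user: one device added, a newsletter rule.
    {"ts": "2026-02-10T10:00:00", "user": "b.ray", "type": "mfa_device_added",
     "device": "laptop"},
    {"ts": "2026-02-12T11:00:00", "user": "b.ray", "type": "inbox_rule_created",
     "subject_contains": "newsletter", "action": "move"},
]

# Assumed tuning values; adjust to the organisation's baseline.
SECURITY_MAIL_KEYWORDS = ("device", "sign-in", "security alert", "password", "mfa")
DEVICE_SWAP_WINDOW = timedelta(minutes=15)
ORIGIN_SHIFT_WINDOW = timedelta(hours=1)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def device_swap_alerts(events):
    """A user adds one MFA device and removes another within a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] in ("mfa_device_added", "mfa_device_removed"):
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        adds = [e for e in evs if e["type"] == "mfa_device_added"]
        rems = [e for e in evs if e["type"] == "mfa_device_removed"]
        for a in adds:
            for r in rems:
                if abs(_ts(a) - _ts(r)) <= DEVICE_SWAP_WINDOW:
                    alerts.append((user, "mfa_device_swap", a["device"], r["device"]))
    return alerts


def hidden_security_mail_alerts(events):
    """A new inbox rule deletes or moves mail whose subject matches security keywords."""
    alerts = []
    for e in events:
        if e["type"] != "inbox_rule_created" or e["action"] not in ("delete", "move"):
            continue
        subject = e["subject_contains"].lower()
        if any(k in subject for k in SECURITY_MAIL_KEYWORDS):
            alerts.append((e["user"], "hidden_security_mail", e["subject_contains"]))
    return alerts


def origin_shift_alerts(events):
    """Consecutive logins by one user from different ASNs within a short window."""
    logins = defaultdict(list)
    for e in events:
        if e["type"] == "login":
            logins[e["user"]].append(e)
    alerts = []
    for user, evs in logins.items():
        evs.sort(key=_ts)
        for prev, cur in zip(evs, evs[1:]):
            if prev["asn"] != cur["asn"] and _ts(cur) - _ts(prev) <= ORIGIN_SHIFT_WINDOW:
                alerts.append((user, "session_origin_shift", prev["asn"], cur["asn"]))
    return alerts


def triage(events, threshold=2):
    """Return users with at least `threshold` distinct alert kinds, mapped to those kinds.

    Any single signal can be benign (a genuine phone upgrade, a travelling user);
    several of them on one account inside the same day is the pattern worth paging on.
    """
    kinds = defaultdict(set)
    for detector in (device_swap_alerts, hidden_security_mail_alerts, origin_shift_alerts):
        for alert in detector(events):
            kinds[alert[0]].add(alert[1])
    return {u: sorted(k) for u, k in kinds.items() if len(k) >= threshold}


if __name__ == "__main__":
    for user, signals in triage(EVENTS).items():
        print(f"{user}: {', '.join(signals)}")
```

Each detector stands alone so it can feed a SIEM rule on its own, while `triage` stacks them per account; in the sample feed only `a.lee` trips all three signals, and `b.ray`'s single device add and newsletter rule produce nothing.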
Read the full article at The Hacker News.
This is an AI-generated summary. Read the original for the full story.