Identity is the new perimeter: lightning attacks by Cordial Spider and Snarky Spider in SaaS environments


Cybersecurity researchers have identified two criminal clusters, tracked in several reports as Cordial Spider and Snarky Spider, that are driving a worrying shift in the industry: high-speed, low-footprint attacks that operate almost entirely inside trusted SaaS environments. These groups combine voice-based social engineering (vishing) with adversary-in-the-middle (AiTM) phishing pages designed to capture credentials and MFA codes, which lets them pivot directly into identity providers and connected SaaS applications without having to compromise each service separately.

The mode of operation described by analysts is simple and effective. First, the attackers convince an employee, often while posing as technical support staff, to visit a malicious URL that intercepts the SSO authentication flow. They then use the captured credentials to register a new device, de-register the legitimate ones and suppress alerts by quietly creating inbox rules that delete notification messages. After escalating privileges by scraping internal directories, they search for high-value documents and reports on platforms such as Google Workspace, Microsoft SharePoint, HubSpot or Salesforce, exfiltrate them and sometimes extort the victim. Recent public research describes these operations as relying on "living-off-the-land" techniques and residential proxies to hinder attribution and evade basic IP-reputation filters.


The implications are clear: the identity provider (IdP) becomes a single point of failure. If attackers obtain valid sessions there, they can move laterally across the whole SaaS ecosystem with a single authentication, reducing their forensic footprint and shortening the time to impact. For medium and large organisations this translates into direct risks to the confidentiality of sensitive data, to operational continuity and to regulatory exposure under data protection and breach reporting obligations.

In view of this scenario, defensive measures should prioritise protecting the identity perimeter and detecting abnormal activity inside SaaS. The most effective practices include adopting phishing-resistant authentication (e.g. FIDO2 / WebAuthn and physical security keys), conditional access policies that assess risk from the session context (location, device, behaviour), and removing or restricting MFA methods based on SMS or TOTP codes unless they are backed by additional controls. It is also critical to keep "break glass" accounts under strict control and audit, and to enable retention and export of IdP and SaaS logs for forensic analysis.


Detecting these campaigns requires specific observability: monitoring new device registrations, changes to MFA configuration, creation of inbox rules, unusual token grants and escalating access patterns across multiple services within a short window. Integrating Identity Threat Detection and Response (ITDR), CASB and DLP capabilities helps correlate signals that may look benign in isolation but together indicate compromise. In addition, blocking or labelling traffic from residential proxies and enriching events with intelligence on malicious infrastructure reduces false negatives.
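The attack chain from the earlier paragraph (new device, de-registered MFA, alert-hiding inbox rule, rapid fan-out across SaaS apps) maps almost one-to-one onto the signals listed above, and the value is in correlating them per user inside a short window rather than alerting on each one alone. The following Python script is an added illustration of that correlation, not code from the article or from any vendor: the event field names, the per-user IP baseline and the sample audit events are all constructed assumptions standing in for whatever an IdP, mail and SaaS audit export actually provides.

```python
"""Correlate IdP and SaaS audit events into the chain described in the text:
device registration from an unfamiliar IP, MFA method removal, an inbox rule
that suppresses alert mail, then access to several SaaS apps in a short window.
Added example; event field names are assumptions, not any vendor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-user baseline of IPs seen in the previous 30 days (assumed input).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}

# Constructed sample audit events. 198.51.100.7 plays the attacker-controlled proxy
# through which the AiTM session was relayed, so even the login shows that IP.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "source": "idp", "action": "login", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:04:00", "user": "alice", "source": "idp", "action": "device.register", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "source": "idp", "action": "mfa.method.remove", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:07:00", "user": "alice", "source": "mail", "action": "inbox_rule.create", "ip": "198.51.100.7",
     "rule": {"conditions": ["subject contains 'security alert'"], "actions": ["delete"]}},
    {"ts": "2024-05-01T09:10:00", "user": "alice", "source": "sharepoint", "action": "file.download", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:12:00", "user": "alice", "source": "salesforce", "action": "report.export", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:15:00", "user": "alice", "source": "hubspot", "action": "contacts.export", "ip": "198.51.100.7"},
    # bob enrols a new device from his usual IP and does nothing unusual: no alert expected.
    {"ts": "2024-05-01T10:00:00", "user": "bob", "source": "idp", "action": "login", "ip": "203.0.113.20"},
    {"ts": "2024-05-01T10:05:00", "user": "bob", "source": "idp", "action": "device.register", "ip": "203.0.113.20"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "source": "sharepoint", "action": "file.download", "ip": "203.0.113.20"},
]

RULE_ACTIONS_THAT_HIDE = {"delete", "move_to_folder", "mark_read"}
ALERT_KEYWORDS = ("security", "alert", "sign-in", "new device", "mfa")
IDENTITY_SOURCES = {"idp", "mail"}  # not counted as SaaS applications for the fan-out rule


def parse_ts(value):
    return datetime.fromisoformat(value)


def hides_alert_mail(rule):
    """True if the rule deletes or hides mail whose condition mentions security alerts."""
    conditions = " ".join(rule.get("conditions", [])).lower()
    actions = set(rule.get("actions", []))
    return bool(actions & RULE_ACTIONS_THAT_HIDE) and any(k in conditions for k in ALERT_KEYWORDS)


def analyse_user(events, known_ips, window):
    """Return the set of indicator names triggered for one user's time-sorted events.
    Every indicator is anchored on a device registration, the pivot point of the chain."""
    findings = set()
    for reg in (e for e in events if e["action"] == "device.register"):
        start = parse_ts(reg["ts"])
        in_window = [e for e in events if start <= parse_ts(e["ts"]) <= start + window]
        if reg["ip"] not in known_ips:
            findings.add("device_registered_from_unfamiliar_ip")
        if any(e["action"] == "mfa.method.remove" for e in in_window):
            findings.add("mfa_method_removed_after_new_device")
        if any(e["action"] == "inbox_rule.create" and hides_alert_mail(e.get("rule", {}))
               for e in in_window):
            findings.add("alert_hiding_inbox_rule")
        apps = {e["source"] for e in in_window if e["source"] not in IDENTITY_SOURCES}
        if len(apps) >= 3:
            findings.add("rapid_multi_service_access")
    return findings


def detect(events, known_ips=KNOWN_IPS, window_minutes=30):
    """Group events per user; return {user: {"indicators": [...], "severity": ...}} for users with hits."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    results = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        found = analyse_user(evs, known_ips.get(user, set()), timedelta(minutes=window_minutes))
        if found:
            results[user] = {"indicators": sorted(found),
                             "severity": "high" if len(found) >= 3 else "medium"}
    return results


if __name__ == "__main__":
    for user, r in detect(SAMPLE_EVENTS).items():
        print(f"{user}: {r['severity']} -> {', '.join(r['indicators'])}")
```

Run as-is it reports only `alice` at high severity with all four indicators, while `bob`'s legitimate enrolment produces nothing. In a real deployment the IP baseline would come from historical sign-in data (or an ITDR product's risk score), the window would be tuned to the tenant's normal behaviour, and the residential-proxy enrichment mentioned above would be a natural extra condition on the registration event.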

At the human and procedural level, it is worth strengthening controls against vishing: establish verification procedures for support calls (e.g. call-back verification codes or alternative confirmation channels), include simulated vishing attacks in awareness programmes, and run tabletop exercises that cover recovering compromised identities and coordinating with SaaS providers to revoke affected sessions and credentials. Keeping communication channels open with sector sharing groups such as RH-ISAC and with external response teams speeds up detection and containment in real incidents; see the general response and analysis resources from CrowdStrike and Mandiant, and the intelligence notes from units such as Palo Alto Networks' Unit 42.

For executives, the priority is to understand that security is no longer just about protecting endpoints and networks: identity is the new perimeter. Investing in identity controls, visibility into the SaaS stack and response plans that account for rapid exfiltration and extortion will reduce both the likelihood and the impact of these attacks. Finally, documenting and testing the reporting flows to customers and regulators in the event of a leak, and having legal and communications support in place, is as important as the technical remediation.
