A new breed of cyber adversary is moving away from traditional malware and focusing entirely on the “trust relationship” within your cloud ecosystem. Since late 2025, two aggressive groups—CORDIAL SPIDER and SNARKY SPIDER—have been observed executing high-speed data theft campaigns that bypass endpoint security by operating strictly within legitimate SaaS environments.
By targeting SharePoint, HubSpot, and Google Workspace, these “Spiders” minimize their footprint and exploit the very Single Sign-On (SSO) integrations that companies use for convenience.
Initial Access: The “Vishing” Hook
The attack doesn’t start with a link, but with a phone call. Attackers impersonate corporate IT support, using voice phishing (vishing) to create a fake emergency.
- The Lure: Employees are told there is an “urgent security update” or an “account compromise” that requires immediate action.
- The Trap: The victim is directed to a sophisticated Adversary-in-the-Middle (AiTM) page. These sites (e.g., company-sso[.]com) look identical to the real login portal.
- The Theft: As the user logs in, the AiTM proxy captures their credentials and their active session token in real time. This allows the attacker to bypass Multi-Factor Authentication (MFA) entirely.
Persistence: Turning Emulators into Backdoors
Once the attackers possess a valid session, they move to ensure they are never kicked out. They don’t just steal an account; they reconfigure its security.
- MFA Manipulation: The Spiders remove the victim’s legitimate MFA devices and register their own hardware.
- Emulator Usage: SNARKY SPIDER is known for using Genymobile Android emulators to appear as a trusted mobile device. CORDIAL SPIDER prefers a mix of mobile hardware and Windows QEMU emulators.
- Hiding the Trail: To keep the victim in the dark, the groups deploy automated inbox rules. These rules instantly delete any email containing keywords like “Security Alert,” “MFA,” or “New Device” the moment it arrives.
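The inbox-rule trick above is the easiest part of this tradecraft to hunt for, and the "Audit Inbox Rules" recommendation later on the page is the same check from the defender's side. The script below is an added example written for this page, not code from CrowdStrike or from any vendor. It assumes rules have already been exported in the shape of a Microsoft Graph messageRule object (displayName, isEnabled, conditions, actions), which is an assumption about the export, and it flags any enabled rule that hides mail (delete, permanent delete, move, mark-as-read) when its conditions mention security keywords, when it has no conditions at all, or when its name is blank or a single character. The sample rules are constructed for the demonstration.

```python
"""Audit exported inbox rules for auto-delete rules that hide security notices.

Added example; assumes rules are exported in the Microsoft Graph messageRule
shape (displayName / isEnabled / conditions / actions). Sample data is constructed.
"""
from dataclasses import dataclass, field

# Keywords the page reports attackers filter on, plus close variants.
SECURITY_KEYWORDS = ("security alert", "mfa", "new device", "sign-in", "password")

# Actions that keep a matched message out of the user's sight.
HIDING_ACTIONS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")

# Condition keys whose values are plain strings (fromAddresses holds objects, so skip it).
STRING_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains",
                     "senderContains", "headerContains")


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: list = field(default_factory=list)


def rule_keywords(rule: dict) -> list:
    """Collect every string the rule matches on."""
    cond = rule.get("conditions") or {}
    words = []
    for key in STRING_CONDITIONS:
        words.extend(str(v) for v in (cond.get(key) or []))
    return words


def audit_rule(mailbox: str, rule: dict):
    """Return a Finding if this rule looks like it hides security mail, else None."""
    if not rule.get("isEnabled", True):
        return None  # disabled rules cannot hide anything today
    actions = rule.get("actions") or {}
    hiding = [a for a in HIDING_ACTIONS if actions.get(a)]
    if not hiding:
        return None  # e.g. a plain categorise/flag rule

    reasons = []
    words = rule_keywords(rule)
    hits = [w for w in words if any(k in w.lower() for k in SECURITY_KEYWORDS)]
    if hits:
        reasons.append(f"hides messages matching {hits} via {hiding}")
    if not words and actions.get("delete"):
        reasons.append("deletes every incoming message (rule has no conditions)")
    name = rule.get("displayName", "")
    if len(name.strip()) <= 1 and (hits or not words):
        reasons.append("rule name is blank or a single character")
    return Finding(mailbox, name, reasons) if reasons else None


def audit_mailboxes(rules_by_mailbox: dict) -> list:
    """Run audit_rule over {mailbox: [rule, ...]} and return all findings."""
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            f = audit_rule(mailbox, rule)
            if f:
                findings.append(f)
    return findings


# Constructed sample export: one benign rule, one keyword-deleting rule, one catch-all.
SAMPLE_RULES = {
    "alice@example.com": [
        {"displayName": "Newsletters", "isEnabled": True,
         "conditions": {"senderContains": ["newsletter"]},
         "actions": {"moveToFolder": "Archive"}},
        {"displayName": ".", "isEnabled": True,
         "conditions": {"bodyOrSubjectContains": ["Security Alert", "MFA", "New Device"]},
         "actions": {"delete": True, "markAsRead": True}},
    ],
    "bob@example.com": [
        {"displayName": "Catch all", "isEnabled": True,
         "conditions": {}, "actions": {"delete": True}},
    ],
}

if __name__ == "__main__":
    for f in audit_mailboxes(SAMPLE_RULES):
        print(f"{f.mailbox}: rule {f.rule!r}: {'; '.join(f.reasons)}")
```

Run it against a real export and the benign "Newsletters" rule stays silent while the one-character delete rule and the unconditional catch-all are reported; in practice the export step would be a scheduled pull of every mailbox's rules, and a rule created minutes after a new MFA device registration deserves the highest priority.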
Exfiltration: From Breach to Data Theft in 60 Minutes
The speed of these attacks is startling. Because they are already inside the “trusted” SaaS perimeter, there are no firewalls to slow them down.
The Exfiltration Timeline:
- Reconnaissance: Attackers query the organization’s SharePoint and Google Drive for “hot” terms like confidential, contracts, SSN, and VPN.
- Aggregation: Data is quickly bundled using native SaaS tools.
- Download: SNARKY SPIDER has been observed beginning high-volume data exfiltration in less than an hour after the initial vishing call.
To hide their location, both groups route their theft through residential proxy networks like Mullvad or NetNut, making the massive data transfer look like normal home-user traffic.
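The detection opportunity in the timeline above is the download burst itself: a single identity pulling a large number of files inside one hour stands out against any normal baseline, whatever proxy the traffic exits through. The script below is an added example for this page, not a vendor's detection content. It assumes a SharePoint- or Drive-style audit log exported as CSV with the columns timestamp, user, operation, path (that column layout and the operation name "FileDownloaded" are assumptions), and it keeps a sliding 60-minute window per user, reporting the first moment a user crosses the download threshold. The log lines are constructed.

```python
"""Flag burst file downloads in a SaaS audit log using a per-user sliding window.

Added example; assumes CSV rows of timestamp,user,operation,path with the
operation name "FileDownloaded". The sample log below is constructed.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

WINDOW = timedelta(minutes=60)   # the page reports exfiltration starting within an hour
THRESHOLD = 20                   # downloads per user per window; tune to your baseline


def parse_events(text: str) -> list:
    """Parse CSV audit rows into (timestamp, user, operation, path), sorted by time."""
    events = []
    for row in csv.reader(StringIO(text.strip())):
        ts, user, op, path = (c.strip() for c in row)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, op, path))
    events.sort(key=lambda e: e[0])
    return events


def find_download_bursts(events: list, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {user: (window_start, crossing_time, count)} for users who exceed
    `threshold` downloads inside any `window`-long span (first crossing only)."""
    recent = defaultdict(deque)  # user -> timestamps of downloads still inside the window
    alerts = {}
    for ts, user, op, _path in events:
        if op != "FileDownloaded":
            continue  # views, edits and shares are not counted here
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop downloads older than the window
        if len(q) >= threshold and user not in alerts:
            alerts[user] = (q[0], ts, len(q))
    return alerts


# Constructed sample: alice downloads a file a minute for 25 minutes; bob downloads two files hours apart.
SAMPLE_LOG = "\n".join(
    [f"2026-01-14T10:{m:02d}:00Z,alice@example.com,FileDownloaded,contracts/agreement-{m}.pdf"
     for m in range(25)]
    + [
        "2026-01-14T09:30:00Z,bob@example.com,FileDownloaded,hr/handbook.pdf",
        "2026-01-14T11:45:00Z,bob@example.com,FileDownloaded,hr/policy.pdf",
        "2026-01-14T10:05:00Z,alice@example.com,FileAccessed,notes.txt",
    ]
)

if __name__ == "__main__":
    for user, (start, crossed, count) in find_download_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {count} downloads between {start:%H:%M} and {crossed:%H:%M}")
```

The window is intentionally short because the page's point is speed; a second pass that weights paths containing the "hot" terms listed above (contracts, SSN, VPN) would rank the resulting alerts, and the source IP of the session can be checked against known residential-proxy ranges rather than trusted because it looks like a home connection.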
Defense: Beyond Traditional MFA
Standard MFA is no longer a “silver bullet” against AiTM attacks. To defend your cloud, you must evolve your strategy:
- Phishing-Resistant MFA: Deploy FIDO2-compliant security keys or Microsoft Authenticator (Passkeys). These credentials are bound to the legitimate login origin, so an AiTM proxy on a look-alike domain cannot intercept or replay them.
- SaaS Anomaly Detection: Use tools like CrowdStrike Falcon Shield to monitor for “Impossible Travel” (e.g., a user logging in from New York and London within 10 minutes) and the use of known Android emulators.
- Audit Inbox Rules: Regularly scan for “Hidden” or “Auto-Delete” inbox rules that filter out security notifications.
- Vishing Simulations: Train staff specifically on “IT Support” phone scams, emphasizing that real IT teams will never ask you to visit a non-standard SSO URL.
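The "Impossible Travel" check in the SaaS Anomaly Detection item is simple enough to implement without a product, and doing so makes clear what the signal actually is: the speed implied by two consecutive sign-ins from different places. The script below is an added example for this page, not Falcon Shield logic or any vendor's code. It assumes sign-in records that already carry a geolocated latitude and longitude (an assumption about the identity provider's log export), computes the great-circle distance between consecutive sign-ins per user with the haversine formula, and flags any pair whose implied speed exceeds a plausible airliner speed. The sign-in events are constructed, including the page's own New York to London in ten minutes case.

```python
"""Flag 'impossible travel': consecutive sign-ins by one user whose implied
speed is beyond what a traveller could achieve.

Added example; assumes sign-in records carry a geolocated lat/lon.
Sample events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; anything faster is not a journey


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime
    lat: float
    lon: float
    city: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(a: SignIn, b: SignIn) -> float:
    """Speed a person would need to move from sign-in a to sign-in b."""
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = abs((b.time - a.time).total_seconds()) / 3600.0
    if hours == 0:
        return float("inf") if dist > 0 else 0.0  # same instant, different place
    return dist / hours


def find_impossible_travel(events: list, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Return (user, from_city, to_city, speed_kmh) for each consecutive pair of
    sign-ins that implies travel faster than max_kmh. Input order does not matter."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.time)):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                alerts.append((user, prev.city, cur.city, round(speed)))
    return alerts


def _t(hh: int, mm: int) -> datetime:
    return datetime(2026, 1, 14, hh, mm, tzinfo=timezone.utc)


# Constructed sample: alice appears in New York and then London ten minutes later;
# bob signs in twice from Chicago three hours apart.
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", _t(9, 10), 51.5074, -0.1278, "London"),
    SignIn("alice@example.com", _t(9, 0), 40.7128, -74.0060, "New York"),
    SignIn("bob@example.com", _t(9, 0), 41.8781, -87.6298, "Chicago"),
    SignIn("bob@example.com", _t(12, 0), 41.8781, -87.6298, "Chicago"),
]

if __name__ == "__main__":
    for user, src, dst, speed in find_impossible_travel(SAMPLE_SIGNINS):
        print(f"{user}: {src} -> {dst} implies {speed} km/h")
```

Geolocation of a residential-proxy exit is what makes this check noisy as well as useful: the proxy places the attacker in a plausible home location, so the alert fires on the jump between the victim's real sign-in and the proxied one, and it should be correlated with the new-device and inbox-rule signals rather than acted on alone.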