{"id":236339,"date":"2026-05-01T22:25:21","date_gmt":"2026-05-02T03:25:21","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/05\/cybercrime-groups-using-vishing-and-sso-abuse-in-rapid-saas-extortion-attacks"},"modified":"2026-05-01T22:25:21","modified_gmt":"2026-05-02T03:25:21","slug":"cybercrime-groups-using-vishing-and-sso-abuse-in-rapid-saas-extortion-attacks","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/05\/cybercrime-groups-using-vishing-and-sso-abuse-in-rapid-saas-extortion-attacks","title":{"rendered":"Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks"},"content":{"rendered":"<p>Cybersecurity researchers are warning of two cybercrime groups that are carrying out \u201crapid, high-impact attacks\u201d operating almost within the confines of SaaS environments, while leaving minimal traces of their actions.<\/p>\n<p>The clusters, <strong><a href=\"https:\/\/www.crowdstrike.com\/en-us\/adversaries\/cordial-spider\/\">Cordial Spider<\/a><\/strong> (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and <strong><a href=\"https:\/\/www.crowdstrike.com\/en-us\/adversaries\/snarky-spider\/\">Snarky Spider<\/a><\/strong> (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and extortion campaigns that share a remarkable degree of operational similarities. 
Both hacking groups are assessed to be active since at least October 2025, with the latter a native English-speaking crew sharing ties to the e-crime ecosystem known as <a href=\"https:\/\/thehackernews.com\/2025\/11\/a-cybercrime-merger-like-no-other.html\">The Com<\/a>.<\/p>\n<p>\u201cIn most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications,\u201d CrowdStrike\u2019s Counter Adversary Operations <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield\/\">said<\/a> in a report.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers are warning of two cybercrime groups that are carrying out \u201crapid, high-impact attacks\u201d operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. 
The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-236339","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/236339","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=236339"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/236339\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=236339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=236339"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=236339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}