‘Rapid SaaS Extortion’: Cybercrime Duo Targets Enterprises with Vishing and SSO Hijacking

Published: 2026-05-02 01:44:43 | Category: Cybersecurity

Breaking: Cybercrime Groups Deploy Vishing and SSO Abuse in Agile SaaS Extortion Spree

January 30, 2025 — Two sophisticated cybercrime clusters, tracked as Cordial Spider and Snarky Spider, are executing “rapid, high-impact” extortion attacks against enterprises by abusing single sign-on (SSO) authentication and voice phishing (vishing) within software-as-a-service (SaaS) environments, according to new cybersecurity research.

The groups — also known as BlackFile (Cordial Spider) and O-UNC-025 (Snarky Spider) — carry out data theft and extortion in “hours or days,” leaving minimal forensic traces. Their tactics involve bypassing multi-factor authentication by tricking help desks via phone calls to reset or add SSO tokens.

How the Attacks Unfold

Researchers from a leading threat intelligence firm outlined the attack chain: First, attackers conduct reconnaissance to identify targets’ email addresses and phone numbers. Then, they place vishing calls to the victim’s IT help desk, impersonating an employee requesting an SSO password reset or new device enrollment.

Once granted access, the groups use legitimate credentials to exfiltrate sensitive data from cloud apps like Microsoft 365, Salesforce, or Slack. “They move so fast that traditional detection measures fail to keep up,” said Dr. Lena Hart, principal analyst at CyberThreat Labs. “This is a new breed of SaaS-native extortion that targets the weakest link: human trust.”

Background

SSO abuse has become a favored vector for cybercriminals because it bypasses traditional network defenses. The Cordial Spider group has been active since at least 2022, initially targeting financial services. Snarky Spider emerged in 2023, focusing on technology and healthcare firms. Both groups have been linked to ransomware strains but now prefer pure data theft for extortion, reducing dwell time.

Previous attacks often required weeks of lateral movement; these clusters compress the timeline to as little as 24 hours. “The speed of response is everything,” noted a law enforcement source who requested anonymity. “We see victims paying ransoms before third-party forensics can even begin.”

What This Means for Enterprises

Organizations relying on SSO without robust vishing-aware protocols are vulnerable. Key implications:

  • Help desk training: Staff must verify identity through out-of-band channels, not just voice calls.
  • SSO logging and alerts: Rapid password resets or token additions should trigger suspicious activity alerts.
  • Incident playbooks: Predefined response for “voice-assisted” credential compromise is essential.

“Enterprises must treat vishing as seriously as malware,” said Hart. “Attackers are exploiting the human element, and technological fixes alone won’t stop them.” Further background on these groups appears in the Background section above.

Defensive Measures

The research recommends implementing caller ID verification, mandatory callback to known numbers, and requiring a second approval for critical SSO changes. No single solution is foolproof, but layering these controls can disrupt the attack flow.

Additionally, organizations should monitor logs for unusual SSO token activation from unexpected IPs or geographies. “Every minute counts,” the law enforcement source emphasized. “These groups are built for speed.”
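The monitoring advice in the implications list and in this section (alert on rapid resets or token additions, and on SSO activity from unexpected geographies) can be expressed as a correlation rule. The following is an added example, not code from the research or from any named vendor; the log format, event names, and sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider log lines (not from the article).
# Format: timestamp|user|event|source_ip|country
SAMPLE_LOG = """\
2025-01-30T09:00:12|j.doe|helpdesk_password_reset|10.0.5.20|US
2025-01-30T09:04:45|j.doe|mfa_device_enrolled|203.0.113.7|NL
2025-01-30T09:06:02|j.doe|sso_login|203.0.113.7|NL
2025-01-30T11:30:00|a.lee|helpdesk_password_reset|10.0.5.20|US
2025-01-31T08:15:00|a.lee|sso_login|10.0.7.11|US
"""

# Help-desk-driven changes that a vishing attacker would need first.
TRIGGER_EVENTS = {"helpdesk_password_reset", "mfa_device_enrolled", "sso_token_added"}
# Events that show the new credential/token actually being used.
FOLLOWUP_EVENTS = {"mfa_device_enrolled", "sso_login"}


def parse(log):
    """Turn the pipe-delimited sample log into a list of event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, event, ip, country = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "ip": ip, "country": country})
    return events


def find_rapid_sso_takeover(events, window=timedelta(minutes=30), home_countries=("US",)):
    """Flag a user once when a help-desk credential or MFA change is followed,
    within `window`, by device enrollment or SSO login from outside the
    organisation's expected countries. Returns (user, trigger, follow-up, ip)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, trigger in enumerate(evs):
            if trigger["event"] not in TRIGGER_EVENTS:
                continue
            for follow in evs[i + 1:]:
                if follow["ts"] - trigger["ts"] > window:
                    break  # outside the correlation window; stop scanning
                if follow["event"] in FOLLOWUP_EVENTS and follow["country"] not in home_countries:
                    alerts.append((user, trigger["event"], follow["event"], follow["ip"]))
                    break
            if alerts and alerts[-1][0] == user:
                break  # one alert per user is enough for triage
    return alerts
```

In the sample data, j.doe's reset is followed four minutes later by an enrollment from an unexpected country and is flagged, while a.lee's reset is followed by a login from the home country the next day and is not.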

This is a developing story. Check back for updates.