
Cybercrime Groups Exploit Vishing, SSO Abuse in SaaS Extortion Spree


"By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders," CrowdStrike's Counter Adversary Operations warned — a crisp summary of an attack pattern now being seen across multiple corners of the cloud economy.

CrowdStrike: vishing to SSO-themed adversary-in-the-middle pages

CrowdStrike describes two clusters of activity in which attackers use voice phishing (vishing) to steer users to malicious, single-sign-on (SSO)-themed adversary-in-the-middle (AiTM) pages. The AiTM pages capture authentication data and allow the adversaries to pivot "directly into SSO-integrated SaaS applications," according to the firm's report. By confining activity inside trusted SaaS environments, CrowdStrike says the groups leave a minimal forensic footprint and shorten the time between initial contact and operational impact.

Cordial Spider and Snarky Spider: names, timing, and links to The Com

The clusters are named Cordial Spider (also tracked as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (also O-UNC-025 and UNC6661). Both have been assessed active since at least October 2025. Mandiant, in a January 2026 report, tied the two clusters to an expansion of extortion-style activity consistent with tactics used by the ShinyHunters group, noting attackers impersonate IT staff on calls to obtain credentials and MFA codes by directing victims to phishing pages.

Separately, Palo Alto Networks Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) recently assessed — "as recently as last week" in the published account — that the actors behind CL-CRI-1116 are most likely associated with the e-crime ecosystem known as The Com.

Tactics observed: MFA bypass, device registration, inbox rule suppression, LotL, and proxies

Observed intrusions follow a compact sequence: attackers use vishing to obtain credentials and MFA codes; they then register a new device to bypass MFA while removing preexisting registered devices. To suppress alerts, adversaries configure inbox rules that automatically delete automated messages about unauthorized device registrations.

Unit 42 and RH-ISAC added that intrusions "primarily rely on living-off-the-land (LotL) techniques" and make use of residential proxies to hide geographic origin and evade basic IP-reputation filters. After initial access, threat actors scrape internal employee directories to socially engineer their way toward high-privileged accounts.
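The device re-registration and inbox-rule suppression sequence above lends itself to a simple correlation rule. The following is an added example, not code from the article or any of the vendors it cites; it runs over constructed audit events, and the event names and field layout are assumptions modelled loosely on identity-provider and mailbox audit records.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs). Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:14:05Z", "user": "jdoe@example.test", "op": "DeviceRegistered"},
    {"ts": "2026-03-02T09:15:40Z", "user": "jdoe@example.test", "op": "DeviceRemoved"},
    {"ts": "2026-03-02T09:17:12Z", "user": "jdoe@example.test", "op": "InboxRuleCreated",
     "rule": {"subject_contains": "New device registered", "action": "DeleteMessage"}},
    # Benign: a registration followed by an ordinary filing rule.
    {"ts": "2026-03-02T11:02:00Z", "user": "asmith@example.test", "op": "DeviceRegistered"},
    {"ts": "2026-03-02T11:40:00Z", "user": "asmith@example.test", "op": "InboxRuleCreated",
     "rule": {"subject_contains": "weekly newsletter", "action": "MoveToFolder"}},
]

# Subject fragments typical of automated security notifications (assumed list).
ALERT_SUBJECT_HINTS = ("new device", "device registered", "security alert", "sign-in")
WINDOW = timedelta(hours=1)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def suppressive_rule(rule):
    """True if an inbox rule deletes mail whose subject looks like a security notification."""
    if rule.get("action") != "DeleteMessage":
        return False
    subject = rule.get("subject_contains", "").lower()
    return any(hint in subject for hint in ALERT_SUBJECT_HINTS)


def find_device_rule_chains(events, window=WINDOW):
    """Flag users whose device registration is followed within `window` by a suppressive
    inbox rule. A DeviceRemoved event seen between the two raises severity, since removing
    the victim's own device is part of the observed MFA takeover pattern."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # fixed ISO format sorts lexically
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for reg in (e for e in evs if e["op"] == "DeviceRegistered"):
            t0, removed = _parse(reg["ts"]), False
            for e in evs:
                delta = _parse(e["ts"]) - t0
                if delta < timedelta(0) or delta > window:
                    continue
                if e["op"] == "DeviceRemoved":
                    removed = True
                if e["op"] == "InboxRuleCreated" and suppressive_rule(e.get("rule", {})):
                    findings.append({"user": user, "registered_at": reg["ts"],
                                     "rule_at": e["ts"], "severity": "high" if removed else "medium"})
    return findings
```

In a real deployment the same logic would be fed from the IdP's device-registration audit stream and the mail platform's inbox-rule audit events, with the subject hints tuned to the organization's own notification templates.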

Targets and data flows: IdP abuse and SaaS-wide lateral movement

Once attackers gain elevated credentials, they search SaaS environments for high-value files and business-critical reports in Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, then exfiltrate selected data to infrastructure they control. CrowdStrike highlights a critical facilitator: in many observed cases, stolen credentials grant access to the organization's identity provider (IdP).

Access to the IdP provides "a single point of entry into multiple SaaS applications," CrowdStrike notes. By "abusing the trust relationship between the IdP and connected services," the adversaries can bypass compromising each SaaS app individually and instead move laterally across an organization's entire SaaS estate with a single authenticated session.

What this means for technologists, retail & hospitality organizations, and end users

  • Technologists and security teams: Watch for the sequence described by CrowdStrike and Unit 42 — vishing leading to AiTM SSO pages, device re-registration events paired with deleted alert emails, and lateral movement via an IdP. The actors' use of LotL techniques and residential proxies complicates detection at network and host levels.
  • Retail and hospitality organizations: Unit 42 and RH-ISAC report that CL-CRI-1116 has "been actively targeting the retail and hospitality space since February 2026," specifically leveraging vishing impersonations of IT help desk staff with phishing login sites. These sectors should note the pattern of social-engineered escalation to high-privilege accounts and targeted searches for business-critical reports.
  • End users and employees: Mandiant and CrowdStrike describe a recurring social-engineering tactic: attackers impersonate IT staff by phone to obtain credentials and MFA codes, then send phishing links. Any unexpected request to enter credentials or MFA codes on SSO-themed pages should be treated with caution.

The combined picture from CrowdStrike, Mandiant, Unit 42 and RH-ISAC is of agile, narrowly focused operations that rely on social engineering, IdP abuse, and the cover of trusted SaaS services. For defenders, the striking lesson is procedural rather than technological: adversaries are exploiting the human and identity seams inside SaaS estates, not trying to wrestle down each application one by one. The course of the next incidents will show whether detection and response can catch up to the speed and precision these groups are now demonstrating.

Source: The Hacker News