Security Arsenal is tracking active campaigns involving two distinct threat clusters—Cordial Spider (tracked as UNC6671, O-UNC-045) and Snarky Spider (tracked as UNC6661, O-UNC-025). These groups are executing "rapid, high-impact attacks" specifically targeting SaaS environments. Unlike traditional ransomware operators who focus on encryption, these actors specialize in data extortion and rapid theft, operating almost entirely within the bounds of legitimate SaaS applications to evade traditional EDR detection.
The attack chain is swift: it begins with vishing (voice phishing) to bypass MFA controls, followed immediately by the abuse of Single Sign-On (SSO) mechanisms to establish persistence and exfiltrate data. The speed and sophistication of these operations leave minimal forensic traces, demanding a shift from purely file-based detection to behavioral identity monitoring.
Technical Analysis
Affected Platforms & Products:
- Identity Providers (IdP): Microsoft Entra ID (Azure AD), Okta, Ping Identity, and Google Workspace.
- Targeted SaaS Assets: Cloud storage (OneDrive, SharePoint, Google Drive), Email (Exchange Online, Gmail), and CRM platforms.
The Attack Chain:
- Initial Access (Vishing): Actors call targets posing as IT support. They prompt the user to accept an MFA push notification (MFA Fatigue) or provide a 2FA code over the phone. This bypasses technical controls by exploiting human trust.
- SSO Abuse & Persistence: Once authenticated, the actors abuse the federated trust model. They may register new devices or modify SSO settings to ensure continued access even if the user's password is reset.
- Privilege Escalation: Using compromised credentials, actors search for or assign administrative roles within the IdP or tenant to facilitate mass data access.
- Data Exfiltration: Instead of deploying malware, actors utilize native SaaS APIs (e.g., Microsoft Graph API) or web interfaces to download sensitive data at high speeds.
Exploitation Status:
- Active Exploitation: Confirmed. These clusters are currently conducting rapid extortion campaigns.
- CVEs: This campaign does not rely on a specific software CVE (0-day) but rather exploits identity and process weaknesses (MFA bypass via social engineering).
Detection & Response
Because Cordial Spider and Snarky Spider operate within legitimate SaaS infrastructure, traditional antivirus signatures are ineffective. Detection relies on identifying anomalies in Identity logs (SignInLogs, AuditLogs) and behavioral baselines.
SIGMA Rules

The original "failures followed by a success" condition is not valid Sigma syntax; it is expressed here as two base rules plus Sigma v2 correlation rules (the base rules do not alert on their own).

```yaml
title: MFA Failure on SaaS Sign-In (base rule for MFA fatigue correlation)
name: saas_mfa_failure
logsource:
  product: azure
  service: signinlogs
detection:
  selection_failure:
    ResultType: 500121   # Authentication failed during strong authentication (MFA denied / not completed)
    AuthenticationRequirement: 'multiFactorAuthentication'
  filter_service_accounts:
    UserPrincipalName|startswith: 'service_'   # Filter out noisy service accounts
  condition: selection_failure and not filter_service_accounts
level: informational
---
title: MFA-Backed Successful SaaS Sign-In (base rule for MFA fatigue correlation)
name: saas_mfa_success
logsource:
  product: azure
  service: signinlogs
detection:
  selection_success:
    ResultType: 0
    AuthenticationRequirement: 'multiFactorAuthentication'
  condition: selection_success
level: informational
---
title: Burst of MFA Failures on One Account
name: saas_mfa_failure_burst
description: More than five MFA failures for the same user and application within five minutes (push spamming).
correlation:
  type: event_count
  rules:
    - saas_mfa_failure
  group-by:
    - UserPrincipalName
    - AppDisplayName
  timespan: 5m
  condition:
    gt: 5
level: medium
---
title: Potential MFA Fatigue Vishing Attack - SaaS
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects potential MFA fatigue attacks (vishing) characterized by multiple failed MFA attempts followed immediately by a success on the same account.
references:
  - https://thehackernews.com/2026/05/cybercrime-groups-using-vishing-and-sso.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.initial_access
  - attack.t1078.004
correlation:
  type: temporal_ordered
  rules:
    - saas_mfa_failure_burst
    - saas_mfa_success
  group-by:
    - UserPrincipalName
  timespan: 5m
falsepositives:
  - Legitimate users forgetting credentials/MFA issues
level: high
---
title: SaaS Admin Role Assignment via Suspicious Location
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects the addition of a user to a privileged administrative role (e.g., Global Admin) from a new or risky location/network often associated with initial compromise.
references:
  - https://attack.mitre.org/techniques/T1098/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.persistence
  - attack.t1098.003
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    Category: 'RoleManagement'
    Operation|contains:
      - 'Add member to role'
      - 'Assign role'
    TargetProperties|contains:
      - 'Global Administrator'
      - 'User Administrator'
      - 'Exchange Administrator'
  condition: selection
falsepositives:
  - Legitimate administrative delegation by IT staff
level: critical
```
KQL (Microsoft Sentinel / Defender)

```kql
// Hunt for MFA Fatigue / Vishing Indicators
// Look for users with >= 5 MFA failures followed by an MFA-backed success within 15 mins
let Threshold = 5;
let TimeWindow = 15m;
let Failures = SigninLogs
    // 500121 = "Authentication failed during strong authentication request" (MFA denied / not completed)
    | where ResultType == "500121"
    | summarize FailedCount = count(), FailedIPs = make_set(IPAddress), FailureTime = max(TimeGenerated) by UserPrincipalName, AppId
    | where FailedCount >= Threshold;
let Successes = SigninLogs
    | where ResultType == "0" and AuthenticationRequirement == "multiFactorAuthentication"
    | project UserPrincipalName, AppId, SuccessTime = TimeGenerated, SuccessIP = IPAddress;
Failures
| join kind=inner Successes on UserPrincipalName, AppId
// Keep only successes that land inside the window after the last failure
| where SuccessTime between (FailureTime .. (FailureTime + TimeWindow))
| summarize SuccessIPs = make_set(SuccessIP), SuccessTime = min(SuccessTime)
    by UserPrincipalName, AppId, FailedCount, FailedIPs = tostring(FailedIPs), FailureTime
| extend Time_Delta_Min = datetime_diff('minute', SuccessTime, FailureTime)
| extend RiskDetails = pack("Failed_IPs", FailedIPs, "Success_IPs", SuccessIPs, "Time_Delta_Min", Time_Delta_Min)
| project UserPrincipalName, AppId, FailedCount, FailedIPs, SuccessIPs, FailureTime, SuccessTime, RiskDetails
```
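The failure-then-success correlation the query above expresses, as an added example in Python that is not part of the original advisory. It runs offline over constructed records whose field names mirror Sentinel SigninLogs columns, and it generalizes slightly by counting every failure inside the window before the success rather than keying on the last failure timestamp alone:

```python
"""MFA fatigue (vishing) correlation over Entra ID sign-in records.
Added example, not from the original advisory: applies the rule's logic
(>= THRESHOLD MFA failures per user/app, then an MFA-backed success within
WINDOW) to constructed records shaped like Sentinel SigninLogs rows."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # failed MFA prompts before a success is suspicious
WINDOW = timedelta(minutes=15)  # how far back before the success failures are counted
MFA_FAILED = "500121"           # Entra result code: auth failed during strong authentication

def _ts(value):  # parse ISO-8601 such as 2026-05-12T09:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def detect_mfa_fatigue(records, threshold=THRESHOLD, window=WINDOW):
    """One finding per (user, app) burst of >= threshold MFA failures followed,
    within `window`, by a success that satisfied MFA."""
    per_key = defaultdict(list)
    for rec in records:
        per_key[(rec["UserPrincipalName"], rec["AppId"])].append(rec)
    findings = []
    for (upn, app), events in per_key.items():
        events.sort(key=lambda r: _ts(r["TimeGenerated"]))
        failures = []
        for rec in events:
            when = _ts(rec["TimeGenerated"])
            if rec["ResultType"] == MFA_FAILED:
                failures.append(rec)
            elif rec["ResultType"] == "0" and rec["AuthenticationRequirement"] == "multiFactorAuthentication":
                recent = [f for f in failures if when - _ts(f["TimeGenerated"]) <= window]
                if len(recent) >= threshold:
                    findings.append({
                        "UserPrincipalName": upn, "AppId": app, "FailedCount": len(recent),
                        "FailedIPs": sorted({f["IPAddress"] for f in recent}), "SuccessIP": rec["IPAddress"],
                        "TimeDeltaMin": int((when - _ts(recent[-1]["TimeGenerated"])).total_seconds() // 60),
                    })
                failures = []  # a success closes the burst either way
    return findings

def _row(upn, minute, result, ip, app="app-1"):
    """One constructed SigninLogs-style record (sample data, not real logs)."""
    return {"UserPrincipalName": upn, "AppId": app, "IPAddress": ip, "ResultType": result,
            "AuthenticationRequirement": "multiFactorAuthentication",
            "TimeGenerated": f"2026-05-12T09:{minute:02d}:00Z"}

# Constructed sample: alice is push-spammed six times then approves from a new IP (vishing); bob fails twice then signs in normally.
SAMPLE_LOGS = [_row("alice@example.com", m, MFA_FAILED, "203.0.113.10") for m in range(1, 7)]
SAMPLE_LOGS.append(_row("alice@example.com", 9, "0", "198.51.100.7"))
SAMPLE_LOGS += [_row("bob@example.com", m, MFA_FAILED, "203.0.113.20") for m in (3, 4)]
SAMPLE_LOGS.append(_row("bob@example.com", 5, "0", "203.0.113.20"))
```

Running `detect_mfa_fatigue(SAMPLE_LOGS)` returns a single finding for alice (six failures, success three minutes after the last one from a different IP) and nothing for bob.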
Velociraptor VQL

```vql
-- Hunt for PowerShell processes using Exchange Online modules
-- commonly used in SaaS extortion for bulk data export
-- (=~ is a case-insensitive regex match in VQL)
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "^(powershell|pwsh)[.]exe$"
  AND CommandLine =~ "Connect-ExchangeOnline|New-MailboxExportRequest|Search-Mailbox"

-- Hunt for network connections initiated by PowerShell that may be pulling data
-- from SaaS endpoints. netstat() reports remote IPs, not hostnames, so names such as
-- outlook.office365.com or graph.microsoft.com cannot be matched directly here:
-- collect established TLS connections per PowerShell process and pivot on RemoteIP in review.
SELECT * FROM foreach(
  row={ SELECT Pid AS ProcPid, Name AS ProcName, CommandLine
        FROM pslist() WHERE Name =~ "^(powershell|pwsh)[.]exe$" },
  query={ SELECT ProcPid AS Pid, ProcName AS Name, CommandLine,
                 Laddr.IP AS LocalIP, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status
          FROM netstat()
          WHERE Pid = ProcPid AND Raddr.Port = 443 AND Status =~ "ESTAB" })
```
Remediation Script (PowerShell)

```powershell
# Script to Audit and Remediate Suspicious Role Assignments
# Requires the Microsoft.Graph modules (Reports, Users, Identity.DirectoryManagement)
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "RoleManagement.ReadWrite.Directory", "AuditLog.Read.All", "User.Read.All"

# Check for Role Assignments made in the last 24 hours.
# Directory role membership carries no assignment timestamp, so the directory audit log is queried instead.
$Date  = (Get-Date).AddDays(-1)
$Since = $Date.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$SuspiciousAssignments = Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'RoleManagement' and activityDateTime ge $Since" |
    Where-Object { $_.ActivityDisplayName -eq 'Add member to role' }
if ($SuspiciousAssignments) {
    Write-Host "[!] WARNING: Found recent role assignments:" -ForegroundColor Red
    $Findings = $SuspiciousAssignments | ForEach-Object {
        $Entry  = $_
        $Target = $Entry.TargetResources | Where-Object { $_.Type -eq 'User' } | Select-Object -First 1
        $Props  = @{}
        $Target.ModifiedProperties | ForEach-Object { $Props[$_.DisplayName] = ($_.NewValue -replace '"', '') }
        [PSCustomObject]@{
            Time     = $Entry.ActivityDateTime
            Actor    = $Entry.InitiatedBy.User.UserPrincipalName
            Target   = $Target.UserPrincipalName
            Role     = $Props['Role.DisplayName']
            RoleId   = $Props['Role.ObjectID']   # directoryRole object id, needed for revocation
            MemberId = $Target.Id
        }
    }
    $Findings | Format-List
    # Option to Revoke (Uncomment to execute)
    # foreach ($finding in $Findings) {
    #     Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $finding.RoleId -DirectoryObjectId $finding.MemberId
    # }
} else {
    Write-Host "[+] No suspicious role assignments found in the last 24 hours." -ForegroundColor Green
}

# Check for newly created Guest Users (Common backdoor)
# createdDateTime is not returned by default, so request it explicitly
$Guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, DisplayName, UserPrincipalName, CreatedDateTime |
    Where-Object { $_.CreatedDateTime -gt $Date }
if ($Guests) {
    Write-Host "[!] WARNING: Found new Guest Users created in the last 24 hours:" -ForegroundColor Yellow
    $Guests | Select-Object DisplayName, UserPrincipalName, CreatedDateTime
} else {
    Write-Host "[+] No new Guest Users found." -ForegroundColor Green
}
```
Remediation
- Enable Phishing-Resistant MFA: immediately move users targeted by vishing to FIDO2/WebAuthn security keys or Certificate-Based Authentication (CBA). These methods cannot be phished via codes read out over a voice call.
- Implement Conditional Access Policies:
  - Number Matching: Ensure MFA prompts require number matching to thwart push spamming.
  - Location/Device Trust: Block access to administrative portals from unknown locations or unmanaged devices.
- Audit SaaS Consents: Review all OAuth2 grants and application permissions in your Entra ID or Okta tenant. Revoke permissions for non-corporate applications.
- Review SSO Configuration: Ensure there are no "backdoor" federation trusts or rogue authentication apps configured in your IdP.
- User Awareness Training: Immediately notify your security team and user base about the vishing campaign. Instruct users never to provide MFA codes over the phone.