Cordial Spider & Snarky Spider: SaaS Extortion without Malware

Just caught the latest intel on Cordial Spider (BlackFile) and Snarky Spider. The shift to "living off the land" strictly within the SaaS tenant is concerning. They aren't dropping malware; they are abusing native collaboration tools to exfiltrate data rapidly after bypassing SSO via vishing.

The "minimal traces" part is the kicker. Since they are interacting via the web UI or Graph API using legitimate credentials, standard EDR is effectively blind. By the time you see the data leaving, it's too late—they are already extorting the victim.

For those running Entra ID (Azure AD) or monitoring SaaS logs, you should be hunting for 'Anomalous Token Usage'. Specifically, look for users accessing the Graph API with unusual User Agents or from impossible travel locations shortly after a help desk ticket was closed (a common vishing vector).

Here is a KQL query to hunt for rapid mass-download behaviors via the Microsoft Graph API, which is a key TTP for these groups:

AuditLogs
| where OperationName == "Download file" or OperationName == "ExportItem"
| where InitiatedBy App contains "Graph Explorer" or InitiatedBy App contains "REST API"
| extend TargetId = tostring(TargetResources[0].id)
| summarize Count = count() by bin(TimeGenerated, 5m), InitiatedBy, TargetId
| where Count > 10
| order by Count desc


I’m also looking at tightening Conditional Access to require 'Compliant Device' or 'Hybrid Azure AD Joined' status for sensitive admin tasks, though that breaks some BYOD workflows.

How is everyone else handling the vishing angle? Are we seeing an uptick in helpdesk spoofing, or is it mostly direct MFA fatigue attacks against users?