Rapid SaaS Extortion: When Vishing Meets SSO Abuse (Cordial Spider & Snarky Spider)

LogAnalyst_Pete 5/1/2026

Has anyone else dug into the recent reports on Cordial Spider (aka BlackFile/CL-CRI-1116) and Snarky Spider? The speed of their operations is genuinely concerning. They aren't just sitting in the network for months; they're getting in via vishing, abusing SSO, and exfiltrating data almost entirely within the SaaS environment to leave minimal traces.

The TTPs here are aggressive: they use social engineering to bypass MFA or harvest session tokens, then pivot through SSO to access sensitive cloud storage. Since they are operating within the 'trusted' SaaS boundary, traditional perimeter defenses often miss the activity.

I've been tuning our detection logic to look for anomalies in SaaS application logs, specifically around rapid mass-downloads or unusual IP geolocation changes associated with SSO authentication events.

If you are using Sentinel or a similar SIEM, you might want to run a hunting query for users authenticating from multiple distinct locations within a short window, specifically targeting SaaS SSO logins:

// Successful interactive sign-ins to the SaaS apps of interest
SigninLogs
| where ResultType == "0"
| where AppDisplayName has_any ("Salesforce", "Office365", "GoogleWorkspace", "Box")
// Resolve the source IP to a country for the geolocation check
| extend Country = tostring(geo_info_from_ip_address(IPAddress).country)
| project TimeGenerated, UserPrincipalName, IPAddress, Location, Country, AppDisplayName, DeviceDetail
// Flag users with several logins from more than one country in the same hour
| summarize Count = count(), Countries = dcount(Country) by UserPrincipalName, bin(TimeGenerated, 1h)
| where Count > 5 and Countries > 1

The big question is: How are you handling the vishing vector? Technical controls are one thing, but if they are social-engineering the helpdesk or users directly to reset MFA, how do we effectively stop that without impacting user experience?

WiFi_Wizard_Derek 5/1/2026

Vishing is the blind spot for most orgs. We implemented a strict policy where MFA resets via the Help Desk require a video call verification or an in-person manager sign-off. It slows things down, but we saw a drop in "emergency" reset requests—most of which were likely social engineering tests.

SysAdmin_Dave 5/1/2026

Great query. You might also want to add filters for specific user agents or unusual 'UserAgent' strings. Cordial Spider has been known to script some of the exfiltration using headless browsers after they hijack the session. If you see a login followed immediately by a 'selenium' or headless-chrome UA accessing the SaaS API, burn that account down immediately.

MalwareRE_Viktor 5/1/2026

We moved entirely to FIDO2 hardware keys for our admins and privileged SaaS accounts. While not impossible to bypass, it raises the bar significantly. Vishing attacks usually target SMS/TOTP codes. If the attacker can't phish the physical key interaction, their SSO abuse chain breaks at step one.

ZeroDayHunter 5/2/2026

Speed is the real killer here. Beyond FIDO2, I recommend hunting for 'SSO hopping' in your IdP logs. These actors often enumerate or access multiple SaaS apps rapidly once they bypass MFA. We set up a KQL detection rule to flag users accessing more than five distinct applications within a 10-minute window—something normal users rarely do. It catches that lateral movement before they can finish exfil.

// ResultType is a string column in SigninLogs; "0" is a successful sign-in
SigninLogs
| where ResultType == "0"
// Count distinct applications per user in fixed 10-minute bins
| summarize AppCount = dcount(AppDisplayName) by UserPrincipalName, bin(TimeGenerated, 10m)
| where AppCount > 5
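For anyone without a SIEM handy, here is an added example (not from any poster above) that replays both hunts in this thread, Pete's multi-country SaaS login check and ZeroDayHunter's SSO-hopping rule, over constructed sign-in events shaped like SigninLogs rows; the users, apps and timestamps are made up.

```python
# Added example: the two KQL hunts from this thread re-implemented in Python
# over constructed events; the data and thresholds are illustrative only.
from collections import defaultdict
from datetime import datetime, timedelta

SAAS_APPS = {"Salesforce", "Office365", "GoogleWorkspace", "Box"}

# Constructed sample rows: (TimeGenerated, UserPrincipalName, AppDisplayName, Location, ResultType)
SIGNINS = [
    ("2026-05-01T09:00:00", "alice@example.com", "Office365", "US", "0"),
    ("2026-05-01T09:02:00", "alice@example.com", "Salesforce", "US", "0"),
    ("2026-05-01T09:03:00", "alice@example.com", "Box", "US", "0"),
    ("2026-05-01T09:04:00", "alice@example.com", "GoogleWorkspace", "US", "0"),
    ("2026-05-01T09:05:00", "alice@example.com", "Slack", "US", "0"),
    ("2026-05-01T09:06:00", "alice@example.com", "Jira", "US", "0"),
    ("2026-05-01T09:20:00", "alice@example.com", "Office365", "DE", "0"),
    ("2026-05-01T09:30:00", "alice@example.com", "Office365", "DE", "0"),
    ("2026-05-01T10:00:00", "bob@example.com", "Office365", "US", "0"),
    ("2026-05-01T10:05:00", "bob@example.com", "Salesforce", "US", "50126"),  # failed login
    ("2026-05-01T10:10:00", "bob@example.com", "Box", "US", "0"),
]

def _bin(ts, width):
    """Floor ts to a fixed-width bucket, mirroring KQL bin()."""
    epoch = datetime(1970, 1, 1)
    secs = (ts - epoch).total_seconds()
    return epoch + timedelta(seconds=secs - secs % width.total_seconds())

def sso_hopping(events, width=timedelta(minutes=10), max_apps=5):
    """Users touching more than max_apps distinct apps in one bin (ZeroDayHunter's rule)."""
    apps = defaultdict(set)
    for ts, user, app, _country, result in events:
        if result != "0":  # successful sign-ins only, as in the KQL
            continue
        apps[(user, _bin(datetime.fromisoformat(ts), width))].add(app)
    return sorted({u for (u, _), s in apps.items() if len(s) > max_apps})

def impossible_travel(events, width=timedelta(hours=1), min_logins=5):
    """Users with > min_logins SaaS logins from > 1 country in one bin (Pete's hunt)."""
    stats = defaultdict(lambda: [0, set()])
    for ts, user, app, country, result in events:
        if result != "0" or app not in SAAS_APPS:
            continue
        key = (user, _bin(datetime.fromisoformat(ts), width))
        stats[key][0] += 1
        stats[key][1].add(country)
    return sorted({u for (u, _), (n, c) in stats.items() if n > min_logins and len(c) > 1})
```

With the sample rows, alice trips both rules (six apps in the 09:00 bin, US and DE logins in the same hour) while bob stays clean because his burst spans two bins and one attempt failed.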

Thread Stats

Created: 5/1/2026
Last Active: 5/2/2026
Replies: 4
Views: 88