Introduction
Cybercriminals are changing their tactics faster than many organizations can adapt. Instead of attacking laptops, desktops, or on-premises servers, modern threat actors are now focusing on Software-as-a-Service (SaaS) platforms where valuable business data is stored every day. Services such as SharePoint, HubSpot, and Google Workspace have become prime targets because they contain documents, contracts, emails, credentials, and customer information.
Recent intelligence reports identify two active threat groups, CORDIAL SPIDER and SNARKY SPIDER, as key players in this shift. These attackers specialize in high-speed intrusions, data theft, and extortion campaigns while avoiding traditional endpoint detection systems. Their methods rely on abusing trusted cloud ecosystems rather than infecting devices with malware. This creates a dangerous challenge for companies that still depend heavily on old security models.
Attackers Move Directly Into Trusted SaaS Environments
Traditional cybersecurity tools often focus on protecting endpoints such as employee computers. However, attackers now realize that compromising one user account can unlock access to multiple connected cloud services.
Instead of deploying malware, threat actors gain access through legitimate login systems. Once inside, they move through SaaS environments quickly and quietly. Because they operate through authorized platforms, many security alerts never trigger.
Platforms like SharePoint hold internal documents, strategic files, and confidential reports. HubSpot may contain customer pipelines, sales data, and communication history. Google Workspace often stores email, calendars, documents, spreadsheets, and shared drives. In a single successful compromise, attackers can access enormous amounts of valuable information.
The Rise of Voice Phishing and AiTM Attacks
The attack chain usually starts with voice phishing, also known as vishing. Criminals impersonate internal IT staff and contact employees with convincing stories about urgent account issues, password resets, or mandatory security updates.
Victims are instructed to visit fake login pages designed to look identical to legitimate company single sign-on portals. These pages are powered by Adversary-in-the-Middle (AiTM) phishing frameworks.
When users enter their credentials, attackers instantly capture usernames, passwords, and live session tokens. Because the fake site forwards the login request to the real service in real time, victims often see a normal login process and suspect nothing.
This technique is especially dangerous because stolen session tokens can bypass password protections and sometimes even defeat weaker forms of multifactor authentication.
Lateral Movement Through Identity Providers
Once attackers gain access to a central identity provider, they can pivot across connected services without hacking each platform individually.
Modern organizations often use one login system to connect multiple applications. That convenience becomes a major weakness when a single account is compromised.
With one successful breach, attackers may gain access to cloud storage, CRM systems, collaboration platforms, internal portals, and communication tools. This reduces the time needed for large-scale compromise and increases the damage potential.
MFA Manipulation for Long-Term Access
After entering the environment, both threat groups reportedly move fast to secure persistence.
They remove legitimate multifactor authentication devices already tied to user accounts and replace them with attacker-controlled devices. This means even if the victim changes their password later, the attacker may still retain access.
SNARKY SPIDER reportedly uses Genymobile Android emulators, while CORDIAL SPIDER uses a mix of mobile devices and Windows-based emulators. These tools help them simulate trusted authentication devices remotely.
Hiding the Evidence
One of the most alarming parts of these campaigns is how carefully attackers hide their presence.
They reportedly delete security notification emails warning users about suspicious logins or MFA changes. They also create malicious inbox rules that automatically remove messages containing terms such as:
Alert
Incident
MFA changes
Security warning
This tactic delays detection and gives attackers more time to steal data.
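The inbox-rule pattern described above is something a defender can audit for directly. The following Python script is an added example (not code from the article or from any vendor): it scans an exported list of mailbox rules and flags any rule that hides mail matching security-related terms. The rule records and their field names (name, conditions, actions) are constructed for this example; real exports from Exchange Online or Gmail use their own schemas, so the accessor functions would need adapting. The blank-name heuristic is an extra check assumed here, not something the article states.

```python
"""Audit exported mailbox rules for the auto-delete pattern described above.

Rule records are CONSTRUCTED to resemble a generic mailbox-rule export;
field names are assumptions for this example, not a real product schema.
"""

# Terms the article says attackers key their rules on, plus close variants.
SECURITY_TERMS = ("alert", "incident", "mfa", "security warning", "sign-in", "suspicious")

# Actions that keep a message out of the mailbox owner's sight.
HIDING_ACTIONS = {
    "delete", "move_to_deleted_items", "move_to_junk",
    "move_to_rss", "move_to_archive", "mark_as_read",
}

# Constructed sample: two benign housekeeping rules and two attacker-style rules.
SAMPLE_RULES = [
    {"name": "Vendor invoices",
     "conditions": {"subject_contains": ["invoice"]},
     "actions": ["move_to_folder:Invoices"]},
    {"name": ".",
     "conditions": {"subject_contains": ["Alert", "Incident", "MFA changes", "Security warning"]},
     "actions": ["delete", "mark_as_read"]},
    {"name": "Newsletter cleanup",
     "conditions": {"from_contains": ["news@"]},
     "actions": ["move_to_folder:Newsletters"]},
    {"name": "Catch-all",
     "conditions": {"body_contains": ["suspicious sign-in"]},
     "actions": ["move_to_rss"]},
]


def matched_terms(rule):
    """Return the security terms (in SECURITY_TERMS order) that any condition value contains."""
    terms = []
    for values in rule.get("conditions", {}).values():
        for value in values:
            low = value.lower()
            for term in SECURITY_TERMS:
                if term in low and term not in terms:
                    terms.append(term)
    return terms


def hiding_actions(rule):
    """Return the rule's actions that hide mail; 'move_to_folder:X' is not one of them."""
    return [a for a in rule.get("actions", []) if a.split(":")[0] in HIDING_ACTIONS]


def find_suspicious_inbox_rules(rules):
    """Flag rules that hide security mail, plus rules with a blank or one-character name
    (an extra heuristic assumed by this example: such names are easy to overlook)."""
    findings = []
    for rule in rules:
        reasons = []
        terms = matched_terms(rule)
        hides = hiding_actions(rule)
        if terms and hides:
            reasons.append(f"hides mail matching {terms} via {hides}")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        if reasons:
            findings.append({"name": rule["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_inbox_rules(SAMPLE_RULES):
        print(f"[SUSPICIOUS] {finding['name']!r}: " + "; ".join(finding["reasons"]))
```

Running the script flags the rule named "." (it deletes and marks as read mail about alerts, incidents, MFA changes and security warnings) and the "Catch-all" rule (it routes "suspicious sign-in" mail into an RSS folder), while the two housekeeping rules pass. Because the attacker's rules sit server-side, an audit like this has to run against the tenant's rule export or API, not the user's client.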
Rapid Data Theft Operations
Once persistence is established, the attackers begin targeted searches for valuable information. Instead of randomly downloading everything, they focus on high-value assets such as:
Confidential business documents
Employee Social Security numbers
Vendor and financial contracts
VPN credentials
Internal communications
Reports suggest that in many cases, SNARKY SPIDER begins exfiltrating data within one hour of the initial compromise.
That speed demonstrates a highly organized playbook with predefined objectives.
Why These Attacks Succeed
Many of these incidents do not rely on software flaws. Instead, they exploit weak security configurations, including:
Overly broad user permissions
Weak MFA implementations
Lack of phishing-resistant authentication
Poor monitoring of login behavior
Excessive trust between connected cloud services
This means companies may be technically patched yet still vulnerable.
Proxy Networks and Residential IP Abuse
To avoid detection, attackers route their traffic through VPN services and residential proxy networks. This makes malicious access appear as if it comes from ordinary home internet users.
Traditional defenses that block suspicious countries or known malicious IP addresses become less effective when attackers blend into normal residential traffic patterns.
This is one reason many organizations fail to detect the breach until after data theft has already occurred.
What Undercode Says:
The shift toward SaaS-focused attacks marks one of the biggest changes in modern cybercrime. For years, organizations invested heavily in endpoint antivirus, device management, and firewall protection. While those controls still matter, the real battlefield has moved into identity systems and cloud applications.
Attackers understand that compromising a trusted account is often more powerful than infecting a device. It gives immediate access to real data through legitimate channels. There is less need for ransomware encryption when silent theft and extortion can generate profit faster.
The use of voice phishing also reveals an uncomfortable truth: human trust remains one of the easiest attack surfaces. Employees are more likely to respond to a calm voice claiming to be IT support than to a suspicious email link.
AiTM phishing kits are especially dangerous because they defeat outdated assumptions about MFA. Many businesses incorrectly believe MFA alone solves phishing risk. In reality, token theft can still bypass certain MFA methods if session security is weak.
Another major lesson is that alerting alone is not enough. If attackers can delete warning emails, then email-based notifications become unreliable as the primary defense signal.
Organizations should move toward behavioral detection. That means spotting impossible travel logins, sudden MFA device changes, mass downloads, unusual search activity, and token reuse anomalies.
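As an added example of the behavioral detection described above (this is illustrative code, not from the article or from any identity provider), the Python below runs three checks over a user's SaaS audit events: impossible travel between consecutive sign-ins, an MFA method added shortly after a sign-in from an IP the organization has never seen for that user, and a bulk download. The events and their field names (user, ts, type, ip, lat, lon, count), the 900 km/h speed ceiling, the 30-minute window and the download threshold are all constructed assumptions; real logs and sensible thresholds differ per environment.

```python
"""Behavioral checks over SaaS audit events: impossible travel, MFA device
changes shortly after an unfamiliar sign-in, and bulk downloads.

The events and all thresholds below are CONSTRUCTED for this example;
real identity-provider and SaaS audit logs use their own schemas.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900            # roughly airliner speed; anything faster is "impossible"
MFA_CHANGE_WINDOW = timedelta(minutes=30)
BULK_DOWNLOAD_THRESHOLD = 200      # files in one download event

# Constructed audit trail for one user, in time order: a London sign-in,
# a New York sign-in 20 minutes later, a new MFA method, then a mass download.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00", "type": "signin",
     "ip": "203.0.113.10", "lat": 51.5, "lon": -0.12},
    {"user": "alice", "ts": "2024-05-01T09:20:00", "type": "signin",
     "ip": "198.51.100.7", "lat": 40.7, "lon": -74.0},
    {"user": "alice", "ts": "2024-05-01T09:35:00", "type": "mfa_method_added",
     "ip": "198.51.100.7", "lat": 40.7, "lon": -74.0},
    {"user": "alice", "ts": "2024-05-01T09:50:00", "type": "download",
     "ip": "198.51.100.7", "lat": 40.7, "lon": -74.0, "count": 450},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events):
    """Flag a sign-in whose implied speed from the previous sign-in exceeds the ceiling."""
    alerts = []
    signins = [e for e in events if e["type"] == "signin"]
    for prev, cur in zip(signins, signins[1:]):
        hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
            alerts.append(("impossible_travel", cur["ts"], round(km), cur["ip"]))
    return alerts


def mfa_change_after_new_ip(events, known_ips):
    """Flag an MFA method added within the window after a sign-in from an unfamiliar IP."""
    alerts = []
    for ev in events:
        if ev["type"] != "mfa_method_added":
            continue
        unfamiliar = [
            s for s in events
            if s["type"] == "signin" and s["ip"] not in known_ips
            and timedelta(0) <= _ts(ev) - _ts(s) <= MFA_CHANGE_WINDOW
        ]
        if unfamiliar:
            alerts.append(("mfa_change_after_unfamiliar_signin", ev["ts"], ev["ip"]))
    return alerts


def bulk_downloads(events):
    """Flag a single download event that pulls more files than the threshold."""
    return [("bulk_download", e["ts"], e["count"])
            for e in events
            if e["type"] == "download" and e.get("count", 0) >= BULK_DOWNLOAD_THRESHOLD]


def run_checks(events, known_ips):
    """Run every check and return the combined alert list."""
    return impossible_travel(events) + mfa_change_after_new_ip(events, known_ips) + bulk_downloads(events)


if __name__ == "__main__":
    # The London address is the only IP previously seen for this user.
    for alert in run_checks(SAMPLE_EVENTS, known_ips={"203.0.113.10"}):
        print(alert)
```

On the constructed trail the three checks fire in sequence: roughly 5,570 km covered in 20 minutes, an MFA method registered 15 minutes after the unfamiliar sign-in, and 450 files pulled in one go. Each signal alone has benign explanations (VPN egress changes, a genuine phone replacement, a legitimate migration), which is why correlating them per user, as here, gives a much stronger case than any single rule, and why these checks belong in a pipeline that reads the identity provider's logs rather than relying on e-mail notifications the attacker can delete.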
Least-privilege access is also critical. If one compromised user can access everything, the environment is already too open.
Security awareness training must evolve as well. Employees should be trained for live social engineering calls, not only suspicious emails.
Cloud logging retention, identity provider audits, and session revocation procedures should be regularly tested. Incident response plans must assume that SaaS compromise can happen silently.
The future of cybersecurity is identity-first security. Whoever controls the account often controls the company’s data.
Fact Checker Results
✅ SaaS platforms such as Google Workspace and SharePoint are increasingly targeted because they store valuable business data.
✅ AiTM phishing is a real and growing threat capable of stealing credentials and session tokens.
✅ Misconfigurations and weak identity security often create larger risks than unpatched software vulnerabilities.
Prediction
🔮 Over the next two years, identity-based attacks against SaaS platforms will grow faster than traditional ransomware incidents.
🔮 More companies will adopt phishing-resistant MFA such as passkeys and hardware keys.
🔮 Security teams will increasingly monitor user behavior inside cloud apps rather than focusing only on device protection.
References:
Reported By: cyberpress.org