⚠️ Massive SaaS Credential Theft Campaign Spreads Through AiTM and Vishing Attacks
Since October 2025, two threat groups tracked as CORDIAL SPIDER and SNARKY SPIDER have been targeting SaaS identity providers (IdPs) with a combination of voice phishing (vishing) and adversary-in-the-middle (AiTM) phishing pages. The goal is to defeat multi-factor authentication (MFA) and obtain authenticated sessions in enterprise cloud tenants; once inside, the actors exfiltrate data from widely used platforms such as SharePoint and Google Workspace.

The technique works because an AiTM page is a reverse proxy placed in front of the real IdP login: the victim's password and one-time code or push approval are forwarded to the legitimate service in real time, MFA completes successfully, and the attacker captures the session cookie issued afterwards. Nothing fails from the IdP's perspective, so MFA alerts do not fire. This is a step beyond credential theft: the attacker takes over the authenticated session rather than just the password. SaaS ecosystems are attractive targets because data is centralised and enterprises depend on them, and pairing AiTM infrastructure with live vishing calls against the same targets raises success rates considerably. Organisations across sectors now face heightened exposure to data theft, credential compromise and follow-on intrusion.
📊 Explosive Growth in Email Threats and QR Code Phishing Attacks
Q1 2026 data shows a 146% rise in QR code-based phishing ("quishing") campaigns, a shift toward mobile-oriented deception. Business Email Compromise (BEC) continues to dominate the threat landscape, with an estimated 10.7 million incidents reported in the same period; these typically impersonate executives or trusted vendors to redirect payments or extract sensitive information. On the defensive side, Microsoft's disruption of the Tycoon2FA phishing-as-a-service kit reportedly cut phishing page availability by roughly 15% in March, but operators are adapting quickly by rotating infrastructure and deploying new kits. QR code phishing is effective because the link is embedded in an image: URL-based filters and link-rewriting gateways have nothing to scan, and the victim typically scans the code with a personal phone, outside the managed browser, EDR and network controls, before landing on a cloned authentication page. With social engineering and technical evasion combined, email security is getting harder, and organisations have to extend protection to the mobile and identity layers rather than rely on endpoint controls alone.
What Undercode Say:
🧠 Evolution of Threat Actor Strategy
The shift from credential phishing to AiTM interception is a significant change in tradecraft. Attackers no longer rely on stolen passwords alone but sit in the authentication flow as a proxy and take over the session as it is created. Because the legitimate IdP sees a successful login with MFA satisfied, controls that alert on failed or missing MFA see nothing; the remaining signals are indirect, such as the sign-in originating from hosting infrastructure rather than the user's usual network, or the issued session token being used from a different location shortly afterwards.
☎️ Vishing as a High-Impact Entry Vector
Voice phishing has become a core component of modern SaaS attacks. By working on employees directly over the phone, attackers sidestep technical controls and exploit trust-based decision-making. This human-centric weakness remains one of the most reliable entry points for these groups.
☁️ SaaS Platforms as High-Value Targets
Cloud productivity ecosystems such as SharePoint and Google Workspace are increasingly attractive due to centralized data storage. Once compromised, attackers gain access to emails, documents, and internal communications, enabling deeper lateral movement within organizations.
🧩 MFA Bypass Reality Check
MFA remains essential, but AiTM shows that MFA based on passwords plus one-time codes, SMS or push approvals is not a standalone defence: those factors can be relayed through the proxy in real time and the resulting session cookie captured, without producing the failure events traditional alerts look for. The exception is phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys, and certificate-based authentication: the authenticator's response is cryptographically bound to the origin of the real site, so a proxy on a look-alike domain cannot complete the challenge. Moving high-risk and privileged users to those methods, together with conditional access on sign-in location and shorter session lifetimes, is the practical remediation.
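The two indirect signals described above (MFA completed from a hosting ASN, and the issued session token reused from a different network shortly after) can be turned into a detection. The script below is an added example, not code from the original article or from any IdP vendor: the JSON-lines log schema, field names, the hosting-ASN list and the sample events are all constructed for illustration. It also encodes the caveat from the section above by skipping sessions that were established with a phishing-resistant factor, since an AiTM proxy cannot have produced them.

```python
"""
AiTM session-theft indicators over IdP sign-in logs (constructed example).

Two indicators, applied only to sessions created with relayable factors:
  1. MFA completed from a hosting/VPS ASN: the IdP saw the proxy, not the user.
  2. The same session token used from a different ASN shortly after sign-in:
     the cookie was exported from the proxy and replayed by the attacker.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# FIDO2/WebAuthn and certificate auth are origin-bound; a proxied page cannot
# complete them, so sessions created with these factors are not AiTM candidates.
PHISHING_RESISTANT = {"fido2", "webauthn", "certificate"}

# Constructed list of hosting/VPS ASNs. In production, feed this from ASN intel.
HOSTING_ASNS = {"AS14061", "AS16509", "AS20473"}

# Constructed sample log, one JSON object per line (schema is invented):
#  - alice: normal password+push login, activity from the same ASN
#  - bob:   password+OTP completed from a VPS ASN, then the session token is
#           used from a different ASN about 3.5 minutes later (AiTM pattern)
#  - carol: FIDO2 login; not relayable, so not an AiTM candidate
SAMPLE_LOG = """\
{"ts": "2026-03-03T09:12:04Z", "user": "alice@example.com", "event": "signin", "asn": "AS7018", "session": "s-1111", "factors": ["password", "push"], "result": "success"}
{"ts": "2026-03-03T09:20:31Z", "user": "alice@example.com", "event": "activity", "asn": "AS7018", "session": "s-1111", "factors": [], "result": "success"}
{"ts": "2026-03-03T10:02:17Z", "user": "bob@example.com", "event": "signin", "asn": "AS14061", "session": "s-2222", "factors": ["password", "otp"], "result": "success"}
{"ts": "2026-03-03T10:05:48Z", "user": "bob@example.com", "event": "activity", "asn": "AS9009", "session": "s-2222", "factors": [], "result": "success"}
{"ts": "2026-03-03T11:30:00Z", "user": "carol@example.com", "event": "signin", "asn": "AS14061", "session": "s-3333", "factors": ["fido2"], "result": "success"}
{"ts": "2026-03-03T11:31:00Z", "user": "carol@example.com", "event": "activity", "asn": "AS9009", "session": "s-3333", "factors": [], "result": "success"}
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str                 # "signin" or "activity"
    asn: str
    session: str
    factors: tuple[str, ...]  # factors satisfied on a sign-in, empty otherwise
    result: str


def parse(log: str) -> list[Event]:
    """Parse JSON lines into Events sorted by timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(Event(
            ts=datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            user=rec["user"], kind=rec["event"], asn=rec["asn"],
            session=rec["session"], factors=tuple(rec.get("factors", [])),
            result=rec["result"],
        ))
    return sorted(events, key=lambda e: e.ts)


def is_relayable(factors) -> bool:
    """True if every factor in the set can be forwarded by an AiTM proxy."""
    return not (set(factors) & PHISHING_RESISTANT)


def detect_aitm(events: list[Event], window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Return one finding per (session, indicator) that matches the AiTM pattern."""
    findings = []
    by_session: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_session[e.session].append(e)

    for session, evs in by_session.items():
        logins = [e for e in evs if e.kind == "signin" and e.result == "success"]
        if not logins:
            continue
        login = logins[0]
        if not is_relayable(login.factors):
            continue  # phishing-resistant: AiTM cannot have created this session

        if login.asn in HOSTING_ASNS:
            findings.append({"user": login.user, "session": session,
                             "indicator": "relayable_mfa_from_hosting_asn",
                             "detail": f"MFA completed from {login.asn}"})

        # Token issued to one network, presented from another within the window.
        for e in evs:
            delta = e.ts - login.ts
            if e.kind == "activity" and e.asn != login.asn and timedelta(0) <= delta <= window:
                minutes = int(delta.total_seconds() // 60)
                findings.append({"user": login.user, "session": session,
                                 "indicator": "session_replayed_from_new_asn",
                                 "detail": f"issued to {login.asn}, used from {e.asn} after {minutes} min"})
                break
    return findings


def run_detection() -> list[dict]:
    return detect_aitm(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

Both indicators fire on bob's session only; carol's FIDO2 session is excluded by design even though its token also moves between networks, because that pattern points to a different theft mechanism (for example an infostealer) and belongs in a separate rule. Tune `window` and the ASN list to the tenant's own baseline before deploying.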
📉 Defensive Measures Struggling to Scale
Even with interventions like Microsoft’s Tycoon2FA disruption, the overall threat volume continues to grow. A 15% reduction in phishing pages is offset by rapid attacker adaptation and infrastructure regeneration across multiple domains.
📲 QR Code Phishing as a Mobile Weapon
The rise of QR-based phishing reflects a mobile-first attack strategy. The QR image carries the URL past mail filters, and a user who scans it with a personal phone lands on a cloned login page from a device that has none of the desktop's browser protections, EDR or web proxy.
💰 Business Email Compromise Expansion
With over 10.7 million BEC incidents recorded, financial manipulation through email impersonation remains one of the most profitable cybercrime models. Attackers increasingly combine social engineering with stolen credentials for higher success rates.
🔄 Attack Automation and Scaling Trends
Modern threat groups are leveraging automation to scale phishing operations globally. This allows simultaneous targeting of multiple organizations while dynamically rotating infrastructure to avoid detection.
🔍 Fact Checker Results
✔️ Verified Threat Actor Activity
Reports confirm the emergence of advanced phishing groups using AiTM and vishing tactics to target SaaS environments and bypass MFA protections.
✔️ Confirmed Surge in QR Phishing
Cybersecurity monitoring indicates a significant rise in QR code-based phishing attacks, aligning with mobile usage trends and email filter evasion techniques.
✔️ Partial Mitigation Success
Microsoft’s Tycoon2FA disruption has been shown to reduce phishing infrastructure temporarily, though attackers continue adapting rapidly.
📈 Prediction
🔮 Escalation Toward Fully Automated AiTM Ecosystems
Cybercriminal groups are expected to further automate AiTM phishing frameworks, reducing human effort while increasing attack scale and precision. MFA bypass will likely become more accessible as phishing kits mature into subscription phishing-as-a-service offerings, driving a new wave of enterprise cloud compromises in the coming months.
References:
Reported By: x.com