Cordial Spider and Snarky Spider: High-Speed Data Theft via SaaS Environments
Cybersecurity researchers are tracking two cybercrime groups, **Cordial Spider** and **Snarky Spider**, that are executing rapid data theft and extortion campaigns within SaaS environments. These groups leverage vishing and adversary-in-the-middle (AiTM) attacks to compromise credentials and access sensitive data.

Cybersecurity researchers are sounding the alarm about two cybercrime groups carrying out "rapid, high-impact attacks" almost entirely within SaaS environments, leaving minimal traces. These groups, **Cordial Spider** (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and **Snarky Spider** (aka O-UNC-025 and UNC6661), are known for high-speed data theft and extortion campaigns with similar operational patterns.
Both groups have been active since at least October 2025, with **Snarky Spider**, a native English-speaking crew, linked to the e-crime ecosystem known as The Com.
### Vishing and AiTM Attacks
According to a report by **CrowdStrike**'s Counter Adversary Operations, "In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications."
"By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders."
### Ties to ShinyHunters
A January 2026 report by **Google**-owned **Mandiant** revealed that these clusters represent an expansion in threat activity consistent with extortion attacks by the **ShinyHunters** group. This includes impersonating IT staff to deceive victims into providing credentials and multi-factor authentication (MFA) codes through phishing pages.

_Snarky Spider begins exfiltration in under an hour_
### Targeting Retail and Hospitality
Last week, **Palo Alto Networks** Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) assessed that the attackers behind CL-CRI-1116 are likely associated with The Com. These intrusions primarily use living-off-the-land (LotL) techniques and residential proxies to conceal their location and bypass IP-based reputation filters.
Researchers Lee Clark, Matt Brady, and Cuong Dinh stated, "CL-CRI-1116 activity has been actively targeting the retail and hospitality space since February 2026, specifically leveraging vishing attacks impersonating IT help desk personnel in combination with phishing login sites to steal credentials."
### Bypassing MFA and Targeting High-Privilege Accounts
To bypass MFA, the groups remove the victim's existing devices and register their own, then suppress the automated email notifications about the unauthorized device registration by configuring inbox rules that delete such messages.
Next, they target high-privilege accounts through social engineering, scraping internal employee directories to identify them. Once they gain elevated access, the adversaries comb the SaaS environment for high-value files and business-critical reports in **Google Workspace**, **HubSpot**, **Microsoft SharePoint**, and **Salesforce**, and exfiltrate the data to their own infrastructure.
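As an added example (not code from CrowdStrike's or Unit 42's reporting), the following Python sketch shows how a defender could correlate the chain described above in IdP and mailbox audit logs: an existing MFA device removed, a new device registered, and then an inbox rule created that deletes device-registration notices, all for one user inside a short window. The event names, field names and sample records are constructed assumptions, not the schema of any specific IdP or mail platform.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (assumed schema, not real logs).
# Only alice shows the full remove -> register -> suppress chain.
EVENTS = [
    {"ts": "2026-03-02T09:10:00", "user": "alice@example.com",
     "action": "mfa_device_removed", "detail": "phone-1"},
    {"ts": "2026-03-02T09:12:00", "user": "alice@example.com",
     "action": "mfa_device_registered", "detail": "new-phone"},
    {"ts": "2026-03-02T09:15:00", "user": "alice@example.com",
     "action": "inbox_rule_created", "detail": "delete if subject contains 'new device'"},
    {"ts": "2026-03-02T11:00:00", "user": "bob@example.com",
     "action": "mfa_device_registered", "detail": "phone-2"},
    {"ts": "2026-03-03T08:00:00", "user": "carol@example.com",
     "action": "inbox_rule_created", "detail": "move newsletters to folder"},
]

# Words that suggest a rule is aimed at security notifications rather than housekeeping.
SUSPICIOUS_RULE_TERMS = ("device", "security alert", "sign-in", "mfa")


def find_mfa_takeover_chains(events, window=timedelta(hours=2)):
    """Return one hit per user whose events show, within `window` of a device removal,
    a new MFA device registration followed by an inbox rule that deletes security mail."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e))
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x[0])
        for i, (t0, e0) in enumerate(evs):
            if e0["action"] != "mfa_device_removed":
                continue
            registered = rule = None
            for t, e in evs[i + 1:]:
                if t - t0 > window:
                    break  # later events fall outside the correlation window
                if e["action"] == "mfa_device_registered" and registered is None:
                    registered = e
                elif e["action"] == "inbox_rule_created" and registered is not None:
                    text = e["detail"].lower()
                    if "delete" in text and any(term in text for term in SUSPICIOUS_RULE_TERMS):
                        rule = e
                        break
            if registered and rule:
                hits.append({"user": user, "removed": e0["detail"],
                             "registered": registered["detail"], "rule": rule["detail"]})
    return hits
```

Bob's lone device registration and Carol's housekeeping rule are not flagged, which keeps the alert focused on the full sequence rather than on any single routine event.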
### Abusing Trust Relationships
"In most observed cases, these credentials grant access to the organization's identity provider (IdP), providing a single point of entry into multiple SaaS applications," **CrowdStrike** said. "By abusing the trust relationship between the IdP and connected services, the adversaries bypass the need to compromise individual SaaS apps and instead move laterally across the victim's entire SaaS ecosystem with a single authenticated session."