Researchers Identify Rapid SaaS Extortion Attacks by Cybercrime Groups Using Vishing and SSO Abuse

Cybersecurity researchers have identified two cybercrime groups known as Cordial Spider and Snarky Spider conducting rapid, high-impact attacks focused on SaaS environments. These attacks use vishing and single sign-on (SSO) abuse, enabling fast data theft and extortion while minimizing observable traces.
What happened
Security researchers reported that the cybercriminal clusters Cordial Spider and Snarky Spider are actively exploiting SaaS platforms to carry out rapid data theft and extortion schemes. These groups operate almost exclusively within SaaS environments, relying heavily on vishing — a form of voice phishing — and abusing SSO mechanisms to gain quick access to target systems. The nature of their operations enables them to execute attacks swiftly and with a low footprint, complicating detection and incident response efforts.
Why it matters
These incidents highlight a shift where criminal actors focus on SaaS platforms and identity systems, leveraging their trusted access to cause significant damage in a short period. The use of vishing combined with SSO abuse represents an evolved threat vector that bypasses traditional network defenses, emphasizing the increasing challenge of securing cloud and identity infrastructures. Organizations relying heavily on SaaS tools must recognize the heightened risks and adapt their security posture accordingly.
What security teams should do
Security teams are advised to refine monitoring practices around SaaS environments and closely scrutinize SSO authentication events for unusual patterns. Employee awareness training on vishing attacks should also be prioritized, as social engineering remains a key initial entry vector. Reviewing and tightening identity and access management policies, especially regarding SSO implementations, can help mitigate the risk of unauthorized access. Investigating and responding promptly to any suspicious access or communication attempts is critical.
Key technical details
The groups Cordial Spider (also known as BlackFile, CL-CRI-1116, O-UNC-045, UNC6671) and Snarky Spider (also referred to as O-UNC-025 and UNC6661) execute attacks characterized by rapid data theft and extortion campaigns. Their method involves vishing to manipulate users into revealing credentials or approving access, coupled with exploiting single sign-on systems to move quickly within SaaS platforms. The attacks leave few forensic traces, highlighting the stealth tactics employed. This combination lets the groups operate almost entirely within SaaS environments, which makes their operations both efficient and hard to detect.
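One way to scrutinize SSO authentication events for this kind of rapid movement, as an added example that is not from the original report or the researchers: it flags a source IP that is new to a user and reaches several SaaS apps through SSO within minutes. The event fields, thresholds, baseline and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO sign-in events (not real logs):
# (timestamp, user, source IP, target SaaS app).
EVENTS = [
    ("2026-05-04T09:01:00", "alice", "198.51.100.7", "mail"),
    ("2026-05-04T13:30:00", "alice", "198.51.100.7", "crm"),
    ("2026-05-05T09:02:00", "alice", "198.51.100.7", "mail"),
    ("2026-05-05T10:15:00", "bob", "203.0.113.20", "mail"),
    ("2026-05-05T10:16:00", "bob", "203.0.113.20", "crm"),
    ("2026-05-05T10:18:00", "bob", "203.0.113.20", "file-share"),
    ("2026-05-05T10:21:00", "bob", "203.0.113.20", "hr"),
    ("2026-05-05T11:00:00", "carol", "192.0.2.44", "mail"),
]
# Source IPs already seen per user before this batch (assumed, constructed baseline).
BASELINE = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.9"}, "carol": set()}


def detect_sso_fanout(events, baseline, window=timedelta(minutes=10), min_apps=3):
    """Flag (user, ip) pairs where an IP new to the user reaches at least
    min_apps distinct SaaS apps through SSO inside one sliding window."""
    by_source = defaultdict(list)
    for ts, user, ip, app in events:
        if ip not in baseline.get(user, set()):  # only unfamiliar sources
            by_source[(user, ip)].append((datetime.fromisoformat(ts), app))

    alerts = []
    for (user, ip), hits in by_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the left edge until the span fits inside the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            apps = {app for _, app in hits[start:end + 1]}
            if len(apps) >= min_apps:
                alerts.append({"user": user, "ip": ip, "apps": sorted(apps),
                               "first_seen": hits[start][0].isoformat()})
                break  # one alert per (user, ip) source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_sso_fanout(EVENTS, BASELINE):
        print(alert)
```

The window and app-count thresholds need tuning against an organization's normal sign-in behaviour, since a legitimate user on a new network can also open several apps in quick succession.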
Affected organizations/products
The attacks target SaaS environments broadly, with observed focus on platforms utilizing SSO for user authentication. Specific organizations or products impacted were not disclosed.
Source attribution
https://thehackernews.com/2026/05/cybercrime-groups-using-vishing-and-sso.html