Two threat actor clusters newly designated by CrowdStrike intelligence — Cordial Spider (tracked as UNC6671) and Snarky Spider (UNC6661) — are operating coordinated campaigns that combine vishing (voice phishing against help desks) with adversary-in-the-middle (AiTM) SSO proxy attacks to bypass multi-factor authentication and establish persistent access to enterprise Microsoft 365, Okta, and Entra ID environments. The campaign has been active across finance, technology, and logistics organisations since late February, with confirmed victim count in the dozens across Europe and North America.
Attack Chain
The Cordial Spider / Snarky Spider kill chain has two distinct initial access paths that frequently complement each other:
Path A — Vishing against IT help desk: The attacker calls the target organisation’s IT help desk impersonating an employee, typically claiming to be locked out of their account, requesting an MFA reset. The caller supplies enough personal information about the impersonated employee (name, employee ID, department, manager name) to pass basic identity verification — information gathered from LinkedIn, corporate directories, and prior data breach exposures. Once the help desk resets or adds an MFA device, the attacker has clean access.
Path B — SSO AiTM phishing: The attacker sends a phishing email containing a link to an AiTM proxy page that renders the legitimate SSO login page in real-time. When the victim enters their credentials and completes MFA, the proxy intercepts the post-authentication session token, which the attacker captures and replays to establish their own authenticated session. The victim sees a completed login; the attacker simultaneously holds a valid session token. This technique bypasses all forms of push-based and TOTP-based MFA — only phishing-resistant authentication (FIDO2/passkeys) is resistant to AiTM.
The two actors are assessed to share tooling infrastructure and may be affiliates within the same criminal operation, operating different phases of the same campaign against overlapping target sets.
Why SSO Makes This Worse
Both attack paths target the SSO layer specifically because it delivers access to all connected applications simultaneously. A successfully compromised Okta or Entra ID SSO session provides access to every application in the organisation’s SSO federation — email, file storage, HR systems, ERP, code repositories, and SaaS applications — with a single stolen token. This is the economy of scale that makes SSO environments the highest-value target for credential theft operations.
The AiTM proxy technique in particular is highly effective against enterprise SSO because organisations have trained users to follow the flow of a login redirect — the phishing page is not a clone, it is a real proxy of the actual SSO page, showing the organisation’s branding and domain with the only discrepancy being a slightly different domain in the browser bar that users frequently miss.
Post-Compromise Activity
Following initial access, both actor clusters exhibit consistent post-compromise behaviour:
- Immediate email rule creation to forward correspondence to external addresses and delete security notification emails from the mailbox
- OAuth application registration to establish long-term persistent access independent of the initial stolen session
- Enumeration of SharePoint/OneDrive for documents containing credentials, contracts, financial data, and M&A materials
- Lateral movement to other cloud applications via the established SSO session
- In several confirmed incidents: BEC (business email compromise) fraud initiated within hours of account access
Recommended Defences
Enforce phishing-resistant MFA at SSO: Mandate FIDO2 hardware keys or passkeys for all users authenticating to SSO providers. AiTM proxies cannot intercept FIDO2/WebAuthn challenges because the cryptographic binding is to the legitimate origin domain. This is the only MFA control that eliminates the AiTM vector.
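The origin binding described above is what a relying party actually checks when it validates a WebAuthn assertion. The following is an added illustration written for this article, not code from CrowdStrike, any identity provider, or a WebAuthn library: it re-implements two steps of the WebAuthn assertion verification procedure (the clientDataJSON origin check and the authenticatorData rpIdHash check) and shows the message a real library would then verify a signature over. The relying-party ID, origin and challenge values are constructed; signature verification itself is left to a proper WebAuthn library.

```python
"""Relying-party checks that give FIDO2/WebAuthn its origin binding.
Illustrative code: implements the origin and rpIdHash checks from the
WebAuthn assertion verification procedure. The RP ID, origin and
challenge values below are constructed for this example."""
import base64
import hashlib
import json
import secrets

RP_ID = "sso.example.com"                  # constructed relying-party ID
EXPECTED_ORIGIN = "https://sso.example.com"  # the only origin the RP accepts


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """Serialise clientDataJSON as the browser does. The origin field is
    filled in by the browser from the page's actual origin; page content
    (or a proxy serving that page) cannot choose it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str) -> bytes:
    """authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """Return (ok, reason, signed_message). signed_message is the byte string a
    WebAuthn library verifies the authenticator's signature over."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type", None
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch", None
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}", None
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch", None
    signed_message = auth_data + hashlib.sha256(client_data).digest()
    return True, "ok", signed_message


def demo():
    """Legitimate login versus a login relayed through a page on another origin."""
    challenge = secrets.token_bytes(32)
    ok_legit, _, _ = verify_assertion(
        build_client_data(challenge, EXPECTED_ORIGIN),
        build_authenticator_data(RP_ID), challenge)
    # A page served from a different domain gets that domain written into
    # clientDataJSON by the browser, and the browser only allows an rpId that
    # is a registrable suffix of that domain, so the rpIdHash differs as well.
    ok_proxy, reason, _ = verify_assertion(
        build_client_data(challenge, "https://sso-example.com"),  # constructed lookalike
        build_authenticator_data("sso-example.com"), challenge)
    return ok_legit, ok_proxy, reason


if __name__ == "__main__":
    print(demo())
```

The point the code makes is that the assertion relayed from another origin is rejected before any signature is examined: the origin check fails on the first discrepancy, and even a matching origin string would still have to pass the rpIdHash check and the signature over the real clientDataJSON. A push notification or TOTP code carries no equivalent binding, which is why the article treats FIDO2/passkeys as the only MFA form that closes the AiTM vector.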
Strengthen help desk verification: Require video call or manager authorisation for any MFA device resets or account recovery requests. Remove knowledge-based authentication questions — any information an employee might know is also publicly available or breach-exposed. This is the specific vector Cordial Spider uses for help desk social engineering.
Enable conditional access restrictions on OAuth app consent: Any newly-registered OAuth application attempting to access user data should require administrator approval. Attackers register persistent OAuth apps to maintain access — blocking unapproved app registrations removes this persistence mechanism.
Monitor for anomalous SSO session characteristics: New device logins from unrecognised IP ranges, rapid application access enumeration after login, and email rule creation within minutes of a login event are reliable indicators of compromised SSO accounts. Configure SIEM rules or use your identity provider’s risky sign-in alerts.
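Two of the indicators named above (inbox-rule creation within minutes of a login from an unrecognised network, and a burst of application access right after login) can be correlated from an identity-provider sign-in log and a mailbox audit log. The following is an added example written for this article, not detection content from CrowdStrike or any SIEM vendor: the log lines, the "known" network range, the field names and the thresholds are all constructed, and would need mapping onto your own identity provider's and mail platform's schemas.

```python
"""Correlate sign-in events with mailbox audit events to flag the
post-login pattern described above. Event format, network range and
thresholds are constructed for this example."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: networks the organisation treats as recognised (RFC 5737 test range).
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample events, newline-delimited JSON. alice logs in from a known
# network; bob logs in from an unknown address, creates an inbox rule within
# minutes and then touches several applications in quick succession.
SAMPLE_LOG = """
{"ts": "2024-03-04T08:00:00Z", "type": "signin", "user": "alice@example.com", "ip": "198.51.100.20", "app": "Outlook"}
{"ts": "2024-03-04T08:01:00Z", "type": "signin", "user": "alice@example.com", "ip": "198.51.100.20", "app": "SharePoint"}
{"ts": "2024-03-04T09:15:00Z", "type": "signin", "user": "bob@example.com", "ip": "203.0.113.45", "app": "Outlook"}
{"ts": "2024-03-04T09:17:30Z", "type": "mailbox_audit", "user": "bob@example.com", "operation": "New-InboxRule", "ip": "203.0.113.45"}
{"ts": "2024-03-04T09:18:00Z", "type": "signin", "user": "bob@example.com", "ip": "203.0.113.45", "app": "SharePoint"}
{"ts": "2024-03-04T09:18:20Z", "type": "signin", "user": "bob@example.com", "ip": "203.0.113.45", "app": "OneDrive"}
{"ts": "2024-03-04T09:18:40Z", "type": "signin", "user": "bob@example.com", "ip": "203.0.113.45", "app": "Teams"}
{"ts": "2024-03-04T09:19:00Z", "type": "signin", "user": "bob@example.com", "ip": "203.0.113.45", "app": "Workday"}
{"ts": "2024-03-04T10:00:00Z", "type": "mailbox_audit", "user": "alice@example.com", "operation": "New-InboxRule", "ip": "198.51.100.20"}
"""

RULE_WINDOW = timedelta(minutes=10)   # inbox rule this soon after a new-network login
ENUM_WINDOW = timedelta(minutes=5)    # window for counting distinct applications
ENUM_THRESHOLD = 4                    # distinct apps within ENUM_WINDOW


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_known_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def detect(events: list) -> list:
    """Return (user, indicator, timestamp) tuples for the two correlated indicators."""
    alerts = []
    # Sign-ins from networks the organisation does not recognise, per user.
    unknown_signins = defaultdict(list)
    for e in events:
        if e["type"] == "signin" and not is_known_ip(e["ip"]):
            unknown_signins[e["user"]].append(e)

    # Indicator 1: inbox rule created within RULE_WINDOW of an unknown-network login.
    for e in events:
        if e["type"] == "mailbox_audit" and e["operation"] == "New-InboxRule":
            recent = [s for s in unknown_signins[e["user"]]
                      if timedelta(0) <= e["ts"] - s["ts"] <= RULE_WINDOW]
            if recent:
                alerts.append((e["user"], "inbox_rule_after_new_network_login", e["ts"]))

    # Indicator 2: many distinct applications reached within ENUM_WINDOW of a login.
    for user, signins in unknown_signins.items():
        for i, first in enumerate(signins):
            apps = {s["app"] for s in signins[i:] if s["ts"] - first["ts"] <= ENUM_WINDOW}
            if len(apps) >= ENUM_THRESHOLD:
                alerts.append((user, "rapid_app_enumeration", first["ts"]))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Alice's inbox rule at 10:00 produces no alert because it is not preceded by a login from an unrecognised network, whereas bob trips both indicators. In production the "known network" list would come from the identity provider's named locations, and the per-user sign-in history should also feed a new-device comparison; the structure of the correlation stays the same.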
Educate help desk staff specifically about vishing: The help desk social engineering vector requires human intervention to succeed. Tabletop exercises simulating vishing scenarios — including callers with correct employee details — should be part of security awareness programmes for IT support staff.