AiTM Phishing Attacks Target SharePoint, HubSpot, Google


Jennifer Sherman
May 2, 2026

Threat actors are rapidly shifting their intrusion tradecraft. Their evolving tactics now favor high-speed, SaaS-centric attacks designed to completely bypass traditional endpoint security.

Since October 2025, security researchers have tracked two distinct adversaries, identified as CORDIAL SPIDER and SNARKY SPIDER, conducting aggressive data theft campaigns.

These groups operate almost exclusively within trusted SaaS environments such as SharePoint, HubSpot, and Google Workspace to accelerate their time to impact.

By leveraging single sign-on (SSO) integrations, they minimize their footprint and create significant visibility challenges for enterprise defenders.

Initial Access via Vishing

The adversaries initiate their attacks using targeted voice phishing (vishing) campaigns. They impersonate corporate IT support teams to create a false sense of urgency around security updates or account issues.

This social engineering tactic directs employees to fraudulent adversary-in-the-middle (AiTM) phishing pages that closely mimic legitimate corporate login portals, using deceptive domains like company-sso[.]com.

This Falcon Shield detection details a suspicious sign-in pattern consistent with AiTM phishing attacks (Source: CrowdStrike)

When victims enter their credentials, the attackers capture authentication data and active session tokens in real time.

Because the proxy relays this authentication directly to the legitimate service, users experience a normal login and remain entirely unaware of the compromise.

These stolen credentials grant access to the organization’s identity provider (IdP), providing a single point of entry into multiple SaaS applications.

By abusing the trust relationship between the IdP and connected services, the attackers move laterally across the victim’s entire cloud ecosystem.

Once the attackers secure initial access, they immediately establish persistence by manipulating multifactor authentication (MFA) settings.

This Falcon Shield detection identifies manual deletion of security-related emails by users (Source: CrowdStrike)

They typically remove existing MFA devices and register their own hardware to the compromised accounts while appearing to authenticate from a newly trusted device.

  • SNARKY SPIDER almost exclusively enrolls Genymobile Android emulators to manage connected devices across different operating systems.
  • CORDIAL SPIDER uses a broader range of mobile devices and Windows Quick Emulators (QEMU) for its authentication needs.
  • Threat actors often register their malicious devices to long-standing accounts where MFA had not previously been enabled.
  • Both groups systematically delete automated security emails from the victim’s inbox to hide unauthorized device registrations.
  • Attackers deploy automated inbox rules to instantly filter messages containing keywords such as alert, incident, or MFA.

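The inbox-rule cover described above can be audited from the defender's side. The following is an added example, not CrowdStrike's or the article's code: it scans a constructed, simplified list of mailbox rules (the field names are an assumption, not any vendor's API schema) and flags rules that filter on security keywords and also hide the matched mail.

```python
from datetime import datetime, timedelta

# Keywords the article reports attackers filtering on, plus close variants a defender would add.
SECURITY_KEYWORDS = ("alert", "incident", "mfa", "security", "new device", "sign-in")
# Actions that make mail disappear from the user's view rather than merely organise it.
HIDING_ACTIONS = ("delete", "markAsRead", "moveToJunk", "moveToFolder:RSS Feeds")

def suspicious_rules(rules, now, recent_days=7):
    """Return [(rule_id, reasons)] for rules that both match security mail and hide it."""
    findings = []
    for rule in rules:
        reasons = []
        text = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", [])).lower()
        hits = [k for k in SECURITY_KEYWORDS if k in text]
        if hits:
            reasons.append(f"matches security keywords {hits}")
        hiding = [a for a in rule.get("actions", []) if a in HIDING_ACTIONS]
        if hiding:
            reasons.append(f"hides mail via {hiding}")
        age = now - datetime.fromisoformat(rule["created"])
        if age <= timedelta(days=recent_days):
            reasons.append(f"created {int(age.total_seconds() // 3600)}h ago")
        # A keyword match alone (e.g. filing security mail into a folder) is normal;
        # keyword match combined with a hiding action is the pattern worth escalating.
        if hits and hiding:
            findings.append((rule["id"], reasons))
    return findings

# Constructed sample rules (hypothetical schema; not real mailbox data).
NOW = datetime(2026, 4, 14, 12, 0)
SAMPLE_RULES = [
    {"id": "r1", "subject_contains": ["newsletter"], "actions": ["moveToFolder:Reading"],
     "created": "2025-11-02T08:00:00"},
    {"id": "r2", "subject_contains": ["MFA", "alert"], "body_contains": ["new device"],
     "actions": ["markAsRead", "delete"], "created": "2026-04-14T10:00:00"},
    {"id": "r3", "subject_contains": ["security"], "actions": ["moveToFolder:Security"],
     "created": "2026-04-10T09:00:00"},
]

if __name__ == "__main__":
    for rule_id, reasons in suspicious_rules(SAMPLE_RULES, NOW):
        print(rule_id, "; ".join(reasons))
```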
Rapid Data Exfiltration

With secure and stealthy access established, the threat actors execute targeted searches across connected SaaS platforms to locate high-value information.

SNARKY SPIDER begins exfiltration in under an hour (Source: CrowdStrike)

They frequently query terms such as confidential, SSN, contracts, and VPN to prioritize business-critical documents and infrastructure credentials.

Following this reconnaissance phase, the adversaries move quickly to aggregate and download massive datasets.

In many documented incidents, SNARKY SPIDER begins high-volume data exfiltration within an hour of the initial compromise.

These rapid breaches exploit customer misconfigurations, such as missing phishing-resistant MFA, rather than underlying vulnerabilities in the SaaS platforms themselves.

To obscure their geographic locations and evade IP-based detection, both threat groups route their traffic through commercial VPNs and residential proxy networks.

Falcon Shield detection identifies when a user downloads files at an unusually high volume (Source: CrowdStrike)

Providers like Mullvad, Oxylabs, and NetNut assign real home-user IP addresses to attackers, making malicious activity appear as benign residential traffic.
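The sequence the article describes, MFA device enrollment followed by keyword searches and bulk downloads within the hour from anonymized IPs, is a correlation a SaaS audit pipeline can check for. This is an added example, not CrowdStrike's or the article's code: the events, field names, threshold and the anonymizer lookup are all constructed placeholders (a real deployment would feed the lookup from a VPN/residential-proxy intelligence list).

```python
from datetime import datetime, timedelta

# Constructed placeholder for a VPN / residential-proxy egress lookup; 203.0.113.0/24 is
# documentation address space, not a real provider range.
ANONYMIZER_IPS = {"203.0.113.7": "residential-proxy (constructed label)"}

def _event(minutes, user, action, ip, **extra):
    base = datetime(2026, 4, 14, 9, 0)  # arbitrary constructed start time
    return {"ts": base + timedelta(minutes=minutes), "user": user, "action": action, "ip": ip, **extra}

# Constructed audit events: a.lee mirrors the article's chain; b.ng is a benign enrollment.
EVENTS = (
    [_event(0, "a.lee", "mfa_device_registered", "203.0.113.7", device="android-emulator"),
     _event(3, "a.lee", "search", "203.0.113.7", query="confidential SSN VPN")]
    + [_event(10 + i, "a.lee", "file_download", "203.0.113.7") for i in range(40)]
    + [_event(0, "b.ng", "mfa_device_registered", "198.51.100.20", device="iphone"),
       _event(30, "b.ng", "file_download", "198.51.100.20")]
)

def detect_post_enrollment_exfil(events, window_minutes=60, download_threshold=25):
    """Flag users whose file downloads exceed the threshold within the window after MFA enrollment."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in (e for e in evs if e["action"] == "mfa_device_registered"):
            end = anchor["ts"] + timedelta(minutes=window_minutes)
            window = [e for e in evs if anchor["ts"] <= e["ts"] <= end]
            downloads = [e for e in window if e["action"] == "file_download"]
            if len(downloads) < download_threshold:
                continue
            first_gap = downloads[0]["ts"] - anchor["ts"]
            findings.append({
                "user": user,
                "downloads": len(downloads),
                "minutes_to_first_download": int(first_gap.total_seconds() // 60),
                "searches": [e["query"] for e in window if e["action"] == "search"],
                "anonymizer": ANONYMIZER_IPS.get(anchor["ip"]),  # None if not a known egress
            })
    return findings

if __name__ == "__main__":
    for f in detect_post_enrollment_exfil(EVENTS):
        print(f)
```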

Defending against these sophisticated techniques requires comprehensive SaaS security posture management and advanced anomaly detection.

Platforms like CrowdStrike Falcon Shield address these visibility gaps by applying deep SaaS expertise to analyze authentication flows and user behaviors.

By combining entity-aware statistical models with new-age network intelligence, security teams can reliably identify anonymization services, cluster adversarial infrastructure, and disrupt these high-speed cloud threats.
