Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
Home/CyberSecurity News/AiTM Phishing Attacks Target Microsoft 365, HubSpot, and Google Workspace
CyberSecurity News

AiTM Phishing Attacks Target Microsoft 365, HubSpot, and Google Workspace

Key Takeaways Two distinct threat groups, CORDIAL SPIDER and SNARKY SPIDER, are executing advanced adversary-in-the-middle (AiTM) phishing campaigns. These attacks specifically target major SaaS...

Jennifer sherman
Jennifer sherman
May 2, 2026 4 Min Read
59 0

Key Takeaways

  • Two distinct threat groups, CORDIAL SPIDER and SNARKY SPIDER, are executing advanced adversary-in-the-middle (AiTM) phishing campaigns.
  • These attacks specifically target major SaaS platforms including Microsoft 365, HubSpot, and Google Workspace.
  • Initial access is gained via vishing, followed by real-time credential and session token theft, enabling rapid data exfiltration.
  • Attackers establish persistence by manipulating multi-factor authentication (MFA) settings and deleting security alerts.
  • The effectiveness of these attacks often stems from customer misconfigurations, particularly the absence of phishing-resistant MFA, rather than inherent SaaS vulnerabilities.

Cyber adversaries are rapidly evolving their attack methodologies, increasingly focusing on high-speed, SaaS-centric intrusions designed to bypass conventional endpoint security measures. This strategic shift facilitates quicker compromise and broader impact within enterprise environments.

Table Of Content

  • Key Takeaways
  • Initial Access via Vishing
  • Establishing Persistence and Evading Detection
  • Rapid Data Exfiltration
  • What You Should Do

Since October 2025, security researchers have been tracking the activities of two distinct threat actors, dubbed CORDIAL SPIDER and SNARKY SPIDER. These groups are engaged in aggressive data theft operations, primarily targeting trusted Software-as-a-Service (SaaS) ecosystems.

Their operational focus almost exclusively lies within platforms such as SharePoint, HubSpot, and Google Workspace. By leveraging existing single sign-on (SSO) integrations, these adversaries minimize their digital footprint, creating significant challenges for organizations attempting to detect and defend against their activities.

Initial Access via Vishing

The entry point for these sophisticated attacks is typically through targeted voice phishing (vishing) campaigns. Attackers impersonate IT support personnel, generating a fabricated sense of urgency around issues like security updates or account problems. This social engineering tactic directs unsuspecting employees to fraudulent adversary-in-the-middle (AiTM) phishing sites.

These deceptive pages are meticulously crafted to mimic legitimate corporate login portals, often using convincing but fraudulent domains such as company-sso[.]com. When victims attempt to log in, the AiTM proxy intercepts their authentication data and active session tokens in real time.

Crucially, the proxy then relays these captured credentials to the legitimate service, allowing the user to complete their login as normal. This seamless experience ensures the victim remains unaware that their credentials and session tokens have been compromised. The stolen credentials provide direct access to the organization’s identity provider (IdP), which then serves as a single gateway into numerous connected SaaS applications.

By exploiting the inherent trust relationship between the IdP and various linked services, the attackers can move laterally across the victim’s entire cloud infrastructure without further authentication challenges.

Establishing Persistence and Evading Detection

Upon gaining initial access, the attackers immediately prioritize establishing persistence within the compromised environment. A primary method involves manipulating multi-factor authentication (MFA) settings. They typically remove any existing legitimate MFA devices associated with the account and register their own hardware, often appearing as a newly trusted device.

  • SNARKY SPIDER predominantly registers Genymobile Android emulators to manage connected devices across different operating systems.
  • CORDIAL SPIDER employs a more diverse range of mobile devices and utilizes Windows Quick Emulators (QEMU) for its authentication needs.
  • A common tactic for both groups involves registering their malicious devices to long-standing accounts where MFA had not been previously enabled, exploiting a weaker security posture.
  • To maintain stealth, both threat groups systematically delete automated security-related emails from the victim’s inbox.
  • Attackers often deploy automated inbox rules designed to instantly filter messages containing keywords such as “alert,” “incident,” or “MFA,” preventing victims from noticing unauthorized activity.

Rapid Data Exfiltration

With secure and covert access firmly established, the threat actors proceed to conduct targeted reconnaissance across the connected SaaS platforms to pinpoint high-value information. They frequently use specific search terms like “confidential,” “SSN,” “contracts,” and “VPN” to prioritize the retrieval of business-critical documents and infrastructure credentials.

Following this focused reconnaissance, the adversaries move swiftly to aggregate and download substantial volumes of data. In numerous documented incidents, SNARKY SPIDER has initiated high-volume data exfiltration within an hour of the initial compromise. These rapid breaches often exploit customer misconfigurations, such as the absence of phishing-resistant MFA, rather than inherent vulnerabilities within the SaaS platforms themselves.

To obscure their true geographic locations and circumvent IP-based detection mechanisms, both threat groups funnel their network traffic through commercial VPNs and residential proxy networks. Services from providers like Mullvad, Oxylabs, and NetNut assign real home-user IP addresses to the attackers, making their malicious activities appear as benign residential network traffic, further complicating detection.

Effectively defending against these sophisticated techniques necessitates a comprehensive SaaS security posture management strategy and advanced anomaly detection capabilities. Platforms such as CrowdStrike Falcon Shield are designed to address these visibility gaps by applying deep SaaS expertise to analyze authentication flows and user behaviors. By combining entity-aware statistical models with cutting-edge network intelligence, security teams can reliably identify anonymization services, cluster adversarial infrastructure, and disrupt these high-speed cloud threats.

What You Should Do

  • Implement phishing-resistant MFA (e.g., FIDO2 security keys) across all accounts, especially for administrative and high-privilege users.
  • Regularly audit and review MFA device registrations for all user accounts, promptly removing any unauthorized or unknown devices.
  • Educate employees on the dangers of vishing and AiTM phishing, emphasizing vigilance against urgent requests for credentials or security updates over the phone.
  • Deploy advanced SaaS security posture management (SSPM) tools to gain visibility into cloud environments and detect anomalous user behavior and authentication patterns.
  • Monitor for unusual email forwarding rules or inbox alterations that could indicate an attacker attempting to hide their activity.
  • Enforce strict access controls and the principle of least privilege for all SaaS applications.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitphishingSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Facebook Phishing Campaign Leverages Google AppSheet, Netlify, Telegram

Next Post

Critical Exim Mail Server Vulnerabilities Let Attackers Crash Systems

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us