
Cybercrime Groups Exploit SaaS Trust to Launch Global Extortion Campaigns


AI-generated from multiple sources. Verify before acting on this reporting.

Two sophisticated cybercrime groups, identified as Cordial Spider and Snarky Spider, are conducting coordinated attacks against global retail and hospitality sectors by exploiting trusted software-as-a-service (SaaS) environments. The groups use voice phishing to steal credentials and then abuse single sign-on to extend that access, enabling rapid data theft and extortion campaigns.

Cordial Spider, also known by aliases including BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671, operates alongside Snarky Spider, which uses the identifiers O-UNC-025 and UNC6661. Both groups target identity provider trust relationships to bypass security controls. By compromising legitimate SaaS accounts, the attackers gain authorized access to sensitive corporate networks, allowing them to exfiltrate data without triggering traditional intrusion detection systems.

The attacks rely heavily on social engineering tactics, specifically voice phishing, to trick employees into revealing login credentials. Once initial access is achieved, the groups abuse single sign-on protocols to pivot across multiple systems. This method allows attackers to move quickly through an organization's digital infrastructure, stealing data and deploying ransomware or demanding payment for the return of compromised information.

Security researchers have identified the use of residential proxies by both groups to conceal their geographic locations. This obfuscation makes it difficult for law enforcement and corporate security teams to trace the origin of the attacks. The campaigns have been observed globally, with a particular focus on the retail and hospitality industries, which often rely heavily on interconnected SaaS platforms for operations.

The exploitation of trusted environments represents a significant shift in cybercriminal tactics. Rather than attempting to breach external firewalls, these groups focus on compromising the identity layer, which is often the weakest link in an organization's security posture. The speed of the attacks allows the groups to maximize data theft before defenders can respond, increasing the leverage for extortion demands.

As of May 1, 2026, the full extent of the damage remains unclear. While specific incidents have been documented, the global nature of the campaigns suggests that many organizations may have been targeted without detection. The use of residential proxies and the abuse of legitimate authentication mechanisms complicate efforts to attribute the attacks to specific individuals or locations.

Industry experts warn that the reliance on single sign-on and SaaS environments, while efficient for business operations, creates a concentrated risk point. Organizations are urged to implement additional verification steps and monitor for unusual login activity. However, the evolving nature of these attacks means that defensive measures must adapt continuously.
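As an added illustration, not taken from the article or its sources, here is a small detector over constructed SSO audit events that flags the pattern described above: one account reaching several SaaS applications within minutes from a residential-proxy address. The log format and the `residential`/`corporate` source classification are assumptions; in practice the classification would come from IP or ASN enrichment in the identity provider's logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SSO audit events (hypothetical format):
# timestamp user app source_ip source_type
SAMPLE_LOG = """\
2026-04-28T09:00:05Z alice crm 203.0.113.10 corporate
2026-04-28T09:00:40Z alice hr 203.0.113.10 corporate
2026-04-28T11:02:01Z bob crm 198.51.100.7 residential
2026-04-28T11:02:33Z bob hr 198.51.100.7 residential
2026-04-28T11:03:10Z bob files 198.51.100.7 residential
2026-04-28T11:04:02Z bob finance 198.51.100.7 residential
2026-04-28T14:10:00Z carol mail 203.0.113.11 corporate
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse(log):
    """Parse the assumed five-column format into (time, user, app, ip, source_type)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        ts, user, app, ip, src = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, app, ip, src))
    return events


def find_sso_fanout(events, window=timedelta(minutes=10), min_apps=3):
    """Return {user: [apps]} for accounts that reach at least `min_apps` distinct
    SaaS apps within `window` from a residential-proxy source. This is the rapid
    post-phishing SSO pivot the article describes; ordinary users on corporate
    egress, or touching only one or two apps, are not flagged."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        for i, (t0, _, _, _, _) in enumerate(evs):
            apps = {e[2] for e in evs[i:] if e[0] - t0 <= window and e[4] == "residential"}
            if len(apps) >= min_apps:
                alerts[user] = sorted(apps)
                break
    return alerts


if __name__ == "__main__":
    print(find_sso_fanout(parse(SAMPLE_LOG)))
```

Tune `window` and `min_apps` to the organisation's own baseline of normal SSO usage before alerting on this rule.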

The question remains whether these groups are operating independently or as part of a larger, coordinated criminal network. The similar tactics and targets suggest a possible relationship, but no definitive link has been established. As the campaigns continue, the potential for widespread data breaches and financial loss grows, posing a significant challenge for global cybersecurity efforts.