Threat actors are rapidly shifting their intrusion tradecraft toward high-speed, SaaS-centric attacks that completely bypass traditional endpoint security. <\/p>\n
Since October 2025, security researchers have tracked two distinct adversaries, identified as CORDIAL SPIDER and SNARKY SPIDER, conducting aggressive data theft campaigns. <\/p>\n
These groups operate almost exclusively within trusted SaaS environments such as SharePoint, HubSpot, and Google Workspace <\/a>to accelerate their time to impact. <\/p>\n By leveraging single sign-on (SSO) integrations, they minimize their footprint and create significant visibility challenges for enterprise defenders.<\/p>\n The adversaries initiate their attacks using targeted voice phishing (vishing) campaigns. They impersonate corporate IT support teams to create a false sense of urgency around security updates or account issues. <\/p>\n This social engineering tactic directs employees to fraudulent adversary-in-the-middle<\/a> (AiTM) phishing pages that closely mimic legitimate corporate login portals, using deceptive domains like company-sso[.]com.<\/p>\n When victims enter their credentials, the attackers capture authentication data and active session tokens in real time. <\/p>\n Because the proxy relays this authentication directly to the legitimate service, users experience a normal login and remain entirely unaware of the compromise. <\/p>\n These stolen credentials grant access to the organization\u2019s identity provider (IdP), providing a single point of entry into multiple SaaS applications. <\/p>\n By abusing the trust relationship between the IdP and connected services, the attackers move laterally across the victim\u2019s entire cloud ecosystem.<\/p>\n Once the attackers secure initial access, they immediately establish persistence by manipulating multifactor authentication (MFA) <\/a>settings. <\/p>\n They typically remove existing MFA devices and register their own hardware to the compromised accounts while appearing to authenticate from a newly trusted device.<\/p>\n With secure and stealthy access established, the threat actors execute targeted searches across connected SaaS platforms to locate high-value information. <\/p>\n They frequently query terms such as confidential, SSN, contracts, and VPN to prioritize business-critical documents and infrastructure credentials.<\/p>\n Following this reconnaissance phase, the adversaries move quickly to aggregate and download massive datasets. <\/p>\n In many documented incidents, SNARKY SPIDER begins high-volume data exfiltration <\/a>within an hour of the initial compromise. <\/p>\n These rapid breaches exploit customer misconfigurations, such as missing phishing-resistant MFA, rather than underlying vulnerabilities in the SaaS platforms themselves.<\/p>\n To obscure their geographic locations and evade IP-based detection, both threat groups route their traffic through commercial VPNs and residential proxy networks. <\/p>\n Providers like Mullvad, Oxylabs, and NetNut assign real home-user IP addresses to attackers, making malicious activity appear as benign residential traffic.<\/p>\n Defending against these sophisticated techniques requires comprehensive SaaS security posture management and advanced anomaly detection. <\/p>\n Platforms like CrowdStrike Falcon Shield address these visibility gaps<\/a> by applying deep SaaS expertise to analyze authentication flows and user behaviors. <\/p>\n By combining entity-aware statistical models with new-age network intelligence, security teams can reliably identify anonymization services, cluster adversarial infrastructure, and disrupt these high-speed cloud threats.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInitial Access via Vishing<\/strong><\/h2>\n
![\"\u00a0This](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-8-1024x877.png?resize=1024%2C877&ssl=1\")
![\"This](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-7-1024x828.png?resize=1024%2C828&ssl=1\")
\n
Rapid Data Exfiltration<\/strong><\/h2>\n
![\"SNARKY](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-6-1024x358.png?resize=1024%2C358&ssl=1\")
![\"\u00a0Falcon](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-5-1024x795.png?resize=1024%2C795&ssl=1\")