Security researchers have identified two sophisticated threat groups, tracked as CORDIAL SPIDER and SNARKY SPIDER, conducting aggressive Adversary-in-the-Middle (AiTM) phishing campaigns against enterprise organizations. Operating since October 2025, these actors have stolen vast quantities of sensitive data by targeting SaaS platforms including Microsoft SharePoint, HubSpot, and Google Workspace — bypassing both traditional endpoint security and multifactor authentication entirely.
Voice Phishing as the Entry Point
The attack chain begins with carefully crafted vishing calls. Threat actors impersonate corporate IT support teams, fabricating urgent scenarios around security updates or account lockouts to pressure employees into immediate action. Victims are directed to fraudulent AiTM phishing pages that mirror legitimate corporate login portals with near-perfect fidelity, typically hosted on deceptive domains such as company-sso[.]com.
When an employee enters credentials on one of these pages, the attacker’s transparent proxy relays them to the real service and captures the username and password together with the live session token the legitimate service issues. The victim sees a normal, successful login — completely unaware that their session has been silently hijacked in parallel.
Abusing Single Sign-On Trust
Stolen IdP credentials give attackers a master key. Because modern enterprises use Single Sign-On (SSO), a single compromised identity provider account unlocks access to every connected SaaS application simultaneously. CORDIAL SPIDER and SNARKY SPIDER exploit this trust chain aggressively, pivoting across SharePoint document libraries, HubSpot CRM data, and Google Workspace files in rapid succession.
By operating entirely within legitimate SaaS applications using valid session tokens, the attackers generate minimal anomalous signals. No malware is deployed on endpoints. No suspicious executables run. From the perspective of most security tools, the activity appears to be normal user behavior.
MFA Manipulation Ensures Persistence
Once inside, both groups immediately modify MFA settings on the compromised accounts. Existing hardware tokens are removed and replaced with attacker-controlled devices. This ensures that even if the victim resets their password, the attacker retains persistent access through their own registered authentication factor — effectively locking the legitimate user out while maintaining their own stealthy foothold.
High-Speed Data Exfiltration
With persistence secured, the threat actors conduct targeted data reconnaissance using search terms such as confidential, SSN, contracts, VPN credentials, and executive communications. SNARKY SPIDER in particular has been documented beginning bulk data exfiltration within 60 minutes of gaining initial access — a pace that outstrips most incident response timelines.
Both groups use commercial VPN services and residential proxy networks to mask their geographic origin, defeating IP-based anomaly detection and geolocation blocking controls.
Why Traditional Defenses Fail
These campaigns highlight a critical gap in enterprise security postures. Endpoint detection and response tools have no visibility into cloud-only attack chains. Perimeter firewalls offer no protection against attacks that originate from legitimate cloud infrastructure. Even SMS-based or TOTP-based MFA provides no resistance against real-time AiTM session token theft.
The attacks succeed not through technical exploitation of SaaS platform vulnerabilities, but by exploiting misconfiguration — specifically, the absence of phishing-resistant authentication methods across cloud environments.
Recommended Mitigations
- Deploy FIDO2/passkey authentication for all SaaS applications and identity providers. Hardware-bound credentials cannot be captured or replayed by AiTM proxies.
- Restrict MFA enrollment from unmanaged or unfamiliar devices using conditional access policies tied to device compliance status.
- Monitor SaaS audit logs for MFA device registration events, bulk file downloads, and unusual search activity — and alert on deviations from behavioral baselines.
- Train employees on vishing tactics, emphasizing that IT support will never ask them to navigate to a login page provided verbally over the phone.
- Segment IdP access so that a single compromised account cannot access all SaaS applications simultaneously.
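As an added example (not code from the original article or any vendor's product), the two audit-log detections from the third mitigation, run over constructed SaaS audit events that follow the post-compromise sequence described above: a login from an IP outside the user's baseline, an MFA factor registered minutes later, then bulk downloads within the first hour. Field names, the IP baseline and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; the schema is an assumption, not a real vendor's log format.
EVENTS = [
    {"ts": "2025-10-14T09:02:00", "user": "alice", "event": "login", "ip": "203.0.113.7"},
    {"ts": "2025-10-14T09:05:00", "user": "alice", "event": "mfa_register", "ip": "203.0.113.7"},
    {"ts": "2025-10-14T09:20:00", "user": "alice", "event": "search", "ip": "203.0.113.7", "query": "SSN"},
    *[{"ts": f"2025-10-14T09:{30 + i:02d}:00", "user": "alice", "event": "file_download",
       "ip": "203.0.113.7"} for i in range(12)],
    {"ts": "2025-10-14T10:00:00", "user": "bob", "event": "login", "ip": "198.51.100.4"},
    {"ts": "2025-10-14T10:10:00", "user": "bob", "event": "file_download", "ip": "198.51.100.4"},
]
# Constructed per-user baseline of previously seen source IPs.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.4"}}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _within(start, event, window):
    """True if `event` occurs at or after `start` and no later than `window` afterwards."""
    delta = _ts(event) - _ts(start)
    return timedelta(0) <= delta <= window


def mfa_change_after_unfamiliar_login(events, known_ips, window=timedelta(minutes=30)):
    """Flag an MFA factor registration that follows a login from an IP outside the
    user's baseline within `window` (the persistence step described in the article)."""
    hits = []
    for login in events:
        if login["event"] != "login" or login["ip"] in known_ips.get(login["user"], set()):
            continue
        for e in events:
            if e["user"] == login["user"] and e["event"] == "mfa_register" and _within(login, e, window):
                hits.append((e["user"], e["ts"]))
    return hits


def bulk_download_after_login(events, threshold=10, window=timedelta(minutes=60)):
    """Flag users whose download count reaches `threshold` within `window` of a login,
    mirroring the sub-60-minute exfiltration pace noted above."""
    hits = []
    for login in (e for e in events if e["event"] == "login"):
        count = sum(1 for e in events
                    if e["user"] == login["user"] and e["event"] == "file_download"
                    and _within(login, e, window))
        if count >= threshold:
            hits.append((login["user"], count))
    return hits
```

In production, the IP baseline would come from historical sign-in data and the thresholds from observed per-user behaviour; both detections should alert only on deviations from that baseline rather than on fixed constants.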
The emergence of operationally mature AiTM-as-a-technique underscores that cloud identity security is no longer optional. Organizations that have not transitioned away from phishable authentication factors face significant exposure to campaigns of precisely this type.