The article describes the tradecraft of threat actors CORDIAL SPIDER and SNARKY SPIDER, who are conducting high-speed, SaaS-centric attacks. These attacks typically involve voice phishing (vishing) to direct users to malicious adversary-in-the-middle (AiTM) pages that capture authentication data and session tokens. The adversaries then pivot into SSO-integrated SaaS applications, bypassing traditional endpoint visibility. They establish persistence by registering adversary-controlled multifactor authentication (MFA) devices on compromised accounts, sometimes removing the existing MFA devices first. SNARKY SPIDER often uses a Genymobile Android emulator for MFA, while CORDIAL SPIDER uses a mix of mobile devices and QEMU (Quick Emulator) running on Windows. CrowdStrike Falcon Shield is presented as a tool to detect these anomalous sign-in attempts and geographic anomalies.
| Vendor | Product | Versions |
|---|---|---|
| crowdstrike | — | — |
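The persistence pattern summarized above (a sign-in from an unfamiliar location, an existing MFA device removed, and a new MFA device registered minutes later) is something a defender can hunt for in identity-provider audit logs without any endpoint telemetry. The following is an added example, not code from the article or from CrowdStrike Falcon Shield: it runs a simple correlation over constructed audit events. The JSON field names (`ts`, `user`, `event`, `country`, `client`) and the event names (`signin`, `mfa_device_removed`, `mfa_device_registered`) are assumptions for illustration; map them to your own IdP's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider audit events (not real logs).
# "alice" shows the pattern from the article: a sign-in from a country not in her
# baseline, removal of her MFA device, then registration of a new one minutes later.
# "bob" registers a new device from his usual country with no removal (benign).
SAMPLE_EVENTS = """
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "event": "signin", "country": "US", "client": "Chrome/Windows"}
{"ts": "2024-05-02T09:05:00Z", "user": "alice", "event": "signin", "country": "US", "client": "Chrome/Windows"}
{"ts": "2024-05-03T14:12:00Z", "user": "alice", "event": "signin", "country": "NL", "client": "Chrome/Windows"}
{"ts": "2024-05-03T14:15:00Z", "user": "alice", "event": "mfa_device_removed", "country": "NL", "client": "Chrome/Windows"}
{"ts": "2024-05-03T14:16:00Z", "user": "alice", "event": "mfa_device_registered", "country": "NL", "client": "Chrome/Windows"}
{"ts": "2024-05-01T10:00:00Z", "user": "bob", "event": "signin", "country": "US", "client": "Safari/iOS"}
{"ts": "2024-05-04T10:30:00Z", "user": "bob", "event": "mfa_device_registered", "country": "US", "client": "Safari/iOS"}
"""


def parse_events(text):
    """Parse newline-delimited JSON audit events into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_persistence(text, window=timedelta(minutes=30), baseline_age=timedelta(hours=24)):
    """Flag MFA device registrations that look like adversary persistence.

    A registration is reported when, within `window` before it, the same account
    either signed in from a country outside its historical baseline (sign-ins
    older than `baseline_age`) or had an existing MFA device removed.
    Returns a list of findings, each with the user, timestamp and reasons.
    """
    by_user = defaultdict(list)
    for event in parse_events(text):
        by_user[event["user"]].append(event)

    findings = []
    for user, events in by_user.items():
        for index, registration in enumerate(events):
            if registration["event"] != "mfa_device_registered":
                continue

            # Baseline countries come only from sign-ins old enough not to be
            # part of the current activity burst.
            cutoff = registration["ts"] - baseline_age
            baseline = {
                e["country"] for e in events
                if e["event"] == "signin" and e["ts"] <= cutoff
            }

            reasons = []
            for prior in events[:index]:
                if registration["ts"] - prior["ts"] > window:
                    continue
                if prior["event"] == "signin" and baseline and prior["country"] not in baseline:
                    reason = f"sign-in from {prior['country']} outside baseline {sorted(baseline)}"
                    if reason not in reasons:
                        reasons.append(reason)
                if prior["event"] == "mfa_device_removed":
                    reason = "existing MFA device removed shortly before registration"
                    if reason not in reasons:
                        reasons.append(reason)

            if reasons:
                findings.append({
                    "user": user,
                    "ts": registration["ts"].isoformat(),
                    "client": registration["client"],
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_persistence(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

Only `alice` is reported, with both reasons attached; `bob`'s routine device enrollment is left alone. In production the baseline would be built from a longer history than a single burst of sign-ins, and the `client` field is worth comparing against the device string seen on the account's earlier sign-ins, since the article notes that these actors complete MFA from emulators rather than from the user's usual phone.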