Defending Against CORDIAL SPIDER and SNARKY SPIDER with Falcon Shield
CORDIAL SPIDER and SNARKY SPIDER are executing rapid, SaaS-centric data theft and extortion campaigns by leveraging vishing and AiTM phishing pages. By capturing session tokens and authentication data, these actors bypass traditional endpoint defenses and pivot directly into SSO-integrated SaaS environments via the organization's Identity Provider (IdP).
Authors: CrowdStrike Counter Adversary Operations
Source:
CrowdStrike
- domain<companyname>id[[.]]comPattern used for AiTM phishing domains mimicking corporate identity portals.
- domain<companyname>internal[[.]]comPattern used for AiTM phishing domains mimicking internal corporate portals.
- domain<companyname>sso[[.]]comPattern used for AiTM phishing domains mimicking corporate SSO portals.
- domainmy<companyname>[[.]]comPattern used for AiTM phishing domains mimicking corporate portals.
Detection / Hunter
What Happened
Cybercriminals known as CORDIAL SPIDER and SNARKY SPIDER are using phone calls (vishing) to trick employees into logging into fake company portals. This affects any organization relying on Single Sign-On (SSO) and cloud-based software. It matters because the attackers steal login sessions to instantly access multiple company systems without touching traditional computers, making them very hard to catch. Organizations should monitor for unusual login locations and behaviors, and train employees to recognize fake IT support calls.
Key Takeaways
- CORDIAL SPIDER and SNARKY SPIDER are conducting high-speed, SaaS-centric data theft and extortion campaigns.
- Initial access is achieved via vishing, directing users to SSO-themed Adversary-in-the-Middle (AiTM) pages.
- Adversaries capture authentication data and session tokens to pivot directly into SSO-integrated SaaS applications via the Identity Provider (IdP).
- These attacks bypass traditional endpoint visibility by operating almost exclusively within trusted SaaS environments.
Affected Systems
- SaaS Applications
- Identity Providers (IdP)
- Single Sign-On (SSO) Systems
Attack Chain
The attack begins with vishing, where adversaries impersonate IT support to direct users to fraudulent AiTM pages mimicking corporate SSO portals. Once the user enters their credentials, the AiTM proxy captures the authentication data and active session tokens in real time. The adversaries then use these stolen tokens to access the organization's Identity Provider (IdP). Finally, they abuse the IdP trust relationship to move laterally across the victim's SaaS ecosystem for rapid data theft and extortion.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
EDR Visibility: Low — The article explicitly states the attacks bypass traditional endpoint visibility by operating almost exclusively within trusted SaaS environments. Network Visibility: Medium — Network logs might show connections to newly registered domains mimicking corporate SSO, but the traffic is encrypted and SaaS-to-SaaS pivoting is invisible to traditional perimeter networks. Detection Difficulty: Hard — Adversaries blend in by aligning source location, device fingerprint, and working hours, requiring advanced anomaly detection and session clustering to identify.
Required Log Sources
- IdP Authentication Logs
- SaaS Audit Logs
- SSO Sign-in Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for anomalous IdP sign-ins originating from known anonymization services or mismatched geographic locations compared to the user's typical baseline. | IdP Authentication Logs | Initial Access | Medium |
| Identify multiple SaaS applications being accessed in rapid succession by a single user account from a new or uncharacterized IP address. | SaaS Audit Logs | Lateral Movement | Medium |
Control Gaps
- Traditional Endpoint Detection and Response (EDR)
- Standard Multi-Factor Authentication (susceptible to AiTM)
Key Behavioral Indicators
- Anomalous sign-in locations
- Use of anonymization services during authentication
- Subtle deviations in device fingerprints during SSO login
False Positive Assessment
- Medium. Anomaly detection on logins can flag legitimate travel, new devices, or VPN usage by employees.
Recommendations
Immediate Mitigation
- Review IdP logs for anomalous sign-ins or session token abuse.
- Block known AiTM domain patterns (e.g., <companyname>sso.com) at the DNS/proxy level.
Infrastructure Hardening
- Implement FIDO2/WebAuthn hardware security keys to prevent AiTM phishing.
- Restrict SaaS access using Conditional Access policies based on compliant devices and trusted IP ranges.
User Protection
- Deploy advanced identity protection tools to monitor for session hijacking and anomalous authentication flows.
Security Awareness
- Train employees on the risks of vishing and how to verify the identity of IT support personnel.
- Educate users to verify the URL of SSO portals before entering credentials.
MITRE ATT&CK Mapping
- T1566.004 - Phishing: Spearphishing Voice
- T1557 - Adversary-in-the-Middle
- T1539 - Steal Web Session Cookie
- T1078.004 - Valid Accounts: Cloud Accounts