Cordial Spider and Snarky Spider: Two New Com-Affiliated Groups Are Running the Scattered Spider Playbook at Scale
CrowdStrike documents Cordial Spider and Snarky Spider — two new Com-affiliated groups running vishing and SSO phishing campaigns against enterprise SaaS environments with seven-figure extortion demands and no malware deployed.
CrowdStrike has documented two new Com-affiliated threat clusters — Cordial Spider and Snarky Spider — running high-speed vishing and SSO phishing campaigns against enterprise SaaS environments, with Snarky Spider escalating to swatting executives when victims refuse to pay.
AUSTIN, TEXAS — CrowdStrike's Counter Adversary Operations team published research Thursday documenting two financially motivated threat clusters active since at least October 2025: Cordial Spider (also tracked as BlackFile, CL-CRI-1116, UNC6671) and Snarky Spider (O-UNC-025, UNC6661). Both groups execute rapid, high-impact data theft and extortion campaigns by operating almost exclusively within trusted SaaS environments — leaving minimal traces that traditional endpoint detection tools are designed to catch. The shared methodology: voice phishing (vishing) to direct targets to fake SSO login pages, credential and session token harvest via adversary-in-the-middle (AiTM) interception, device registration to bypass MFA, and rapid lateral movement across the victim's entire SaaS ecosystem using a single authenticated session.
Threat profile
The attack chain: no malware, no detection
The defining characteristic of both Cordial and Snarky Spider is the complete absence of malware. There is no payload to detect, no exploit to signature, no lateral movement tool that any endpoint security product would flag as malicious. The entire attack chain runs through legitimate authentication flows and legitimate API access. Attackers call employees, direct them to fake SSO pages, harvest credentials and one-time passcodes in real time, register their own device in the victim's identity provider, delete the existing device registration, and configure inbox rules to suppress the authentication alert email — all using functionality built into Microsoft Entra ID, Google Workspace, and connected SaaS applications. They then use the authenticated session to traverse the victim's entire SaaS ecosystem, searching SharePoint and Salesforce for files containing terms like "confidential," "SSN," "contracts," and "VPN." Exfiltration happens through browser downloads or standard API exports — again, no malicious tooling required. The attack leaves no footprint that traditional endpoint detection, SIEM rules, or antivirus tools are designed to identify.

This is the same fundamental approach used by Scattered Spider in the MGM and Caesars attacks and by ShinyHunters in the Salesforce campaign that breached Amtrak, ADT, and Medtronic. All three groups are interconnected through The Com ecosystem. For more on this attack pattern, see our earlier reporting on BlackFile's initial disclosure in our retail and hospitality threat coverage.
All social engineering coverage is tracked on The CyberSignal.
Snarky Spider's swatting escalation
Snarky Spider's use of swatting — making false emergency calls to law enforcement to trigger an armed response at executives' homes or offices — as an extortion escalation tactic represents a significant and dangerous evolution. Swatting is not new in the cybercriminal ecosystem, but its formalization as a standard escalation step in a defined data extortion playbook is new. The combination of legitimate-looking SaaS data theft with physical-world intimidation of specific named executives crosses from cybercrime into territory that implicates personal safety of individuals. Organizations that decline extortion payments from Snarky Spider should immediately brief executive protection teams and notify law enforcement of the swatting risk to specific individuals identified in the attack.
What to do now
Enable Conditional Access device registration controls in Microsoft Entra ID — require admin approval for new device registration rather than allowing self-service. Deploy phishing-resistant MFA (FIDO2) for all users, not just privileged accounts. Implement strict call-handling policies for IT helpdesk: no MFA resets or credential changes over the phone without out-of-band identity verification. Monitor for anomalous sign-in patterns — geographic inconsistencies, new device registrations followed by inbox rule creation, and bulk export operations from SharePoint or Salesforce. Run vishing simulation exercises for frontline helpdesk and reception staff. If extortion demands are received, brief executive protection teams immediately given Snarky Spider's swatting escalation pattern.
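The monitoring advice above (new device registrations followed by inbox rule creation, and bulk export operations) and the attack chain described in the threat profile both reduce to correlating ordinary identity-provider and SaaS audit events per account. The following script is an added illustration, not code from CrowdStrike or The CyberSignal: it runs that correlation over a small set of constructed sample events. The event schema and field names (ts, user, action, device, rule, app, count) are assumptions made for the example, not a real Entra ID, Google Workspace or Salesforce log format; in practice the same logic would be expressed against those platforms' actual audit log fields.

```python
"""Added example (not CrowdStrike's or The CyberSignal's code): correlate
identity-provider and SaaS audit events per account to flag the sequence the
article describes. Field names and event shapes are assumptions for this
example, not a real Entra ID / Workspace / Salesforce schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T14:02:11Z", "user": "jdoe@example.com", "action": "sign_in", "ip": "203.0.113.7"},
    {"ts": "2025-11-03T14:03:40Z", "user": "jdoe@example.com", "action": "device_registered", "device": "new-laptop-01"},
    {"ts": "2025-11-03T14:04:05Z", "user": "jdoe@example.com", "action": "device_deleted", "device": "corp-laptop-77"},
    {"ts": "2025-11-03T14:06:30Z", "user": "jdoe@example.com", "action": "inbox_rule_created", "rule": "move security alerts to deleted items"},
    {"ts": "2025-11-03T14:20:00Z", "user": "jdoe@example.com", "action": "file_download", "app": "SharePoint", "count": 840},
    # Benign noise: a user enrolling a phone, and adding a newsletter rule a day later
    {"ts": "2025-11-03T09:15:00Z", "user": "asmith@example.com", "action": "device_registered", "device": "phone-2"},
    {"ts": "2025-11-04T10:00:00Z", "user": "asmith@example.com", "action": "inbox_rule_created", "rule": "newsletters"},
    # Benign noise: a small, routine export
    {"ts": "2025-11-03T11:00:00Z", "user": "bkim@example.com", "action": "file_download", "app": "Salesforce", "count": 12},
]


def parse_ts(s):
    """Parse the example's ISO-8601 UTC timestamp string."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def events_by_user(events):
    """Group events by account, each group in chronological order."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user[e["user"]].append(e)
    return by_user


def find_followed_by(events, first, second, window_minutes):
    """Accounts where action `second` occurs within `window_minutes` after
    action `first`. Returns a list of (user, first_ts, second_ts)."""
    hits = []
    for user, evs in events_by_user(events).items():
        firsts = [parse_ts(e["ts"]) for e in evs if e["action"] == first]
        seconds = [parse_ts(e["ts"]) for e in evs if e["action"] == second]
        for a in firsts:
            for b in seconds:
                if timedelta(0) <= b - a <= timedelta(minutes=window_minutes):
                    hits.append((user, a, b))
    return hits


def find_bulk_exports(events, threshold=100):
    """Download/export events whose item count meets the threshold."""
    return [(e["user"], e["app"], e["count"])
            for e in events
            if e["action"] == "file_download" and e["count"] >= threshold]


def triage(events):
    """Combine the checks into per-account findings (user -> list of strings)."""
    findings = defaultdict(list)
    # New device registered, then an existing device removed shortly after
    for user, _, _ in find_followed_by(events, "device_registered", "device_deleted", 30):
        findings[user].append("device swap: new device registered then existing device deleted")
    # New device registered, then an inbox rule created (alert suppression pattern)
    for user, _, _ in find_followed_by(events, "device_registered", "inbox_rule_created", 60):
        findings[user].append("inbox rule created shortly after new device registration")
    # Large downloads or API exports from document/CRM platforms
    for user, app, count in find_bulk_exports(events):
        findings[user].append(f"bulk export from {app}: {count} files")
    return dict(findings)


if __name__ == "__main__":
    for user, items in triage(SAMPLE_EVENTS).items():
        print(user)
        for item in items:
            print("  -", item)
```

The windows (30 and 60 minutes) and the export threshold (100 items) are illustrative starting points; tune them against your own baseline of legitimate device enrollments and exports so that routine activity, like the second and third accounts in the sample, does not page an analyst. The value of the correlation is that each event on its own is normal platform behaviour, while the sequence within one session is not.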
The CyberSignal Analysis
Signal 01 — The next generation of Scattered Spider is operational
CrowdStrike's Adam Meyers described Cordial and Snarky Spider as "the new generation of Scattered Spider" — using the same techniques but without the same technical sophistication. That framing is precisely the right one. These groups don't need sophistication because the same helpdesk vishing playbook that worked for Scattered Spider against MGM and Caesars continues to work against organizations that haven't fixed the underlying problem: human identity verification at the helpdesk remains the weakest link in enterprise authentication.
Signal 02 — SaaS-native attacks have outpaced SaaS-native defenses
The entire Cordial and Snarky Spider attack chain operates within the legitimate boundaries of the SaaS platforms being exploited. Microsoft's own device registration flow, Google Workspace's export functions, Salesforce's API access — all being used as designed. The attacker is not breaking into these platforms. They are logging in. The defensive response cannot be more signatures or more endpoint agents. It requires behavioral detection within identity platforms, anomaly detection on authentication flows, and admin controls on self-service account actions.
Signal 03 — Seven-figure extortion demands with no ransomware are the new normal
Cordial Spider's seven-figure ransom demands — issued without deploying a single line of malicious code — establish the economic viability of pure data theft extortion at enterprise scale. The elimination of the ransomware payload removes the most detectable element of the traditional ransomware attack chain while preserving the extortion leverage. This is the model that Scattered Spider proved, that ShinyHunters operationalized at industrial scale, and that Cordial and Snarky Spider are now replicating. The ransomware industry is not declining — it is shedding its payload.