cordial-spider - TrustStrike Labs

threat

2026-05-01

Two new cybercrime crews are calling employees, getting their MFA codes by phone, then stealing data from SaaS apps within hours

CrowdStrike disclosed two cybercrime groups - Cordial Spider and Snarky Spider - running fast SaaS extortion attacks that stay almost entirely inside legitimate SaaS environments. The pattern: call employees pretending to be IT support, walk them through an 'MFA reset' that's actually a credential-harvesting site that mimics their company's branding, capture the password and MFA code, then immediately log into SSO and pivot through Microsoft 365, Salesforce, and other SaaS apps. The attackers register their own device for MFA and exfiltrate data within hours. Both groups overlap with the broader ShinyHunters ecosystem (UNC6240/UNC6661/UNC6671).

cordial-spider snarky-spider crowdstrike mandiant unc6661 unc6671 shinyhunters vishing sso aitm saas-extortion the-com blackfile-overlap

Check: Run a vishing-specific awareness exercise this week. Tell every employee that real IT will never ask them to read out an MFA code over the phone or enter it on a website during a call.
Affected: Organizations with SSO across Microsoft 365, Salesforce, Okta, Google Workspace, or similar SaaS where one set of credentials reaches multiple apps. Acute risk for help-desk-heavy enterprises (financial services, healthcare, large retail) where IT calls feel routine. Any company with a public corporate logo and SSO landing page is in the target pool.
Fix: Make it policy that IT never asks for MFA codes by phone. Require step-up authentication for any MFA registration change. Alert on new MFA device registrations from unfamiliar IPs. In Microsoft 365, monitor for OAuth grants to ToogleBox Recall and similar inbox-rule apps - these were used by Cordial Spider to delete security alerts. Use Mandiant's published IoCs to block known credential-harvesting domains.

threat

2026-04-24

New extortion group 'BlackFile' running seven-figure ransom campaigns against retail and hospitality via vishing-driven SSO compromise and Salesforce/SharePoint scraping

Palo Alto's Unit 42 and the Retail & Hospitality ISAC outed a new financially-motivated group tracked as BlackFile (CL-CRI-1116, UNC6671, Cordial Spider) running data-theft extortion against retail and hospitality since February 2026 with seven-figure ransoms. The playbook: spoofed-VoIP vishing, attackers posing as IT helpdesk, victims routed to phishing pages capturing Microsoft Entra/Okta/Google SSO credentials, attackers then register their own devices to bypass MFA and pivot into Salesforce and SharePoint. Unit 42 links the group to 'The Com' and notes it has used swatting against non-paying victims. TTPs overlap heavily with ShinyHunters and Scattered Spider.

blackfile cordial-spider unc6671 vishing the-com salesforce sharepoint extortion swatting unit-42

Check: Brief IT helpdesk staff this week on the BlackFile vishing pattern and run a tabletop on a help-desk-driven SSO compromise of one named individual.
Affected: Retail and hospitality are named target sectors but the playbook is industry-agnostic. Acute risk: any organization where helpdesk staff can re-enroll MFA devices over the phone without out-of-band caller verification. SaaS environments where users can perform bulk Salesforce report exports, SharePoint downloads, or Microsoft Graph queries without secondary controls.
Fix: Require manager confirmation on a separate channel for any MFA or password reset on high-privilege accounts. Disable phone-based helpdesk MFA reset for accounts with bulk-data access. In Okta and Entra, alert on new device registrations from unseen locations. In Salesforce, scope bulk export rights via Permission Set Groups and alert on Bulk API usage outside business hours.