Defending Against CORDIAL SPIDER and SNARKY SPIDER with Falcon Shield

Since October 2025, CrowdStrike Counter Adversary Operations has observed a shift in intrusion tradecraft: threat actors are executing high-speed, SaaS-centric attacks that bypass traditional endpoint visibility. CORDIAL SPIDER and SNARKY SPIDER exemplify this evolution as distinct adversaries conducting rapid data theft and extortion campaigns with striking operational similarities.

In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications. By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders. 

This blog details how these adversaries operate and how CrowdStrike Falcon® Shield identifies and disrupts their attacks.

How AiTM Pages Enable Initial Access

During vishing calls, CORDIAL SPIDER and SNARKY SPIDER impersonate IT support and create urgency around account issues or security updates to direct employees to fraudulent AiTM pages. These domains closely mimic legitimate corporate login portals (e.g., <companyname>sso[.]com, my<companyname>[.]com, <companyname>id[.]com, <companyname>internal[.]com). When users enter their credentials, the adversaries capture authentication data and active session tokens in real time. Because the AiTM proxy relays authentication to the legitimate service, users often see a normal login experience and remain unaware of the compromise.

In most observed cases, these credentials grant access to the organization’s identity provider (IdP), providing a single point of entry into multiple SaaS applications. By abusing the trust relationship between the IdP and connected services, the adversaries bypass the need to compromise individual SaaS apps and instead move laterally across the victim's entire SaaS ecosystem with a single authenticated session.

Falcon Shield is built to detect these anomalous sign-in attempts. While adversaries attempt to blend in with legitimate activity by aligning source location, device fingerprint, and working hours, Falcon Shield applies advanced anomaly detection to surface subtle deviations. By combining a deep understanding of authentication flows with visibility into network characteristics, anonymization services, and session-clustering methods, Falcon Shield reliably identifies malicious access attempts. 

Figure 1. This Falcon Shield detection details a suspicious sign-in pattern consistent with AiTM phishing attacks.
Figure 2. This Falcon Shield detection identifies geographic anomalies when users access platforms from locations inconsistent with their baseline behavior.

Persistence Through MFA Manipulation

Following initial access, CORDIAL SPIDER and SNARKY SPIDER establish persistence by registering adversary-controlled multifactor authentication (MFA) devices to compromised accounts. This allows them to maintain access while appearing to authenticate from a newly “trusted” device and reduces the need to repeatedly interact with the victim’s legitimate MFA factors.

In many cases, the adversaries first remove existing MFA devices before registering their own. When performing this technique, SNARKY SPIDER almost exclusively enrolls a Genymobile Android emulator for MFA, which enables them to operate connected Android devices from Linux, Windows, and macOS hosts.[1] CORDIAL SPIDER, by contrast, has used a broader mix of mobile devices and a Windows Quick Emulator (QEMU) device for MFA.

Notably, in some instances, adversary-controlled devices were the first MFA device registered to long-standing accounts where MFA had not previously been enabled. In other instances, the same MFA device was enrolled across multiple compromised accounts, further streamlining adversary access and persistence.
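An added example (not CrowdStrike's or Falcon Shield's code) of how a defender could check IdP MFA-enrollment audit events for the two patterns just described: one device identifier enrolled on several accounts within a short window, and a first-ever factor appearing on a long-standing account that never had MFA. The event and account fields are constructed assumptions, not any vendor's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IdP audit events (not real telemetry). Field names are an
# assumption about what an MFA-enrollment event carries.
EVENTS = [
    {"ts": "2025-11-03T09:12:00", "user": "alice@example.com", "device_id": "dev-7f3a"},
    {"ts": "2025-11-03T09:40:00", "user": "bob@example.com", "device_id": "dev-7f3a"},
    {"ts": "2025-11-03T10:05:00", "user": "carol@example.com", "device_id": "dev-7f3a"},
    {"ts": "2025-11-03T11:00:00", "user": "dave@example.com", "device_id": "dev-12c9"},
]

# Constructed directory data: account creation date and whether any MFA
# factor existed on the account before these enrollments.
ACCOUNTS = {
    "alice@example.com": {"created": "2019-04-01", "had_mfa": True},
    "bob@example.com": {"created": "2018-06-15", "had_mfa": False},
    "carol@example.com": {"created": "2025-11-01", "had_mfa": False},
    "dave@example.com": {"created": "2020-01-10", "had_mfa": True},
}

def shared_device_enrollments(events, min_accounts=2, window=timedelta(hours=24)):
    """Device IDs enrolled on >= min_accounts distinct accounts within `window`
    of the device's first enrollment, mapped to the affected accounts."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device_id"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = {}
    for dev, entries in by_device.items():
        entries.sort()
        first_ts = entries[0][0]
        users = {u for ts, u in entries if ts - first_ts <= window}
        if len(users) >= min_accounts:
            hits[dev] = sorted(users)
    return hits

def first_factor_on_old_account(events, accounts, min_age_days=90):
    """Users whose first-ever MFA factor lands on an account older than
    min_age_days: MFA was never enabled, then suddenly enrolled."""
    flagged = []
    for e in events:
        acct = accounts[e["user"]]
        age = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(acct["created"])
        if not acct["had_mfa"] and age.days >= min_age_days:
            flagged.append(e["user"])
    return flagged
```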

Figure 3. This Falcon Shield detection identifies suspicious device registration patterns where a single device is added to multiple accounts.
Figure 4. This Falcon Shield detection identifies suspicious MFA enrollments originating from Android emulator platforms. Attackers exploit emulated environments to register malicious MFA factors and maintain persistent access.

Defense Evasion Through Notification Suppression

Immediately after enrolling attacker-controlled MFA devices, the adversaries move to suppress user-facing indicators of compromise (IOCs). This often includes deleting the automated security emails that notify users of suspicious activity, preventing discovery of unauthorized device registrations and other malicious follow-on activity.

SNARKY SPIDER maintains its evasion by systematically deleting security-related communications. The adversary creates inbox rules that automatically delete incoming messages containing keywords such as "alert," "incident," "MFA," and other security terms, filtering out security notifications before they reach the user. By removing these signals at the source, the adversary reduces the likelihood of detection and prolongs unauthorized access.
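An added example (not Falcon Shield's detection logic) of scoring inbox-rule creation events for the suppression pattern above. It generalizes slightly beyond the text: besides rules that delete mail matching security keywords, it also flags rules that move such mail into folders users rarely look at. The event structure is a constructed assumption, not a real mail platform's audit schema.

```python
# Constructed mailbox-audit events (not real log data). Field names are an
# assumption about what a "new inbox rule" event carries.
RULE_EVENTS = [
    {"user": "bob@example.com", "rule": "cleanup",
     "conditions": {"subject_contains": ["alert", "incident", "MFA", "security"]},
     "actions": {"delete": True, "move_to": None}},
    {"user": "erin@example.com", "rule": "newsletters",
     "conditions": {"subject_contains": ["newsletter", "digest"]},
     "actions": {"delete": False, "move_to": "Archive"}},
    {"user": "frank@example.com", "rule": "it",
     "conditions": {"from_contains": ["noreply@", "security-notifications"]},
     "actions": {"delete": False, "move_to": "RSS Subscriptions"}},
]

# Keywords typical of the notifications an attacker wants the user never to see.
SECURITY_TERMS = {"alert", "incident", "mfa", "security", "suspicious",
                  "sign-in", "password", "verification"}
# Folders that hide mail almost as effectively as deleting it.
HIDING_FOLDERS = {"rss subscriptions", "junk", "deleted items", "conversation history"}

def score_inbox_rule(event):
    """Return (score, reasons) for one inbox-rule creation event.
    Security keywords alone are weak evidence; keyword plus a destructive or
    hiding action is the signal, so anything below two reasons scores 0."""
    reasons = []
    terms = set()
    for values in event["conditions"].values():
        for v in values:
            terms.update(t for t in SECURITY_TERMS if t in v.lower())
    if terms:
        reasons.append(f"matches security terms: {sorted(terms)}")
    act = event["actions"]
    if act.get("delete"):
        reasons.append("action deletes message")
    elif act.get("move_to") and act["move_to"].lower() in HIDING_FOLDERS:
        reasons.append(f"action moves to hiding folder: {act['move_to']}")
    score = len(reasons) if len(reasons) >= 2 else 0
    return score, reasons

def suspicious_rules(events):
    """Users who created a rule scoring >= 2, in event order."""
    return [e["user"] for e in events if score_inbox_rule(e)[0] >= 2]
```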

Figure 5. This Falcon Shield detection identifies manual deletion of security-related emails by users whose activity originates from flagged ASNs. This behavior typically indicates post-compromise cleanup activities, insider threat evidence destruction, or malicious actors covering data exfiltration traces.
Figure 6. This detection identifies suspicious inbox rule patterns commonly used by threat actors to evade detection or maintain persistence in compromised accounts.

Targeted Discovery: Identifying High-Value SaaS Data

CORDIAL SPIDER and SNARKY SPIDER conduct targeted searches across SaaS platforms to identify high-value sensitive data. Observed search queries include terms such as "confidential," "SSN," "contracts," and "VPN," reflecting a focus on business-critical documents, internal communications, proof-of-concept materials, and infrastructure access credentials.

This search-driven approach enables the adversaries to quickly prioritize sensitive content and accelerate their progression from initial access to data exfiltration.

Figure 7. This Falcon Shield detection identifies users conducting targeted searches for sensitive terms. This behavior is often associated with reconnaissance or data discovery activities.
Figure 8. This Falcon Shield detection identifies users who performed searches for sensitive content following an anomalous sign-in. This behavior is often associated with reconnaissance or data discovery activities.

High-Volume Exfiltration Across SaaS Environments

Figure 9. SNARKY SPIDER begins exfiltration in under an hour.

The primary objective of both CORDIAL SPIDER and SNARKY SPIDER is large-scale data exfiltration across SaaS platforms, including SharePoint, HubSpot, Google Workspace, and more. Once access is established, they move quickly to aggregate and download diverse datasets from all accessible SaaS services.

These compromises are not the result of security vulnerabilities in the SaaS platforms themselves but rather of weaknesses in customer configurations. Common issues include the absence of phishing-resistant MFA and access controls that grant overly permissive access to sensitive data.

Falcon Shield provides comprehensive guidance to identify and remediate these misconfigurations, helping organizations reduce exposure and strengthen defenses against SaaS-focused attacks. 

Figure 10. This Falcon Shield detection identifies when a user downloads a large number of files while connected from an IP address that is unusual for both the user and the organization.
Figure 11. This Falcon Shield detection identifies when a user downloads files at a volume or velocity that significantly deviates from their established baseline behavior.
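An added example (not Falcon Shield's model) of the baseline comparison the two captions above describe: a user's download count for the day is scored against their own recent history, and the source IP is checked against addresses previously seen for that user and for the organization. All telemetry below is constructed and the thresholds are illustrative assumptions.

```python
import statistics

# Constructed telemetry (not real data): each user's daily download counts for
# the prior 14 days, today's count and source IP, and IPs previously seen for
# the user and for the whole org. IPs are from documentation ranges.
HISTORY = {
    "alice@example.com": [12, 9, 15, 11, 10, 14, 13, 8, 12, 11, 9, 13, 10, 12],
    "bob@example.com": [3, 5, 2, 4, 6, 3, 4, 5, 2, 3, 4, 5, 3, 4],
}
TODAY = {
    "alice@example.com": {"downloads": 14, "ip": "203.0.113.10"},
    "bob@example.com": {"downloads": 1260, "ip": "198.51.100.77"},
}
KNOWN_USER_IPS = {
    "alice@example.com": {"203.0.113.10", "203.0.113.11"},
    "bob@example.com": {"203.0.113.20"},
}
KNOWN_ORG_IPS = {"203.0.113.10", "203.0.113.11", "203.0.113.20", "203.0.113.21"}

def velocity_zscore(history, today_count):
    """How many baseline standard deviations today's count sits above the mean."""
    mean = statistics.fmean(history)
    # Floor the deviation so a very flat baseline cannot blow up the score.
    stdev = max(statistics.pstdev(history), 1.0)
    return (today_count - mean) / stdev

def evaluate_downloads(user, z_threshold=5.0, min_count=100):
    """Return findings for one user's day; 'severity' is 'none', 'medium' or 'high'."""
    today = TODAY[user]
    findings = {}
    z = velocity_zscore(HISTORY[user], today["downloads"])
    # Require an absolute floor too, so a quiet user fetching 20 files is not a hit.
    if z >= z_threshold and today["downloads"] >= min_count:
        findings["velocity_z"] = round(z, 1)
    ip = today["ip"]
    if ip not in KNOWN_USER_IPS[user]:
        findings["new_ip_for_user"] = ip
        if ip not in KNOWN_ORG_IPS:
            findings["new_ip_for_org"] = ip
    # Burst download from an IP unseen for both user and org is the high-confidence case.
    if "velocity_z" in findings and "new_ip_for_org" in findings:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    findings["severity"] = severity
    return findings
```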

Infrastructure Behind the Campaigns

Throughout these campaigns, CrowdStrike identified network indicators tied to commercial VPN services and residential proxy networks. Unlike traditional VPNs that route traffic through data center IP addresses, residential proxies leverage IPs assigned to real home users, making malicious activity appear as legitimate residential traffic. 

CORDIAL SPIDER and SNARKY SPIDER rely heavily on these services to evade IP-based detection and blend in with normal user behavior. Observed providers include Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and NSOCKS. 

Falcon Shield's infrastructure detection capabilities enable defenders to identify and track these high-risk connection sources, exposing adversary activity that would otherwise appear benign.

Built for Modern Attacks: Falcon Shield Detections

CORDIAL SPIDER and SNARKY SPIDER highlight a growing detection gap. While many organizations have strengthened endpoint defenses against data exfiltration, fewer have the visibility required to detect adversaries operating within the IdP and SaaS layers.

The Three Detection Pillars of Falcon Shield

  1. Deep SaaS expertise: The Falcon Shield detection engineering team has built a deep understanding of SaaS platforms, including authentication flows, user behaviors, and platform-specific entities and configurations. This expertise enables precise, high-fidelity detections tailored to each supported SaaS application.
  2. Advanced anomaly detection: Falcon Shield applies advanced anomaly detection to distinguish malicious activity from legitimate use, using its visibility across the entire SaaS stack, enhanced with additional CrowdStrike Falcon® platform modules. By leveraging statistical models and entity-aware analysis — across users, service accounts, OAuth applications, API tokens, and more — Falcon Shield evaluates each action in context. This includes factors such as network artifacts, zero trust network access solutions, device telemetry, and historical behavior across SaaS providers.
  3. New-age network intelligence: Falcon Shield extends beyond traditional IOC-based detection by identifying and classifying anonymization services, clustering adversarial infrastructure, and flagging non-enterprise-grade servers used as access points. Through active scanning, integration with CrowdStrike reputation systems, and proactive engagement with malicious infrastructure, Falcon Shield delivers precise attribution of suspicious activity to attacker-controlled proxy nodes.

Together, these three pillars provide a robust and adaptable detection framework that minimizes noise while surfacing high-confidence activity in real time. In addition to its detection capabilities, Falcon Shield delivers SaaS security posture management (SSPM) to proactively and continuously monitor identities, access controls, and configuration settings. This enables organizations to address weaknesses before they can be exploited and to prioritize the most critical issues for remediation, strengthening overall SaaS security posture.

To see these innovations in action, request a free Falcon Shield risk review or try it free for 15 days. Contact your representative to explore how CrowdStrike can empower your business to thrive in today’s dynamic and SaaS-first digital landscape.

Additional Resources

[1] https[:]//github[.]com/genymobile/scrcpy
