Hackers Are Using Fake SSO Pages to Break Into SharePoint, HubSpot, and Google Workspace
Security researchers are warning about two cybercrime groups using voice phishing and fake single sign-on pages to steal access to cloud business apps. The campaigns target SaaS environments such as SharePoint, HubSpot, Google Workspace, Salesforce, and other connected services.
CrowdStrike tracks the two groups as CORDIAL SPIDER and SNARKY SPIDER. Both groups have been active since at least October 2025 and focus on fast data theft and extortion instead of traditional malware-heavy attacks.
The attacks matter because they can bypass many endpoint-focused defenses. Instead of infecting a device first, the attackers trick employees into logging in through adversary-in-the-middle phishing pages, then use stolen session data to move through cloud apps.
How the attacks begin
The intrusion usually starts with a vishing call. Attackers impersonate IT support and tell the employee there is an account issue, security update, or login problem that needs quick action.
The victim then gets sent to a fake SSO login page. These pages use domains that look close to real company portals, including names built around “sso,” “id,” “internal,” or the company name.
When the employee enters login details, the phishing page captures credentials and active session tokens in real time. The login can still appear normal to the victim because the proxy passes the request to the real service.
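The lookalike-domain pattern described above (hosts built around "sso", "id", "internal", or the company name) can be triaged from web proxy logs. This is an added defender-side example, not code from the article or from CrowdStrike; the organisation name, its registered domain, its approved identity-provider hosts and the log lines are all constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed organisation details (not from the article): its brand token, its
# registered domain, and the third-party identity providers it legitimately uses.
ORG_NAME = "examplecorp"
ORG_DOMAIN = "examplecorp.com"
LEGIT_IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Tokens the article says the fake SSO domains are built around.
LURE_TOKENS = ("sso", "id", "internal", ORG_NAME)

# Constructed proxy log lines: "<timestamp> <user> <url>".
SAMPLE_PROXY_LOG = """\
2025-11-03T09:12:01Z alice https://login.microsoftonline.com/common/oauth2/authorize
2025-11-03T09:15:44Z bob https://sso-examplecorp.com/login
2025-11-03T09:16:02Z carol https://id.examplecorp-internal.net/auth
2025-11-03T09:20:19Z dave https://www.wikipedia.org/wiki/Phishing
2025-11-03T09:22:37Z erin https://sso.examplecorp.com/saml/login
"""

def is_org_host(host):
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def is_lookalike_login_host(host):
    """True when a host outside the org and its IdPs borrows login/brand tokens.
    Labels are split on dots and hyphens so 'sso-examplecorp' yields both tokens;
    matching whole labels keeps short tokens like 'id' from matching 'video'."""
    host = host.lower()
    if is_org_host(host) or host in LEGIT_IDP_HOSTS:
        return False
    labels = re.split(r"[.-]", host)
    return any(tok in labels for tok in LURE_TOKENS)

def find_lookalike_logins(log_text):
    """Return (user, host) pairs worth triaging from a proxy log."""
    hits = []
    for line in log_text.splitlines():
        _ts, user, url = line.split(" ", 2)
        host = urlsplit(url).hostname or ""
        if is_lookalike_login_host(host):
            hits.append((user, host))
    return hits
```

Hits are a triage list, not a verdict: a legitimate partner host can carry one of these tokens, so confirm against the identity provider's sign-in logs before acting.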
Why SaaS attacks are difficult to spot
Once attackers get access to the identity provider, they can reach multiple connected SaaS apps from one account. That makes the compromise faster and harder to detect than an attack that targets one app at a time.

The attackers then try to keep access by changing MFA settings. CrowdStrike says the groups often remove existing MFA devices and register attacker-controlled devices instead.
SNARKY SPIDER commonly uses Genymobile Android emulators for MFA activity. CORDIAL SPIDER has used a broader mix of mobile devices and Windows Quick Emulator systems.
At a glance
| Item | Details |
|---|---|
| Threat groups | CORDIAL SPIDER and SNARKY SPIDER |
| Main attack method | Vishing and adversary-in-the-middle SSO phishing pages |
| Targeted services | SharePoint, HubSpot, Google Workspace, Salesforce, and other SaaS apps |
| Main goal | Rapid data theft and extortion |
| Key weakness abused | Weak MFA, broad SaaS access, and limited cloud activity monitoring |
Attackers hide alerts after taking over accounts
After registering their own MFA devices, attackers try to hide signs of compromise. One tactic involves deleting automated security emails that warn users about suspicious logins or new device registrations.
SNARKY SPIDER also creates inbox rules that filter or delete messages containing words such as “alert,” “incident,” and “MFA.” This helps attackers stay inside the account while the real user misses important warnings.
This method shows why email inbox activity now matters during cloud security investigations. A deleted alert or suspicious mail rule can point to account takeover, not just user cleanup.
Data theft can happen quickly
After attackers gain access, they search SaaS platforms for sensitive information. CrowdStrike observed searches for terms such as “confidential,” “SSN,” “contracts,” and “VPN.”
Those searches help the attackers find business documents, credentials, internal reports, and other high-value files. In some cases, SNARKY SPIDER begins exfiltration in under an hour.

The attackers also use commercial VPNs and residential proxy networks to hide their real location. CrowdStrike named services such as Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and NSOCKS among observed infrastructure sources.
What companies should do now
- Require phishing-resistant MFA for high-risk users and admins.
- Review recent MFA device changes across identity provider accounts.
- Check inbox rules for suspicious filters linked to security alerts.
- Monitor large file downloads from SharePoint, Google Workspace, HubSpot, and Salesforce.
- Investigate logins from residential proxies, commercial VPNs, and unusual locations.
- Limit broad SaaS access so one compromised account cannot reach too much data.
- Train help desk and employees to verify phone-based IT support requests.
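The inbox-rule tactic described earlier (rules that filter or delete mail containing "alert", "incident" or "MFA") and the checklist item about reviewing such rules can be turned into a repeatable check over a mailbox rule export. This is an added example, not code from the article or from CrowdStrike; the export schema is a simplified constructed one, not any vendor's exact format, and the extra keywords and hiding folders are assumptions.

```python
import json

# Words the article says SNARKY SPIDER filters on, plus two assumed variants.
ALERT_KEYWORDS = ("alert", "incident", "mfa", "suspicious", "security")
# Folders where moved mail goes unnoticed (assumed list, not from the article).
HIDING_FOLDERS = {"deleted items", "rss feeds", "archive", "junk email"}

# Constructed rule export in a simplified schema (not any vendor's exact format).
SAMPLE_RULES_JSON = """[
 {"name": "Newsletters", "enabled": true,
  "conditions": {"subjectContains": ["digest"]}, "actions": {"moveToFolder": "Reading"}},
 {"name": "Cleanup", "enabled": true,
  "conditions": {"subjectContains": ["alert", "incident", "MFA"]}, "actions": {"delete": true}},
 {"name": "Helpdesk", "enabled": true,
  "conditions": {"bodyContains": ["new sign-in", "security alert"]},
  "actions": {"moveToFolder": "RSS Feeds", "markAsRead": true}},
 {"name": "Old rule", "enabled": false,
  "conditions": {"subjectContains": ["MFA"]}, "actions": {"delete": true}}
]"""

def rule_keywords(rule):
    """All condition strings of a rule, lower-cased."""
    return [v.lower() for values in rule.get("conditions", {}).values() for v in values]

def hides_mail(rule):
    """True if the rule deletes, marks read, or buries the message."""
    actions = rule.get("actions", {})
    if actions.get("delete") or actions.get("markAsRead"):
        return True
    return actions.get("moveToFolder", "").lower() in HIDING_FOLDERS

def suspicious_inbox_rules(rules):
    """(rule name, matched keywords) for enabled rules that target
    security-alert wording AND hide the message from the user."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # a disabled rule cannot suppress mail today; review it separately
        matched = sorted({kw for kw in ALERT_KEYWORDS for w in rule_keywords(rule) if kw in w})
        if matched and hides_mail(rule):
            findings.append((rule["name"], matched))
    return findings

def scan_rule_export(text):
    """Parse a JSON rule export and return its suspicious rules."""
    return suspicious_inbox_rules(json.loads(text))
```

Pair each finding with the rule's creation time and the mailbox's recent MFA device changes; a hiding rule created shortly after a new device registration is the sequence the article describes.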
The bigger security problem
These campaigns show a shift in how cybercriminals attack companies. They do not always need malware, ransomware payloads, or direct endpoint access to cause damage.
A stolen cloud session can give attackers enough access to find files, download data, and pressure victims through extortion. This puts more responsibility on identity security, SaaS monitoring, and access control policies.
For enterprises, the main lesson is clear. Endpoint protection still matters, but it cannot be the only defense layer when attackers operate inside trusted SaaS platforms.
FAQ
CORDIAL SPIDER and SNARKY SPIDER are financially motivated cybercrime groups tracked by CrowdStrike. They focus on SaaS account compromise, fast data theft, and extortion.
An adversary-in-the-middle phishing page sits between the victim and the real login service. It captures credentials and session tokens while still showing the user a normal login flow.
The campaigns target SaaS environments, including SharePoint, HubSpot, Google Workspace, Salesforce, and other apps connected through SSO.
No. The attacks abuse customer-side weaknesses such as stolen credentials, weak MFA, and broad access permissions. They do not rely on a reported vulnerability in those SaaS platforms.