Vishing and AiTM Bypass MFA: Invisible Extortion in SaaS
Criminal groups like Cordial Spider use vishing and AiTM to bypass MFA and target SaaS environments. Protect your corporate data from invisible extortion.

The criminal groups Cordial Spider and Snarky Spider are carrying out high-impact extortion attacks by leveraging vishing and SSO abuse to operate exclusively within SaaS environments, leaving minimal traces. This evolution of "invisible" extortion bypasses MFA and puts corporate data at risk through high-speed exfiltration, without deploying traditional malware. In the first quarter of 2025, vishing already accounted for over 60% of phishing-related incident response engagements.
- The Cordial Spider and Snarky Spider clusters, active since October 2025, are expanding threats with tactics consistent with extortion attacks by the ShinyHunters group.
- The CL-CRI-1116 cluster has been actively targeting the retail and hospitality sectors since February 2026.
- After stealing SSO credentials, attackers register new MFA devices and create message deletion rules to suppress notifications.
- Just 3 seconds of audio are enough to produce a convincing voice replica via cloning for vishing campaigns.
- ShinyHunters (UNC6240) operates as an Extortion-as-a-Service (EaaS), receiving 25-30% of payments as an intermediary.
Actors and Context of the New Extortion Campaigns
The criminal clusters Cordial Spider and Snarky Spider, assessed to have been active since at least October 2025, represent an expansion of cyber threats. As revealed by Mandiant in January 2026, the tactics of these two groups are consistent with the extortion attacks carried out by the ShinyHunters group.
Specifically, the cluster identified as CL-CRI-1116 has been actively targeting the retail and hospitality sectors since February 2026. These campaigns aim to launch extortion activities, seeking additional financial gain channels by also targeting companies in the cryptocurrency sector.
ShinyHunters (UNC6240) functions as an Extortion-as-a-Service (EaaS), often operating as an intermediary and receiving 25-30% of any extortion payment from victims, while other criminal groups obtain the remainder. No sector is immune to this dynamic.
How Vishing and AiTM Bypass MFA and Poison SaaS
The attack technique leverages voice phishing (vishing) to direct users toward malicious SSO-themed adversary-in-the-middle (AiTM) pages. As explained by CrowdStrike Counter Adversary Operations, "In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications".
Once Single Sign-On (SSO) login credentials and multi-factor authentication (MFA) codes are obtained, attackers register their own device for MFA. They then proceed to remove existing devices and suppress automatic email notifications by configuring message deletion rules.
By operating almost exclusively within trusted SaaS environments, attackers initiate lateral movement through the company network. They exfiltrate data from SaaS platforms, such as SharePoint, and use compromised email accounts to send further phishing emails to corporate contacts.
The Impact of AI and the Challenge for Defenders
Technical analysis suggests that the integration of artificial intelligence into vishing is accelerating extortion impact timelines. The FBI issued notice PSA250515 in May 2025, warning against the use of AI-generated voice messages to impersonate U.S. government officials.
The numbers confirm the escalation: there was a 442% increase in vishing attacks between the first and second half of 2024. Furthermore, 70% of organizations have fallen victim to a voice phishing attack, and projected losses for deepfake-based fraud could reach $40 billion by 2027.
Just 3 seconds of audio are enough to produce a convincing replica of someone's voice through cloning.
The combination of speed, precision, and exclusive SaaS operation creates significant challenges for visibility and detection. As highlighted by CrowdStrike, "By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders."
What to Do Now
Faced with extortion campaigns that exploit vishing and operate exclusively within trusted SaaS environments, organizations must adopt specific countermeasures to limit exposure and block invisible lateral movements.
Verify and restrict automatic email forwarding and deletion rules within SaaS tenants to promptly intercept the suppression of security notifications. Actively monitor the registration of new MFA devices and the removal of existing ones, configuring alerts for behavioral anomalies.
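The two controls described above (watching MFA device churn and watching mailbox rules that delete or forward messages) are most useful when correlated per account: a new MFA factor, the removal of an existing one and a suppressive inbox rule appearing within the same hour is the sequence described earlier in this article. The following script is an added example, not code from the article or from any vendor it cites; the event field names and the constructed audit log lines are assumptions standing in for whatever a real IdP and mailbox audit export normalises to.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not from the article or any real tenant).
# The "action" vocabulary and field names are assumptions; map your IdP and
# mailbox audit logs onto this shape before running the detection.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:14:05Z", "user": "alice@example.com",
     "action": "mfa.factor.enroll", "detail": "Authenticator app (new phone)"},
    {"ts": "2026-03-02T09:16:40Z", "user": "alice@example.com",
     "action": "mfa.factor.remove", "detail": "Authenticator app (old phone)"},
    {"ts": "2026-03-02T09:21:12Z", "user": "alice@example.com",
     "action": "mailbox.rule.create", "detail": "DeleteMessage;Subject:'security alert'"},
    {"ts": "2026-03-02T11:02:00Z", "user": "bob@example.com",
     "action": "mfa.factor.enroll", "detail": "Security key"},
    {"ts": "2026-03-03T08:00:00Z", "user": "carol@example.com",
     "action": "mailbox.rule.create", "detail": "MoveToFolder;From:newsletter@example.net"},
    {"ts": "2026-03-03T10:30:00Z", "user": "dave@example.com",
     "action": "mailbox.rule.create", "detail": "ForwardTo;All:external@example.net"},
]

# Rule actions that hide or leak mail, and subject/sender keywords that a
# notification-suppression rule would typically match on.
RULE_ACTIONS = {"DeleteMessage", "ForwardTo"}
SECURITY_KEYWORDS = ("security", "sign-in", "mfa", "new device", "alert")


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_suppressive_rule(detail):
    """A rule is suspicious if it deletes/forwards, or if its condition
    targets the wording of security notifications."""
    action, _, condition = detail.partition(";")
    if action in RULE_ACTIONS:
        return True
    return any(keyword in condition.lower() for keyword in SECURITY_KEYWORDS)


def suspicious_rules(events):
    """Standalone review of every created inbox rule, for the periodic
    audit of forwarding and deletion rules recommended above."""
    return [
        {"user": e["user"], "ts": e["ts"], "rule": e["detail"]}
        for e in events
        if e["action"] == "mailbox.rule.create" and is_suppressive_rule(e["detail"])
    ]


def detect(events, window=timedelta(hours=1)):
    """Per user, anchor on each MFA enrolment and look for factor removal
    and/or a suppressive mailbox rule within `window` afterwards."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((parse_ts(e["ts"]), e["action"], e["detail"]))

    findings = []
    for user, evs in by_user.items():
        evs.sort()
        for ts, action, _ in evs:
            if action != "mfa.factor.enroll":
                continue  # enrolment alone is routine; only the sequence matters
            later = [(a, d) for t, a, d in evs if ts < t <= ts + window]
            removed = any(a == "mfa.factor.remove" for a, _ in later)
            suppressed = any(a == "mailbox.rule.create" and is_suppressive_rule(d)
                             for a, d in later)
            if not (removed or suppressed):
                continue
            severity = ("critical" if removed and suppressed
                        else "high" if suppressed else "medium")
            findings.append({
                "user": user,
                "enrolled_at": ts.isoformat(),
                "factor_removed": removed,
                "notifications_suppressed": suppressed,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    for rule in suspicious_rules(SAMPLE_EVENTS):
        print("review rule:", rule)
```

The correlation window is the knob to tune: too short and a patient operator who removes the old factor the next day slips through; too long and ordinary device replacements (enrol a new phone, retire the old one) generate noise. Keeping `suspicious_rules` as a separate, context-free check means forwarding and deletion rules still surface for review even when no MFA change accompanies them.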
Include scenarios such as SaaS account compromise, data theft from SharePoint, email extortion, and threats against executives in tabletop exercises and business continuity plans. Organizations must consider the impact of gangs like BlackFile, which use vishing and swatting to target retail and hotels.
Implement multi-factor authentication based on FIDO2 security keys or other phishing-resistant methods: because the authenticator binds its response to the legitimate site's origin, a credential captured on an AiTM page cannot be replayed against the real SSO provider. Isolate critical cloud environments by strictly segmenting SSO access levels for integrated SaaS applications.
The point is not just that vishing and AiTM techniques can steal SSO credentials. The real risk is that the trusted SaaS environment itself becomes the compromise vector and the base for high-speed data exfiltration, rendering traditional security perimeters ineffective against extortion that does not deploy malware.
Frequently Asked Questions
- How does the ShinyHunters group operate in extortion attacks?
- ShinyHunters functions as an Extortion-as-a-Service (EaaS), acting as an intermediary and receiving 25-30% of payments, while other criminal groups physically execute the attack and get the remaining portion.
- What are AiTM pages in vishing?
- AiTM (Adversary-in-the-Middle) pages are malicious SSO-themed sites where attackers intercept credentials and authentication tokens in real-time, allowing them to bypass MFA and access integrated SaaS apps.
- How is Multi-Factor Authentication (MFA) bypassed in these attacks?
- After capturing SSO credentials via AiTM pages, attackers register a new device for MFA, remove legitimate devices, and suppress security email notifications by configuring message deletion rules.
The information has been verified against the cited sources and updated at the time of publication.
Sources
- https://www.netech-solution.it/2026/03/17/vishing-e-strumenti-di-attacco-automatizzati-minacciano-gli-ambienti-cloud/
- https://www.matricedigitale.it/2026/04/29/blackfile-vishing-ransomware/
- https://prothect.it/sicurezza-informatica/shinyhunters-espande-gli-attacchi-di-estorsione-come-proteggere-i-dati-cloud-aziendali/
- https://www.proofpoint.com/us/threat-reference/vishing
- https://www.sentinelone.com/cybersecurity-101/cybersecurity/what-is-vishing/