
Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace

Cybersecurity News · Archived May 03, 2026




By Dhivya, May 2, 2026

Threat actors are rapidly shifting their intrusion tradecraft toward high-speed, SaaS-centric attacks that completely bypass traditional endpoint security. Since October 2025, security researchers have tracked two distinct adversaries, identified as CORDIAL SPIDER and SNARKY SPIDER, conducting aggressive data theft campaigns. These groups operate almost exclusively within trusted SaaS environments such as SharePoint, HubSpot, and Google Workspace to accelerate their time to impact. By leveraging single sign-on (SSO) integrations, they minimize their footprint and create significant visibility challenges for enterprise defenders.

Initial Access via Vishing

The adversaries initiate their attacks using targeted voice phishing (vishing) campaigns. They impersonate corporate IT support teams to create a false sense of urgency around security updates or account issues. This social engineering tactic directs employees to fraudulent adversary-in-the-middle (AiTM) phishing pages that closely mimic legitimate corporate login portals, using deceptive domains like company-sso[.]com.

[Figure: Falcon Shield detection of a suspicious sign-in pattern consistent with AiTM phishing attacks (Source: CrowdStrike)]

When victims enter their credentials, the attackers capture authentication data and active session tokens in real time. Because the proxy relays the authentication directly to the legitimate service, users experience a normal login and remain entirely unaware of the compromise. The stolen credentials grant access to the organization's identity provider (IdP), providing a single point of entry into multiple SaaS applications. By abusing the trust relationship between the IdP and connected services, the attackers move laterally across the victim's entire cloud ecosystem.

Once the attackers secure initial access, they immediately establish persistence by manipulating multifactor authentication (MFA) settings.

[Figure: Falcon Shield detection of manual deletion of security-related emails by users (Source: CrowdStrike)]

They typically remove existing MFA devices and register their own hardware to the compromised accounts, appearing to authenticate from a newly trusted device. SNARKY SPIDER almost exclusively enrolls Genymobile Android emulators to manage connected devices across different operating systems. CORDIAL SPIDER uses a broader range of mobile devices and Windows-based QEMU (Quick Emulator) instances for its authentication needs. Threat actors often register their malicious devices to long-standing accounts where MFA had not previously been enabled. Both groups systematically delete automated security emails from the victim's inbox to hide unauthorized device registrations, and they deploy automated inbox rules to instantly filter messages containing keywords such as "alert", "incident", or "MFA".

Rapid Data Exfiltration

With secure and stealthy access established, the threat actors execute targeted searches across connected SaaS platforms to locate high-value information.

[Figure: SNARKY SPIDER begins exfiltration in under an hour (Source: CrowdStrike)]

They frequently query terms such as "confidential", "SSN", "contracts", and "VPN" to prioritize business-critical documents and infrastructure credentials. Following this reconnaissance phase, the adversaries move quickly to aggregate and download massive datasets. In many documented incidents, SNARKY SPIDER begins high-volume data exfiltration within an hour of the initial compromise. These rapid breaches exploit customer misconfigurations, such as missing phishing-resistant MFA, rather than underlying vulnerabilities in the SaaS platforms themselves.

To obscure their geographic locations and evade IP-based detection, both threat groups route their traffic through commercial VPNs and residential proxy networks.

[Figure: Falcon Shield detection identifies when a user downloads files at a volume (Source: CrowdStrike)]

Providers like Mullvad, Oxylabs, and NetNut assign real home-user IP addresses to attackers, making malicious activity appear as benign residential traffic. Defending against these techniques requires comprehensive SaaS security posture management and advanced anomaly detection. Platforms like CrowdStrike Falcon Shield address these visibility gaps by applying deep SaaS expertise to analyze authentication flows and user behaviors. By combining entity-aware statistical models with network intelligence, security teams can reliably identify anonymization services, cluster adversarial infrastructure, and disrupt these high-speed cloud threats.

Dhivya is a Senior Journalist at Cyber Security News covering cyber attacks, threats, breaches, vulnerabilities and other happenings in the cyber world.
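The detection opportunities the article walks through (a sign-in from a fresh device, an MFA device enrolled right after it, an inbox rule that quietly removes security mail, searches for sensitive terms, and a download burst inside the first hour) can be correlated per user from SaaS audit events. The example below is an added illustration, not CrowdStrike's or Falcon Shield's code; the event schema, the sample events, and the 25-download threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed SaaS audit events for two users (sample data, not real telemetry).
EVENTS = [
    {"ts": "2026-05-01T09:00:00", "user": "alice", "type": "login", "new_device": True},
    {"ts": "2026-05-01T09:02:00", "user": "alice", "type": "mfa_device_added", "device": "Android emulator"},
    {"ts": "2026-05-01T09:03:00", "user": "alice", "type": "inbox_rule_created", "keywords": ["alert", "MFA"], "action": "delete"},
    {"ts": "2026-05-01T09:10:00", "user": "alice", "type": "search", "query": "confidential SSN"},
    {"ts": "2026-05-01T10:00:00", "user": "bob", "type": "login", "new_device": False},
    {"ts": "2026-05-01T10:05:00", "user": "bob", "type": "download"},
]
# Thirty downloads by alice between 09:20 and 09:49, within an hour of her new-device sign-in.
EVENTS += [{"ts": f"2026-05-01T09:{20 + i:02d}:00", "user": "alice", "type": "download"} for i in range(30)]

SECURITY_KEYWORDS = {"alert", "incident", "mfa"}               # inbox-rule filters the article describes
SENSITIVE_TERMS = {"confidential", "ssn", "contracts", "vpn"}  # search terms the article describes
WINDOW = timedelta(hours=1)
DOWNLOAD_THRESHOLD = 25  # assumed per-hour ceiling; tune to the tenant's baseline


def analyze(events):
    """Return {user: [sorted flag names]} for users showing the post-AiTM pattern."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        # Anchor the timeline on the first sign-in from a previously unseen device.
        anchor = next((datetime.fromisoformat(e["ts"]) for e in evs
                       if e["type"] == "login" and e.get("new_device")), None)
        flags, downloads = set(), 0
        for e in evs:
            since_anchor = datetime.fromisoformat(e["ts"]) - anchor if anchor else None
            in_window = since_anchor is not None and timedelta(0) <= since_anchor <= WINDOW
            if (e["type"] == "inbox_rule_created" and e.get("action") in ("delete", "move")
                    and {k.lower() for k in e["keywords"]} & SECURITY_KEYWORDS):
                flags.add("inbox_rule_hides_security_mail")
            elif e["type"] == "mfa_device_added" and in_window:
                flags.add("mfa_device_added_after_new_device_login")
            elif e["type"] == "search" and set(e["query"].lower().split()) & SENSITIVE_TERMS:
                flags.add("sensitive_term_search")
            elif e["type"] == "download" and in_window:
                downloads += 1
        if downloads >= DOWNLOAD_THRESHOLD:
            flags.add("bulk_download_within_1h_of_new_device_login")
        if flags:
            findings[user] = sorted(flags)
    return findings
```

Any single flag is worth a look; all four on one account within an hour of a new-device sign-in is the sequence the article attributes to SNARKY SPIDER.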