Defending Against CORDIAL SPIDER and SNARKY SPIDER with Falcon Shield

CrowdStrike
April 30, 2026 | Falcon Shield - Counter Adversary Operations | Threat Hunting & Intel

Since October 2025, CrowdStrike Counter Adversary Operations has observed a shift in intrusion tradecraft: threat actors are executing high-speed, SaaS-centric attacks that bypass traditional endpoint visibility. CORDIAL SPIDER and SNARKY SPIDER exemplify this evolution as distinct adversaries conducting rapid data theft and extortion campaigns with striking operational similarities.

In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications. By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders.

This blog details how these adversaries operate and how CrowdStrike Falcon® Shield identifies and disrupts their attacks.

How AiTM Pages Enable Initial Access

During vishing calls, CORDIAL SPIDER and SNARKY SPIDER impersonate IT support and create urgency around account issues or security updates to direct employees to fraudulent AiTM pages. These domains closely mimic legitimate corporate login portals (e.g., <companyname>sso[.]com, my<companyname>[.]com, <companyname>id[.]com, <companyname>internal[.]com). When users enter their credentials, the adversaries capture authentication data and active session tokens in real time. Because the AiTM proxy relays authentication to the legitimate service, users often see a normal login experience and remain unaware of the compromise.
In most observed cases, these credentials grant access to the organization's identity provider (IdP), providing a single point of entry into multiple SaaS applications. By abusing the trust relationship between the IdP and connected services, the adversaries bypass the need to compromise individual SaaS apps and instead move laterally across the victim's entire SaaS ecosystem with a single authenticated session.

Falcon Shield is built to detect these anomalous sign-in attempts. While adversaries attempt to blend in with legitimate activity by aligning source location, device fingerprint, and working hours, Falcon Shield applies advanced anomaly detection to surface subtle deviations. By combining a deep understanding of authentication flows with visibility into network characteristics, anonymization services, and session-clustering methods, Falcon Shield reliably identifies malicious access attempts.

Figure 1. This Falcon Shield detection details a suspicious sign-in pattern consistent with AiTM phishing attacks.

Figure 2. This Falcon Shield detection identifies geographic anomalies when users access platforms from locations inconsistent with their baseline behavior.

Persistence Through MFA Manipulation

Following initial access, CORDIAL SPIDER and SNARKY SPIDER establish persistence by registering adversary-controlled multifactor authentication (MFA) devices to compromised accounts. This allows them to maintain access while appearing to authenticate from a newly "trusted" device and reduces the need to repeatedly interact with the victim's legitimate MFA factors. In many cases, the adversaries first remove existing MFA devices before registering their own.
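A defender-side check for the MFA persistence pattern described above, added here as an example and not Falcon Shield's or CrowdStrike's own code: it scans IdP audit events for an existing factor being removed and a new one enrolled shortly after on the same account, and for one device identifier enrolled on more than one account. The event format and field names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IdP audit events, not real telemetry; field names are hypothetical.
EVENTS = [
    {"ts": "2026-04-01T09:00:00", "user": "alice", "action": "mfa_factor_removed",  "device": "iphone-a1"},
    {"ts": "2026-04-01T09:04:00", "user": "alice", "action": "mfa_factor_enrolled", "device": "dev-7f3c"},
    {"ts": "2026-04-01T09:30:00", "user": "bob",   "action": "mfa_factor_enrolled", "device": "dev-7f3c"},
    {"ts": "2026-04-02T11:00:00", "user": "carol", "action": "mfa_factor_enrolled", "device": "pixel-c9"},
]


def detect_mfa_persistence(events, window=timedelta(minutes=30)):
    """Return findings for two persistence patterns: an existing factor removed and a
    new one enrolled within `window`, and a single device enrolled on several accounts."""
    findings = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        by_user[ev["user"]].append(ev)

    # Pattern 1: factor swap on one account (remove the legitimate factor, enroll a new one quickly)
    for user, evs in by_user.items():
        last_removed = None
        for ev in evs:
            if ev["action"] == "mfa_factor_removed":
                last_removed = datetime.fromisoformat(ev["ts"])
            elif ev["action"] == "mfa_factor_enrolled" and last_removed is not None:
                enrolled = datetime.fromisoformat(ev["ts"])
                if enrolled - last_removed <= window:
                    findings.append(("remove_then_enroll", user, ev["device"]))
                last_removed = None  # pair an enrollment only with the most recent removal

    # Pattern 2: the same device identifier enrolled across multiple accounts
    users_per_device = defaultdict(set)
    for ev in events:
        if ev["action"] == "mfa_factor_enrolled":
            users_per_device[ev["device"]].add(ev["user"])
    for device, users in users_per_device.items():
        if len(users) > 1:
            findings.append(("shared_device", device, tuple(sorted(users))))
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_persistence(EVENTS):
        print(finding)
```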
When performing this technique, SNARKY SPIDER almost exclusively enrolls a Genymobile Android emulator for MFA, which enables them to operate connected Android devices across Linux, Windows, and macOS hosts.[1] CORDIAL SPIDER, by contrast, has used a broader mix of mobile devices and a Windows Quick Emulator (QEMU) device for MFA. Notably, in some instances, adversary-controlled devices were the first MFA device registered to long-standing accounts where MFA had not previously been enabled. In other instances, the same MFA device was enrolled across multiple compromised accounts, further streamlining adversary access and persistence.

Figure 3. This Falcon Shield detection identifies suspicious device registration patterns where a single device is added to multiple accounts.

Figure 4. This Falcon Shield detection identifies suspicious MFA enrollments originating from Android emulator platforms. Attackers exploit emulated environments to register malicious MFA factors and maintain persistent access.

Defense Evasion Through Notification Suppression

Immediately after enrolling attacker-controlled MFA devices, the adversaries move to suppress user-facing indicators of compromise (IOCs). This often includes deleting the automated security emails that notify users of suspicious activity, preventing discovery of the unauthorized device registration and of other malicious follow-on activity.

SNARKY SPIDER sustains its evasion efforts by systematically deleting security-related communications. The adversary creates inbox rules to automatically delete incoming messages containing keywords such as "alert," "incident," "MFA," and other security terms, effectively filtering out security notifications before they reach the user. By removing these signals at the source, the adversary reduces the likelihood of detection and prolongs unauthorized access.

Figure 5. This Falcon Shield detection identifies manual deletion of security-related emails by users whose activity originates from flagged ASNs. This behavior typically indicates post-compromise cleanup activities, insider threat evidence destruction, or malicious actors covering data exfiltration traces.

Figure 6. This detection identifies suspicious inbox rule patterns commonly used by threat actors to evade detection or maintain persistence in compromised accounts.

Targeted Discovery: Identifying High-Value SaaS Data

CORDIAL SPIDER and SNARKY SPIDER conduct targeted searches across SaaS platforms to identify high-value sensitive data. Observed search queries include terms such as "confidential," "SSN," "contracts," and "VPN," reflecting a focus on business-critical documents, internal communications, proof-of-concept materials, and infrastructure access credentials. This search-driven approach enables the adversaries to quickly prioritize sensitive content and accelerate their progression from initial access to data exfiltration.

Figure 7. This Falcon Shield detection identifies users conducting targeted searches for sensitive terms. This behavior is often associated with reconnaissance or data discovery activities.

Figure 8. This Falcon Shield detection identifies users who performed searches for sensitive content following an anomalous sign-in. This behavior is often associated with reconnaissance or data discovery activities.

High-Volume Exfiltration Across SaaS Environments

Figure 9. SNARKY SPIDER begins exfiltration in under an hour.

The primary objective of both CORDIAL SPIDER and SNARKY SPIDER is large-scale data exfiltration across SaaS platforms, including SharePoint, HubSpot, Google Workspace, and more. Once access is established, they move quickly to aggregate and download diverse datasets from all accessible SaaS services.
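A baseline check a defender could apply to SaaS download telemetry, added here as an example and not Falcon Shield's or CrowdStrike's own logic: it flags a user whose daily download count rises well above their own history and a source IP not previously seen for that user or for the organization. The history, observations and field names are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed baseline data (hypothetical): per-user daily download counts over prior
# days and the source IPs each user has previously been seen from.
HISTORY = {
    "alice": {"downloads": [12, 9, 15, 11, 10, 14, 8], "ips": {"203.0.113.10", "203.0.113.11"}},
    "bob":   {"downloads": [3, 5, 2, 4, 6, 3, 5],      "ips": {"203.0.113.12"}},
}
# Constructed observations for the current day.
TODAY = [
    {"user": "alice", "downloads": 16,  "ip": "203.0.113.10"},   # normal volume, known IP
    {"user": "bob",   "downloads": 240, "ip": "198.51.100.77"},  # spike from an IP new to user and org
]


def score_downloads(history, today, z_threshold=3.0, min_excess=20):
    """Flag users whose daily download count deviates from their own baseline (z-score
    plus an absolute excess, so tiny baselines do not alert on noise) or whose source
    IP is unusual for the user alone or for the whole organization."""
    org_ips = set().union(*(h["ips"] for h in history.values()))
    findings = []
    for obs in today:
        base = history[obs["user"]]
        mu = mean(base["downloads"])
        sigma = pstdev(base["downloads"]) or 1.0  # avoid division by zero on flat baselines
        z = (obs["downloads"] - mu) / sigma
        volume_anomaly = z >= z_threshold and obs["downloads"] - mu >= min_excess
        if obs["ip"] in base["ips"]:
            ip_scope = None        # seen before for this user
        elif obs["ip"] in org_ips:
            ip_scope = "user"      # new for the user, but known elsewhere in the org
        else:
            ip_scope = "org"       # new for both the user and the organization
        if volume_anomaly or ip_scope:
            findings.append({
                "user": obs["user"],
                "volume_z": round(z, 1) if volume_anomaly else None,
                "ip_scope": ip_scope,
            })
    return findings


if __name__ == "__main__":
    for finding in score_downloads(HISTORY, TODAY):
        print(finding)
```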
These compromises are not the result of security vulnerabilities in the SaaS platforms themselves, but rather weaknesses in customer configurations. Common issues include the absence of phishing-resistant MFA and access controls that grant overly permissive access to sensitive data.

Falcon Shield provides comprehensive guidance to identify and remediate these misconfigurations, helping organizations reduce exposure and strengthen defenses against SaaS-focused attacks.

Figure 10. This Falcon Shield detection identifies when a user downloads a large number of files while connected from an IP address that is unusual for both the user and the organization.

Figure 11. This Falcon Shield detection identifies when a user downloads files at a volume or velocity that significantly deviates from their established baseline behavior.

Infrastructure Behind the Campaigns

Throughout these campaigns, CrowdStrike identified network indicators tied to commercial VPN services and residential proxy networks. Unlike traditional VPNs that route traffic through data center IP addresses, residential proxies leverage IPs assigned to real home users, making malicious activity appear as legitimate residential traffic.

CORDIAL SPIDER and SNARKY SPIDER rely heavily on these services to evade IP-based detection and blend in with normal user behavior. Observed providers include Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and NSOCKS.

Falcon Shield's infrastructure detection capabilities enable defenders to identify and track these high-risk connection sources, exposing adversary activity that would otherwise appear benign.

Built for Modern Attacks: Falcon Shield Detections

CORDIAL SPIDER and SNARKY SPIDER highlight a growing detection gap. While many organizations have strengthened endpoint defenses against data exfiltration, fewer have the visibility required to detect adversaries operating within the IdP and SaaS layers.
The Three Detection Pillars of Falcon Shield

Deep SaaS expertise: The Falcon Shield detection engineering team has built a deep understanding of SaaS platforms, including authentication flows, user behaviors, and platform-specific entities and configurations. This expertise enables precise, high-fidelity detections tailored to each supported SaaS application.

Advanced anomaly detection: Falcon Shield applies advanced anomaly detection to distinguish malicious activity from legitimate use, using its visibility across the entire SaaS stack, enhanced with additional CrowdStrike Falcon® platform modules. By leveraging statistical models and entity-aware analysis across users, service accounts, OAuth applications, API tokens, and more, Falcon Shield evaluates each action in context. This includes factors such as network artifacts, zero trust network access solutions, device telemetry, and historical behavior across SaaS providers.

New-age network intelligence: Falcon Shield extends beyond traditional IOC-based detection by identifying and classifying anonymization services, clustering adversarial infrastructure, and flagging non-enterprise-grade servers used as access points. Through active scanning, integration with CrowdStrike reputation systems, and proactive engagement with malicious infrastructure, Falcon Shield delivers precise attribution of suspicious activity to attacker-controlled proxy nodes.

Together, these three pillars provide a robust and adaptable detection framework that minimizes noise while surfacing high-confidence activity in real time.

In addition to its detection capabilities, Falcon Shield delivers SaaS security posture management (SSPM) to proactively and continuously monitor identities, access controls, and configuration settings. This enables organizations to address weaknesses before they can be exploited and to prioritize the most critical issues for remediation, strengthening overall SaaS security posture.
To see these innovations in action, request a free Falcon Shield risk review or try it free for 15 days. Contact your representative to explore how CrowdStrike can empower your business to thrive in today's dynamic and SaaS-first digital landscape.

Additional Resources

Dive deeper into topics like this at Fal.Con 2026 with expert-led sessions, hands-on training, and real-world insights.
Read the CrowdStrike 2026 Global Threat Report for the latest insights on adversaries, tradecraft, and activity.
Learn more about Falcon Shield by visiting the product page.
Visit the Counter Adversary Operations webpage to learn about CrowdStrike's threat intelligence and hunting solutions.

[1] https[:]//github[.]com/genymobile/scrcpy