AiTM Login Pages Fuel Attacks on SharePoint, HubSpot, and Google Workspace
Recent threat intelligence reveals that two distinct adversary groups, tracked as CORDIAL SPIDER and SNARKY SPIDER, are executing high-speed data theft and extortion campaigns.
These attackers specifically target platforms like SharePoint, HubSpot, and Google Workspace to extract high-value corporate data.
By operating almost entirely within trusted SaaS ecosystems, they minimize their digital footprint while drastically accelerating their time-to-impact. The sheer speed and precision of these cloud-native attacks create significant detection challenges for network defenders.
The intrusion lifecycle typically begins with targeted voice phishing (vishing). Attackers impersonate internal IT support staff and create a false sense of urgency around supposed account problems or mandatory security updates.
They talk employees into navigating to Adversary-in-the-Middle (AiTM) phishing pages that mirror the organization's legitimate single sign-on (SSO) portal.
When the user enters credentials, the AiTM proxy relays every step of the login, including the MFA prompt, to the real service, so the experience looks normal; in the process the adversaries capture the credentials and, more importantly, the session cookie the identity provider issues once MFA has been satisfied.
Replaying that cookie gives the attacker an authenticated session with the identity provider without ever needing the password or the MFA device again.
Because connected SaaS applications trust the identity provider's session, the attackers can pivot across the victim's entire SaaS estate without having to compromise each application separately.
Once inside, CORDIAL SPIDER and SNARKY SPIDER move quickly to establish persistent access by manipulating multifactor authentication (MFA).
According to CrowdStrike, they routinely delete the victim's legitimate MFA devices and register attacker-controlled devices, frequently emulators, to the compromised accounts.
SNARKY SPIDER favors enrolling a Genymobile Android emulator, while CORDIAL SPIDER uses a broader mix of mobile devices and Windows QEMU (Quick Emulator) environments.
To stay stealthy, the adversaries also suppress the user-facing signs of compromise. They delete the automated security emails that would alert the user to a suspicious login or an unfamiliar device registration.
They also create inbox rules that automatically delete, or file into rarely viewed folders, incoming messages containing security-related keywords, so later alerts never reach the user either.
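The inbox-rule suppression described above is visible in mailbox audit logs, since rule creation is itself logged. The following is an added example, not code from the article or from CrowdStrike: it runs a simple check over constructed audit records modelled loosely on Microsoft 365 Unified Audit Log entries for the New-InboxRule and Set-InboxRule operations. The rule parameter names (SubjectContainsWords, BodyContainsWords, DeleteMessage, MoveToFolder, MarkAsRead) are the Exchange cmdlet parameter names; the surrounding record layout, the keyword list and every sample value are assumptions.

```python
"""Flag inbox rules that hide automated account-security mail.

Added example; not code from the article or from CrowdStrike. The input records
are constructed to resemble Microsoft 365 Unified Audit Log entries for the
New-InboxRule / Set-InboxRule operations, reduced to the fields the check needs.
The parameter names are the Exchange cmdlet parameter names; the record layout,
keyword list and sample values are assumptions.
"""
from typing import Any

# Words that appear in the sign-in / device-registration alerts the attackers suppress.
SECURITY_KEYWORDS = {
    "security", "sign-in", "signin", "login", "suspicious", "unusual",
    "mfa", "authenticat", "password", "verification", "new device", "alert",
}
# Rule conditions that match on message text.
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
# Folders users rarely open; moving alerts there hides them as well as deleting does.
HIDING_FOLDERS = {
    "deleted items", "junk email", "rss feeds", "rss subscriptions",
    "archive", "conversation history",
}

# Constructed sample events: one benign rule and two attacker-style rules.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "security alert;unusual sign-in;new device"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "a"},
                    {"Name": "BodyContainsWords", "Value": "MFA;password;verification code"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
]


def _params(event: dict[str, Any]) -> dict[str, str]:
    """Flatten the Parameters array into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def rule_hides_security_mail(event: dict[str, Any]) -> list[str]:
    """Return the reasons a rule looks like alert suppression; [] if it looks benign."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = _params(event)
    conditions = " ".join(p.get(c, "") for c in CONDITION_PARAMS).lower()
    matched = sorted(kw for kw in SECURITY_KEYWORDS if kw in conditions)
    if not matched:
        return []
    reasons = [f"matches security keywords {matched}"]
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes message")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves to {p['MoveToFolder']!r}")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks as read")
    if len(reasons) == 1:
        # Keyword match but no action that hides the mail: not the suppression pattern.
        return []
    if len(p.get("Name", "")) <= 2:
        # Attackers tend to give these rules throwaway names like "." or "a".
        reasons.append(f"minimal rule name {p.get('Name')!r}")
    return reasons


def find_suppression_rules(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Run the check over an audit stream; one finding per suspicious rule, in input order."""
    findings = []
    for e in events:
        reasons = rule_hides_security_mail(e)
        if reasons:
            findings.append({"user": e["UserId"], "client_ip": e.get("ClientIP"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suppression_rules(SAMPLE_EVENTS):
        print(f"{f['user']} from {f['client_ip']}: " + "; ".join(f["reasons"]))
```

A keyword hit alone is deliberately not enough; the rule must also delete, hide, or mark the message as read, which keeps legitimate "file my security newsletter" rules out of the alert queue. In production the same logic should also correlate the ClientIP of the rule creation with the sign-in that preceded it, since in these intrusions both come from the attacker's proxy.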
With secure and silent access established, the attackers conduct highly targeted searches across the compromised SaaS platforms. They hunt for critical business intelligence using specific query terms to locate sensitive materials.
This focused reconnaissance allows them to prioritize sensitive content and execute massive data exfiltration operations. In many documented cases, SNARKY SPIDER begins siphoning data within an hour of the initial breach.
These compromises stem from customer-side misconfiguration, such as overly permissive access controls and the absence of phishing-resistant MFA, rather than from vulnerabilities in the SaaS platforms themselves. Phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) bind the credential to the legitimate origin, so an AiTM page served from another domain cannot complete the authentication.
To mask their network traffic, the groups rely on commercial VPN services such as Mullvad and on residential proxy networks such as Oxylabs and NetNut, which route traffic through IP addresses assigned to real home users.
Traffic arriving from residential address space looks like ordinary home internet use, so IP-reputation lists and geographic blocking keyed on the source IP offer little protection.
Defending against these SaaS-centric threats requires anomaly detection on identity telemetry rather than perimeter controls. Security teams should monitor authentication flows, compare where a session token is used against where it was issued, flag MFA-method changes that follow a sign-in from an unfamiliar network, and review inbox-rule creation alongside unusual access patterns.
Continuous auditing of the identity provider, strict configuration management, and phishing-resistant MFA let organizations disrupt these rapid extortion campaigns before data theft occurs.
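An AiTM login leaves a distinctive trace in identity-provider logs: the sign-in arrives from the proxy's address, and the session cookie is then used from somewhere else, typically followed within minutes by the MFA-device swap described earlier in the article. The block below is an added example, not code from the article or from CrowdStrike, and it covers both the session-monitoring advice above and the MFA-manipulation behaviour. It runs over constructed events in an assumed, simplified schema (one record per sign-in, session activity or MFA-method change, each carrying the session id, source IP, ASN and user agent); the field names, the per-user set of previously seen ASNs standing in for a real baseline, and all sample values are assumptions to be mapped onto your own identity provider's audit log.

```python
"""Spot AiTM session replay and follow-on MFA tampering in identity logs.

Added example; not code from the article or from CrowdStrike. Events are
constructed and use an assumed, simplified schema; KNOWN_ASNS stands in for a
real per-user baseline of networks the user has signed in from before.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str          # "signin", "activity", "mfa_delete" or "mfa_register"
    session: str       # id of the session token the request presented
    ip: str
    asn: str
    user_agent: str


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


T0 = datetime(2024, 1, 15, 9, 0)
CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
CHROME_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Chrome/119"

# Constructed sample: alice signs in and works from the corporate network. bob's
# sign-in arrives via an AiTM proxy on a residential ISP, the token is then used
# from a different network, and his MFA methods are swapped minutes later.
SAMPLE_EVENTS = [
    Event(T0, "alice@example.com", "signin", "S1", "192.0.2.5", "AS64500", CHROME_WIN),
    Event(T0 + timedelta(minutes=2), "bob@example.com", "signin", "S2", "198.51.100.23", "AS64501", CHROME_WIN),
    Event(T0 + timedelta(minutes=4), "bob@example.com", "activity", "S2", "203.0.113.77", "AS64502", CHROME_LINUX),
    Event(T0 + timedelta(minutes=5), "bob@example.com", "mfa_delete", "S2", "203.0.113.77", "AS64502", CHROME_LINUX),
    Event(T0 + timedelta(minutes=6), "bob@example.com", "mfa_register", "S2", "203.0.113.77", "AS64502", CHROME_LINUX),
    Event(T0 + timedelta(minutes=10), "alice@example.com", "activity", "S1", "192.0.2.5", "AS64500", CHROME_WIN),
]
# Networks each user has historically signed in from (assumed baseline).
KNOWN_ASNS = {"alice@example.com": {"AS64500"}, "bob@example.com": {"AS64500"}}


def detect(events: list[Event], known_asns: dict[str, set[str]],
           window: timedelta = timedelta(hours=1)) -> list[Finding]:
    """Return findings for sign-ins from unfamiliar networks, session tokens used
    from a network other than the one that authenticated, and MFA-method changes
    shortly after such a sign-in. Events are processed in time order."""
    findings: list[Finding] = []
    signins: dict[str, Event] = {}   # session id -> the sign-in that minted it
    for e in sorted(events, key=lambda ev: ev.ts):
        trusted = known_asns.get(e.user, set())
        if e.kind == "signin":
            signins[e.session] = e
            if e.asn not in trusted:
                findings.append(Finding(e.user, "signin_from_new_asn", f"{e.ip} ({e.asn})"))
        elif e.kind == "activity":
            s = signins.get(e.session)
            # The AiTM proxy authenticates from its own address; the attacker then
            # replays the cookie from elsewhere, so issue and use do not match.
            if s and e.ts - s.ts <= window and (e.asn != s.asn or e.user_agent != s.user_agent):
                findings.append(Finding(e.user, "session_used_from_other_network",
                                        f"issued to {s.ip}/{s.asn}, used from {e.ip}/{e.asn}"))
        elif e.kind in ("mfa_delete", "mfa_register"):
            recent = [s for s in signins.values()
                      if s.user == e.user and timedelta(0) <= e.ts - s.ts <= window
                      and s.asn not in trusted]
            if recent:
                findings.append(Finding(e.user, "mfa_change_after_untrusted_signin",
                                        f"{e.kind} from {e.ip} after sign-in via {recent[0].asn}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, KNOWN_ASNS):
        print(f"{f.user}: {f.rule}: {f.detail}")
```

The check deliberately keys on the network (ASN) and client fingerprint rather than on country, because residential proxies place the attacker in a plausible geography; what they cannot easily do is make the token's first use come from the same address and browser that completed the login. Expect some noise from users who authenticate on a phone and then roam, so tune the window and treat the MFA-change rule as the high-confidence signal.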
The post AiTM Login Pages Fuel Attacks on SharePoint, HubSpot, and Google Workspace appeared first on Cyber Security News.