“capture authentication data and pivot directly into SSO-integrated SaaS applications," CrowdStrike's Counter Adversary Operations said in a report. "By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to im…”
T1671 Cloud Application Integration
42%
“and Salesforce, and then exfiltrate data of interest to infrastructure under its control. "In most observed cases, these credentials grant access to the organization's identity provider (IdP), providing a single point of entry into multiple SaaS applications," CrowdStrike s…”
T1550.001 Application Access Token
36%
“and Salesforce, and then exfiltrate data of interest to infrastructure under its control. "In most observed cases, these credentials grant access to the organization's identity provider (IdP), providing a single point of entry into multiple SaaS applications," CrowdStrike s…”
T1566 Phishing
34%
“Cybercrime groups using vishing and SSO abuse in rapid SaaS extortion attacks Cybersecurity researchers are warning of two cybercrime groups that are carrying out "rapid, high-impact attacks" operating almost within the confines of SaaS environments, while leaving minimal tra…”
T1111 Multi-Factor Authentication Interception
30%
“(LotL) techniques, as well as utilize residential proxies to conceal their geographic location and bypass basic IP-based reputation filters. "CL-CRI-1116 activity has been actively targeting the retail and hospitality space since February 2026, specifically leveraging vi…”
Summary
Cybersecurity researchers are warning of two cybercrime groups that are carrying out "rapid, high-impact attacks" operating almost within the confines of SaaS environments, while leaving minimal traces of their actions.
The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and