
Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace

Threat actors are rapidly shifting their intrusion tradecraft toward high-speed, SaaS-centric attacks that completely bypass traditional endpoint security.

Since October 2025, security researchers have tracked two distinct adversaries, identified as CORDIAL SPIDER and SNARKY SPIDER, conducting aggressive data theft campaigns.

These groups operate almost exclusively within trusted SaaS environments such as SharePoint, HubSpot, and Google Workspace to accelerate their time to impact.

By leveraging single sign-on (SSO) integrations, they minimize their footprint and create significant visibility challenges for enterprise defenders.

Initial Access via Vishing

The adversaries initiate their attacks using targeted voice phishing (vishing) campaigns. They impersonate corporate IT support teams to create a false sense of urgency around security updates or account issues.

This social engineering tactic directs employees to fraudulent adversary-in-the-middle (AiTM) phishing pages that closely mimic legitimate corporate login portals, using deceptive domains like company-sso[.]com.

This Falcon Shield detection details a suspicious sign-in pattern consistent with AiTM phishing attacks (Source: CrowdStrike)

When victims enter their credentials, the attackers capture authentication data and active session tokens in real time.

Because the proxy relays this authentication directly to the legitimate service, users experience a normal login and remain entirely unaware of the compromise.

These stolen credentials grant access to the organization’s identity provider (IdP), providing a single point of entry into multiple SaaS applications.

By abusing the trust relationship between the IdP and connected services, the attackers move laterally across the victim’s entire cloud ecosystem.

Once the attackers secure initial access, they immediately establish persistence by manipulating multifactor authentication (MFA) settings.

This Falcon Shield detection identifies manual deletion of security-related emails by users (Source: CrowdStrike)

They typically remove existing MFA devices and register their own hardware to the compromised accounts while appearing to authenticate from a newly trusted device.

  • SNARKY SPIDER almost exclusively enrolls Genymobile Android emulators to manage connected devices across different operating systems.
  • CORDIAL SPIDER uses a broader range of mobile devices and Windows Quick Emulators (QEMU) for its authentication needs.
  • Threat actors often register their malicious devices to long-standing accounts where MFA had not previously been enabled.
  • Both groups systematically delete automated security emails from the victim’s inbox to hide unauthorized device registrations.
  • Attackers deploy automated inbox rules to instantly filter messages containing keywords such as alert, incident, or MFA.

Rapid Data Exfiltration

With secure and stealthy access established, the threat actors execute targeted searches across connected SaaS platforms to locate high-value information.

SNARKY SPIDER begins exfiltration in under an hour (Source: CrowdStrike)

They frequently query terms such as confidential, SSN, contracts, and VPN to prioritize business-critical documents and infrastructure credentials.

Following this reconnaissance phase, the adversaries move quickly to aggregate and download massive datasets.

In many documented incidents, SNARKY SPIDER begins high-volume data exfiltration within an hour of the initial compromise.

These rapid breaches exploit customer misconfigurations, such as missing phishing-resistant MFA, rather than underlying vulnerabilities in the SaaS platforms themselves.

To obscure their geographic locations and evade IP-based detection, both threat groups route their traffic through commercial VPNs and residential proxy networks.

This Falcon Shield detection identifies when a user downloads files at an unusually high volume (Source: CrowdStrike)

Providers like Mullvad, Oxylabs, and NetNut assign real home-user IP addresses to attackers, making malicious activity appear as benign residential traffic.
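As an added example (not CrowdStrike's or the article's code), the following Python correlates constructed SaaS audit events into the three behaviours described above: inbox rules that filter on alert, incident or MFA; security notifications deleted shortly after a new MFA device is registered; and bulk downloads inside a short window. The event schema, field names, keyword lists and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Assumed event schema (not CrowdStrike's): {"ts", "user", "action", "details"}.
RULE_TERMS = {"alert", "incident", "mfa"}           # filter keywords the article names
MAIL_TERMS = {"security", "new device", "mfa"}       # assumed markers of security notices
MFA_GRACE = timedelta(hours=1)                       # assumed: deletion soon after MFA change
DL_LIMIT, DL_WINDOW = 20, timedelta(minutes=10)      # assumed bulk-download threshold

def detect(events):  # events must be ordered by timestamp; returns (rule, user, ts)
    findings, last_mfa, downloads = [], {}, defaultdict(deque)
    for e in events:
        t, u, a = datetime.fromisoformat(e["ts"]), e["user"], e["action"]
        d = e.get("details", {})
        if a == "inbox_rule_created":
            hits = {k.lower() for k in d.get("keywords", [])} & RULE_TERMS
            if hits and d.get("rule_action") in ("delete", "move"):
                findings.append(("suspicious_inbox_rule", u, t))
        elif a == "mfa_method_added":
            last_mfa[u] = t
        elif a == "email_deleted":
            subj = d.get("subject", "").lower()
            soon = u in last_mfa and t - last_mfa[u] <= MFA_GRACE
            if soon and any(k in subj for k in MAIL_TERMS):
                findings.append(("security_mail_deleted_after_mfa_change", u, t))
        elif a == "file_download":
            q = downloads[u]
            q.append(t)
            while t - q[0] > DL_WINDOW:             # drop downloads outside the window
                q.popleft()
            if len(q) == DL_LIMIT:                  # fire once, when the threshold is crossed
                findings.append(("bulk_download", u, t))
    return findings

# Constructed sample log, not real telemetry: one account walks the whole chain.
SAMPLE = [
    {"ts": "2025-11-03T09:00:00", "user": "alice", "action": "mfa_method_added",
     "details": {"device": "Android emulator"}},
    {"ts": "2025-11-03T09:01:30", "user": "alice", "action": "email_deleted",
     "details": {"subject": "Security alert: new MFA device registered"}},
    {"ts": "2025-11-03T09:02:00", "user": "alice", "action": "inbox_rule_created",
     "details": {"keywords": ["Alert", "MFA"], "rule_action": "delete"}},
] + [
    {"ts": f"2025-11-03T09:10:{i:02d}", "user": "alice", "action": "file_download",
     "details": {"file": f"contracts/{i}.pdf"}}
    for i in range(25)
]

if __name__ == "__main__":
    for rule, user, when in detect(SAMPLE):
        print(f"{when:%H:%M:%S} {user} {rule}")
```

Running it against the sample yields three findings for the same account in sequence, which is the kind of clustering the article says a SaaS-aware detection needs; in production the keyword lists and thresholds would be tuned per tenant.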

Defending against these sophisticated techniques requires comprehensive SaaS security posture management and advanced anomaly detection.

Platforms like CrowdStrike Falcon Shield address these visibility gaps by applying deep SaaS expertise to analyze authentication flows and user behaviors.

By combining entity-aware statistical models with new-age network intelligence, security teams can reliably identify anonymization services, cluster adversarial infrastructure, and disrupt these high-speed cloud threats.


The post Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace appeared first on Cyber Security News.

Microsoft’s April Security Update of High-Risk Vulnerability Notice for Multiple Products

Overview: On April 15, NSFOCUS CERT detected that Microsoft had released its April Security Update, fixing 165 security issues in Windows, Microsoft Office, Microsoft SQL Server, Microsoft Visual Studio, Microsoft .NET Framework and widely used products such as Azure, including high-risk vulnerability types such as privilege escalation and remote code execution. Among the vulnerabilities fixed by […]

The post Microsoft’s April Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on NSFOCUS.

The post Microsoft’s April Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on Security Boulevard.

Microsoft Patch Still Leaves 1,300 SharePoint Servers Exposed

More than 1,300 internet-exposed SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft says was exploited as a zero-day.

The post Microsoft Patch Still Leaves 1,300 SharePoint Servers Exposed appeared first on TechRepublic.

Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day

Microsoft Patch Tuesday security updates for April 2026 fixed 165 vulnerabilities, including an actively exploited SharePoint zero-day.

Microsoft Patch Tuesday security updates addressed 165 vulnerabilities, making it one of the largest updates by CVE count. One of the most interesting flaws fixed by the IT giant is a critical SharePoint zero-day, tracked as CVE-2026-32201, already exploited in attacks in the wild.

Security experts highlight the scale and urgency of this release, urging organizations to apply patches quickly to reduce exposure and prevent potential compromise from actively targeted flaws.

Eight of these flaws are rated Critical, two are rated as Moderate, and the rest are rated Important in severity.

CVE-2026-32201 (CVSS score of 6.5) is a spoofing vulnerability in Microsoft SharePoint Server, likely related to cross-site scripting (XSS). While details are limited, it could allow attackers to view or modify exposed information. Microsoft has not disclosed how widespread exploitation is, but given the potential impact, organizations, especially those with internet-facing SharePoint servers, should prioritize testing and applying the patch quickly.

“Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network,” reads the advisory, which is marked “Exploitation Detected.” “An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).”

  • CVE-2026-33825 (CVSS score: 7.8) – Microsoft Defender Elevation of Privilege Vulnerability
    This publicly disclosed flaw can allow privilege escalation, though current exploits may face reliability issues. Despite that, it represents a real risk. Organizations relying on Defender should test and deploy the patch quickly to reduce exposure.
  • CVE-2026-33827 (CVSS score: 8.1) – Windows TCP/IP Remote Code Execution Vulnerability
    This flaw enables remote, unauthenticated attackers to execute code without user interaction, making it potentially wormable on systems with IPv6 and IPSec enabled. Although it involves a race condition, such bugs are often exploitable. Prompt patching is strongly recommended.
  • CVE-2026-33824 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability
    This critical flaw in Windows IKE service extensions could allow remote attackers to execute code on affected systems. Systems with IKE enabled are at risk, though blocking UDP ports 500 and 4500 can reduce exposure from external threats. However, internal attackers may still exploit it for lateral movement, so rapid patching is strongly recommended.

“By my count, this is the second-largest monthly release in Microsoft’s history. There are many things we could speculate on to justify the size, but if Microsoft is like the other programs out there (including ours), they are likely seeing a rise in submissions found by AI tools. For us, our incoming rate has essentially tripled, making triage a challenge, to say the least.” reported ZDI. “Whatever the reason, we have a lot of bugs to deal with this month. I should also point out that the Pwn2Own Berlin occurs next month, and it’s typical for vendors to patch as much as they can before the event.”

The full list of vulnerabilities addressed by Microsoft is available here.


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Patch Tuesday)

CVE-2026-20963: SharePoint Deserialization Remote Code Execution Vulnerability

Microsoft SharePoint, a core platform for enterprise collaboration, is facing active exploitation through a newly confirmed vulnerability, tracked as CVE-2026-20963. Rooted in unsafe deserialization of user-controlled data, this vulnerability allows remote.

The post CVE-2026-20963: SharePoint Deserialization Remote Code Execution Vulnerability appeared first on Indusface.

The post CVE-2026-20963: SharePoint Deserialization Remote Code Execution Vulnerability appeared first on Security Boulevard.

Microsoft Patch Tuesday, November 2025 Edition

Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses affect all versions of Windows, including Windows 10.

Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent. The zero-day threat concerns a memory corruption bug deep in the Windows innards called CVE-2025-62215. Despite the flaw’s zero-day status, Microsoft has assigned it an “important” rating rather than critical, because exploiting it requires an attacker to already have access to the target’s device.

“These types of vulnerabilities are often exploited as part of a more complex attack chain,” said Johannes Ullrich, dean of research for the SANS Technology Institute. “However, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.”

Ben McCarthy, lead cybersecurity engineer at Immersive, called attention to CVE-2025-60274, a critical weakness in a core Windows graphic component (GDI+) that is used by a massive number of applications, including Microsoft Office, web servers processing images, and countless third-party applications.

“The patch for this should be an organization’s highest priority,” McCarthy said. “While Microsoft assesses this as ‘Exploitation Less Likely,’ a 9.8-rated flaw in a ubiquitous library like GDI+ is a critical risk.”

Microsoft patched a critical bug in Office, CVE-2025-62199, that can lead to remote code execution on a Windows system. Alex Vovk, CEO and co-founder of Action1, said this Office flaw is a high priority because it is low complexity, needs no privileges, and can be exploited just by viewing a booby-trapped message in the Preview Pane.

Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month. As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft account.

Judging from the comments on last month’s Patch Tuesday post, that registration worked for a lot of Windows 10 users, but some readers reported the option for an extra year of updates was never offered. Nick Carroll, cyber incident response manager at Nightwing, notes that Microsoft has recently released an out-of-band update to address issues when trying to enroll in the Windows 10 Consumer Extended Security Update program.

“If you plan to participate in the program, make sure you update and install KB5071959 to address the enrollment issues,” Carroll said. “After that is installed, users should be able to install other updates such as today’s KB5068781, which is the latest update to Windows 10.”

Chris Goettl at Ivanti notes that in addition to Microsoft updates today, third-party updates from Adobe and Mozilla have already been released. Also, an update for Google Chrome is expected soon, which means Edge will also be in need of its own update.

The SANS Internet Storm Center has a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on any updates gone awry.

As always, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.

[Author’s note: This post was intended to appear on the homepage on Tuesday, Nov. 11. I’m still not sure how it happened, but somehow this story failed to publish that day. My apologies for the oversight.]
