Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because CORDIAL SPIDER and SNARKY SPIDER have been active since October 2025, require no malware or endpoint access, exploit broadly deployed SaaS/IdP configurations reachable through vishing and credential interception, and face no meaningful detection barrier in MFA-only environments. Impact is high because a successful intrusion yields bulk exfiltration of email, files, and internal communications followed by direct extortion; discovery is typically delayed until the actor makes contact or the data is exposed, which compresses response time and amplifies regulatory, reputational, and financial consequences.
Treatment rationale: Active, financially motivated campaigns with confirmed tradecraft against a broadly held SaaS/IdP attack surface make acceptance or transfer untenable as the primary posture. Structural controls, namely phishing-resistant MFA, SaaS security posture management (SSPM), IdP anomaly detection, and identity threat detection and response (ITDR), directly reduce exploitability and dwell time for this specific threat vector.
Third-Party / Supply-Chain Risk
Material third-party and shared-platform exposure exists. Federated identity providers (IdPs) serving multiple tenants are a single point of trust abuse: compromise of an IdP session or OAuth token grants CORDIAL SPIDER and SNARKY SPIDER access to every downstream SaaS integration without touching any individual organization's endpoint estate. Organizations sharing an SSO provider with other tenants, or relying on a managed identity service, inherit the provider's session-security posture; weaknesses in the IdP's token issuance, revocation, or MFA enforcement propagate directly to all federated relying parties. NIST SP 800-161 supplier risk applies: the organization's effective identity perimeter is only as strong as the IdP's controls and the SaaS platform's session validation, neither of which is solely within the organization's direct control.
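The trust-propagation point above, and the IdP anomaly detection and ITDR controls named in the treatment rationale, can be made concrete with a small detector replayed over IdP and relying-party audit events. This is an added example written for this page, not tooling from the original item or from any IdP or SaaS vendor. The event schema (ts, event, sid, user, src, app), the coarse source labels such as `corp-nat-1` and `vps-7`, and the sample log itself are constructed assumptions; real exports carry IP, ASN, device and client-fingerprint fields that would take the place of `src`.

```python
"""Detect reuse of a federated IdP session from an unexpected source.

Added example for this risk item; not code from the original page or any
IdP vendor. The event schema (ts, event, sid, user, src, app) and the
coarse source labels are assumptions: real IdP exports carry richer fields
(IP, ASN, device ID, client fingerprint) that would replace `src`.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional
import json

# Constructed sample: session S1 is issued to alice from the corporate
# egress, then shows up from an unrelated source at two downstream SaaS
# relying parties, and is still accepted after an administrator revokes it.
# Session S2 is a normal session used only by its owner.
SAMPLE_LOG = [
    {"ts": 100, "event": "session.issued",  "sid": "S1", "user": "alice", "src": "corp-nat-1", "app": "idp"},
    {"ts": 130, "event": "app.access",      "sid": "S1", "user": "alice", "src": "corp-nat-1", "app": "mail"},
    {"ts": 400, "event": "app.access",      "sid": "S1", "user": "alice", "src": "vps-7",      "app": "files"},
    {"ts": 410, "event": "app.access",      "sid": "S1", "user": "alice", "src": "vps-7",      "app": "chat"},
    {"ts": 500, "event": "session.revoked", "sid": "S1", "user": "alice", "src": "admin",      "app": "idp"},
    {"ts": 520, "event": "app.access",      "sid": "S1", "user": "alice", "src": "vps-7",      "app": "mail"},
    {"ts": 600, "event": "session.issued",  "sid": "S2", "user": "bob",   "src": "home-isp-3", "app": "idp"},
    {"ts": 620, "event": "app.access",      "sid": "S2", "user": "bob",   "src": "home-isp-3", "app": "mail"},
]


@dataclass
class SessionState:
    user: str
    issued_src: str
    issued_ts: int
    revoked_ts: Optional[int] = None


@dataclass
class Finding:
    ts: int
    sid: str
    user: str
    app: str
    kind: str
    detail: str


def analyse(log: List[dict]) -> List[Finding]:
    """Replay IdP and relying-party events in time order and flag sessions
    used from a source other than the one they were issued to, or used after
    the IdP recorded a revocation."""
    sessions: Dict[str, SessionState] = {}
    findings: List[Finding] = []
    for ev in sorted(log, key=lambda e: e["ts"]):
        sid = ev["sid"]
        if ev["event"] == "session.issued":
            sessions[sid] = SessionState(ev["user"], ev["src"], ev["ts"])
            continue
        if ev["event"] == "session.revoked":
            if sid in sessions:
                sessions[sid].revoked_ts = ev["ts"]
            continue
        st = sessions.get(sid)
        if st is None:
            # A relying party accepted a session the IdP never issued in this
            # window: a log gap or a foreign token, either way worth a look.
            findings.append(Finding(ev["ts"], sid, ev["user"], ev["app"],
                                    "unknown-session", "no matching session.issued event"))
            continue
        if st.revoked_ts is not None and ev["ts"] > st.revoked_ts:
            findings.append(Finding(ev["ts"], sid, st.user, ev["app"], "use-after-revoke",
                                    f"revoked at ts={st.revoked_ts}, still accepted by {ev['app']}"))
        elif ev["src"] != st.issued_src:
            findings.append(Finding(ev["ts"], sid, st.user, ev["app"], "source-mismatch",
                                    f"issued to {st.issued_src}, used from {ev['src']}"))
    return findings


def blast_radius(findings: List[Finding]) -> Dict[str, set]:
    """Downstream apps reached by each flagged session: the set of relying
    parties an IdP-level compromise fanned out to."""
    reach: Dict[str, set] = {}
    for f in findings:
        reach.setdefault(f.sid, set()).add(f.app)
    return reach


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(json.dumps(asdict(f)))
    for sid, apps in blast_radius(results).items():
        print(f"{sid}: reached {sorted(apps)}")
```

The source comparison is deliberately coarse: in production the issued-to record would hold IP, ASN, device and token-binding attributes, and legitimate roaming (a mobile client changing networks) needs an allow-list or a second signal before escalation. The point the page makes is visible in the `blast_radius` output: one IdP session, once hijacked, is accepted by every relying party that trusts the IdP, and a revocation recorded at the IdP does not contain the intrusion if the relying party keeps honouring the session.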
Loss Exposure (illustrative)
Magnitude: High — illustrative $500K–$5M per event
Frequency: Illustrative 1-in-4 to 1-in-3 annual probability that an enterprise with broad SaaS/IdP exposure and MFA-only controls is targeted by a campaign of this type, given the actors' active and expanding targeting since October 2025
Annualized: Illustrative ALE of $125K–$1.7M per year for an exposed organization, the product of the illustrative frequency (0.25–0.33) and the illustrative loss magnitude ($500K–$5M): 0.25 × $500K = $125K at the low end and 0.33 × $5M ≈ $1.7M at the high end. The range widens materially if extortion is paid or regulatory action follows.
Basis: Loss magnitude is derived from four factors: the extortion demand potential of enterprise SaaS data (emails, files, and internal communications are high-leverage negotiation inventory for financially motivated actors); incident response cost for a breach with no endpoint footprint (forensic reconstruction from SaaS audit logs is labor-intensive and often requires specialist ITDR capability); delayed discovery, which compresses response time and increases breach scope, raising notification costs; and elevated reputational impact from the public extortion model both actors use. Frequency is derived from the fact that both actors are actively operating as of the item date, targeting enterprises on mainstream SaaS/IdP stacks, with no technical barrier beyond MFA, which their tradecraft is specifically designed to defeat. No external report figures were used.
Illustrative estimate — not actuarially derived. Figures are scenario-based and intended to support risk prioritization framing only. Do not use for insurance valuation, financial reporting, or regulatory disclosure.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Bulk exfiltration of emails and internal communications may constitute a reportable security event under cyber insurance policy incident-reporting provisions — verify notice obligations and timelines with broker before a breach occurs.
• PII or regulated data held in SaaS environments (HR systems, collaboration platforms) may invoke state and sector-specific breach-notification obligations if exfiltrated — verify applicability and notification deadlines with counsel.
• Extortion payment decisions may implicate cyber insurance ransomware/extortion coverage conditions and OFAC sanction-screening obligations — verify with broker and counsel prior to any payment consideration.
• SaaS and IdP vendor contracts may include security incident notification clauses running in both directions; a breach originating through a vendor-managed IdP may trigger mutual notification obligations — verify with counsel.