CORDIAL SPIDER and SNARKY SPIDER are two distinct financially motivated threat actors conducting SaaS-centric intrusions since October 2025. Both actors bypass endpoint detection entirely, operating exclusively within SaaS platforms and federated identity providers after gaining access through vishing and adversary-in-the-middle session token theft. No CVE anchors these campaigns — the exposure is architectural, residing in MFA modality choices and help desk verification procedures.
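A defender-side check for the stolen session tokens described above, as an added example that is not part of the original page: it flags a session ID that reappears from a network other than the one it was issued to. The event schema, field names and sample log lines are constructed assumptions, not any vendor's log format.

```python
import ipaddress
from datetime import datetime

# Constructed sample events; field names are an assumed, vendor-neutral schema.
EVENTS = [
    {"ts": "2025-11-03T09:00:12", "user": "alice", "session": "s-1001", "ip": "198.51.100.24", "ua": "Chrome/141 Windows", "action": "login"},
    {"ts": "2025-11-03T09:05:40", "user": "alice", "session": "s-1001", "ip": "198.51.100.77", "ua": "Chrome/141 Windows", "action": "file.read"},
    {"ts": "2025-11-03T09:07:02", "user": "alice", "session": "s-1001", "ip": "203.0.113.9", "ua": "python-requests/2.32", "action": "file.export"},
    {"ts": "2025-11-03T10:15:00", "user": "bob", "session": "s-2002", "ip": "192.0.2.10", "ua": "Safari/18 macOS", "action": "login"},
    {"ts": "2025-11-03T11:40:00", "user": "bob", "session": "s-2002", "ip": "203.0.113.200", "ua": "Safari/18 macOS", "action": "mail.read"},
]

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its enclosing network so small DHCP moves do not alert."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_session_replay(events):
    """Flag events that reuse a session ID from a network other than the one it was issued to."""
    origin = {}    # session id -> (network, user agent, issue time) at first sight
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        net, ts = network_of(ev["ip"]), datetime.fromisoformat(ev["ts"])
        if ev["session"] not in origin:
            origin[ev["session"]] = (net, ev["ua"], ts)
            continue
        first_net, first_ua, first_ts = origin[ev["session"]]
        if net == first_net:
            continue
        findings.append({
            "user": ev["user"], "session": ev["session"], "action": ev["action"],
            "from": str(first_net), "to": ev["ip"],
            "age_s": int((ts - first_ts).total_seconds()),
            # A new client fingerprint on top of a new network is the stronger signal.
            "severity": "high" if ev["ua"] != first_ua else "medium",
        })
    return findings

if __name__ == "__main__":
    for f in find_session_replay(EVENTS):
        print(f)
```

Medium findings include legitimate roaming between networks, so they serve as triage context rather than alerts on their own.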