
The SaaS Backdoor Nobody Talks About: Why Your Automation Setup Might Be a Target

Two organized groups are exploiting SaaS workflows faster than we can patch them. Here's what I'm actually worried about.

Juan David Avellaneda · May 1, 2026 · 4 min read

The Problem With Speed

Last week I was building a Zapier workflow for a client—nothing fancy, just syncing Stripe payments to HubSpot. Standard stuff. But halfway through, I realized something uncomfortable: I was creating the exact kind of integration corridor these attack groups love. No complex firewall. No elaborate security theater. Just token-based access, assumed trust, and the assumption that if something breaks, we'll notice.

We won't notice. Not in time.

What's happening right now with Cordial Spider and Snarky Spider isn't sophisticated in the way we usually think about sophisticated attacks. They're not zero-days. They're not breaking encryption. They're using vishing—social engineering phone calls—to grab credentials, then abusing single sign-on (SSO) systems to move laterally through your entire SaaS stack. The speed is the weapon. In, extract, out. Minimal forensic traces.

I'm not sure this is the right framework to think about it in, but these aren't really hacking groups in the traditional sense—they're acting more like efficient data extraction consultants who don't care about breaking things, just about accessing what they came for.

Why Automation Makes You Vulnerable

  • Every integration you add is another token stored, another API secret sitting in an environment file or third-party service
  • OAuth flows that seemed brilliant in 2020
  • The person who set up your Slack-to-Salesforce automation in 2019 probably isn't even at your company anymore
  • Your SaaS vendor's security is now your security, whether you like it or not, and I genuinely don't know how to fix that

Here's the uncomfortable part: I build integrations that assume good faith. I use Zapier, Make, and custom APIs with the fundamental belief that if someone gets a valid token, they probably belong there. That's not naive—that's the entire architecture of modern SaaS. But when someone answers their phone at 2 PM on a Tuesday and tells an employee they're from IT, asking for their Okta password, that token now belongs to someone who definitely doesn't.

The extraction happens in hours. Maybe days if they're being cautious. By the time your security team notices the weird API calls in the logs, they've already copied customer data, financial records, whatever had value.

What I'm Actually Doing About This

I've started asking uncomfortable questions when clients want new integrations. Not to block them—that's not realistic in 2024—but to understand what data moves through the connection and whether it really needs to be automated at all.

Some changes I'm making:

  • Rotating API keys quarterly now, though I'm not certain this actually stops determined attackers since they can just grab the new ones
  • Using service accounts instead of personal credentials for automation. Obvious in retrospect, embarrassing how many workflows still run on someone's actual Salesforce login
  • Adding logging to integrations that didn't have it, which feels like closing the barn door after the horses left, but
  • Actually talking to clients about what their employees will do if someone calls claiming to be support
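The "weird API calls in the logs" that a security team notices too late, and three of the changes listed above (service accounts instead of personal logins, quarterly key rotation, logging that can actually be reviewed), can be turned into a small audit-log review. The script below is an added example and is not code from the original post or from Zapier, Make, HubSpot or any vendor; the log records, field names (`actor_type`, `token_issued`, `records`) and the 90-day rotation window are constructed assumptions, not a real vendor schema.

```python
"""Added example (not from the original post): review a SaaS integration
audit log for three things the post calls out: automations running on a
person's login instead of a service account, API tokens older than the
quarterly rotation window, and a sudden bulk export by one credential.
Every record and field name below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records, loosely modelled on a SaaS vendor's API-usage
# export. The field names are assumptions, not any vendor's real schema.
AUDIT_LOG = [
    {"ts": "2026-04-30T09:00:00", "actor": "svc-stripe-sync", "actor_type": "service",
     "token_issued": "2026-03-15", "ip": "203.0.113.10", "action": "payments.list", "records": 40},
    {"ts": "2026-04-30T09:05:00", "actor": "maria@example.com", "actor_type": "user",
     "token_issued": "2025-06-01", "ip": "203.0.113.10", "action": "contacts.export", "records": 120},
    {"ts": "2026-04-30T09:10:00", "actor": "maria@example.com", "actor_type": "user",
     "token_issued": "2025-06-01", "ip": "203.0.113.10", "action": "contacts.export", "records": 120},
    {"ts": "2026-04-30T14:02:00", "actor": "maria@example.com", "actor_type": "user",
     "token_issued": "2025-06-01", "ip": "198.51.100.77", "action": "contacts.export", "records": 9000},
    {"ts": "2026-04-30T14:03:00", "actor": "maria@example.com", "actor_type": "user",
     "token_issued": "2025-06-01", "ip": "198.51.100.77", "action": "invoices.export", "records": 6000},
    {"ts": "2026-04-30T15:00:00", "actor": "svc-slack-salesforce", "actor_type": "service",
     "token_issued": "2026-04-20", "ip": "203.0.113.11", "action": "cases.list", "records": 10},
]

NOW = datetime(2026, 5, 1)            # assumed "today" for the token-age check
ROTATION_WINDOW = timedelta(days=90)  # the post's quarterly rotation, as an assumption


def automations_on_personal_logins(events, min_repeats=2):
    """Return actors whose repeated (scheduled-looking) API actions run on a
    personal user credential rather than a dedicated service account."""
    counts = defaultdict(int)
    for e in events:
        if e["actor_type"] == "user":
            counts[(e["actor"], e["action"])] += 1
    return sorted({actor for (actor, _), n in counts.items() if n >= min_repeats})


def stale_tokens(events, now=NOW, window=ROTATION_WINDOW):
    """Return {actor: token age in days} for tokens past the rotation window."""
    stale = {}
    for e in events:
        age = now - datetime.fromisoformat(e["token_issued"])
        if age > window:
            stale[e["actor"]] = age.days
    return stale


def export_spikes(events, factor=10):
    """Flag export actions whose record count exceeds `factor` times the
    actor's median export size seen earlier in the log. Each alert notes
    whether the source IP is new for that actor, so an analyst can
    correlate it with the SSO sign-in log."""
    history = defaultdict(list)
    known_ips = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not e["action"].endswith(".export"):
            continue
        prior = history[e["actor"]]
        if prior:
            baseline = sorted(prior)[len(prior) // 2]
            if e["records"] > factor * baseline:
                alerts.append({
                    "actor": e["actor"], "ts": e["ts"], "records": e["records"],
                    "baseline": baseline,
                    "new_ip": e["ip"] not in known_ips[e["actor"]],
                })
        prior.append(e["records"])
        known_ips[e["actor"]].add(e["ip"])
    return alerts


if __name__ == "__main__":
    print("automations on personal logins:", automations_on_personal_logins(AUDIT_LOG))
    print("tokens past rotation window:", stale_tokens(AUDIT_LOG))
    for alert in export_spikes(AUDIT_LOG):
        print("export spike:", alert)
```

On the constructed log this reports one personal login driving a repeated export job, one token that is almost a year old, and two afternoon exports that are far above that user's morning baseline, the first of them from an IP the account had never used. None of those three findings needs the vendor's help; they only need the integration to log who acted, from where, and how much was moved, which is exactly the logging the post says most workflows were missing.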

The last one is the only thing that genuinely matters. Training. Not the annual checkbox compliance video, but actual conversation about why someone might call asking for credentials and what that should trigger in someone's brain. Vishing works because it doesn't feel like an attack—it feels like someone doing their job asking you to do yours.

The Honest Part

I don't have a clean answer here. I can't architect my way out of this problem. The entire value proposition of modern SaaS is integration—everything connects to everything else, and that's simultaneously why it's powerful and why it's exploitable. Tighten security too much and your business can't operate at the speed required to compete. Loosen it and you become a data extraction platform for organized crime.

What concerns me most isn't that these attacks exist. It's that they're efficient enough to be profitable, which means they'll scale.

#SaaS Security #API Security #Vishing #SSO Abuse #Workflow Automation #Cybersecurity

Juan David Avellaneda

Innovation Specialist · Bogotá, Colombia