Resilience of Global Navigation Satellite System (GNSS) usage against spoofing attacks can be increased by signal monitoring algorithms aiming to detect a spoofing signal at the acquisition stage of GNSS receiver signal processing. A common approach is to search for the presence of multiple correlation peaks in the absolute value of the Cross-Ambiguity Function (CAF). In this context, it is particularly challenging to detect spoofing signals with a correlation peak closely aligned to that of the authentic signal, as is the case at the early stage of a coherent spoofing attack. In the present work, a spoofing detection method is proposed that monitors the magnitude of the CAF by means of clustering techniques. It is designed to detect the pull-off during a coherent power-matched spoofing attack already at an early stage. The method is evaluated for the GPS L1 C/A signal based on a static scenario of the Texas Spoofing Test Battery (TEXBAT) data set as well as for the Galileo E1-B signal based on a real-world digital snapshot recording in the E1 frequency band which is augmented by emulated spoofing signals at the level of digital signal processing.