Why organizations need comprehensive defenses against this new breed of cybercriminal
This post is based on a threat intelligence report by Resilience Director of Threat Intelligence Andrew Bayers.
Scattered Spider has emerged as a sophisticated threat actor whose advanced social engineering tactics blur the lines between common cybercrime and nation-state tradecraft. Their tendency to tackle specific verticals at a time – as they did in the recent retail attacks in the UK and their attacks on casinos last year – means when they hit, they hit in a massive surge.
That factor, combined with recent reports that they may be targeting insurance companies as the 7/1 transition date approaches, means it’s imperative that organizations of all types are on the lookout for attack attempts. Here’s what you need to know.
What makes Scattered Spider different
Unlike traditional cybercriminals who rely primarily on automated attacks, Scattered Spider employs real-time interaction with victims, dramatically increasing their success rates. Their operational security is tight: they frequently rotate infrastructure and identities to avoid detection, making them particularly challenging to track and counter.
Perhaps most concerning is their ability to exploit the very trust mechanisms organizations put in place to protect themselves: multi-factor authentication (MFA), IT support processes, and third-party identity providers. They’ve weaponized the trust employees place in internal systems and support staff. Here’s how they do it.
1. IT impersonation
Scattered Spider attackers pose as internal IT support or help desk staff, using publicly available information from LinkedIn and corporate websites to make their impersonation convincing. A typical attack might involve a call like: “Hi Bob, this is Alice from IT. We’re seeing issues with your account and need you to re-authenticate. I’ll send a push to your phone.”
2. SIM swapping operations
By socially engineering telecom providers, Scattered Spider attackers port victims’ phone numbers to attacker-controlled SIM cards. This allows them to intercept SMS-based MFA codes and phone calls, effectively bypassing traditional two-factor authentication.
3. Advanced voice phishing (vishing)
These aren’t amateur cold calls. Scattered Spider operates call center-style operations with detailed scripts that reference internal systems like Okta, Azure AD, and VPN portals. They enhance credibility through spoofed caller IDs, voice modulation, and automation.
4. MFA fatigue attacks
Scattered Spider floods victims with repeated MFA requests, hoping frustration or confusion will lead to approval. This is often combined with real-time communication—calling the victim during the attack while pretending to be IT support.
5. Sophisticated phishing portals
Their credential harvesting operations involve cloning login pages for enterprise applications, complete with corporate branding. These fake portals are hosted on compromised domains or legitimate cloud services to avoid detection.
6. Identity provider exploitation
Once Scattered Spider gains initial access, they pivot through identity providers like Okta or Azure AD to enumerate users and escalate privileges, taking advantage of single sign-on (SSO) trust relationships across cloud and SaaS platforms.
7. Insider recruitment
Perhaps most alarming, they actively recruit insiders through forums and social media, offering substantial payments for credentials, access to internal portals, or assistance with MFA bypass.
8. AI-enhanced attacks
While not yet widely confirmed, there are reports suggesting potential use of AI-generated voice content and deepfakes to enhance their impersonation attempts, pointing to an even more sophisticated future threat landscape.
How to protect your organization
Given the sophistication of these attacks, traditional security measures alone aren’t sufficient. Organizations need a comprehensive approach that addresses both technical vulnerabilities and human factors.
Strengthening identity verification begins with implementing multi-layered identity verification that requires multiple forms of confirmation before acting on requests. Organizations should establish strict, documented authentication policies for help desk interactions and train staff to verify identities through out-of-band communication channels. This creates multiple checkpoints that make it significantly harder for attackers to maintain their deception.
Zero trust principles must be enforced consistently across all systems by applying the principle of least privilege and restricting access to powerful administrative tools to a small number of trusted users. Role-based access controls should be implemented with regular reviews to ensure permissions remain appropriate as roles change. This approach assumes that no user or system should be trusted by default, regardless of their location or credentials.
Connected application security requires maintaining strict control over who can authorize or install connected applications, using IP-based restrictions and allowlisting for approved applications, and monitoring all connected app activities. Since Scattered Spider often targets platforms like Salesforce, organizations should pay particular attention to tools like Data Loader and permissions such as “API Enabled” and “Customize Application.”
Real-time monitoring capabilities should include security event monitoring tools to track suspicious activities like mass data downloads, endpoint detection and response (EDR) systems to detect credential-stealing malware, and automated alerts for unusual access patterns. The goal is to detect and respond to threats as they occur, rather than discovering them after damage has been done.
MFA implementation needs to go beyond basic requirements to include phishing-resistant MFA using physical security keys that comply with FIDO2 standards. While requiring MFA for all access, including APIs and connected applications, is essential, organizations must also train users to recognize and report suspicious MFA requests, particularly the flood of requests characteristic of fatigue attacks.
Human-centered security investments should provide regular, targeted security training for help desk and IT personnel while educating privileged users about social engineering tactics and current threat trends. Creating a culture where employees feel comfortable questioning suspicious requests is crucial, as many successful attacks rely on victims’ reluctance to challenge apparent authority figures.
Third-party risk management involves auditing and limiting vendor access to only necessary systems, using temporary credentials where possible for external access, and monitoring third-party activities for unusual behavior patterns. Since Scattered Spider often exploits trust relationships, organizations must be particularly vigilant about external access points.
The bottom line
The threat landscape is evolving rapidly, and so must our defenses. By understanding these tactics and implementing comprehensive countermeasures, organizations can significantly reduce their risk of falling victim to these sophisticated social engineering campaigns.
