Threatonomics

How Scattered Spider’s vertical-focused strategy creates industry-wide security emergencies

by Emma McGowan , Senior Writer
Published

Why organizations need comprehensive defenses against this new breed of cybercriminal

This post is based on a threat intelligence report by Resilience Director of Threat Intelligence Andrew Bayers.

Scattered Spider has emerged as a sophisticated threat actor whose advanced social engineering tactics blur the lines between common cybercrime and nation-state tradecraft. Their tendency to tackle specific verticals at a time – as they did in the recent retail attacks in the UK and their attacks on casinos last year – means when they hit, they hit in a massive surge. 

That factor, combined with recent reports that they may be targeting insurance companies as the 7/1 transition date approaches, means it’s imperative that organizations of all types are on the lookout for attack attempts. Here’s what you need to know.

What makes Scattered Spider different

Unlike traditional cybercriminals who rely primarily on automated attacks, Scattered Spider employs real-time interaction with victims, dramatically increasing their success rates. Their operational security is tight: they frequently rotate infrastructure and identities to avoid detection, making them particularly challenging to track and counter.

Perhaps most concerning is their ability to exploit the very trust mechanisms organizations put in place to protect themselves: multi-factor authentication (MFA), IT support processes, and third-party identity providers. They’ve weaponized the trust employees place in internal systems and support staff. Here’s how they do it.

1. IT impersonation

Scattered Spider attackers pose as internal IT support or help desk staff, using publicly available information from LinkedIn and corporate websites to make their impersonation convincing. A typical attack might involve a call like: “Hi Bob, this is Alice from IT. We’re seeing issues with your account and need you to re-authenticate. I’ll send a push to your phone.”

2. SIM swapping operations

By socially engineering telecom providers, Scattered Spider attackers port victims’ phone numbers to attacker-controlled SIM cards. This allows them to intercept SMS-based MFA codes and phone calls, effectively bypassing traditional two-factor authentication.

3. Advanced voice phishing (vishing)

These aren’t amateur cold calls. Scattered Spider operates call center-style operations with detailed scripts that reference internal systems like Okta, Azure AD, and VPN portals. They enhance credibility through spoofed caller IDs, voice modulation, and automation.

4. MFA fatigue attacks

Scattered Spider floods victims with repeated MFA requests, hoping frustration or confusion will lead to approval. This is often combined with real-time communication—calling the victim during the attack while pretending to be IT support.

5. Sophisticated phishing portals

Their credential harvesting operations involve cloning login pages for enterprise applications, complete with corporate branding. These fake portals are hosted on compromised domains or legitimate cloud services to avoid detection.

6. Identity provider exploitation

Once Scattered Spider gains initial access, they pivot through identity providers like Okta or Azure AD to enumerate users and escalate privileges, taking advantage of single sign-on (SSO) trust relationships across cloud and SaaS platforms.

7. Insider recruitment

Perhaps most alarming, they actively recruit insiders through forums and social media, offering substantial payments for credentials, access to internal portals, or assistance with MFA bypass.

8. AI-enhanced attacks

While not yet widely confirmed, there are reports suggesting potential use of AI-generated voice content and deepfakes to enhance their impersonation attempts, pointing to an even more sophisticated future threat landscape.

How to protect your organization 

Given the sophistication of these attacks, traditional security measures alone aren’t sufficient. Organizations need a comprehensive approach that addresses both technical vulnerabilities and human factors.

Strengthening identity verification begins with implementing multi-layered identity verification that requires multiple forms of confirmation before acting on requests. Organizations should establish strict, documented authentication policies for help desk interactions and train staff to verify identities through out-of-band communication channels. This creates multiple checkpoints that make it significantly harder for attackers to maintain their deception.

Zero trust principles must be enforced consistently across all systems by applying the principle of least privilege and restricting access to powerful administrative tools to a small number of trusted users. Role-based access controls should be implemented with regular reviews to ensure permissions remain appropriate as roles change. This approach assumes that no user or system should be trusted by default, regardless of their location or credentials.

Connected application security requires maintaining strict control over who can authorize or install connected applications, using IP-based restrictions and allowlisting for approved applications, and monitoring all connected app activities. Since Scattered Spider often targets platforms like Salesforce, organizations should pay particular attention to tools like Data Loader and permissions such as “API Enabled” and “Customize Application.”

Real-time monitoring capabilities should include security event monitoring tools to track suspicious activities like mass data downloads, endpoint detection and response (EDR) systems to detect credential-stealing malware, and automated alerts for unusual access patterns. The goal is to detect and respond to threats as they occur, rather than discovering them after damage has been done.

MFA implementation needs to go beyond basic requirements to include phishing-resistant MFA using physical security keys that comply with FIDO2 standards. While requiring MFA for all access, including APIs and connected applications, is essential, organizations must also train users to recognize and report suspicious MFA requests, particularly the flood of requests characteristic of fatigue attacks.

Human-centered security investments should provide regular, targeted security training for help desk and IT personnel while educating privileged users about social engineering tactics and current threat trends. Creating a culture where employees feel comfortable questioning suspicious requests is crucial, as many successful attacks rely on victims’ reluctance to challenge apparent authority figures.

Third-party risk management involves auditing and limiting vendor access to only necessary systems, using temporary credentials where possible for external access, and monitoring third-party activities for unusual behavior patterns. Since Scattered Spider often exploits trust relationships, organizations must be particularly vigilant about external access points.

The bottom line

The threat landscape is evolving rapidly, and so must our defenses. By understanding these tactics and implementing comprehensive countermeasures, organizations can significantly reduce their risk of falling victim to these sophisticated social engineering campaigns.

You might also like

How to get people to care about security when they don’t report to you

Getting executive sign-off on a new control? Hard. Getting peer buy-in on security initiatives when they don’t report to you? Harder. In modern organizations, cybersecurity professionals often find themselves in the ultimate matrix of organizational challenges: you need buy-in from every department within the organization – operations, sales, HR, and finance – but none of […]

Why vendor discovery matters now (and how most organizations get it wrong)

The average enterprise relies on hundreds—sometimes thousands—of third-party vendors to operate. Yet when security leaders are asked for a complete inventory of these vendors, the response is often a patchwork of spreadsheets, outdated procurement lists, and educated guesses. This vendor blindness isn’t just an operational inconvenience—it’s a critical business risk that’s becoming increasingly expensive to […]

The healthcare cybersecurity crisis that’s costing organizations millions in damages

The U.S. healthcare sector faces an unprecedented cybersecurity crisis. With 168 million healthcare records breached in 2023 and ransomware attacks surging 32% in 2024, the industry confronts threats that have evolved beyond data theft to sophisticated campaigns capable of paralyzing critical patient care infrastructure. Despite these trends, cybersecurity often receives insufficient leadership attention. A 2025 […]

Your cyber insurance policy could be a target

Organizations invest heavily in cyber insurance policies to shield their businesses from evolving threats, but many overlook a critical vulnerability: the security of the insurance policy documents themselves. While these policies are designed to protect you from cyber threats, they can become powerful weapons when they fall into the wrong hands. Over the past year, […]

A complete guide to domain spoofing

Domain spoofing is a cyberattack technique most commonly used in phishing and fraud, where criminals impersonate a legitimate organization’s domain name to deceive users. Think of it as digital identity theft at scale: Attackers make fraudulent emails or websites appear as if they originate from your trusted company domain, tricking victims into revealing sensitive data, […]

The 3 types of CISOs: How to succeed in any version – and what to do when you’re misaligned

As the CISO, are you and your organization in alignment? The CISO role has evolved dramatically over the past decade, but organizational cybersecurity programs have not always kept pace.  If you think about CISOs like software versions, version 1.0 is your first generation of CISOs, focused on structure and technical architecture. Version 2.0 moves beyond […]