Help Desk at Risk: Scattered Spider Shines Light on Overlooked Threat Vector

As attackers target help desks and identity systems, traditional security perimeters are proving insufficient against agile, socially engineered threats. The post Help Desk at Risk: Scattered Spider Shines Light on Overlooked Threat Vector appeared first on SecurityWeek.

In recent months, headlines have been dominated by the cybercrime collective known as Scattered Spider, also referred to as UNC3944, Scattered Swine, Octo Tempest, Storm-0875, and Muddled Libra. This loosely affiliated but highly organized group has launched a wave of attacks targeting retailers, insurers, and, most recently, airlines across multiple countries.

Although British authorities arrested four suspects in July 2025, which led to a noticeable slowdown in activity, this may only be temporary. Scattered Spider is not a monolithic, state-sponsored operation. Rather, it is a decentralized collective, often composed of teenagers and young men emerging from online communities. The group first made headlines in 2023 with high-profile attacks on casino giants like MGM Resorts. Despite the consistency and visibility of their tactics, many organizations have failed to adequately strengthen their defenses. This raises the question: why have so few taken decisive actions to counter these persistent threats?

Inside the Scattered Spider Playbook

Scattered Spider engages in data extortion and a variety of other criminal activities. Its threat actors are known to deploy multiple ransomware variants in their attacks, most recently including DragonForce ransomware. While the group frequently adapts its tactics, techniques, and procedures (TTPs) to remain undetected, several methods remain consistent. Common TTPs include the following:

  • Initial Access: The group extensively uses social engineering tactics such as phishing, push bombing (spamming multi-factor authentication prompts), and SIM swap attacks to steal credentials, install remote access tools, and bypass multi-factor authentication (MFA).
  • Attack Execution: Leveraging living-off-the-land techniques, the attackers use native Windows tools such as PowerShell, Rundll32, WMIC, and Task Scheduler. This helps them avoid detection by traditional antivirus and endpoint detection and response (EDR) systems.
  • Persistence: Scattered Spider abuses identity providers such as Okta, Microsoft Entra, and Active Directory to create backdoor administrative accounts, modify authentication workflows, and inject custom SAML tokens. They frequently use remote access tools like AnyDesk™, TeamViewer®, ScreenConnect™, and Splashtop® to blend in with legitimate IT activity.
  • Privilege Escalation: The attackers enumerate internal accounts and groups, using built-in commands. They also exploit cloud privileges, such as roles in AWS or GCP, to escalate access and expand their footprint.
  • Internal Reconnaissance: As with many advanced adversaries, the group maps out network topology to identify high-value systems such as domain controllers, file shares, and backup servers. They also extract sensitive data and credentials from platforms like Confluence, Jira, Slack, and SharePoint.
  • Impact and Extortion: Scattered Spider often partners with ransomware groups such as ALPHV/BlackCat or RansomHub to encrypt data and issue ransom demands, typically requesting cryptocurrency. The group follows the broader trend of double or triple extortion, threatening to leak stolen data, contact regulators or customers, or launch follow-up attacks if demands are not met.
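One way to turn the push-bombing technique listed under Initial Access into a detection, as an added example that is not from the article or from any vendor product: it scans constructed MFA push results for bursts of prompts per user and ranks a burst that ends in an approval after earlier denials highest, since that is the case where the user likely gave in. The log shape, the five-prompt threshold and the ten-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push-notification results (not from the article):
# (user, ISO-8601 timestamp, outcome). A push-bombing run shows as a burst of
# prompts that the user denies or ignores, sometimes ending in an approval.
SAMPLE_MFA_LOG = [
    ("alice", "2025-07-01T02:14:05", "denied"),
    ("alice", "2025-07-01T02:14:40", "denied"),
    ("alice", "2025-07-01T02:15:12", "timeout"),
    ("alice", "2025-07-01T02:15:50", "denied"),
    ("alice", "2025-07-01T02:16:30", "denied"),
    ("alice", "2025-07-01T02:17:02", "approved"),
    ("bob",   "2025-07-01T09:00:00", "approved"),
    ("bob",   "2025-07-01T17:30:00", "approved"),
]

SEVERITY_RANK = {"prompt_flood": 1, "fatigue_approval": 2}

def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: alert} for users who received at least `threshold`
    prompts inside a sliding `window`. A burst ending in an approval after
    denials/timeouts is ranked 'fatigue_approval' (revoke sessions, call back)."""
    by_user = defaultdict(list)
    for user, ts, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))
    alerts = {}
    for user, rows in by_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count < threshold:
                continue
            burst = rows[start:end + 1]
            gave_in = burst[-1][1] == "approved" and any(
                r != "approved" for _, r in burst[:-1])
            sev = "fatigue_approval" if gave_in else "prompt_flood"
            prev = alerts.get(user)
            if (prev is None or SEVERITY_RANK[sev] > SEVERITY_RANK[prev["severity"]]
                    or (sev == prev["severity"] and count > prev["prompts"])):
                alerts[user] = {"severity": sev, "prompts": count,
                                "first": burst[0][0].isoformat(),
                                "last": burst[-1][0].isoformat()}
    return alerts
```

In production the same rule would read the identity provider's push-result events rather than the embedded sample, and the "fatigue_approval" case should trigger session revocation and an out-of-band callback to the user.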

The Help Desk Blind Spot

One of Scattered Spider’s most effective and recognizable tactics involves impersonating IT help desk personnel via phone calls or text messages to obtain credentials or persuade employees to install remote access software. More recently, the group has reversed roles, now posing as employees to deceive IT or help desk staff into revealing sensitive information, resetting passwords, and transferring MFA tokens to attacker-controlled devices.

In doing so, the attackers are exploiting a significant security oversight: IT help desks are often viewed as internal and inherently trustworthy, and as a result, are frequently excluded from multi-layered cybersecurity strategies. This is a critical blind spot that organizations must address immediately.

How to Minimize Risk Exposure

To reduce risks associated with Scattered Spider’s tactics, organizations should implement the following measures:

  • Implement application controls, including white-listing for remote access tools
  • Require phishing-resistant MFA such as FIDO2 or PKI-based authentication
  • Restrict the use of Remote Desktop Protocol (RDP) and other remote access tools
  • Develop and evaluate a robust business continuity plan, and maintain offline backups
  • Enforce NIST-compliant password policies across all accounts
  • Regularly patch and update all operating systems, applications, and firmware
  • Restrict administrative privileges and use just-in-time access where possible

To address the specific help desk vulnerability, organizations should introduce multi-step identity verification for all password resets and access recovery requests. Identity proofing and continuous verification are now essential components of any modern cybersecurity framework. They protect against identity-based threats, support compliance efforts, improve user experience, and strengthen organizational trust.
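An added illustration, not from the article, of the multi-step verification described above as a decision function a help desk tool could run before granting a password reset or an MFA re-enrollment; the directory record, phone numbers, field names and the specific approval rules are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed directory of record (not from the article). Contact details and
# approvers come from HR/IdP data, never from whatever the caller supplies.
DIRECTORY = {
    "jsmith": {"phone_on_file": "+1-555-0100", "manager": "mlee"},
}

@dataclass
class ResetRequest:
    username: str
    action: str               # "password_reset" or "mfa_reenroll"
    callback_number: str      # number the agent will actually dial back
    factor_verified: bool     # caller confirmed via an already-registered factor
    manager_approved: bool = False

def evaluate_reset_request(req, directory=DIRECTORY):
    """Return (allowed, reasons). All failing steps are reported so the agent
    sees which verification the caller did not pass."""
    record = directory.get(req.username)
    if record is None:
        return False, ["unknown user"]
    reasons = []
    # Step 1: callback must go to the number on file. A caller asking the desk
    # to use a "new" number is the SIM-swap / attacker-phone pattern.
    if req.callback_number != record["phone_on_file"]:
        reasons.append("callback number differs from number on file")
    # Step 2: the requested action decides what else is needed.
    if req.action == "mfa_reenroll":
        # Moving MFA to a new device transfers trust; an existing factor
        # cannot vouch for that, so the manager of record must approve.
        if not req.manager_approved:
            reasons.append("manager approval required for MFA re-enrollment")
    elif req.action == "password_reset":
        if not (req.factor_verified or req.manager_approved):
            reasons.append("no existing factor verified and no manager approval")
    else:
        reasons.append("unsupported action: " + req.action)
    return (not reasons), reasons
```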

Conclusion

Scattered Spider and similar cybercriminal groups continue to represent a persistent and evolving threat. To stay ahead, organizations must implement holistic security strategies that cover all areas of their operations, including IT help desks. These often-overlooked teams have become prime targets.

In a threat landscape increasingly shaped by social engineering and ransomware, proactive defense, layered protection, and closing internal security gaps are not optional; they are essential.
