Following disruptive attacks on major UK retailers including Marks & Spencer and Co-op, the threat actor Scattered Spider has once again drawn attention for its evolving use of help desk social engineering to bypass authentication and take over high-privilege accounts—leading to data theft, ransomware deployment, and significant financial damage.
Estimates suggest that Marks & Spencer alone may suffer hundreds of millions in losses, with the incident sparking widespread media coverage beyond the cybersecurity space.
🎭 Help Desk Scams as an Initial Access Vector
At the center of these incidents is a technique long favored by Scattered Spider: calling help desks to impersonate employees and request MFA resets or password recovery.
This attack often begins with the threat actor contacting IT support with enough personally identifiable information (PII) to appear legitimate. Common tactics include:
- Claiming to have a new phone and requesting an MFA reset
- Asking to send reset links to a “new” phone number or email address
- Taking advantage of uniform help desk procedures that treat all users the same—regardless of privilege level
Once control of the account is achieved, attackers can reset passwords via platforms like Okta or Entra ID, using the new MFA method they’ve enrolled. From there, access to sensitive cloud services, admin panels, or production systems becomes trivial.
🕵️ Scattered Spider’s Broader Playbook
While help desk scams are a proven technique, they are not new. Scattered Spider has employed similar tactics since at least 2022, including in high-profile breaches of:
- Caesars (2023) – Resulted in theft of a loyalty program database and a $15 million ransom
- MGM Resorts (2023) – Led to 6TB of stolen data, over $100 million in damages, and legal settlements
- Transport for London (2024) – Exposed thousands of banking details and caused months-long service disruptions
These incidents were all initiated through voice-based social engineering, including vishing and help desk manipulation.
Beyond help desks, the group utilizes a broad arsenal of identity-first tactics:
🧰 Known Techniques Include:
- Credential phishing via email and SMS (smishing)
- SIM swapping to hijack MFA-protected accounts
- Push bombing (MFA fatigue) to overwhelm users into approving logins
- AiTM (Adversary-in-the-Middle) phishing kits like Evilginx to bypass MFA and hijack sessions
- Domain registrar hijacking to seize control of MX records and redirect email flows
- Tampering with logging (e.g., selectively filtering AWS CloudTrail logs to cover tracks)
Scattered Spider’s operations are methodical: initial identity compromise → lateral movement via cloud → privilege escalation → data theft or ransomware payload.
In some cases, attackers gain access to VMware environments by adding their account to vCenter’s admin group, then executing ransomware directly through the ESXi hypervisor—a layer often overlooked by endpoint protection tools.
🛡️ Defending Against Identity-Based Attacks
SecurityX analysis highlights the importance of reforming help desk procedures and hardening identity surfaces. Suggested measures include:
- Multi-party approval for resetting admin-level accounts
- In-person or video-based verification (with deepfake awareness)
- Freezing self-service resets when anomalous behavior is detected
- Flagging privilege-based reset requests for manual escalation
- Monitoring for suspicious login flows and MFA activity
While terminating a suspicious call and redialing the number on file is a good practice, SIM swapping may render this ineffective.
📌 SecurityX Insight:
Scattered Spider represents a new class of “post-MFA” threat actors. By focusing on identity systems and bypassing traditional defenses, they sidestep firewalls, endpoint detection, and even zero trust controls—only appearing at the final stage of attack execution.
Organizations should move beyond endpoint-centric strategies and place identity protection, visibility, and behavioral monitoring at the center of their defense stack.
