19 June 2025

Reports of Scattered Spider attacks on US insurance firms

Tom Kinnaird

Cyber Services Practice Lead

Over the last 48 hours we have observed early reports of attempted cyber-attacks against insurance firms in the US, using tactics, techniques and procedures (TTPs) that closely resemble those seen in Scattered Spider activity as recently as April-May 2025.

The techniques Scattered Spider uses expose critical gaps in even mature security environments. Here is what they reveal, and how to respond to protect your organisation.

What we know

As in previous attacks, Scattered Spider is relying heavily on social engineering, including phishing, vishing (voice phishing) and attacks on IT helpdesks.

According to threat intelligence, the attackers are abusing Data Loader, a legitimate Salesforce tool for importing, exporting and updating large volumes of data within the Salesforce platform, which can also integrate with other applications. The same social engineering methods are used to manipulate users into handing over their login details, which are then used to obtain broader access. Because Data Loader is a sanctioned tool, its activity will not be caught by malware signatures; monitoring for unusual bulk exports from Salesforce is the more useful control.

We advise customers to be vigilant about email communications and to always verify the identity of any caller claiming to be from IT, especially when the call was not expected.

Who are Scattered Spider?

Scattered Spider (also tracked under aliases such as 0ktapus, UNC3944, Octo Tempest, Muddled Libra, Starfraud, and Scatter Swine) emerged from a loose online community sometimes called “The Com”. This community consists of young, English-speaking threat actors who congregate on invite-only forums, Discord, and Telegram channels.  

The group's tactics typically include phishing, social engineering and IT helpdesk attacks to gain a foothold, followed by data theft and ransomware deployment.

Notably, cybersecurity analysts assess that "Scattered Spider" is more an umbrella label for a cluster of tactics than a single group: multiple threat actors or sub-groups using the same playbook of phishing, social engineering and double extortion may all be categorised under the name.

Prominent attacks and prosecutions

  • 2022: A campaign against telecom providers that combined SIM swapping and phishing to hijack mobile accounts.
  • 2023: Ransomware attacks on MGM Resorts and Caesars Entertainment, using social engineering against the IT helpdesk to obtain credentials and then deploying BlackCat/ALPHV ransomware.
  • 2024: In late 2024, U.S. prosecutors indicted five individuals (aged 20–25, from the US and UK) linked to Scattered Spider for phishing and fraud schemes against U.S. companies.
  • 2025: Attacks on retailers including Harrods, Co-op, M&S, Adidas and Victoria's Secret.

Timing of the attacks

From previous attacks we know the group times its campaigns for maximum disruption: the 2025 retail attacks landed around the Easter period, when retailers are busiest. It would be no surprise to see further attacks timed around upcoming public holidays such as US Independence Day (4 July) and the school summer holidays in both the US and UK, when resources are stretched and attention may be elsewhere.

Detection and mitigation strategies

You can better secure Scattered Spider's preferred entry points by locking down Identity and Access Management (IAM) controls:

  • Make phishing-resistant MFA mandatory for every employee: hardware security keys (FIDO2/WebAuthn) or, at minimum, app-based authenticators with number matching. SMS codes can be intercepted through SIM-swap attacks, and note that number matching stops push-bombing but not real-time proxy phishing; only FIDO2 keys resist that.
  • Insist on high-assurance identity verification before anyone can enrol or reset an MFA factor.
  • Layer conditional access rules that refuse logins from implausible locations.
  • Teach staff, especially high-turnover, non-technical workers, never to share one-time codes or mindlessly tap "Approve".

Because Scattered Spider leans on helpdesk social engineering, you should:

  • Mandate out-of-band caller verification (a call-back to a number already on record, or a manager's confirmation) before any account or MFA change.
  • Stop support personnel from ever asking for passwords or codes, and educate staff that the IT team will never do this.
  • Security awareness should cover voice and SMS phishing, empowering employees to hang up, call back and report flurries of push prompts.
  • Only grant the minimum access privileges needed to carry out each role.
  • Third-party vendors and contractors should operate under the same zero trust, least-privilege model.

Continuous visibility is equally critical.  

  • Deploy EDR/XDR on every endpoint  
  • Alert on any unsanctioned remote access tool or “impossible travel” login  
  • Review application allowlisting and segment the network so a compromised VPN or store system cannot pivot straight to sensitive systems or domain controllers  
  • Watch for large, unexpected transfers to cloud storage sites and unfamiliar external IPs, as this is a common sign of data exfiltration
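Two of the identity-log checks listed above, "impossible travel" logins and a flurry of MFA push prompts, as an added example that is not part of the original article or of any vendor product. It runs over a constructed sign-in log embedded in the block; the field layout, the event names (LOGIN_OK, MFA_PUSH_SENT, MFA_PUSH_DENIED), the use of coordinates in place of a geolocated source IP, the 900 km/h plausibility ceiling and the five-prompts-in-ten-minutes burst threshold are all assumptions to be mapped onto your own identity provider's logs.

```python
"""Added example (not from the article): two identity-log detections for
Scattered Spider tradecraft, run over a constructed sign-in log.
  * impossible travel - consecutive logins whose implied speed exceeds a jet
  * MFA push bursts   - a flurry of push prompts to one user (push bombing)
Event names, coordinates and thresholds are assumptions, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample log: (timestamp, user, event, latitude, longitude).
# Real IdP logs carry a source IP; the coordinates stand in for the result
# of geolocating that IP.
SAMPLE_LOG = [
    ("2025-06-18T08:00:00", "j.smith", "LOGIN_OK", 51.5074, -0.1278),    # London
    ("2025-06-18T09:30:00", "j.smith", "LOGIN_OK", 40.7128, -74.0060),   # New York, 90 min later
    ("2025-06-18T09:00:00", "a.jones", "LOGIN_OK", 51.5074, -0.1278),    # London
    ("2025-06-18T18:10:00", "a.jones", "LOGIN_OK", 53.4808, -2.2426),    # Manchester, plausible
    ("2025-06-18T22:00:00", "b.lee", "MFA_PUSH_SENT", 51.5074, -0.1278),  # six prompts in
    ("2025-06-18T22:00:40", "b.lee", "MFA_PUSH_SENT", 51.5074, -0.1278),  # four minutes,
    ("2025-06-18T22:01:20", "b.lee", "MFA_PUSH_SENT", 51.5074, -0.1278),  # none approved
    ("2025-06-18T22:02:00", "b.lee", "MFA_PUSH_SENT", 51.5074, -0.1278),
    ("2025-06-18T22:03:00", "b.lee", "MFA_PUSH_DENIED", 51.5074, -0.1278),
    ("2025-06-18T22:04:00", "b.lee", "MFA_PUSH_SENT", 51.5074, -0.1278),
    ("2025-06-18T07:55:00", "c.wong", "MFA_PUSH_SENT", 51.5074, -0.1278), # one prompt, normal
    ("2025-06-18T07:55:30", "c.wong", "LOGIN_OK", 51.5074, -0.1278),
]

MAX_SPEED_KMH = 900.0             # assumed ceiling: roughly airliner cruising speed
PUSH_WINDOW = timedelta(minutes=10)
PUSH_THRESHOLD = 5                # assumed: 5+ prompts inside the window is a burst


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(log, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, distance_km, speed_kmh) for every pair of consecutive
    successful logins that would have required travelling faster than
    max_speed_kmh. Two logins at the same instant from different places
    are reported as infinite speed."""
    logins = defaultdict(list)
    for ts, user, event, lat, lon in log:
        if event == "LOGIN_OK":
            logins[user].append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for user, rows in logins.items():
        rows.sort()                                   # chronological per user
        for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if hours <= 0:
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                shown = speed if speed == float("inf") else round(speed)
                alerts.append((user, round(dist), shown))
    return alerts


def push_bursts(log, window=PUSH_WINDOW, threshold=PUSH_THRESHOLD):
    """Return (user, max_prompts_in_window) for users who received at least
    `threshold` MFA push prompts within any `window`-long period, approved
    or not: the burst itself is the push-bombing signal."""
    prompts = defaultdict(list)
    for ts, user, event, _, _ in log:
        if event.startswith("MFA_PUSH"):
            prompts[user].append(datetime.fromisoformat(ts))
    alerts = []
    for user, times in prompts.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):              # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, best))
    return alerts


if __name__ == "__main__":
    for user, dist, speed in impossible_travel(SAMPLE_LOG):
        print(f"IMPOSSIBLE TRAVEL {user}: {dist} km at {speed} km/h")
    for user, n in push_bursts(SAMPLE_LOG):
        print(f"MFA PUSH BURST    {user}: {n} prompts within {PUSH_WINDOW}")
```

Two practitioner notes on the design. First, geolocation of consumer and mobile IP space is coarse, so the speed ceiling should sit well above any real journey (hence 900 km/h rather than a road speed) and the rule should ignore known corporate egress and VPN addresses, otherwise it drowns in false positives. Second, a push burst that ends in an approval is the helpdesk-hijack scenario described above and warrants immediate session revocation; a burst with no approval means the attacker already holds the user's password, so that password should be rotated even though no login succeeded.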

Strip power from accounts and infrastructure that matter most:  

  • Put domain, cloud and hypervisor admins behind a privileged identity management vault with MFA, session recording and time-bound checkouts.
  • Disable legacy authentication protocols, and audit Active Directory for new or altered accounts and credentials that don't belong.
  • Review access regularly as part of Joiners, Movers, Leavers (JML) procedures, ensuring access isn't retained accidentally.
  • Harden ESXi and other critical servers by restricting management access, enforcing unique passwords and staying current on patches.

Finally, rehearse for the worst day. Run tabletop exercises for "helpdesk account hijacked" and "ransomware spreading", verify that offline backups restore quickly, and have a tested, one-click plan to revoke all MFA sessions or rotate every password in a segment.

For more information about how you can defend your organisation from cyber-attacks including ransomware, speak to one of our cybersecurity experts, Luke Hudson or Tom Kinnaird