Scattered Spider don’t break in. They log in.

Tom Kinnaird
Cyber Services Practice Lead
Scattered Spider is a financially motivated cybercriminal group, active since at least 2022. In the last 12–24 months, this group has increasingly targeted retail organisations as part of a broader crime spree impacting multiple industries, including recent attacks on UK retailers such as M&S, Harrods and Co-op. In this blog, we will discuss some of Scattered Spider’s tactics, and what you can do to defend yourself against them.
What happened?
The April 2025 cyber-attacks on major UK retailers including Marks & Spencer, Co-op, and Harrods have been linked to Scattered Spider, a loosely organised group of young, native English and English-speaking individuals.
The group is known for using social engineering tactics against helpdesk teams and exploiting MFA “push fatigue”, SIM swapping and pressure to gain access to environments. The threat actors use valid credentials and off-the-shelf admin tools to move laterally across the network before deploying ransomware (DragonForce in the case of M&S). Co-op and Harrods have now also reported cyber incidents and restricted access to internal systems on 30 April and 1 May respectively.
This attack pattern – a single compromised login leading to data theft and double extortion – highlights the increasing pressure on organisations with distributed workforces and third-party IT providers.
Scattered Spider actors have since been observed working with or switching between several ransomware-as-a-service (RaaS) platforms, including BlackCat/ALPHV, RansomHub, Qilin, and most recently DragonForce. This affiliate model allows them to “rent” or white-label ransomware from larger gangs in exchange for a share of the profits.
What can you do?
Most successful cyber-attacks exploit weaknesses across a range of security controls spanning people, processes and technology. Attackers like Scattered Spider exploit trusting people, gaps in IT and security procedures, and inconsistent enforcement of IT policies, as much as they target technological vulnerabilities. A robust security programme which can defend against such cyber-attacks requires an organisation-wide approach, from frontline teams and IT support, to executive decision-makers, and even those in charge of supplier management.
Developing an organisation-wide view of where your security risks lie is no easy task. To do so effectively requires buy-in, money and manpower. Read our eBook to learn more about how you can build a comprehensive vulnerability management programme, which will provide an overview of your security risks and what steps you need to take in order to reduce your risk.
At a broad level, employee awareness, strong network segmentation and patching business-critical systems within reasonable timeframes are a baseline that will reduce the likelihood of an attacker gaining a foothold on your network, or further escalating their privileges as part of their attack.
Detection and mitigation strategies – People
How trusting are your staff? Do they open attachments and click hyperlinks they shouldn’t? What do your employees do if they receive a call from the IT helpdesk that they weren’t expecting? Are they confident verifying a caller’s identity?
Social engineering isn’t going anywhere and human error can be the weak link which lets attackers gain a foothold. But there are actions you can take to educate and upskill your employees, including:
- Security awareness training including information on social engineering
- Simulated phishing campaigns for targeted training and education
- Encouraging accountability for all employees, most especially those in the IT and Security teams, and throughout your management community
Detection and mitigation strategies – Process
Stringent security policies and procedures, when strictly enforced, help prevent cyber-attackers from escalating their privileges and causing greater damage. They make the job of defending your organisation easier. Here are a few things you can do:
- Adhere to the principle of least privilege, so that users only have access to information and systems they need to perform their role. Review access privileges regularly, so there are no outstanding overly privileged accounts
- Test if your MFA is phishing resistant
- Develop an incident response plan with playbooks that cover a range of scenarios. Run tabletop drills for “helpdesk account hijacked” or “ransomware spreading” scenarios
- Regularly review your incident response plan with the latest threat intelligence to make sure it stands up in the face of evolving attack techniques
Detection and mitigation strategies – Technology
Finally, there are a range of technical security controls you can implement across your IT estate.
Companies can defend against Scattered Spider’s preferred entry points by locking down Identity and Access Management (IDAM) controls:
- Make phishing-resistant MFA mandatory on all employee hardware, or use app-based tokens with number matching (as SMS verification can be exploited in SIM-swap attacks)
- Mandate that phone calls are used to verify users when password resets are requested
- Insist on high assurance verification before anyone can enrol or reset a factor
- Layer conditional access rules that refuse logins from implausible locations
- Educate staff – especially high-turnover, non-technical workers – not to share one-time codes or mindlessly tap “Approve.”
As Scattered Spider attackers lean on helpdesk social engineering, you should:
- Mandate out-of-band caller verification
- Stop support personnel from ever asking for passwords or codes, and educate staff that their IT Team will never do this
- Security awareness should cover voice and SMS phishing, empowering employees to hang up, call back, and report flurries of push prompts.
- Only provide the minimum access privileges needed to carry out roles
- Third-party vendors and contractors should operate under the same zero-trust, least-privilege model
Continuous visibility is equally critical. To ensure that you are able to detect anomalous behaviour that may constitute a cyber-attack in progress, you should:
- Deploy EDR/XDR on every endpoint
- Alert on any unsanctioned remote-access tool or “impossible travel” login
- Review application allowlisting and segment the network so a compromised VPN or store system cannot pivot straight to payment or domain controllers
- Watch for large, unexpected transfers to cloud-storage sites and unfamiliar external IPs, as this is a common sign of data exfiltration
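The “impossible travel” alert mentioned above (and the conditional-access rule against implausible locations in the IDAM list) comes down to one check: could the same user physically have moved between two sign-in locations in the time between the two events? The script below is an added example, not code from the original post or from any product; it assumes sign-in events have already been enriched with GeoIP latitude/longitude upstream, uses a constructed sample log, and flags any consecutive pair of sign-ins for one user that would require a speed above a plausibility threshold (set here to roughly airliner speed; tune it for your estate).

```python
"""Impossible-travel detection over enriched sign-in events (added example).

Each sample line is: timestamp,user,source_ip,latitude,longitude
The latitude/longitude are assumed to come from a GeoIP lookup performed
before the events reach this check.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List

# Constructed sample sign-in log (documentation IP ranges, not real data).
# alice: London, then New York 45 minutes later  -> impossible
# bob:   Manchester, then Bristol 2.5 hours later -> plausible
# carol: a single sign-in, nothing to compare
SAMPLE_LOG = """\
2025-04-20T08:00:00Z,alice,203.0.113.10,51.5074,-0.1278
2025-04-20T08:45:00Z,alice,198.51.100.7,40.7128,-74.0060
2025-04-20T09:00:00Z,bob,192.0.2.44,53.4808,-2.2426
2025-04-20T11:30:00Z,bob,192.0.2.45,51.4545,-2.5879
2025-04-20T12:00:00Z,carol,203.0.113.77,48.8566,2.3522
"""

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; assumption, tune per estate
MIN_DISTANCE_KM = 50.0      # ignore jitter between nearby IPs in the same city


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Alert:
    user: str
    from_ip: str
    to_ip: str
    distance_km: float
    hours: float
    speed_kmh: float


def parse_log(text: str) -> List[SignIn]:
    """Parse the CSV-style sample and sort by user, then time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(SignIn(when, user, ip, float(lat), float(lon)))
    return sorted(events, key=lambda e: (e.user, e.ts))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_impossible_travel(events: List[SignIn], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Alert]:
    """Flag consecutive sign-ins by one user that imply an implausible speed."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        if prev.user != cur.user:
            continue  # the sorted list changes user here; no pair to compare
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if dist < MIN_DISTANCE_KM:
            continue  # same place (or GeoIP noise), not travel
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        # Two distant sign-ins in the same instant are the clearest impossible case.
        speed = dist / hours if hours > 0 else float("inf")
        if speed > max_kmh:
            alerts.append(Alert(cur.user, prev.ip, cur.ip,
                                round(dist, 1), round(hours, 2), round(speed, 1)))
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert.user}: {alert.from_ip} -> {alert.to_ip}, "
              f"{alert.distance_km} km in {alert.hours} h ({alert.speed_kmh} km/h)")
```

On the sample data only alice is flagged: roughly 5,570 km between London and New York in 45 minutes. bob’s Manchester-to-Bristol journey works out near 90 km/h and passes. In production the same pairing logic runs over a sliding window per user rather than a sorted batch, and the threshold should be lowered for estates where staff are not expected to fly between sites.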
Remove access privileges from accounts and infrastructure that matter most:
- Put domain, cloud, and hypervisor admins behind a privileged-access-management vault with MFA, session recording, and time-bound checkouts
- Disable legacy authentication, and audit Active Directory for new or altered credentials that don’t belong
- Harden ESXi and other critical servers by disabling shells, enforcing unique passwords, and staying current on patches
As part of your incident response plan, you should:
- Verify that offline backups can be restored quickly
- Have a one-click plan to revoke MFA sessions or rotate every password in a segment
To discuss your cybersecurity strategy needs with a team of technical and business specialists, get in touch.