scattered-spider

Scattered Spider

also known as: UNC3944 Octo Tempest 0ktapus Storm-0875 Muddled Libra

A loosely organized collective of predominantly English-speaking teenagers and young adults who weaponize phone calls, identity deception, and third-party trust relationships to bypass multi-factor authentication and deploy ransomware. Responsible for the MGM Resorts breach ($100M+), the Caesars Entertainment ransom ($15M), and a 90-day campaign in 2025 that crippled UK retailers, insurers, and airlines. As of mid-2025, a joint FBI/CISA advisory confirmed the group is actively targeting critical infrastructure sectors — with evolving tactics that now include IT helpdesk impersonation over Microsoft Teams and remote system takeover via Quick Assist.

attributed originUSA / United Kingdom

affiliation"The Com" online community

first observed~2022

primary motivationFinancial — ransomware / extortion

primary targetsRetail, Hospitality, Insurance, Critical Infrastructure

known campaigns$250M+ estimated damages

mitre att&ck groupG1015

ransomware partnerDragonForce (2025)

threat levelHIGH

Overview

Scattered Spider defies the conventional profile of a sophisticated threat actor. There are no state sponsors, no custom implants developed by a professional engineering team, no classified intelligence support. The group is, by every account, primarily composed of teenagers and young adults — many of whom were still in secondary school during their earliest operations. What they lack in technical sophistication, they compensate for with something significantly harder to defend against: an almost instinctive understanding of how organizations trust people over the phone.

The group emerged from "The Com" — a sprawling online criminal community that recruits from gaming platforms like Roblox and Discord, mentors members in social engineering techniques, and has produced some of the most financially damaging cybercriminals of the 2020s. Scattered Spider's members are native English speakers, which eliminates the accent-based suspicion that trips up many non-English-speaking attackers when calling corporate help desks.

Their defining technique is straightforward in concept and devastatingly effective in practice: call a company's IT help desk, impersonate an employee, and convince the help desk operator to reset MFA or grant access. In September 2023, a single ten-minute phone call gave them access to MGM Resorts' entire internal network, ultimately costing the company more than $100 million. That same month, Caesars Entertainment paid a $15 million ransom rather than face similar disruption. The technique has since evolved: the group and closely affiliated actors now place those calls over Microsoft Teams, exploiting a default Teams configuration that allows external accounts to initiate calls with internal users — enabling impersonation of IT helpdesk staff without needing to compromise anything in advance.

warning

Scattered Spider's primary attack vector — voice-based social engineering of IT help desks — is not stopped by technical controls. Organizations that do not have explicit callback verification and out-of-band identity confirmation processes for MFA resets are vulnerable regardless of the strength of their technical security stack.

Microsoft Teams IT Helpdesk Impersonation

Scattered Spider built its reputation on phone-based vishing — but the underlying technique has evolved into a more technically layered attack chain that exploits Microsoft's own collaboration infrastructure. The group's confirmed TTPs include IT helpdesk impersonation via Microsoft Teams, documented by MITRE ATT&CK (G1015), MOXFIVE, and implicitly by the July 2025 FBI/CISA joint advisory referencing "more sophisticated social engineering techniques." Closely affiliated actors — particularly Storm-1811 (tracked by Microsoft), STAC5777 (tracked by Sophos), and Sangria Tempest — operate what is effectively the same playbook and have produced the most forensically documented examples of the full Teams-to-Quick Assist chain. The overlap is significant: MITRE links Storm-1811 directly to Black Basta, Sophos links STAC5777 to Storm-1811, and multiple vendors note Scattered Spider's social engineering template underpins all of these groups. Where specific techniques below are confirmed for the affiliated actors but reported-rather-than-confirmed for Scattered Spider directly, this is noted explicitly.

The Email Bombing Precursor

The Teams-based variant typically begins not with a call, but with an inbox attack. The target employee's Outlook mailbox is flooded with subscription spam — in documented Storm-1811 and STAC5777 incidents investigated by Sophos, this reached over 3,000 messages in under 45 minutes. The flood is deliberate: it creates genuine distress, gives the employee a real reason to contact IT, and — critically — gives the attacker a pretext when they call first. The employee is already expecting someone to help them. When the Teams call arrives offering to fix the spam problem, the social engineering has already done most of its work before a word is spoken. MOXFIVE reports Scattered Spider using a functionally identical precursor in its Teams-based campaigns.

The Teams Call and Why It Works

The attacker operates a purpose-registered external Microsoft 365 tenant — a fully legitimate account, not a compromised one — and uses it to place a Teams voice or video call directly to the target employee. This exploits a Microsoft Teams default configuration that permits users on any external domain to initiate calls and chats with internal users. The call appears in Teams exactly as a legitimate internal support call would. The attacker's display name is set to something plausible — "Help Desk Manager," "IT Support," or a variant of the organization's actual IT team name.

Organizations using managed service providers for IT support face compounded exposure: their employees are already conditioned to receive support calls from accounts outside their primary domain. When a call arrives from an external account claiming to be the MSP's helpdesk, the scenario matches exactly what employees have been trained to expect as normal. Sophos documented this precisely in a November 2024 STAC5777 incident: the targeted employee accepted the call without suspicion because the organization's IT was managed externally, making external Teams accounts an expected contact channel. Microsoft's DART team confirmed the same social context in a November 2025 intrusion case — two employees recognized the call as suspicious and refused; a third did not.

Quick Assist Takeover — Attribution and Mechanics

Once the call is established, the attacker guides the employee through opening Windows Quick Assist, a remote assistance utility built into Windows that requires no installation and carries no inherent security warnings to most users. This technique is firmly and multiply confirmed for Storm-1811 (Microsoft, May 2024) and STAC5777 (Sophos, January 2025). MOXFIVE explicitly states the technique "was first observed in late 2024 during incidents involving Black Basta and has since been adopted by Scattered Spider." That adoption claim is from a single private vendor and is not yet corroborated by independent advisories naming Scattered Spider and Quick Assist together — but given the degree of TTP overlap between Scattered Spider and these affiliated actors, and the group's established pattern of rapidly incorporating effective techniques from its network, it is assessed as plausible and operationally significant for defenders to treat as current.

With remote control established, the documented post-access chain in Storm-1811 and STAC5777 intrusions proceeds as follows: the attacker uses the Quick Assist session to open a browser, downloading malicious payloads staged on Microsoft Azure Blob Storage subdomains (subdomains of blob.core.windows.net) and attacker-controlled SharePoint links — both of which are Microsoft infrastructure, deliberately chosen because traffic to these domains generates few or no alerts in standard network monitoring. Payloads observed include trojanized executables that sideload malicious DLLs using trusted Windows mechanisms, encrypted loaders, and the BackConnect malware for persistent C2. DarkGate has been observed as a follow-on payload in separate but related campaigns. The attacker also uses the Quick Assist session to access RDP configuration files and network topology diagrams to plan lateral movement — Sophos documented one incident where a Visio network diagram was accessed for exactly this purpose.

Command-and-control traffic is routed through proxy infrastructure specifically to blend with normal enterprise outbound connections and avoid triggering network anomaly detection. In intrusions investigated by Microsoft's DART team, this approach successfully obscured attacker activity until DART was called in — and even then, forensic reconstruction required correlating Quick Assist session artifacts, browser history, and DLL sideloading indicators across multiple systems.

critical — energy sector

Energy, utilities, and other critical infrastructure organizations are specifically named in the July 2025 FBI/CISA joint advisory as active Scattered Spider targets. These organizations face compounded exposure to the Teams/Quick Assist variant because many rely on outsourced IT and OT support contracts — meaning employees are already conditioned to receive help desk calls from external accounts, which is the exact social context the attack exploits. In the affiliated Storm-1811/STAC5777 intrusions, attackers specifically targeted VPN configuration files and domain credentials after gaining access — material that, in energy sector environments, can represent a pathway from the IT network toward operational technology systems. While direct confirmed Scattered Spider intrusions into energy sector OT environments have not been publicly documented, the July 2025 advisory's explicit naming of critical infrastructure as an active target sector, combined with the group's pattern of rapidly escalating within and across sectors, makes this a credible near-term risk rather than a theoretical one.

critical — energy sector

Energy, utilities, and other critical infrastructure organizations are specifically named in the July 2025 FBI/CISA joint advisory as active targets. Companies with outsourced IT or OT support contracts — where employees expect calls from external Teams accounts — face heightened exposure to this exact scenario. Successful compromise of VPN configuration files and credential material in these environments creates pathways from IT networks into operational technology systems.

Signature Attack Chain

The Scattered Spider playbook is consistent across campaigns. Understanding the chain is the first step to breaking it.

standard attack sequence — 2022–2026

Target Reconnaissance

LinkedIn, company directories, and social media to identify employee names, titles, IT staff, and third-party vendors. The goal is to sound like an insider when calling.

Vishing — Help Desk Call or Teams Impersonation

Caller impersonates a target employee or, in the evolved variant, places an inbound Microsoft Teams call from an attacker-controlled external M365 tenant posing as IT helpdesk. Often preceded by email bombing the target's inbox to create urgency. Native English fluency and pre-researched personal details make the call convincing regardless of channel.

Remote Access Tool Deployment

Scattered Spider is confirmed by CISA, Cyble, and multiple incident responders to deploy numerous legitimate RMM tools post-access — AnyDesk, ScreenConnect, Zoho Assist, Splashtop, TeamViewer, and others — sometimes installing half a dozen simultaneously to ensure persistence if one is discovered. In the Teams-based variant, closely affiliated actors Storm-1811 and STAC5777 are confirmed to use Windows Quick Assist as the initial remote access mechanism, guided via the Teams call. MOXFIVE reports this Quick Assist technique has since been adopted by Scattered Spider itself; this is not yet corroborated by a major government advisory or major vendor report naming both Scattered Spider and Quick Assist together explicitly, but given the documented TTP overlap it is considered a credible and active risk.

SIM Swap (alternative initial access)

Where help desk or Teams access fails, SIM swapping with mobile carriers to take over phone numbers used for SMS-based MFA. Enables account takeover without company interaction.

Identity Provider Compromise

Target Okta, Azure AD, or similar IdP systems to establish persistent access and create new admin accounts. Broad access to SSO-integrated systems immediately follows.

Third-Party Vendor Pivot

Leverage vendor or contractor access as an alternative entry point when direct employee impersonation is unsuccessful. Third parties often have less rigorous verification procedures.

Data Exfiltration & Credential Theft

Systematic collection of sensitive data — customer records, financial data, internal communications — for double-extortion leverage before ransomware deployment. In Quick Assist-based intrusions attributed to Storm-1811 and STAC5777 (confirmed by Sophos), attackers specifically targeted VPN configuration files, RDP credential files, and domain credentials to support lateral movement. This post-access credential targeting behavior is consistent with Scattered Spider's broader pattern of cloud identity and SSO exploitation, and represents a particular concern in critical infrastructure environments where VPN material may provide pathways toward OT-adjacent systems.

Ransomware Deployment (DragonForce)

Final-stage encryption using DragonForce ransomware (2025 campaigns) or BlackCat/ALPHV (2023). Ransom demand combined with threat to publish exfiltrated data.

Target Profile

Scattered Spider targets large consumer-facing organizations with complex IT environments, high-volume call centers, and significant vendor ecosystems — all of which create more attack surface for social engineering. As of July 2025, the group's scope has formally expanded to critical infrastructure sectors, confirmed by a joint FBI/CISA/RCMP/ASD/AFP advisory.

Critical infrastructure and energy: Confirmed as an active targeting category in the July 29, 2025 multi-agency advisory. Energy and utilities organizations are particularly exposed due to outsourced IT and OT support contracts, where employees are conditioned to receive help desk calls from external accounts — exactly the scenario the Teams-based vishing technique exploits. Ransomware attacks against the energy and utilities sector surged 80% year-over-year in 2025, and successful credential compromise in these environments creates potential pathways from IT networks into operational technology systems.
Hospitality and casinos: MGM Resorts, Caesars Entertainment. Large organizations with many employees and complex vendor relationships. High ransom capacity. Demonstrated willingness to pay.
Retail: Marks & Spencer (UK), Co-op, Currys, Hamleys in the 2025 campaign. The UK Category 2 retail incident caused an estimated £270–440 million in damages across just two companies.
Insurance: Multiple unnamed insurers disrupted in the 2025 campaign, forcing claims processing offline for extended periods. Google GTIG confirmed a pivot toward major insurance companies in mid-2025 following the retail campaign.
Airlines and transportation: Airport check-in systems disrupted across three continents in the 2025 campaign — notable for targeting operational technology beyond traditional IT systems. Hawaiian Airlines and WestJet confirmed as 2025 targets.
Technology companies: Twilio, Okta, Mailchimp, Cloudflare targeted in the 0ktapus SMS phishing campaign (2022). Access to identity providers creates downstream risk for hundreds of organizations simultaneously.

Tactics, Techniques & Procedures

mitre id	technique	description
T1566.004	Spear-phishing via Voice	Primary initial access vector. Native English-speaking callers impersonate employees to IT help desks, requesting MFA resets or credential changes. Highly convincing due to pre-researched personal details.
T1566.004 (variant)	IT Helpdesk Impersonation via Microsoft Teams	Attacker registers an external Microsoft 365 tenant and places Teams voice or video calls to target employees posing as IT helpdesk or "Help Desk Manager." Exploits the default Teams configuration permitting external domain users to initiate calls with internal users — no prior compromise required. Typically preceded by email bombing to manufacture urgency and give the call a plausible pretext. Confirmed for Scattered Spider by MITRE ATT&CK (G1015) and MOXFIVE. Firmly confirmed for closely affiliated actors Storm-1811 (Microsoft, May 2024) and STAC5777 (Sophos, January 2025), which share near-identical social engineering mechanics.
T1219 (variant)	Remote Access via Quick Assist	In the Teams-based variant, victim is guided through launching Windows Quick Assist and granting full remote control. Subsequent hands-on-keyboard activity includes steering the user to a spoofed credential-harvesting page, DLL sideloading via trusted Windows mechanisms, encrypted loader deployment, and C2 via proxy infrastructure. Payload staging uses Microsoft Azure Blob Storage subdomains and SharePoint links to evade network monitoring. Firmly confirmed for Storm-1811 (Microsoft) and STAC5777 (Sophos). MOXFIVE reports adoption by Scattered Spider; not yet independently corroborated by a major government advisory naming Scattered Spider and Quick Assist together, but assessed as a credible active risk given documented TTP overlap between these actor clusters.
T1586.002	Compromise Accounts (Phone)	SIM swapping — convincing mobile carriers to transfer target phone numbers, enabling interception of SMS MFA codes without direct company contact.
T1556	Modify Authentication Process	Once inside identity providers (Okta, Azure AD), registers new MFA devices to maintain persistent access that survives password resets.
T1199	Trusted Relationship	Exploitation of managed service provider and vendor access relationships where verification procedures are less rigorous than direct employee processes.
T1078.004	Cloud Accounts	Targets cloud identity and SSO systems (Okta, Entra ID) for broad access across all integrated applications rather than targeting individual systems.
T1486	Data Encrypted for Impact	Final stage deployment of DragonForce (2025) or BlackCat ransomware after data exfiltration. Encryption is the culmination of a patient multi-stage campaign rather than the initial objective.
T1219	Remote Access Software	Installs legitimate RMM tools (AnyDesk, ConnectWise) for persistent access that blends with normal IT operations and is harder to detect than custom backdoors.

Known Campaigns

Critical Infrastructure Targeting — FBI/CISA AdvisoryJune–July 2025

A joint advisory published July 29, 2025 by the FBI, CISA, RCMP, ASD's Australian Cyber Security Centre, AFP, and the UK NCSC confirmed Scattered Spider was actively targeting commercial facilities and critical infrastructure sectors as recently as June 2025. The advisory documented new tactics including more sophisticated social engineering techniques and additional malware and ransomware variants. VMware ESXi hypervisors and vSphere environments were specifically identified as compromise targets — a meaningful escalation from pure IT-layer attacks toward virtualization infrastructure. The DragonForce ransomware variant associated with the group's 2025 retail campaigns was confirmed as the current primary payload. The advisory represents the most significant formal attribution of critical infrastructure targeting to date.

2025 UK Retail & Services CampaignApril–July 2025

A 90-day campaign that hit Marks & Spencer, Co-op, Currys, multiple UK insurers, and airlines across three continents. UK investigators classified it a "Category 2 systemic event." Estimated financial impact of £270–440 million across just two retail victims. DragonForce ransomware deployed as final payload. The campaign demonstrated a deliberate escalation from U.S.-focused hospitality targets to UK critical consumer infrastructure.

Read NoHacky briefing

MGM Resorts BreachSeptember 2023

A single ten-minute LinkedIn-researched phone call to MGM's IT help desk gave Scattered Spider full network access. Slot machines went offline across properties. The breach disrupted hotel operations for over a week. Financial impact: more than $100 million. MGM declined to pay the ransom. BlackCat/ALPHV ransomware deployed.

Caesars Entertainment RansomSeptember 2023

Breached via a third-party IT vendor using the same social engineering playbook deployed against MGM. Caesars paid approximately $15 million — roughly half the originally demanded ransom — to prevent disclosure of stolen loyalty program data. The breach was disclosed only after the payment, raising governance questions about ransomware disclosure obligations.

0ktapus — SMS Phishing Campaign2022

Mass SMS phishing campaign targeting Twilio, Okta, Mailchimp, Cloudflare, and 130+ other technology companies. Harvested over 9,900 credentials from Okta customers by phishing identity provider login pages. The campaign established the group's signature playbook of targeting identity infrastructure for downstream access to hundreds of organizations simultaneously.

Tools & Malware

DragonForce ransomware: The primary ransomware payload in 2025 campaigns. Sourced from the DragonForce RaaS cartel. Cross-platform, capable of encrypting Windows and Linux/VMware ESXi environments simultaneously.
BlackCat/ALPHV: Ransomware used in the 2023 MGM campaign. Rust-based, cross-platform, triple extortion model.
Windows Quick Assist (affiliated actors confirmed; Scattered Spider reported): A remote assistance utility built into Windows that requires no installation and presents no inherent security warnings. Firmly confirmed as the initial remote access mechanism in Teams-based intrusions attributed to Storm-1811 (Microsoft, May 2024) and STAC5777 (Sophos, January 2025). MOXFIVE reports the technique has since been adopted by Scattered Spider following its documented effectiveness in Black Basta-linked campaigns in late 2024. This specific attribution to Scattered Spider is not yet corroborated by a major government or independent vendor advisory; however, given the demonstrated TTP overlap between Scattered Spider and these affiliated actors, defenders should treat Quick Assist as a risk tool in any environment where this actor cluster is a concern. Organizations not actively using Quick Assist should disable it via Intune or Group Policy.
DarkGate / BackConnect (confirmed for affiliated actors): Malware deployed post-access in Storm-1811 and STAC5777 intrusions. BackConnect — confirmed by Trend Micro and Sophos in Black Basta/Cactus campaigns — provides persistent remote command execution and credential theft. DarkGate observed as a follow-on payload after Teams-based initial access in incidents from late 2024 onward. Both tools are associated with the same Black Basta-adjacent ecosystem Scattered Spider overlaps with through shared ransomware affiliate relationships.
AnyDesk / ConnectWise / TeamViewer: Legitimate remote management tools deployed for persistent access. Use of legitimate software makes detection significantly harder than custom backdoors.
Mimikatz: Credential harvesting for lateral movement after initial access via social engineering.
Azure AD and Okta exploitation: Native cloud identity platform tools abused to register new MFA devices, create admin accounts, and maintain persistence across password resets.

Mitigation & Defense

Callback verification for MFA resets: Implement mandatory out-of-band callback verification to a known number before completing any MFA reset or account recovery. This single control directly breaks Scattered Spider's primary attack vector.
Phishing-resistant MFA: Replace SMS and voice-call MFA with FIDO2/hardware keys or passkeys. SIM swapping is useless against hardware-bound credentials.
Help desk security training: Train help desk staff specifically on social engineering red flags — urgency, pressure, requests that bypass normal procedures. Run regular vishing simulation exercises.
Identity provider monitoring: Alert on new MFA device registrations, new admin account creation, and bulk permission changes in Okta, Entra ID, and similar platforms. These are reliable indicators of Scattered Spider activity post-compromise.
Restrict Microsoft Teams external access: In Microsoft 365 admin settings, restrict inbound Teams calls and messages to trusted external domains only, or disable external communication entirely if not operationally required. The default configuration allowing any external M365 tenant to initiate calls with internal users is the direct enabler of the Teams-based vishing variant.
Disable or restrict Quick Assist: If Quick Assist is not used by your IT support team, disable it via Microsoft Intune or Group Policy. Where remote support tools are required, replace Quick Assist with a managed solution that enforces authenticated sessions — Microsoft's Remote Help (part of the Intune Suite) provides auditable, authenticated connections. Alert on Quick Assist execution where it remains permitted.
Vendor access hardening: Apply the same verification standards to vendor and MSP access requests as to internal employees. Scattered Spider actively exploits the lower scrutiny applied to third-party callers. Employees at organizations with outsourced IT should be explicitly trained that external Teams calls from "helpdesk" accounts are not automatically legitimate.
RMM tool monitoring: Maintain an allowlist of approved remote management tools. Alert on installation of any non-approved RMM software — Scattered Spider installs legitimate tools specifically to blend in.
Privileged access workstations: Require PAW-based access for identity provider administration. Reduces blast radius if help desk credentials are compromised.
Energy and OT-adjacent organizations: Treat any remote access request that arrives via Teams — from internal or external accounts — as requiring out-of-band verification before granting. Assume that credential or VPN material harvested from an IT endpoint could be used to pivot toward OT-adjacent systems. Network segmentation between IT and OT environments is the primary architectural control limiting downstream impact from an IT-layer compromise.

analyst note

Several Scattered Spider members have been arrested in the U.S. and UK as of 2024–2025, but arrests have not disrupted operations — Mandiant noted a measurable pause in directly attributable UNC3944 intrusions following July 2025 UK arrests, but activity continued through affiliated and overlapping clusters. "The Com" community continues to recruit and the playbook is openly shared. The Teams-based IT helpdesk impersonation technique is documented across multiple financially motivated groups — Storm-1811, STAC5777, Sangria Tempest, and others — that share social engineering DNA with Scattered Spider, operate the same external M365 tenant approach, and in some cases share ransomware affiliate relationships (Black Basta, Cactus, DragonForce). Whether an intrusion is labeled "Scattered Spider" or one of these affiliated clusters is partly a tracking artifact: defenders should treat this as a single threat ecosystem rather than discrete groups with firm operational boundaries. Organizations in all named target sectors, including critical infrastructure and energy, should assume this playbook is actively in use.

Sources & Further Reading

— end of profile