By NHI Mgmt Group Editorial Team
Published 2026-02-18
Domain: Breaches & Incidents
Source: Hydden

TL;DR: Scattered Spider combines phishing, vishing, MFA bypass, token theft, and identity provider abuse to move from initial compromise to rapid extortion, according to Hydden and the cited public case studies. The real failure is that identity controls still assume verification, privilege, and recovery happen slowly enough to contain human-driven abuse.


At a glance

What this is: Hydden’s analysis of Scattered Spider’s identity-centric tradecraft and how the group turns human, cloud, and privileged identities into an extortion path.

Why it matters: The same identity weaknesses that enable human account takeover also expose NHI, PAM, and federation controls, so IAM teams need one defensive model across all three.

By the numbers:

👉 Read Hydden’s analysis of Scattered Spider’s identity-centric attack tradecraft


Context

Scattered Spider is a threat group that turns identity compromise into the main attack path, using phishing, vishing, MFA abuse, and token theft to reach cloud apps, help desks, and privileged systems. For IAM teams, the important point is not the social engineering itself, but the fact that identity controls are the control plane the attackers repeatedly exploit.

Hydden’s account shows a collective that adapts quickly, targets people with access, and then uses those identities to widen access across connected systems. That makes this a governance problem across human identity, privileged access, and non-human identity controls rather than a single phishing problem.

The starting position the article describes is typical of modern intrusion chains: a weak identity check opens the door, and identity sprawl does the rest.


Key questions

Q: How should security teams reduce the risk of Scattered Spider-style identity compromise?

A: Security teams should harden recovery, enrollment, and privileged access workflows rather than only focusing on login protection. That means stronger identity proofing, tighter MFA enrolment controls, short-lived access where possible, and continuous monitoring of federation, PAM, and secret stores. The goal is to make replayed identity material less useful after initial compromise.

Q: Why do MFA and SSO controls still fail against identity-focused intrusions?

A: MFA and SSO fail when attackers steal the factors, enroll their own devices, or replay already satisfied claims. The problem is not that the controls do nothing, but that they can be converted into valid sessions by an attacker who controls the recovery path or the token lifecycle. Governance must cover the trust chain, not just the prompt for credentials.

Q: What do organisations get wrong about internal credential exposure?

A: Many organisations treat internal credentials in chat tools, repositories, and documentation as low-risk because they are not public. In practice, once one identity is compromised, those locations become a fast way to expand access. The mistake is assuming exposure is only external when the real issue is how quickly an attacker can search the internal estate.

Q: Who is accountable when identity recovery is abused in a breach?

A: Accountability usually spans IAM operations, help desk teams, privileged access owners, and security monitoring functions because the attack path crosses all of them. If identity recovery can be abused to restore access without strong proof, the organisation has a governance gap, not just a user problem. Access assurance must be owned across the full lifecycle.


Technical breakdown

Phishing kits, copycat IdP pages, and credential replay

Scattered Spider’s initial access often begins with copycat identity provider pages, SMS lures, and voice-based social engineering that push victims to enter credentials and MFA codes. The key technical detail is live credential capture, not just credential theft: the attacker relays the captured password and one-time code into the legitimate sign-in flow while the code is still valid, so the resulting session is genuine and phishing detection that looks for an anomalous login sees nothing wrong. Some variants also use AnyDesk, a legitimate remote-access tool, which shows the kit was built for flexible intrusion rather than a single channel. This is why identity proofing and session trust need to be treated as part of the attack surface, not just the login page.

Practical implication: strengthen identity verification at help desk and sign-in recovery points, where replayed credentials become operational access.

MFA theft, device abuse, and claims replay

The group’s MFA bypass methods include direct code capture, SIM swapping, push fatigue, device enrolment abuse, and replaying tokens whose claims are already satisfied. In most of these the attacker is not breaking MFA cryptographically but subverting the trust workflow around it. Once a session token or claim carries a satisfied MFA result, many downstream services accept it until it is revoked or re-authentication is forced. That makes mobile device control, authenticator enrolment, and token lifecycle governance part of the authentication boundary. In practice, the attack lives in the gap between proof of identity and proof of continued legitimacy.

Practical implication: treat MFA enrolment, token reuse, and device registration as high-risk events that need monitoring and a fast revocation path.
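The revocation point above is easier to see in code. The following is an added example, not Hydden’s code or any vendor’s implementation: a minimal session-token issuer that binds every token to a per-user "session version" and bumps that version when a high-risk identity event occurs. The signing key, TTL, user names and timestamps are all assumed values constructed for the example. It shows why a captured token that is "structurally valid" keeps working until someone revokes it, and why tying revocation to recovery and enrolment events closes that window before the TTL does.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side signing key, constructed for this example only.
SERVER_KEY = b"example-signing-key-replace-in-real-deployments"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionIssuer:
    """Issues short-lived, HMAC-signed session tokens bound to a per-user
    session version. Bumping the version on a high-risk identity event
    (help-desk reset, MFA re-enrolment, new device registration) makes every
    token issued before the bump fail validation, so a replayed token stops
    working long before its TTL would have ended."""

    def __init__(self, key: bytes, ttl_seconds: int = 600):
        self.key = key
        self.ttl = ttl_seconds
        self.session_version: dict[str, int] = {}
        self.audit: list[str] = []

    def issue(self, user: str, now: float) -> str:
        version = self.session_version.setdefault(user, 1)
        payload = {"sub": user, "ver": version, "iat": int(now), "exp": int(now) + self.ttl}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"

    def revoke_all(self, user: str, reason: str) -> None:
        """Invalidate every outstanding token for `user` in one step."""
        self.session_version[user] = self.session_version.get(user, 1) + 1
        self.audit.append(f"revoked all sessions for {user}: {reason}")

    def validate(self, token: str, now: float) -> str:
        """Return 'ok' or the reason the token is rejected."""
        parts = token.split(".")
        if len(parts) != 2:
            return "malformed"
        body, sig = parts
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return "bad signature"
        payload = json.loads(_unb64(body))
        if now >= payload["exp"]:
            return "expired"
        if payload["ver"] != self.session_version.get(payload["sub"], 1):
            return "revoked"
        return "ok"


def replay_scenario() -> dict[str, str]:
    """Walk through a capture-and-replay sequence and record each outcome."""
    issuer = SessionIssuer(SERVER_KEY, ttl_seconds=600)
    t0 = 1_700_000_000.0  # assumed epoch timestamp for the sign-in
    stolen = issuer.issue("alice", t0)  # token captured at the victim's sign-in
    outcomes = {}
    # Replay while nothing has been revoked: the token is genuine and accepted.
    outcomes["replay_before_revocation"] = issuer.validate(stolen, t0 + 60)
    # A help-desk MFA reset is treated as high-risk and triggers revocation.
    issuer.revoke_all("alice", "help-desk MFA reset flagged as high-risk")
    outcomes["replay_after_revocation"] = issuer.validate(stolen, t0 + 120)
    # The legitimate user re-authenticates and receives a version-2 token.
    fresh = issuer.issue("alice", t0 + 130)
    outcomes["fresh_token"] = issuer.validate(fresh, t0 + 140)
    outcomes["fresh_after_ttl"] = issuer.validate(fresh, t0 + 130 + 601)
    # Editing the expiry without the key breaks the signature.
    _, sig = fresh.split(".")
    forged = {"sub": "alice", "ver": 2, "iat": int(t0 + 130), "exp": int(t0 + 99999)}
    tampered = _b64(json.dumps(forged, sort_keys=True).encode()) + "." + sig
    outcomes["tampered_exp"] = issuer.validate(tampered, t0 + 140)
    return outcomes


if __name__ == "__main__":
    for step, result in replay_scenario().items():
        print(f"{step:26s} -> {result}")
```

The design choice worth noting is that revocation is keyed to the subject, not to the individual token: the service does not need to know which token the attacker holds, only that something happened to the account that makes every pre-existing session untrustworthy.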

Identity provider abuse, credential harvesting, and privilege escalation

Once inside, Scattered Spider searches Slack, documentation repositories, secret stores, PAM systems, and cloud tools for additional credentials. That behaviour turns identity platforms into both a persistence layer and a reconnaissance source. The group has also used federated identity provider abuse and delegated authentication to extend access across connected applications. From a technical standpoint, the intrusion grows by chaining legitimate access paths together until one high-value identity or security tool yields broader authority. This is why visibility into role changes, service access, and admin actions matters as much as endpoint detection.

Practical implication: monitor identity stores, PAM events, and federation changes as active attack surfaces, not administrative background noise.
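The monitoring implication above, and the enrolment, role-change and token-reuse signals the practitioner checklist later on the page calls out, can be expressed as a small correlation over identity telemetry. The following is an added example, not Hydden’s detection content or any IdP’s built-in rule set. The event records are constructed JSON lines with a simplified schema (`ts`, `user`, `event`, `ip`, `session`, optional `role`); the event names, the one-hour window and the two users are assumptions. It flags three things: a new authenticator enrolled from an unseen address shortly after a help-desk reset, a privileged role granted in the same window, and one session identifier presented from two different source addresses, which is what a replayed token looks like next to the victim’s own session.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). "bob" is a benign user who
# enrols a new authenticator from his usual address; "alice" shows the
# recovery -> enrolment -> privilege chain described above.
SAMPLE_EVENTS = """\
{"ts":"2026-02-10T09:00:00Z","user":"bob","event":"login","ip":"203.0.113.10","session":"s-bob-1"}
{"ts":"2026-02-10T09:05:00Z","user":"bob","event":"mfa_device_enrolled","ip":"203.0.113.10","session":"s-bob-1"}
{"ts":"2026-02-10T13:00:00Z","user":"alice","event":"login","ip":"198.51.100.7","session":"s-alice-1"}
{"ts":"2026-02-10T13:42:00Z","user":"alice","event":"helpdesk_mfa_reset","ip":"198.51.100.7","session":"hd-ticket-4471"}
{"ts":"2026-02-10T13:50:00Z","user":"alice","event":"mfa_device_enrolled","ip":"192.0.2.55","session":"s-alice-2"}
{"ts":"2026-02-10T13:58:00Z","user":"alice","event":"api_call","ip":"192.0.2.55","session":"s-alice-1"}
{"ts":"2026-02-10T14:03:00Z","user":"alice","event":"role_assigned","ip":"192.0.2.55","session":"s-alice-2","role":"Global Administrator"}
"""

RECOVERY_EVENTS = {"helpdesk_password_reset", "helpdesk_mfa_reset"}  # assumed names
WINDOW = timedelta(hours=1)  # assumed correlation window; tune per environment


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list[dict]) -> list[dict]:
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    for user, evs in by_user.items():
        # R2: one session identifier presented from more than one source IP.
        session_ips = defaultdict(set)
        for ev in evs:
            session_ips[ev["session"]].add(ev["ip"])
        for sess, ips in session_ips.items():
            if len(ips) > 1:
                alerts.append({"rule": "R2_session_multi_ip", "user": user,
                               "detail": f"{sess} seen from {sorted(ips)}"})

        # R1 / R3: what happens inside WINDOW after a help-desk recovery action.
        for i, ev in enumerate(evs):
            if ev["event"] not in RECOVERY_EVENTS:
                continue
            baseline_ips = {e["ip"] for e in evs[:i]}  # addresses seen before the reset
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > WINDOW:
                    break
                if later["event"] == "mfa_device_enrolled" and later["ip"] not in baseline_ips:
                    alerts.append({"rule": "R1_post_recovery_enrolment_new_ip", "user": user,
                                   "detail": f"enrolment from {later['ip']} "
                                             f"{later['ts'] - ev['ts']} after {ev['event']}"})
                if later["event"] == "role_assigned":
                    alerts.append({"rule": "R3_role_grant_after_recovery", "user": user,
                                   "detail": f"{later.get('role')} granted "
                                             f"{later['ts'] - ev['ts']} after {ev['event']}"})
    return alerts


def rules_triggered(text: str = SAMPLE_EVENTS) -> dict[str, set[str]]:
    """Map each user to the set of rule names that fired on their events."""
    out: dict[str, set[str]] = defaultdict(set)
    for alert in correlate(parse_events(text)):
        out[alert["user"]].add(alert["rule"])
    return dict(out)


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['rule']}] {alert['user']}: {alert['detail']}")
```

Run against the constructed sample, the benign enrolment by "bob" produces nothing, while "alice" triggers all three rules. The point is that none of the three events is suspicious on its own; the help-desk reset, the enrolment and the role grant are each routine administration until they are correlated in time and against the user’s prior source addresses.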


Threat narrative

Attacker objective: The objective is to convert identity access into rapid extortion leverage by stealing sensitive data and, when needed, using the same access to expand into privileged systems.

  1. Entry begins with SMS phishing, vishing, or a copycat IdP page that captures valid credentials and MFA codes from a targeted user.
  2. Escalation follows when the attackers replay those credentials, harvest additional secrets from collaboration tools or PAM systems, and abuse federation or cloud tokens to widen access.
  3. Impact occurs when the group reaches privileged systems or sensitive data and moves quickly to exfiltration, extortion, or destructive actions before detection closes the window.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity compromise is the group’s primary control plane, not a side effect of the intrusion. Scattered Spider succeeds by turning authentication, recovery, and privilege workflows into attack paths. The group’s mix of phishing, vishing, token theft, and IdP abuse shows that once identity is weak, the rest of the environment becomes reachable through normal admin logic. Practitioners should read this as a governance failure across access assurance, not a collection of isolated incidents.

Help desk trust assumptions fail when the attacker can sound legitimate, not just look legitimate. The use of voice phishing and AI-assisted impersonation means support workflows that rely on confidence, urgency, or knowledge-based checks are structurally weak. This is a human IAM failure mode with direct downstream effects on SSO, MFA, and account recovery. The implication is that identity assurance must be evidence-based, not conversational.

Credential harvesting after initial access is the real acceleration point. Slack, documentation repositories, secret managers, and PAM systems all become attacker search space once one identity is compromised. That is why this campaign is also an NHI governance story: service credentials, tokens, and privileged access objects are part of the same blast radius. Teams should treat internal credential sprawl as a shared exposure surface across human and non-human identity.

Standing privilege and weak federation visibility make rapid lateral movement predictable. Once a replayed credential is accepted, the attacker often moves faster than review cycles, recertification, or manual containment can react. This is where access governance, federation governance, and privileged access monitoring intersect. The practical conclusion is that identity telemetry has to be fast enough to catch action, not merely record it.

Human-paced verification was designed for people who ask for access, not adversaries who industrialise identity recovery. That assumption fails when the threat actor continuously chains social engineering, replay, and token abuse across the same session window. The implication is not simply tighter controls, but a rethinking of which identity processes still assume stable, reviewable, human-paced access behaviour.

From our research:

What this signals

Identity recovery has become a frontline intrusion path. When an attacker can reset passwords, re-enrol devices, or replay satisfied claims, the most critical control is no longer login strength but the integrity of the recovery workflow. Teams should map where support processes can create a new trusted session without sufficient proof, then close those paths before the next social engineering wave.

Secret discovery inside collaboration systems is a governance issue, not a hygiene issue. Exposed credentials in chat tools, ticketing systems, and code repositories are especially dangerous because attackers use them to expand laterally after the first account is taken. The operational response is to pair discovery with policy enforcement, using continuous scanning and removal as part of normal identity operations.

With only 5.7% of organisations having full visibility into their service accounts, the same blind spots that weaken NHI governance also make it harder to spot attacker movement once human identity compromise begins. The programme signal is clear: identity telemetry has to cover humans, service accounts, and federated access in one control view.


For practitioners

  • Harden help desk identity proofing: Replace knowledge-based recovery checks with stronger verification for password resets, MFA resets, and device re-enrolment. Escalate high-risk recovery requests through video verification or equivalent controls before access is restored.
  • Monitor for credential harvesting inside collaboration tools: Search Slack, documentation platforms, code repositories, and ticketing systems for secrets, recovery data, and privileged account references. Remove exposed credentials and implement controls that prevent future storage in those locations.
  • Track federation and PAM changes as attack signals: Alert on new device enrolment, MFA policy changes, delegated authentication updates, role membership changes, and unusual privileged actions in PAM and cloud identity systems. Treat these events as active intrusion indicators, not routine administration.
  • Reduce attack value in exposed credentials: Apply least privilege and just-in-time access to programmatic and user-facing accounts that can reach sensitive systems. Revocation speed matters because replayed credentials are only dangerous while they remain valid.
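The second bullet, searching collaboration tools for secrets, is the part of this list teams most often leave to an ad hoc grep. The following is an added example, not code from Hydden or from any commercial scanner: a small secret scanner run over a constructed chat export. The message records, user names and the "secrets" in them are all made up (the AWS access key ID is the documented AWS example value), and the pattern list and entropy floor are assumptions to be tuned per estate. It pairs fixed-format detectors (cloud key IDs, GitHub tokens, private-key headers) with a generic "password:" pattern filtered by Shannon entropy, so that prose such as "password reset link" does not fire while a pasted credential does.

```python
import math
import re
from collections import Counter

# Constructed sample of an exported chat channel (not real messages or secrets).
SAMPLE_MESSAGES = [
    {"id": 1, "user": "bob", "text": "deploy key for prod is ghp_0123456789abcdefghijklmnopqrstuvwxyz, don't share"},
    {"id": 2, "user": "alice", "text": "temp aws creds: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": 3, "user": "carol", "text": "svc-backup password: Tr0ub4dor&3x! (rotate after the migration)"},
    {"id": 4, "user": "dave", "text": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----"},
    {"id": 5, "user": "erin", "text": "password reset link expires in 15 min, ping me if you need a new one"},
    {"id": 6, "user": "frank", "text": "see ticket 4471 for the PAM onboarding checklist"},
]

# (compiled pattern, capture group holding the secret value)
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    "github_pat": (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0),
    "slack_token": (re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}"), 0),
    "private_key_block": (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 0),
    # "password: <value>" / "pwd = <value>" style assignments; the value is
    # kept only if it looks random enough (see ENTROPY_FLOOR).
    "generic_password": (re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*(?:is|[:=])\s*(\S{8,})"), 1),
}
ENTROPY_FLOOR = 3.0  # assumed bits-per-character threshold; tune per environment


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a single repeated character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough to locate the secret in the source without re-exposing it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str) -> list[dict]:
    findings = []
    for kind, (pattern, group) in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(group)
            if kind == "generic_password" and shannon_entropy(value) < ENTROPY_FLOOR:
                continue  # a low-entropy word after "password:" is usually prose
            findings.append({"kind": kind, "redacted": redact(value), "offset": m.start()})
    return findings


def scan_export(messages: list[dict]) -> list[dict]:
    """Scan every message and tag each finding with where it came from."""
    findings = []
    for msg in messages:
        for f in scan_text(msg["text"]):
            findings.append({"message_id": msg["id"], "user": msg["user"], **f})
    return findings


if __name__ == "__main__":
    for f in scan_export(SAMPLE_MESSAGES):
        print(f"msg {f['message_id']} ({f['user']}): {f['kind']} {f['redacted']}")
```

Findings carry a redacted value and a location rather than the secret itself, so the scanner’s own output does not become another place credentials are stored. In a real deployment the fixed-format patterns should be extended to the cloud providers and secret formats actually in use, and each finding should feed a rotation ticket, since deleting the message does not invalidate the credential.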

Key takeaways

  • Scattered Spider shows that identity compromise is often the fastest route from initial access to extortion because verification, recovery, and privilege workflows are easier to abuse than core infrastructure.
  • The group’s tradecraft spans human identity, privileged access, and non-human credentials, which means fragmented IAM ownership leaves attackers room to move across the estate.
  • Teams that want to reduce this threat need stronger proofing, faster credential invalidation, and tighter visibility into federation and secret stores, not just better phishing awareness.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01, PR.AA-02 (identity and credential management; identity proofing and binding) | Identity proofing and recovery abuse are central to this campaign.
NIST Zero Trust Architecture (SP 800-207) | Section 2.1, Tenets of Zero Trust | Zero Trust assumes continuous verification after initial access.
NIST CSF 2.0 | DE.CM-03 (personnel activity and technology usage monitored) | Identity telemetry is needed to detect abnormal federation, PAM, and recovery activity.

Correlate identity events across help desk, PAM, and cloud controls to catch attacker movement early.


Key terms

  • Identity provider abuse: Identity provider abuse is when an attacker uses legitimate identity infrastructure, such as SSO, federation, or delegated authentication, to extend access after initial compromise. The abuse is dangerous because it turns trusted login plumbing into a persistence and lateral movement layer rather than a simple authentication service.
  • MFA replay: MFA replay is the reuse of a valid multi-factor authentication result, code, or token after it has already been captured from the user or device. It matters because the attacker does not need to defeat the factor again if the session or claim can be reused before revocation.
  • Credential harvesting: Credential harvesting is the deliberate search for secrets, tokens, passwords, and other access material after an attacker has gained a foothold. In identity-heavy intrusions, it turns chat tools, repositories, support systems, and secret stores into the next stage of the breach.
  • Privileged access management: Privileged access management is the set of controls that govern how high-risk access is requested, issued, monitored, and revoked. For this kind of attack, PAM is valuable only if it can resist social engineering, detect abuse fast, and avoid becoming another credential source.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Hydden: Scattered Spider identity tradecraft and attack vectors. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org