By NHI Mgmt Group Editorial Team
Published 2025-06-30
Domain: Breaches & Incidents
Source: Push Security

TL;DR: Scattered Spider-linked intrusions against insurance, airlines, retail, and transport targets show how help desk impersonation, MFA abuse, and session theft continue to bypass conventional controls, according to Push Security. The lesson is that identity governance now has to assume social engineering and browser-session compromise are part of the normal attack path, not edge cases.


At a glance

What this is: This is an analysis of Scattered Spider tradecraft and the identity-based attack patterns that keep producing account takeover, data theft, and ransomware impact.

Why it matters: It matters because IAM, PAM, and NHI programmes all fail when help desk workflows, MFA reset paths, and session controls can be socially engineered or bypassed.

👉 Read Push Security's analysis of Scattered Spider identity attack tactics


Context

Scattered Spider is best understood as an identity attack pattern, not just a named gang. The recurring problem is that organisations still treat help desk resets, MFA recovery, and user verification as administrative tasks, even though those workflows now sit directly on the path to account takeover.

For IAM and PAM teams, the gap is structural: if a help desk can be socially engineered into resetting a privileged account, the organisation has already lost control of the trust boundary. Browser-based session theft, outsourced support, and cloud SaaS visibility gaps make that boundary wider, not narrower.


Key questions

Q: How should security teams stop help desk scams from becoming account takeovers?

A: Treat high-risk support actions as privileged operations, not routine service requests. Use phishing-resistant verification, separate approval paths for privileged accounts, and callback or device-possession checks before any MFA reset or credential change. If the caller can socially engineer the workflow, the workflow is already the exploit path.

Q: Why do identity-based attacks bypass so many traditional controls?

A: They attack the trust process rather than the endpoint. Once an attacker convinces support staff to reset access or steals a live session, many controls see a legitimate event instead of a hostile one. That is why identity proofing, session telemetry, and privileged access boundaries now matter as much as malware detection.

Q: What breaks when an attacker steals a browser session instead of a password?

A: Password resets and MFA checks may never fire, because the attacker is already inside an authenticated session. That means cloud and SaaS activity can look normal while the attacker exfiltrates data or changes settings. Teams need controls that monitor token reuse, browser anomalies, and session-level privilege.

Q: Who is accountable when help desk identity verification fails?

A: Accountability sits with both identity governance and support operations, because the reset process is part of the access control plane. Security teams should define which resets require stronger proof, which managers can approve exceptions, and which accounts are too sensitive for generic support handling. Governance must be explicit before the next impersonation attempt.


Technical breakdown

Help desk impersonation and MFA reset abuse

The attack starts with an identity proofing failure. Scattered Spider routinely uses vishing, smishing, or LinkedIn reconnaissance to impersonate an employee and convince support staff to reset credentials or re-enrol MFA. The weak point is not the reset function itself but the assumption that the caller is genuine. Once the attacker obtains a fresh factor or a password reset, the account takeover is immediate and often indistinguishable from a legitimate recovery event.

Practical implication: move high-risk support actions behind phishing-resistant verification and separate approval paths for privileged accounts.

Session hijacking and cloud access after initial compromise

Whether or not a reset succeeds, attackers increasingly target live sessions rather than passwords. AiTM phishing kits capture the session cookie at login, and stolen tokens or browser-based interception let them reuse authenticated access without triggering the controls that protect the login itself. In cloud and SaaS environments this matters because the activity blends into normal admin behaviour and the logs are fragmented across services.

Practical implication: treat authenticated sessions as first-class credentials and add controls that detect token reuse, anomalous browser activity, and impossible travel in cloud access paths.
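The three session-level checks named above (token reuse, anomalous browser context, impossible travel), run over a constructed audit trail. This is an added example for this page, not Push Security's tooling or any vendor's detection rule; the event schema, the action names, the documentation-range IPs and ASNs, and the 900 km/h threshold are assumptions.

```python
"""Session-level anomaly detection over constructed SaaS audit events.

Added example for this page; it is not Push Security's tooling or any
vendor's detection rule. The event schema, the ASN labels, the action
names and the 900 km/h travel threshold are assumptions. Real sources
(Okta System Log, Entra ID sign-in logs, Google Workspace audit) carry
equivalent fields under different names.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Actions an attacker takes once inside a hijacked session (assumed names).
SENSITIVE_ACTIONS = {"mfa.factor.reset", "oauth.grant", "mail.forwarding.set"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session: str      # opaque session/token identifier as the IdP or SaaS logs it
    ip: str
    asn: str
    user_agent: str
    lat: float
    lon: float
    action: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events, max_kmh=900.0):
    """Return findings as (kind, user, session, timestamp, detail) tuples.

    All three checks look at the authenticated session, not the login:
      session_reuse      - one session id seen from a new ASN or user agent
      impossible_travel  - consecutive events for a user imply > max_kmh
      sensitive_action_in_suspect_session - a sensitive action inside a
                           session that has already tripped a check
    """
    findings = []
    session_origin = {}   # session id -> (asn, user_agent) at first sighting
    last_seen = {}        # user -> previous event
    suspect = set()       # session ids that have tripped a check
    for e in sorted(events, key=lambda x: x.ts):
        origin = session_origin.setdefault(e.session, (e.asn, e.user_agent))
        if origin != (e.asn, e.user_agent):
            suspect.add(e.session)
            findings.append(("session_reuse", e.user, e.session, e.ts,
                             f"first seen {origin}, now {(e.asn, e.user_agent)}"))
        prev = last_seen.get(e.user)
        if prev is not None and prev.ip != e.ip:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            # the 50 km floor stops two offices on different ISPs from alerting
            if km > 50 and speed > max_kmh:
                suspect.add(e.session)
                findings.append(("impossible_travel", e.user, e.session, e.ts,
                                 f"{km:.0f} km in {hours * 60:.0f} min"))
        if e.action in SENSITIVE_ACTIONS and e.session in suspect:
            findings.append(("sensitive_action_in_suspect_session", e.user,
                             e.session, e.ts, e.action))
        last_seen[e.user] = e
    return findings


def sample_events():
    """Constructed trail: alice's session is replayed from another network 20 minutes after login."""
    def t(hhmm):
        return datetime(2025, 6, 30, int(hhmm[:2]), int(hhmm[2:]))
    london = (51.5074, -0.1278)
    new_york = (40.7128, -74.0060)
    return [
        Event(t("0900"), "alice", "sess-7f3a", "198.51.100.10", "AS64496", "Chrome/Windows", *london, "user.session.start"),
        Event(t("0905"), "alice", "sess-7f3a", "198.51.100.10", "AS64496", "Chrome/Windows", *london, "file.read"),
        Event(t("0920"), "alice", "sess-7f3a", "203.0.113.7", "AS64511", "Chrome/Linux", *new_york, "mfa.factor.reset"),
        Event(t("0930"), "bob", "sess-1c22", "192.0.2.5", "AS64496", "Safari/macOS", *london, "user.session.start"),
        Event(t("0945"), "bob", "sess-1c22", "192.0.2.5", "AS64496", "Safari/macOS", *london, "file.read"),
    ]


if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(*finding)
```

Note that none of the three findings would be raised by a login-time control: the replayed session never logs in again, so a fresh-login MFA prompt or a sign-in risk score has nothing to evaluate. The session id is the join key, which is why the session or token identifier must be retained in the audit source rather than dropped at ingestion.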

Why ransomware and data theft follow identity compromise so quickly

Identity compromise compresses the entire kill chain. Once attackers control an account with broad entitlements, they can move straight to cloud data harvesting, SaaS exfiltration, or VMware admin access without the noisy privilege escalation steps that endpoint-focused defences expect. That is why the same playbook can end in data theft, service disruption, or ransomware deployment depending on the target environment.

Practical implication: map privileged identity paths into cloud, SaaS, and virtualisation layers, not just into endpoint tooling.
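One way to do that mapping, as an added example that is not code from Push Security or any vendor: walk the entitlement graph from each human identity and separate the high-impact targets reachable through standing access from those that sit behind a just-in-time approval. The graph, node names, gate labels and the set of high-impact targets below are constructed for illustration; in practice the edges come from IdP group membership, cloud IAM policy, SaaS role assignments and vCenter permissions.

```python
"""Privileged path mapping across cloud, SaaS and virtualisation entitlements.

Added example for this page, not code from Push Security or any vendor.
The graph, node names, gate labels and HIGH_IMPACT set are constructed
for illustration.
"""
from collections import deque

# Edge label: "standing" access needs no further step once the identity is
# controlled; "jit" requires a just-in-time approval before it can be used.
ENTITLEMENTS = {
    "user:alice": [("group:cloud-admins", "standing"), ("group:staff", "standing")],
    "user:bob": [("group:staff", "standing"), ("role:vsphere-admin", "jit")],
    "user:carol": [("group:staff", "standing"), ("group:helpdesk", "standing")],
    "group:cloud-admins": [("role:storage-admin", "standing"), ("role:iam-admin", "standing")],
    "group:helpdesk": [("role:directory-password-reset", "standing")],
    "group:staff": [("role:sharepoint-reader", "standing")],
    "role:storage-admin": [("res:s3-customer-data", "standing")],
    "role:iam-admin": [("res:cloud-iam", "standing")],
    "role:vsphere-admin": [("res:vcenter", "standing")],
    "role:directory-password-reset": [("res:entra-user-credentials", "standing")],
    "role:sharepoint-reader": [("res:sharepoint-hr", "standing")],
}

# Targets where control means data theft, disruption or ransomware staging.
HIGH_IMPACT = {"res:s3-customer-data", "res:cloud-iam", "res:vcenter",
               "res:entra-user-credentials"}


def reachable(graph, start, allow_jit):
    """BFS from an identity; return {target: path} for high-impact targets reached.

    With allow_jit=False only standing edges are followed, so the result is
    what an attacker holds immediately after taking the account over.
    """
    paths = {}
    seen = {start}
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        for nxt, gate in graph.get(node, []):
            if gate == "jit" and not allow_jit:
                continue
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            if nxt in HIGH_IMPACT:
                paths[nxt] = new_path
            queue.append((nxt, new_path))
    return paths


def impact_report(graph):
    """Per identity: targets reachable with standing access vs only behind a JIT gate."""
    report = {}
    for ident in (n for n in graph if n.startswith("user:")):
        standing = reachable(graph, ident, allow_jit=False)
        gated = {t: p for t, p in reachable(graph, ident, allow_jit=True).items()
                 if t not in standing}
        report[ident] = {"standing": standing, "gated": gated}
    return report


def prioritise(report):
    """Identities ordered by how many high-impact targets they reach with no further step."""
    return sorted(report, key=lambda i: len(report[i]["standing"]), reverse=True)


if __name__ == "__main__":
    rep = impact_report(ENTITLEMENTS)
    for ident in prioritise(rep):
        for target, path in rep[ident]["standing"].items():
            print(f"{ident} -> {target} (standing): {' -> '.join(path)}")
        for target in rep[ident]["gated"]:
            print(f"{ident} -> {target} (behind JIT approval)")
```

The output is the list the help desk hardening work should be driven by: the identities at the top of `prioritise()` are the ones whose reset or session theft skips every escalation step, so they need the stricter recovery path first. Note that carol, who holds nothing in the cloud, still reaches directory credential control through a help desk role, which is exactly the account class this campaign targets.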


Threat narrative

Attacker objective: The objective is to turn one socially engineered identity event into broad access that enables theft, disruption, or extortion.

  1. Entry begins with vishing, smishing, or help desk impersonation that convinces support staff to reset credentials or MFA for a targeted employee.
  2. Escalation follows when the attacker uses the newly issued access to hijack a privileged account, steal a live session token, or pivot into cloud and SaaS services.
  3. Impact comes through data theft, cloud log tampering, business disruption, or ransomware deployment in environments such as VMware infrastructure.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity-based attack paths are now the default failure mode for enterprise access control. Scattered Spider demonstrates that the most reliable route into modern environments is no longer software exploitation but manipulation of the identity workflow itself. Help desk reset paths, MFA recovery, and browser sessions are now part of the attack surface. Organisations that still separate identity governance from incident response are treating the wrong layer as primary, and practitioners should recast identity process integrity as core security infrastructure.

Help desk trust was designed for human-paced verification, and that assumption is brittle under organised social engineering. The process assumes the caller can be challenged, slowed, and authenticated before action is taken. That assumption fails when attackers pre-stage convincing context and target teams measured on speed, not certainty. The implication is that support operations need to be governed as privileged access paths, not as customer service workflows.

Session hijacking turns identity compromise into a control bypass, not just an account problem. Once a live browser session is stolen, many downstream controls never see a fresh login event to challenge. This is why browser-layer identity security and cloud session telemetry matter as much as password policy. The practitioner conclusion is that authenticated access must be monitored as an active object, not a one-time event.

Standing administrative privilege makes identity compromise convert to impact too quickly. The article repeatedly shows that attackers select accounts likely to already carry broad access, which removes the usual escalation steps and shortens response time. That is a governance problem, not just a detection problem. Practitioners should interpret broad default privilege as an impact accelerator across cloud, SaaS, and virtualisation domains.

The Employee Identity Verification Codes discussed in the source point to a broader concept: browser-mediated help desk verification. The substantive issue is not the code itself but the recognition that identity validation has moved into the browser and must be available at the point of support interaction. That is a useful signal for the market, because identity proofing is shifting away from knowledge-based questions and toward live possession checks. Teams should treat browser-mediated verification as an access control pattern, not a convenience feature.
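The possession check this paragraph describes, together with the tiered approval path called for under "Help desk impersonation and MFA reset abuse" above, as an added example. This is not Push Security's Employee Identity Verification Codes implementation or any vendor's API; the 8-digit code, the HMAC-SHA256 construction over (user, ticket, 5-minute window), the tier and action names, and the in-memory key store standing in for an enrolment database are all assumptions chosen for illustration.

```python
"""Possession-based help desk verification with tiered approval.

Added example for this page; it is not Push Security's Employee Identity
Verification Codes feature, nor any vendor's API. Everything specific is an
assumption: the 8-digit code, HMAC-SHA256 over (user, ticket, 5-minute
window), the tier and action names, and the in-memory key store.
"""
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 300        # code validity window
CODE_DIGITS = 8

# Accounts that get the stricter path (assumed tier names).
PRIVILEGED_TIERS = {"admin", "executive", "finance"}
# Support actions that are really credential issuance, not service requests.
HIGH_RISK_ACTIONS = {"password_reset", "mfa_reenrol", "device_change"}


class VerificationService:
    """Server side of the possession check.

    The enrolled browser/device holds a copy of the per-user key and shows the
    employee a code for one specific ticket; the agent types that code into the
    ticket. Knowledge-based questions never enter the decision.
    """

    def __init__(self):
        self._device_keys = {}   # user -> key shared with the enrolled device

    def enroll(self, user):
        key = secrets.token_bytes(32)
        self._device_keys[user] = key
        return key              # provisioned to the device at enrolment time

    @staticmethod
    def _code(key, user, ticket, window):
        msg = f"{user}|{ticket}|{window}".encode()
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        # RFC 4226-style dynamic truncation so the decimal code is unbiased
        offset = digest[-1] & 0x0F
        num = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{num % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"

    def device_code(self, user, ticket, now=None):
        """What the enrolled device displays; ticket binding stops reuse across requests."""
        now = time.time() if now is None else now
        return self._code(self._device_keys[user], user, ticket,
                          int(now // WINDOW_SECONDS))

    def verify(self, user, ticket, code, now=None):
        """Accept the current window and the previous one (boundary tolerance), nothing older."""
        now = time.time() if now is None else now
        key = self._device_keys.get(user)
        if key is None:
            return False        # unenrolled users cannot pass a possession check
        window = int(now // WINDOW_SECONDS)
        return any(hmac.compare_digest(self._code(key, user, ticket, w), code)
                   for w in (window, window - 1))


def required_checks(tier, action):
    """Map a support request to the evidence an agent needs before acting."""
    if action not in HIGH_RISK_ACTIONS:
        return set()
    checks = {"device_code"}
    if tier in PRIVILEGED_TIERS:
        checks.add("second_approver")   # separate approval path, not the same script
    return checks


def authorize(svc, request, now=None):
    """Decide a help desk request. Keys: user, tier, action, ticket, code, approver."""
    need = required_checks(request["tier"], request["action"])
    if not need:
        return True, "routine request"
    if "device_code" in need and not svc.verify(
            request["user"], request["ticket"], request.get("code", ""), now):
        return False, "possession check failed"
    if "second_approver" in need and not request.get("approver"):
        return False, "privileged account: second approver required"
    return True, "verified: " + ", ".join(sorted(need))


if __name__ == "__main__":
    svc = VerificationService()
    svc.enroll("alice")
    code = svc.device_code("alice", "INC-1042")
    print(authorize(svc, {"user": "alice", "tier": "admin", "action": "mfa_reenrol",
                          "ticket": "INC-1042", "code": code}))
    print(authorize(svc, {"user": "alice", "tier": "admin", "action": "mfa_reenrol",
                          "ticket": "INC-1042", "code": code, "approver": "carol"}))
```

Two design points matter more than the code format. The code is bound to the ticket, so a code the attacker talks an employee into reading out for one request cannot be replayed against another, and it expires after one window. And the privileged tier fails closed on the approver check even when the possession check passes, which is the "separate approval path" the breakdown above asks for.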

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and a further 47% reporting only partial visibility, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • If you are rebuilding support and access workflows, start with 52 NHI Breaches Analysis to see how identity failures become operational incidents.

What this signals

Browser-mediated identity control is becoming a frontline security requirement. As attackers move from passwords to sessions, teams need to monitor authenticated activity with the same seriousness they once reserved for login events. The practical shift is toward stronger device possession checks, session telemetry, and privileged support workflows that can survive social engineering.

Support operations should be treated as part of the access control plane. Once a help desk can reset privileged access through generic scripts, the organisation has turned service delivery into an escalation path. Security teams should prepare for tighter assurance in outsourced support, because the next wave of attacks will keep targeting the least scrutinised identity workflows.

With 1 in 4 organisations already investing in dedicated NHI security capabilities and another 60% planning to do so within twelve months, the boundary between human IAM and machine access governance is narrowing fast. Teams should expect identity verification, session control, and lifecycle governance to converge rather than remain separate programmes.


For practitioners

  • Harden help desk reset workflows: Require phishing-resistant verification for password resets, MFA re-enrolment, and device changes on privileged accounts. Separate ordinary service requests from high-risk account recovery so a caller cannot trigger the same process for every identity type.
  • Treat browser sessions as credentials: Instrument session reuse, token replay, and suspicious browser behaviour across SaaS and cloud platforms. If the session is the real control point, then log review must include authenticated activity, not just login success.
  • Reduce standing privilege before an incident tests it: Review admin entitlements that let a compromised user reach cloud data stores, directory tools, or virtualisation layers without additional approval. Prioritise accounts whose access would let an attacker skip escalation and go straight to impact.
  • Rebuild outsourced support assurance: If the help desk is external or remote, require a stronger call-back or device-possession step before any sensitive reset. Outsourced teams should not rely on the same scripts used for routine user support.

Key takeaways

  • Identity-based attack chains now work because organisations still over-trust support workflows, sessions, and recovery paths.
  • The scale is operational, not theoretical: recent Scattered Spider-linked incidents produced multimillion-pound losses, outages, and forced re-verification at massive user volumes.
  • Support verification, session-level monitoring, and privilege reduction are the controls most likely to interrupt this attack pattern before it becomes extortion or ransomware.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-04 | Help desk reset abuse and session theft map to NHI credential and session weaknesses.
NIST CSF 2.0 | PR.AC-4 | The article centres on controlling privileged access paths and trust boundaries.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Identity verification and session trust are core zero-trust decision points.

A caveat on the identifiers: PR.AC-1 and PR.AC-4 are NIST CSF 1.1 subcategory names. CSF 2.0 renamed the Access Control category to Identity Management, Authentication, and Access Control (PR.AA), and SP 800-207 uses no subcategory numbering at all; its relevant content is the policy decision point and policy enforcement point model that decides per request whether a session is still trusted. Check the mapping against the current framework text before citing it in an audit response.

Review privileged access workflows and reduce broad entitlements that let one compromise become impact.


Key terms

  • Help Desk Impersonation: A social engineering technique where an attacker pretends to be a legitimate employee or contractor to get support staff to reset credentials or MFA. In identity governance terms, it is a failure of recovery assurance, because the access workflow is trusted more than the caller's proof of identity.
  • Session Hijacking: The theft or reuse of an authenticated browser session so the attacker can act as the user without performing a fresh login. For identity programmes, sessions must be treated as active credentials, because once stolen they can bypass password and MFA controls that only protect authentication.
  • Standing Privilege: Persistent elevated access that remains available whether or not it is actively needed. In practice, it shortens the path from compromise to impact, because an attacker who captures the account can often move directly into sensitive systems without additional approval or escalation.
  • Browser-Mediated Verification: A verification pattern that uses the user's browser or device context to confirm possession before a sensitive support action is taken. It matters because modern identity attacks often happen at the browser layer, where standard help desk questions are too weak to resist impersonation.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Push Security: Scattered Spider continues to dominate the headlines, with the latest news linking the hackers to multiple major breaches. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org