By NHI Mgmt Group Editorial Team | Published 2024-10-18 | Domain: Breaches & Incidents | Source: 1Kosmos

TL;DR: The MGM and Caesars intrusions show how social engineering, credential abuse, and MFA bypass can still defeat enterprise identity controls. Reuters has linked Scattered Spider to 52 attacks since 2022, and Verizon's DBIR finds that 74% of breaches involve a human element such as stolen credentials or social engineering. Legacy authentication no longer matches the way attackers move through identity systems, and that mismatch is now operational risk.


At a glance

What this is: An analysis of the MGM and Caesars breaches and the wider Scattered Spider pattern, showing how social engineering and MFA bypass can still defeat identity controls.

Why it matters: IAM teams have to assume attackers will target identity workflows, outsourced support, and recovery paths, not just passwords and endpoints.

By the numbers: Reuters has linked Scattered Spider to 52 attacks since 2022; Verizon's DBIR reports that 74% of breaches involve a human element such as stolen credentials or social engineering.



Context

Scattered Spider-style intrusions show a basic identity governance failure: organisations still treat authentication as a login problem instead of a lifecycle and support problem. Once attackers can impersonate a user through social engineering, they can pivot into support processes, privileged account registration, and identity provider abuse.

The article's core point is that legacy MFA often protects the initial sign-in but not the surrounding identity workflow. That leaves outsourced help desks, alternate identity providers, and administrative recovery paths exposed, which is why identity security for human users still has to be designed as a control plane, not a front-door check.


Key questions

Q: How should security teams stop help-desk social engineering from becoming account takeover?

A: Security teams should treat the help desk as part of the identity control plane. That means step-up verification for recovery actions, segregation of duties for privileged resets, and approval paths that cannot be satisfied by a single phone call or email request. The goal is to make impersonation expensive before any account state changes occur.

Q: Why do legacy MFA controls fail against support-led attacks?

A: Legacy MFA often protects the sign-in moment, but support-led attacks target the recovery and registration workflow instead. If an attacker can reset a factor, register a new device, or introduce an alternate identity provider, MFA becomes a gate they can route around. The failure is architectural, not just procedural.

Q: What breaks when identity provider governance is too loose?

A: When identity provider governance is weak, a single privileged change can create a new trusted path that bypasses the original authentication design. That breaks the assumption that all privileged access still flows through the same control boundary. Organisations then lose both assurance and visibility over who is truly authorised.

Q: How should organisations respond when identity compromise reaches privileged systems?

A: Organisations should contain identity compromise as a production incident, not just an IAM event. That means isolating affected identity paths, revoking suspicious trust relationships, validating provider configurations, and checking downstream systems that rely on the same authentication plane. Identity teams and operations teams need to work from the same containment plan.


Technical breakdown

How social engineering becomes identity compromise

The attack begins when a threat actor collects public profile data, then uses it to impersonate an employee in a support interaction. In these cases, the attacker is not defeating cryptography first. They are abusing trust in the help desk, the outsourced support vendor, and the recovery workflow. Once a support agent believes the caller is genuine, the attacker can trigger credential reset, account recovery, or privileged access changes that bypass normal authentication friction. The real weakness is not the password alone, but the operational identity process that accepts social proof as evidence of identity.

Practical implication: tighten help-desk verification before any credential reset or account recovery action is allowed.
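The verification rule described above (and the help-desk hardening item under For practitioners), as an added example that is not 1Kosmos's or NHIMG's code: a gate a support tool would call before it executes a reset, re-enrolment or unlock. It counts only evidence bound to something already on file, demands two independent strong factors plus an independent approver for privileged accounts, and ignores caller-supplied callback numbers entirely. The action names, evidence labels, role strings and sample requests are assumptions constructed for the example.

```python
"""Gate for support-led identity state changes.

Added example, not code from 1Kosmos or NHIMG. Action names, evidence labels,
role strings and the sample requests are assumptions constructed for
illustration; adapt them to your ticketing and directory systems.
"""
from dataclasses import dataclass, field

# Identity state changes a help desk can trigger. Anything else is refused.
HIGH_RISK_ACTIONS = {"password_reset", "mfa_reenrol", "mfa_reset_all", "unlock"}

# Evidence bound to something the organisation already holds on file. A caller
# cannot manufacture these from a public profile, so only these count.
STRONG_EVIDENCE = {
    "push_to_registered_device",      # prompt to the authenticator already enrolled
    "callback_to_directory_number",   # agent dials the number in the HR record
    "manager_confirmation",           # manager confirms from their own session
    "live_id_document_check",         # video plus government ID against HR data
}
# Evidence the caller supplies or that public data reveals. Logged, never counted.
WEAK_EVIDENCE = {
    "employee_id",
    "knowledge_questions",
    "callback_to_caller_supplied_number",
    "email_from_personal_address",
}


@dataclass
class RecoveryRequest:
    ticket: str
    subject: str                # account being changed
    subject_privileged: bool    # admin, super-admin or break-glass holder
    action: str
    agent: str                  # help-desk agent handling the interaction
    evidence: set = field(default_factory=set)
    approvers: set = field(default_factory=set)


def evaluate(req: RecoveryRequest) -> tuple[bool, list[str]]:
    """Return (allowed, blockers). Every unmet requirement is listed, so the
    agent cannot satisfy the gate by piling on more weak proof."""
    blockers = []
    if req.action not in HIGH_RISK_ACTIONS:
        return False, [f"unknown action {req.action!r}: refused by default"]
    if req.agent == req.subject:
        blockers.append("agent cannot process a change to their own account")

    # Unknown evidence labels fall out of this intersection and count for nothing.
    strong = req.evidence & STRONG_EVIDENCE
    needed = 2 if req.subject_privileged else 1
    if len(strong) < needed:
        blockers.append(f"need {needed} independent strong factor(s), have {len(strong)}")

    if req.subject_privileged:
        # Segregation of duties: one phone call must never be enough. The agent
        # who took the call and the subject themselves cannot be the approver.
        independent = req.approvers - {req.agent, req.subject}
        if not independent:
            blockers.append("privileged change needs an approver who is neither the agent nor the subject")
    return (not blockers), blockers


# Constructed sample requests (hypothetical names).
VISHING_ATTEMPT = RecoveryRequest(
    ticket="T-1001", subject="okta.superadmin", subject_privileged=True,
    action="mfa_reset_all", agent="vendor.agent01",
    evidence={"employee_id", "knowledge_questions", "callback_to_caller_supplied_number"},
)
VERIFIED_REQUEST = RecoveryRequest(
    ticket="T-1002", subject="okta.superadmin", subject_privileged=True,
    action="mfa_reset_all", agent="vendor.agent01",
    evidence={"push_to_registered_device", "callback_to_directory_number", "employee_id"},
    approvers={"iam.oncall"},
)
SELF_APPROVED = RecoveryRequest(
    ticket="T-1003", subject="okta.superadmin", subject_privileged=True,
    action="password_reset", agent="vendor.agent01",
    evidence={"push_to_registered_device", "manager_confirmation"},
    approvers={"vendor.agent01"},   # the handling agent approving their own ticket
)
STANDARD_USER = RecoveryRequest(
    ticket="T-1004", subject="alice", subject_privileged=False,
    action="password_reset", agent="vendor.agent01",
    evidence={"callback_to_directory_number", "employee_id"},
)

if __name__ == "__main__":
    for req in (VISHING_ATTEMPT, VERIFIED_REQUEST, SELF_APPROVED, STANDARD_USER):
        allowed, blockers = evaluate(req)
        print(req.ticket, "ALLOW" if allowed else "DENY", blockers)
```

The design point is that the caller's story never enters the decision: employee IDs, security questions and a number the caller reads out are accepted into the ticket for the record but contribute nothing, so an agent who wants to help cannot be talked into a reset by a convincing voice alone.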

Why MFA can be bypassed after initial access

Traditional MFA often assumes the problem ends after the user proves they control a password and device. In practice, an administrator with enough access can register a new authenticator, alter the trusted device, or introduce another identity provider if the control boundary is weak. That means MFA can still be technically present while governance is effectively broken. The issue is not whether MFA exists, but whether the system treats privileged registration actions as separate, heavily governed events. If it does not, the attacker can short-circuit the control and persist through a new trusted path.

Practical implication: require separate governance for MFA registration, reset, and provider changes, especially for privileged users.

How privileged identity paths turn compromise into outage

Once attackers reach super-administrator access, the incident stops being a single account compromise and becomes a control-plane event. The article shows how identity provider manipulation can be used to impersonate privileged users and then support ransomware deployment across email, booking, and physical access systems. That is why identity compromise now creates business interruption, not just data exposure. When identity infrastructure is the route into operational systems, a compromise in authentication or federation can disable service delivery at scale.

Practical implication: treat privileged identity paths as production dependencies and monitor them like core infrastructure.


Threat narrative

Attacker objective: The objective is to turn a support-driven identity compromise into privileged access that can be monetised through ransomware and operational disruption.

  1. Entry occurs when attackers use LinkedIn data and vishing to impersonate a resort employee and persuade outsourced support to assist with account access.
  2. Credential access follows when the support interaction allows the attacker to obtain or reset access to corporate accounts and privileged identity controls.
  3. Escalation occurs when the attackers gain super-administrator rights and configure a second identity provider to bypass MFA and impersonate privileged users.
  4. Impact lands when ransomware is deployed into corporate and operational systems, disrupting email, reservations, hotel booking, slot machines, and keycard access.
Related incidents from our breach tracking:
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Legacy MFA failed because it was built to verify a login, not a support workflow. The MGM and Caesars cases show that identity compromise now starts before authentication, in the call centre, help desk, or outsourced support path. That means the control assumption behind MFA, that the legitimate user is the one answering the challenge, no longer holds once attackers can socially engineer the process. Practitioners should treat support verification as part of identity architecture, not as an operational side issue.

Support-driven account recovery is now a privileged access pathway. The article demonstrates that adversaries do not need to break MFA if they can cause it to be re-enrolled, reset, or bypassed through administrative action. This is a lifecycle failure, not a point-in-time authentication failure, because the attacker abuses identity state changes that many IAM programmes still under-govern. The implication is that recovery, registration, and device trust events need the same scrutiny as primary authentication.

Identity provider sprawl creates a bypass surface that governance teams often miss. Once a second identity provider can be introduced, attackers can route around the intended trust boundary and impersonate high-value users. This page uses the term federation override exposure for that condition: the point where one privileged change can nullify the assumptions of the entire authentication stack. Practitioners should recognise that federation architecture is part of access control, not just infrastructure plumbing.

Physical and digital access converge after identity compromise. The disruption to hotel booking, restaurant reservations, email, slot machines, and digital keycards shows that enterprise identity is now a business continuity control as much as a security control. When access systems are federated and privileged, one compromised identity path can disable multiple operating domains at once. For IAM leaders, the lesson is to model blast radius across both IT and operational systems, not only within the directory.

Scattered Spider represents a repeatable social-engineering pattern, not an isolated casino story. The combination of public profiling, vishing, outsourced support, and privilege escalation is adaptable across sectors that rely on help desks and external service desks. That makes the threat portable, which is why organisations with mature perimeter controls can still fail if identity operations remain porous. The practitioner conclusion is straightforward: trust boundaries must be redesigned around process assurance, not user familiarity.

From our research:

  • 72% of identity professionals find machine identities more challenging to manage than human identities, citing poor internal processes and insufficient tooling, according to The Critical Gaps in Machine Identity Management report.
  • 59% of companies face greater difficulties auditing machine identities, primarily due to lack of clear ownership and limited visibility.
  • For lifecycle and access-review context, see 52 NHI Breaches Analysis, which shows how ownership gaps and unrevoked access widen blast radius over time.

What this signals

Federation override exposure: When a privileged actor can introduce or alter identity plumbing, the authentication stack stops being a control boundary and becomes a pathway to bypass it. Identity programmes now need explicit governance over recovery, registration, and provider changes, because those are the moments attackers target when social engineering succeeds.

With 66% of identity professionals saying current tooling is not adequate to manage machine identity scale, according to The Critical Gaps in Machine Identity Management report, the wider lesson is that identity teams are already operating with visibility debt. The same pattern appears here in human identity workflows: if support paths are weakly governed, the next compromise will arrive through process, not password.

Enterprises should expect more attacks that combine public profiling, outsourced support, and privilege escalation. The defensive priority is to reduce trust in human claims alone and to validate identity state changes with stronger, separate controls across the lifecycle.


For practitioners

  • Harden help-desk identity verification: Require multi-step verification before password resets, authenticator changes, or account recovery actions are approved for any user with access to sensitive systems.
  • Restrict privileged MFA re-enrolment: Separate the authority to register a new device or authenticator from the authority to use the account, and log every privileged re-enrolment as a high-risk event.
  • Review identity provider change controls: Treat any addition or alteration of an identity provider as a controlled change request with security approval, break-glass review, and post-change validation.
  • Map support workflows to blast radius: Inventory outsourced support paths, account recovery flows, and privileged access steps to identify where a single social engineering call can reach production systems.
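The attacker path from the Why MFA can be bypassed section (factor reset, fresh enrolment, a new identity provider) together with the logging items in the list above, as an added detection example that is not 1Kosmos's or NHIMG's code. It correlates identity state-change events for one account inside a time window and raises severity as the chain completes; any federation change surfaces on its own because it should always match a change ticket. Event type names are assumptions modelled on Okta System Log naming, and the log lines are constructed for the example, not taken from the incident.

```python
"""Correlate support-led identity state changes into a single alert chain.

Added example, not code from 1Kosmos or NHIMG. Event type names are
assumptions modelled on Okta System Log naming; the log lines below are
constructed for the example, not taken from any real incident.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)

# Which chain stage each event type contributes, and which field names the
# account it is attributed to. Resets and re-enrolments belong to the target
# account; federation and privilege changes belong to the actor, because by
# then the attacker is operating as the compromised administrator.
STAGES = {
    "user.account.reset_password":  ("reset", "target"),
    "user.mfa.factor.reset_all":    ("reset", "target"),
    "user.mfa.factor.activate":     ("reenrol", "target"),
    "system.idp.lifecycle.create":  ("federation", "actor"),
    "system.idp.lifecycle.update":  ("federation", "actor"),
    "user.account.privilege.grant": ("privilege", "actor"),
}
RANK = {"high": 1, "critical": 2}


def severity(stages):
    """Map the set of stages seen for one account inside the window to a level."""
    if {"reset", "reenrol"} <= stages and stages & {"federation", "privilege"}:
        return "critical"   # support-led takeover reached the control plane
    if {"reset", "reenrol"} <= stages:
        return "high"       # factor reset followed by a fresh enrolment
    if "federation" in stages:
        return "high"       # any IdP change must be matched to a change ticket
    return None


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=WINDOW):
    """Return one alert per account, carrying the highest severity reached and
    the events still inside the window at that point."""
    recent = {}   # account -> [(ts, stage, event id)] inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["eventType"] not in STAGES or ev.get("outcome", "SUCCESS") != "SUCCESS":
            continue
        stage, key_field = STAGES[ev["eventType"]]
        account, ts = ev[key_field], parse_ts(ev["ts"])
        history = [h for h in recent.get(account, []) if ts - h[0] <= window]
        history.append((ts, stage, ev["id"]))
        recent[account] = history
        level = severity({h[1] for h in history})
        if level is None:
            continue
        current = alerts.get(account)
        if current is None or RANK[level] >= RANK[current["severity"]]:
            alerts[account] = {
                "account": account,
                "severity": level,
                "stages": sorted({h[1] for h in history}),
                "events": [h[2] for h in history],
            }
    return sorted(alerts.values(), key=lambda a: a["account"])


# Constructed sample log, trimmed to the fields the detector reads.
SAMPLE_EVENTS = [
    {"id": "e1", "ts": "2024-01-15T09:02:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice", "target": "alice"},                      # routine new phone, no reset
    {"id": "e2", "ts": "2024-01-15T10:00:00Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk.vendor", "target": "okta.superadmin"},  # support-led reset
    {"id": "e3", "ts": "2024-01-15T10:04:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk.vendor", "target": "okta.superadmin"},
    {"id": "e4", "ts": "2024-01-15T10:09:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "okta.superadmin", "target": "okta.superadmin"},  # attacker enrols a factor
    {"id": "e5", "ts": "2024-01-15T10:31:00Z", "eventType": "system.idp.lifecycle.create",
     "actor": "okta.superadmin", "target": "idp-external-02"},  # second IdP introduced
    {"id": "e6", "ts": "2024-01-15T10:35:00Z", "eventType": "user.account.privilege.grant",
     "actor": "okta.superadmin", "target": "finance.ops"},
    {"id": "e7", "ts": "2024-01-15T11:30:00Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk.vendor", "target": "bob"},
    {"id": "e8", "ts": "2024-01-15T13:05:00Z", "eventType": "system.idp.lifecycle.update",
     "actor": "iam.admin", "target": "idp-corp-saml"},          # legitimate, still surfaced
    {"id": "e9", "ts": "2024-01-15T14:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob", "target": "bob"},                          # too late to chain with e7
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["account"], alert["stages"], alert["events"])
```

Attributing the federation and privilege events to the actor rather than the target is what joins the two halves of the story: the help desk acted on the administrator account, and minutes later that same account is rewriting the trust boundary. The window keeps a routine reset on one day from chaining with an unrelated enrolment hours later, which is why bob produces no alert.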

Key takeaways

  • The breach pattern shows that identity compromise can begin in support workflows, not just at the login screen.
  • Evidence from the article links social engineering to privilege escalation, MFA bypass, and operational disruption across core business systems.
  • The control that matters most is governed identity state change, especially resets, re-enrolment, and provider changes for privileged users.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | SP 800-63A (enrolment and identity proofing), SP 800-63B (authenticators and lifecycle), SP 800-63C (federation) | Proofing, authenticator recovery and federation assurance are central to this social-engineering attack path.
NIST CSF 2.0 | PR.AA (Identity Management, Authentication, and Access Control); the equivalent CSF 1.1 subcategory is PR.AC-4 | Identity assurance and access management are the controls this attack bypassed.
NIST SP 800-207 (Zero Trust Architecture) | Section 2.1, Tenets of Zero Trust | The attack shows why trust must be continuously validated across identity paths rather than granted once at sign-in.

Strengthen identity proofing and recovery flows so privileged changes require stronger assurance than a phone call.


Key terms

  • Support-led account takeover: A support-led account takeover happens when an attacker uses help-desk or service-desk processes to reset, re-enrol, or unlock access rather than breaking authentication directly. The risk sits in the identity workflow itself, where trust in human verification can override stronger technical controls.
  • Federation override exposure: Federation override exposure is the condition where a privileged change to identity provider configuration creates a new trusted path around the intended authentication boundary. It matters because one administrative action can undermine the assurance model for many downstream systems at once.
  • Identity state change: Identity state change is any event that alters how an account is trusted, recovered, enrolled, or authorised, such as password reset, authenticator registration, or provider reassignment. These events are security-sensitive because they can create or remove trust without changing the underlying user.
  • Blast radius: Blast radius is the scope of systems, data, and operations that can be affected once an identity is compromised. In identity security, it is shaped less by the initial login control than by privilege, federation trust, recovery paths, and downstream system dependencies.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos covering the MGM and Caesars breaches: why legacy MFA is failing enterprise identity. Read the original.

NHIMG Editorial Note
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org