By NHI Mgmt Group Editorial Team
Published: 2025-06-25
Domain: Governance & Risk
Source: HYPR

TL;DR: Scattered Spider is targeting U.S. insurers through social engineering, help desk abuse, and phishable MFA, using valid credentials and stolen session cookies to bypass legacy controls, according to HYPR. The lesson is that probabilistic identity checks fail when attackers can impersonate users, reset access, and intercept sessions faster than human review cycles can respond.


At a glance

What this is: This is HYPR’s analysis of how Scattered Spider is targeting insurers through credential theft, help desk fraud, and MFA bypass.

Why it matters: It matters because insurance firms hold high-value personal and claims data, and the same identity weaknesses that enable this campaign can also expose NHI, autonomous, and human access paths.

By the numbers:

👉 Read HYPR's analysis of the Scattered Spider credential attack targeting insurance


Context

Scattered Spider is using identity compromise, not malware novelty, to break into insurance environments. The attack pattern combines social engineering, help desk manipulation, and MFA bypass to obtain valid credentials, then turns those credentials into access that looks legitimate to the target systems.

For IAM teams, the important point is that this is not only a human-authentication problem. The same trust assumptions that fail for employees also affect service accounts, API keys, and other non-human identities when recovery, verification, and session controls are weak across the identity lifecycle.


Key questions

Q: How should security teams stop help desk fraud from becoming account takeover?

A: Security teams should treat the help desk as a high-risk access control point. Use deterministic identity verification for resets, require stronger approval for privileged accounts, and remove recovery methods that rely on information attackers can source from public data. If the reset path is weak, attackers will target it because it is faster than breaking the login flow.

Q: Why do legacy MFA methods fail against adversary-in-the-middle attacks?

A: Legacy MFA fails because the attacker can relay the sign-in flow in real time and steal the authenticated session, not just the password or code. Push approvals and OTPs prove that a user participated in the login, but they do not prevent a proxy from capturing the resulting session cookie and reusing it.

Q: What breaks when organisations rely on login-time trust alone?

A: Login-time trust breaks when the device or session changes after authentication. An attacker with a stolen cookie, compromised endpoint, or hijacked browser session can continue operating under a valid identity unless the programme keeps evaluating runtime risk. Continuous trust controls are what make the difference between a one-time check and ongoing assurance.

Q: Who is accountable when session hijack succeeds through identity recovery abuse?

A: Accountability sits with the identity programme, the service desk workflow owner, and the application team that accepted the session as trustworthy. Recovery, verification, and session governance are shared controls. If any one of them is weak, the attacker can convert social engineering into authenticated access without touching a traditional exploit.


Technical breakdown

How adversary-in-the-middle phishing steals live sessions

Adversary-in-the-middle, or AitM, phishing places a reverse proxy between the victim and the real login service. The user interacts with a convincing replica of the sign-in page, enters credentials, and completes MFA on the legitimate service while the attacker relays every step in real time. The critical outcome is not just password capture. The attacker steals the authenticated session cookie, which represents the browser’s approved session and often survives the point where MFA would otherwise stop reuse. This is why phishing-resistant methods matter: they reduce the value of intercepted credentials and make replay far harder.

Practical implication: replace phishable MFA paths with phishing-resistant authentication that cannot be proxied or replayed.
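The reason a phishing-resistant authenticator cannot be proxied is that its signature covers the origin the browser actually talked to. The following is an added illustration, not code from HYPR or NHIMG: a stdlib-only model in which the authenticator signs the challenge together with the origin, and the service checks both. The origins, challenges and key are constructed, and a shared HMAC key stands in for the asymmetric key pair a real authenticator would use.

```python
# Added example, not from HYPR or NHIMG: a stdlib-only model of why an
# origin-bound authenticator assertion cannot be relayed through an
# adversary-in-the-middle proxy, while a one-time code can. All origins,
# keys and challenges here are constructed for the illustration.
import hashlib
import hmac
import secrets

RP_ORIGIN = "https://login.example-insurer.test"          # constructed legitimate origin
PHISH_ORIGIN = "https://login.example-insurer-sso.test"   # constructed proxy origin

# Stand-in for the authenticator's per-relying-party private key. A real
# authenticator uses an asymmetric key pair and the service keeps only the
# public key; a shared HMAC key keeps this example dependency-free.
AUTHENTICATOR_KEY = secrets.token_bytes(32)


def authenticator_sign(challenge: bytes, origin_seen_by_browser: str) -> dict:
    """The browser, not the remote page, tells the authenticator which origin
    made the request, and that origin is covered by the signature."""
    client_data = f"{origin_seen_by_browser}|{challenge.hex()}".encode()
    signature = hmac.new(AUTHENTICATOR_KEY, client_data, hashlib.sha256).digest()
    return {"client_data": client_data, "signature": signature}


def relying_party_verify(assertion: dict, expected_challenge: bytes,
                         expected_origin: str = RP_ORIGIN) -> bool:
    """The real service accepts only assertions made for its own origin and
    for the challenge it issued, with a signature it can verify."""
    origin, challenge_hex = assertion["client_data"].decode().split("|", 1)
    if origin != expected_origin or challenge_hex != expected_challenge.hex():
        return False
    expected_sig = hmac.new(AUTHENTICATOR_KEY, assertion["client_data"],
                            hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def direct_login() -> bool:
    """User signs in on the legitimate origin: verification succeeds."""
    challenge = secrets.token_bytes(16)
    return relying_party_verify(authenticator_sign(challenge, RP_ORIGIN), challenge)


def relayed_login() -> bool:
    """A proxy forwards the real challenge unchanged, but the victim's browser
    is on the proxy's origin, so the assertion names that origin and fails."""
    challenge = secrets.token_bytes(16)
    return relying_party_verify(authenticator_sign(challenge, PHISH_ORIGIN), challenge)


def relayed_login_with_rewritten_origin() -> bool:
    """If the proxy edits the origin string to match, the signature no longer
    covers the data it presents, so verification still fails."""
    challenge = secrets.token_bytes(16)
    assertion = authenticator_sign(challenge, PHISH_ORIGIN)
    forged = dict(assertion, client_data=f"{RP_ORIGIN}|{challenge.hex()}".encode())
    return relying_party_verify(forged, challenge)


def relayed_otp_login(code_typed_by_victim: str, code_expected_by_service: str) -> bool:
    """A one-time code carries no origin binding: whatever the victim typed
    into the proxy page is accepted by the real service as-is."""
    return hmac.compare_digest(code_typed_by_victim, code_expected_by_service)
```

The contrast is the point: the OTP check has nothing to compare the origin against, so relaying it is indistinguishable from the user typing it in; the origin-bound assertion fails whether the proxy forwards it untouched or rewrites it.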

Why help desk resets are a credential bypass path

Help desk fraud works because many recovery processes still trust information the attacker can gather from public sources. If the service desk uses knowledge-based questions, weak identity checks, or inconsistent escalation rules, an attacker can persuade staff to reset a password or MFA device for a genuine account holder. That turns identity recovery into an access-creation channel. In this campaign, the service desk is not the control layer it is assumed to be. It becomes the way around the control layer. Stronger identity assurance needs to apply not only at sign-in but also at account recovery and device re-enrolment.

Practical implication: harden recovery workflows with deterministic identity verification before any password or MFA reset occurs.
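What "deterministic identity verification" looks like when written down as policy: the reset is allowed only if the evidence binds the request to the account holder, privileged accounts need two distinct approvers, and every attempt, allowed or not, is recorded. The code below is an added example, not HYPR's or NHIMG's; the evidence categories, account names and approver ids are constructed for the illustration.

```python
# Added example, not from HYPR or NHIMG: a small policy check for help desk
# password/MFA resets that accepts only deterministic proofing, requires dual
# approval for privileged accounts, and writes an audit record for every
# attempt. Evidence types, account names and approver ids are constructed.
from dataclasses import dataclass, field
from enum import Enum


class Evidence(Enum):
    KNOWLEDGE_QUESTION = "knowledge_question"              # answerable from public data
    CALLER_ID = "caller_id"                                # spoofable
    REGISTERED_AUTHENTICATOR = "registered_authenticator"  # existing passkey/token
    ID_DOCUMENT_CHECK = "id_document_check"                # live document + liveness check


# Only evidence that binds the request to the account holder counts.
DETERMINISTIC = {Evidence.REGISTERED_AUTHENTICATOR, Evidence.ID_DOCUMENT_CHECK}


@dataclass
class ResetRequest:
    account: str
    action: str                      # "password_reset" or "mfa_reset"
    privileged: bool
    evidence: set
    approvers: list = field(default_factory=list)   # help desk agents who approved


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide_reset(req: ResetRequest, audit: list) -> Decision:
    """Evaluate a reset request and append an audit record regardless of outcome."""
    if not (req.evidence & DETERMINISTIC):
        decision = Decision(False, "no deterministic proofing evidence presented")
    elif req.privileged and len(set(req.approvers)) < 2:
        decision = Decision(False, "privileged reset requires two distinct approvers")
    else:
        decision = Decision(True, "verified")
    audit.append({
        "account": req.account,
        "action": req.action,
        "evidence": sorted(e.value for e in req.evidence),
        "approvers": sorted(set(req.approvers)),
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def run_reset_scenarios() -> list:
    """Constructed requests covering the cases the text describes."""
    audit = []
    requests = [
        # Knowledge questions plus caller ID: both sourceable or spoofable, so refused.
        ResetRequest("j.doe", "mfa_reset", False,
                     {Evidence.KNOWLEDGE_QUESTION, Evidence.CALLER_ID}, ["agent-1"]),
        # Proof via an authenticator already registered to the account: allowed.
        ResetRequest("j.doe", "mfa_reset", False,
                     {Evidence.REGISTERED_AUTHENTICATOR}, ["agent-1"]),
        # Privileged account with good evidence but a single approver: refused.
        ResetRequest("admin.claims", "password_reset", True,
                     {Evidence.ID_DOCUMENT_CHECK}, ["agent-1"]),
        # Same request with dual approval: allowed.
        ResetRequest("admin.claims", "password_reset", True,
                     {Evidence.ID_DOCUMENT_CHECK}, ["agent-1", "agent-2"]),
    ]
    return [(decide_reset(r, audit).allowed, len(audit)) for r in requests]
```

The audit list grows by one entry per attempt, including refusals, which is what lets a SOC treat repeated reset failures against one account as a signal rather than an operations footnote.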

Continuous device trust closes the gap left by user-only checks

User identity alone is not enough when the device itself may be compromised, unmanaged, or jailbroken. Continuous device trust adds real-time posture and risk signals to authentication decisions, so access can be stepped up or blocked when conditions change. This matters because modern attacks do not end at initial login. Once an attacker has a session, they can move laterally through the application stack, reuse tokens, or wait for a low-friction moment to escalate. Device trust therefore acts as a second gate, one that evaluates the endpoint continuously rather than only at first access.

Practical implication: bind authentication decisions to device posture and runtime risk signals, not just initial user verification.
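A concrete way to make the session "keep deserving to exist": the cookie's MAC covers the device it was issued on, and every request re-evaluates the device's current posture. The block below is an added example, not HYPR's or NHIMG's code. It assumes the device id arriving with each request is attested (for instance by a client certificate or a signed agent report); the server key, device ids and posture values are constructed.

```python
# Added example, not from HYPR or NHIMG: a stdlib-only model of a session
# cookie bound to a device identity, re-evaluated on every request against
# the device's current posture. Server key, device ids and posture values are
# constructed. It assumes the device id is attested (for example a client
# certificate or a signed agent report); a self-reported id would be spoofable.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)   # constructed cookie-signing key


@dataclass
class Posture:
    device_id: str
    managed: bool
    disk_encrypted: bool
    jailbroken: bool


def _tag(user: str, device_id: str, nonce: str) -> str:
    msg = f"{user}|{device_id}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_session(user: str, posture: Posture) -> str:
    """Issue a cookie whose MAC covers the device the session was created on."""
    nonce = secrets.token_hex(16)
    return f"{user}.{nonce}.{_tag(user, posture.device_id, nonce)}"


def evaluate_request(cookie: str, posture: Posture) -> str:
    """Decide 'allow', 'step_up' or 'block' for one request made after login."""
    parts = cookie.rsplit(".", 2)   # user ids may contain dots; nonce and tag are hex
    if len(parts) != 3:
        return "block"
    user, nonce, tag = parts
    # A cookie presented from a different device fails the MAC check, so a
    # stolen cookie on its own is not enough to continue the session.
    if not hmac.compare_digest(_tag(user, posture.device_id, nonce), tag):
        return "block"
    # Posture is re-checked on every request, not only at login.
    if posture.jailbroken:
        return "block"
    if not posture.managed or not posture.disk_encrypted:
        return "step_up"
    return "allow"


def run_session_scenarios() -> list:
    """Constructed requests: legitimate use, cookie replay, posture change."""
    laptop = Posture("dev-laptop-001", managed=True, disk_encrypted=True, jailbroken=False)
    cookie = issue_session("j.doe", laptop)
    other_device = Posture("dev-unknown-777", managed=False, disk_encrypted=False, jailbroken=False)
    degraded = Posture("dev-laptop-001", managed=True, disk_encrypted=False, jailbroken=False)
    compromised = Posture("dev-laptop-001", managed=True, disk_encrypted=True, jailbroken=True)
    return [
        evaluate_request(cookie, laptop),          # allow
        evaluate_request(cookie, other_device),    # block: replay from another device
        evaluate_request(cookie, degraded),        # step_up: posture changed mid-session
        evaluate_request(cookie, compromised),     # block: endpoint no longer trustworthy
        evaluate_request("garbage", laptop),       # block: malformed cookie
    ]
```

The design choice worth noting is that the device binding lives in the MAC rather than in a separate lookup table, so a replayed cookie cannot be "fixed" by the holder, and the posture rules run on every request rather than being cached from login.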


Threat narrative

Attacker objective: The attacker aims to gain durable authenticated access that can be reused for data theft and broader intrusion while appearing legitimate to the target environment.

  1. Entry begins with hyper-personalized social engineering or help desk fraud that convinces the target or service desk to reveal or reset access credentials.
  2. Escalation occurs when the attacker uses an AitM proxy or MFA fatigue to intercept an authenticated session cookie and bypass the intended second factor.
  3. Impact follows when the attacker accesses the account with valid session material, enabling data theft, internal reconnaissance, and further compromise without triggering obvious credential alarms.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Legacy MFA is a trust assumption, not a guarantee of identity. Scattered Spider succeeds because push approvals, OTPs, and session handoff were built for a world where attackers did not sit in the middle of the conversation. The control fails when a proxy can relay the authentication flow in real time and capture the resulting session. Practitioners should treat phishable MFA as a transitional control, not an assurance boundary.

Identity recovery is now part of the attack surface, not a back-office process. Help desk resets can deliver the same outcome as credential theft when attackers can impersonate an employee with enough public data. That makes recovery governance a first-class control domain across human identity and, by extension, any lifecycle process that reissues access. Practitioners need to align service desk rules with identity assurance, not convenience.

Continuous device trust is the missing control plane for session-era attacks. Once a valid session is established, static login checks no longer describe real risk. Runtime posture, endpoint integrity, and behavioural signals must influence access decisions after authentication, not just before it. That shifts the programme from single-point verification to continuous assurance, which is the only defensible model against session hijacking.

Insurance targeting shows that identity compromise now scales by sector knowledge, not exploit uniqueness. Scattered Spider learns the operating language of a vertical, then uses that context to bypass process controls and human scrutiny. The implication is that IAM programmes must measure how much sector-specific trust they expose through support workflows, recovery paths, and privileged session handling.

Session theft exposes the identity assurance gap between authentication and authorisation. The governance assumption that a successfully authenticated user remains a trustworthy user for the rest of the session no longer holds. That assumption was designed for stable, human-paced access patterns. The implication is that practitioners must rethink where confidence in identity is created, consumed, and revoked across the session lifecycle.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For the governance gap behind this pattern, see 52 NHI Breaches Analysis for the breach patterns that repeat when access outlives accountability.

What this signals

Session-era attacks force IAM teams to move beyond one-time verification. When attackers can proxy a login, the control objective is no longer to prove that a password was correct. It is to keep evaluating whether the session still deserves to exist. That is where phishing-resistant authentication, device trust, and recovery governance converge in the same programme.

Identity recovery will increasingly sit inside the same control scope as privileged access. Help desk workflows, device re-enrolment, and MFA resets can no longer be treated as administrative convenience. They are effectively alternate authentication paths, and they need the same policy rigor as the primary sign-in journey. The organisations that mature fastest will measure reset abuse as a security signal, not an operations issue.

With 97% of NHIs carrying excessive privileges, the same trust problem applies to machine and agent identities. If a human account can be hijacked through recovery abuse, a long-lived service identity can be abused through the same weak governance model once access is issued. The broader programme implication is to align lifecycle controls, session monitoring, and runtime trust across human and non-human access alike.


For practitioners

  • Remove phishable MFA from critical access paths: Prioritise phishing-resistant methods for privileged users, support staff, and high-value applications. Eliminate OTP and push-approval fallbacks on the accounts attackers most want, because the recovery path often becomes the real attack path.
  • Treat help desk recovery as a privileged workflow: Require deterministic verification before password, MFA, or device reset actions. Replace knowledge-based questions with documented proofing steps, dual approval for high-risk resets, and audit trails that let you reconstruct who approved what.
  • Bind access decisions to device trust signals: Use managed-device status, posture, and anomaly checks to step up or block sessions when risk changes. Continuous device trust should apply after login as well as at login, especially where stolen cookies or token replay are realistic.
  • Map recovery abuse into identity incident response: Include social engineering, reset abuse, and session hijack scenarios in tabletop exercises. Make sure SOC, IAM, and service desk teams know how to contain a compromised identity before the attacker completes token reuse or account persistence.

Key takeaways

  • Scattered Spider’s insurance campaign shows that identity compromise, not exploit complexity, is still the fastest way into mature environments.
  • Help desk abuse, phishable MFA, and session theft create a compound failure that traditional login controls do not stop.
  • Phishing-resistant MFA, deterministic recovery verification, and continuous device trust are the controls that change the attacker’s economics.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST SP 800-63                  |                     | Phishing-resistant authentication directly maps to stronger digital identity assurance.
NIST Zero Trust (SP 800-207)    | PR.AC-1             | Continuous verification aligns with zero trust assumptions that never fully trust a session.
OWASP Non-Human Identity Top 10 | NHI-03              | The article highlights secret and credential exposure patterns that OWASP NHI addresses.

Reduce credential exposure by removing phishable recovery paths and tightening secret handling.


Key terms

  • Phishing-resistant MFA: An authentication method that cannot be easily copied, proxied, or replayed by an attacker during the sign-in flow. It uses cryptographic proof tied to the device or authenticator, which makes intercepted credentials far less useful than passwords, OTPs, or push approvals.
  • Adversary-in-the-middle attack: A phishing technique where the attacker sits between the user and the real service in real time. The attacker relays the login process, captures session material, and can often bypass traditional MFA by stealing the authenticated session instead of the secret itself.
  • Identity verification: A process for confirming that the person requesting access is the legitimate account holder before issuing or resetting credentials. In mature programmes, it relies on deterministic checks, not questions or easily researched personal data, and it becomes part of the identity lifecycle.
  • Continuous device trust: A control model that keeps evaluating the security posture and risk state of the endpoint throughout the session. It is used to detect compromised, unmanaged, or high-risk devices and to step up, limit, or block access when conditions change after authentication.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by HYPR: How The Scattered Spider Credential Attack Targets Insurance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org