Identity-based attacks are the new normal for enterprise defence


(@nhi-mgmt-group)

TL;DR: Scattered Spider-linked intrusions against insurance, airlines, retail, and transport targets show how help desk impersonation, MFA abuse, and session theft continue to bypass conventional controls, according to Push Security. The lesson is that identity governance now has to assume social engineering and browser-session compromise are part of the normal attack path, not edge cases.

NHIMG editorial — based on content published by Push Security: Scattered Spider continues to dominate the headlines, with the latest news linking the hackers to multiple major breaches

Questions worth separating out

Q: How should security teams stop help desk scams from becoming account takeovers?

A: Treat high-risk support actions as privileged operations, not routine service requests.

Q: Why do identity-based attacks bypass so many traditional controls?

A: They attack the trust process rather than the endpoint.

Q: What breaks when an attacker steals a browser session instead of a password?

A: Password resets and MFA checks may never fire, because the attacker is already inside an authenticated session.

Practitioner guidance

  • Harden help desk reset workflows: Require phishing-resistant verification for password resets, MFA re-enrolment, and device changes on privileged accounts.
  • Treat browser sessions as credentials: Instrument session reuse, token replay, and suspicious browser behaviour across SaaS and cloud platforms.
  • Reduce standing privilege before an incident tests it: Review admin entitlements that let a compromised user reach cloud data stores, directory tools, or virtualization layers without additional approval.

What's in the full article

Push Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of Scattered Spider help desk social engineering patterns and the TTPs behind them
  • Browser-based identity attack detection and response details for teams that need implementation guidance
  • Employee Identity Verification Codes deployment specifics for organisations validating support callers
  • Examples of identity vulnerabilities such as SSO gaps, MFA gaps, ghost logins, and risky OAuth integrations

👉 Read Push Security's analysis of Scattered Spider identity attack tactics →

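The "treat browser sessions as credentials" guidance above, sketched as detection logic. This is an added example, not code from Push Security or NHIMG. The event fields, the action names, the /24 network bucket and the sample events are all assumptions constructed for illustration. It flags a session token that turns up in a different network and browser context than the one it authenticated in, which is the case where no password reset or MFA prompt ever fires.

```python
import ipaddress
from collections import namedtuple

# Hypothetical normalised event shape; real SaaS/IdP logs will use other field names.
Event = namedtuple("Event", "ts user session_id ip user_agent action")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event(1000, "alice", "s-111", "198.51.100.10", "Chrome/126 Windows", "login_mfa"),
    Event(1060, "alice", "s-111", "198.51.100.23", "Chrome/126 Windows", "read_mail"),
    Event(1500, "alice", "s-111", "203.0.113.77", "Firefox/127 Linux", "export_data"),
    Event(1000, "bob", "s-222", "192.0.2.5", "Safari/17 macOS", "login_mfa"),
    Event(1900, "bob", "s-222", "192.0.2.9", "Safari/17 macOS", "read_mail"),
    Event(2000, "carol", "s-333", "203.0.113.80", "Chrome/126 Windows", "admin_console"),
]

AUTH_ACTIONS = {"login_mfa"}  # assumed name for a completed interactive login


def network_of(ip, prefix=24):
    """Coarse network bucket so address churn inside one /24 is not flagged."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def find_session_replay(events):
    """Return findings for sessions used outside the context they were bound to."""
    bound = {}  # session_id -> (network, user_agent) seen at authentication
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        context = (network_of(ev.ip), ev.user_agent)
        if ev.action in AUTH_ACTIONS:
            bound[ev.session_id] = context  # fresh authentication rebinds the session
        elif ev.session_id not in bound:
            # Token in use with no authentication event on record for it
            findings.append((ev.session_id, ev.user, "no_auth_seen", ev.action))
        elif bound[ev.session_id] != context:
            # Same token, different network or browser, no re-authentication
            findings.append((ev.session_id, ev.user, "context_change", ev.action))
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_EVENTS):
        print(finding)
```

A `no_auth_seen` finding can also mean the log window starts after the login, so confirm retention covers the session lifetime before treating it as replay.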