TL;DR: Scattered Spider-linked intrusions against insurance, airlines, retail, and transport targets show how help desk impersonation, MFA abuse, and session theft continue to bypass conventional controls, according to Push Security. The lesson is that identity governance now has to assume social engineering and browser-session compromise are part of the normal attack path, not edge cases.
NHIMG editorial — based on content published by Push Security: Scattered Spider continues to dominate the headlines, with the latest news linking the hackers to multiple major breaches
By the numbers:
- M&S suffered £300m in lost profits and a share value hit approaching £1b after the 2025 attacks.
- The MGM Resorts attack led to a 36-hour outage, a $100m hit, and a class-action lawsuit settled for $45m.
Questions worth separating out
Q: How should security teams stop help desk scams from becoming account takeovers?
A: Treat high-risk support actions as privileged operations, not routine service requests.
Q: Why do identity-based attacks bypass so many traditional controls?
A: They attack the trust process rather than the endpoint.
Q: What breaks when an attacker steals a browser session instead of a password?
A: Password resets and MFA checks may never fire, because the attacker is already inside an authenticated session.
Practitioner guidance
- Harden help desk reset workflows: require phishing-resistant verification for password resets, MFA re-enrolment, and device changes on privileged accounts.
- Treat browser sessions as credentials: instrument session reuse, token replay, and suspicious browser behaviour across SaaS and cloud platforms.
- Reduce standing privilege before an incident tests it: review admin entitlements that let a compromised user reach cloud data stores, directory tools, or virtualization layers without additional approval.
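Session reuse is the signal the second bullet asks teams to instrument. As an added example (not code from Push Security or this editorial), the Python below runs that check over a few constructed log lines: it records the client fingerprint at login and flags later use of the same session ID from a different browser or network. The log format, field names and sample values are assumptions.

```python
# Added example (not Push Security's or NHIMG's code): flag a browser session ID
# reused from a client fingerprint other than the one that logged in, the pattern
# a stolen session cookie or replayed token leaves in SaaS logs.

# Constructed sample auth logs (not real data): timestamp, event, key=value fields.
SAMPLE_LOGS = [
    "2025-06-01T09:00:00Z login  sid=abc123 user=alice ip=203.0.113.10 ua=Chrome/124",
    "2025-06-01T09:05:00Z access sid=abc123 user=alice ip=203.0.113.10 ua=Chrome/124",
    # Same session ID from a different network AND browser: the token was replayed.
    "2025-06-01T09:20:00Z access sid=abc123 user=alice ip=198.51.100.7 ua=Firefox/125",
    "2025-06-01T10:00:00Z login  sid=def456 user=bob ip=192.0.2.5 ua=Safari/17",
    # IP moved (Wi-Fi to mobile, VPN) but same browser: low-confidence alert only.
    "2025-06-01T10:30:00Z access sid=def456 user=bob ip=192.0.2.77 ua=Safari/17",
]


def parse(line):
    """Turn one constructed log line into a dict of its fields."""
    ts, event, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"], rec["event"] = ts, event
    return rec


def detect_session_reuse(lines):
    """Return alerts for sessions used from a fingerprint that differs from the login.

    A user-agent change inside one session ID is high confidence: a browser does not
    change identity mid-session. An IP-only change is noisy and is reported as low.
    """
    origin = {}  # sid -> (ip, ua) fingerprint captured at the login event
    alerts = []
    for rec in map(parse, lines):
        sid, fp = rec["sid"], (rec["ip"], rec["ua"])
        if rec["event"] == "login":
            origin[sid] = fp
            continue
        if sid not in origin:  # active session with no login in this log window
            changed, confidence = ["no login seen"], "low"
        else:
            changed = [n for n, a, b in zip(("ip", "ua"), origin[sid], fp) if a != b]
            if not changed:
                continue
            confidence = "high" if "ua" in changed else "low"
        alerts.append({"sid": sid, "user": rec["user"], "ts": rec["ts"],
                       "confidence": confidence, "changed": changed})
    return alerts
```

In production the fingerprint would come from the identity provider's or SaaS platform's audit log rather than a constructed format, and the low-confidence IP-only case is best correlated with device or ASN data before it pages anyone.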
What's in the full article
Push Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of Scattered Spider help desk social engineering patterns and the TTPs behind them
- Browser-based identity attack detection and response details for teams that need implementation guidance
- Employee Identity Verification Codes deployment specifics for organisations validating support callers
- Examples of identity vulnerabilities such as SSO gaps, MFA gaps, ghost logins, and risky OAuth integrations
👉 Read Push Security's analysis of Scattered Spider identity attack tactics →
Identity-based attacks are the new normal for enterprise defence?
Explore further
Identity-based attack paths are now the default failure mode for enterprise access control. Scattered Spider demonstrates that the most reliable route into modern environments is no longer software exploitation but manipulation of the identity workflow itself. Help desk reset paths, MFA recovery, and browser sessions are now part of the attack surface. Organisations that still separate identity governance from incident response are treating the wrong layer as primary, and practitioners should recast identity process integrity as core security infrastructure.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and a further 47% reporting only partial visibility, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: Who is accountable when help desk identity verification fails?
A: Accountability sits with both identity governance and support operations, because the reset process is part of the access control plane. Security teams should define which resets require stronger proof, which managers can approve exceptions, and which accounts are too sensitive for generic support handling. Governance must be explicit before the next impersonation attempt.
👉 Read our full editorial: Scattered Spider shows why identity attacks still beat controls