TL;DR: Scattered Spider’s expansion into airlines shows how help desk social engineering, MFA bypass, and trusted vendor abuse can turn identity processes into the easiest entry point, according to 1Kosmos. The breach pattern is a governance failure, not a perimeter failure: organisations still trust stories, devices, and urgency more than verified identity.
NHIMG editorial — based on content published by 1Kosmos: The Threat is Real and It's Here Now
By the numbers:
- The MGM attack cost that organization $100 million in operational disruption.
Questions worth separating out
Q: How should security teams stop help desk social engineering from becoming an account takeover path?
A: Security teams should treat identity recovery as a privileged workflow.
Q: Why do traditional MFA controls fail against social engineering campaigns like Scattered Spider?
A: Traditional MFA fails when the factor can be redirected, coerced, or socially engineered.
Q: What breaks when contractor identities are governed less strictly than employee identities?
A: When contractor identities receive weaker verification and slower offboarding, attackers can use the third-party relationship as an easier entry point into production systems.
Practitioner guidance
- Tighten identity recovery paths Require stronger proof before any password reset, MFA re-enrolment, or device change is accepted.
- Harden MFA registration controls Eliminate phone-mediated approval paths for privileged users and replace them with phishing-resistant methods for high-risk accounts.
- Review contractor access as a primary attack path Audit third-party accounts for the same identity proofing, logging, and offboarding rigor used for employees.
What's in the full analysis
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of how Scattered Spider impersonates airline employees and contractors during support calls
- Specific identity-first controls for biometric verification, passwordless access, and identity-bound authentication
- Operational scenarios showing how help desk, contractor, and emergency-access workflows can be hardened in practice
- Regulatory and compliance references that matter to airline identity programmes across multiple jurisdictions
👉 Read 1Kosmos's analysis of Scattered Spider attacks on airline identity systems →
Scattered Spider and airline identity risk: what IAM teams missed?
Explore further
Identity trust, not network trust, is the attack surface Scattered Spider is exploiting. The airline cases show that a convincing caller can still outrun a mature perimeter when support processes are allowed to make identity decisions on narrative and urgency. That is why help desk workflows now function as a frontline security control, not an administrative back office. Practitioners should treat every recovery path as a potential intrusion path.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when a support workflow adds an attacker-controlled MFA device?
A: Accountability sits with the organisation that allowed a high-risk identity change to happen without adequate proof and approval. In practice, IAM, service desk leadership, and security governance all share responsibility for defining what support can change, who may approve it, and how exceptions are reviewed after the fact.
👉 Read our full editorial: Scattered Spider’s airline campaign exposes identity trust failures