TL;DR: Scattered Spider’s expansion into airlines shows how help desk social engineering, MFA bypass, and trusted vendor abuse can turn identity processes into the easiest entry point, according to 1Kosmos. The breach pattern is a governance failure, not a perimeter failure: organisations still trust stories, devices, and urgency more than verified identity.
NHIMG editorial — based on content published by 1Kosmos: The Threat is Real and It's Here Now
By the numbers:
- The MGM attack cost that organization $100 million in operational disruption.
Questions worth separating out
Q: How should security teams stop help desk social engineering from becoming an account takeover path?
A: Security teams should treat identity recovery as a privileged workflow.
Q: Why do traditional MFA controls fail against social engineering campaigns like Scattered Spider?
A: Traditional MFA fails when the factor can be redirected, coerced, or socially engineered.
Q: What breaks when contractor identities are governed less strictly than employee identities?
A: When contractor identities receive weaker verification and slower offboarding, attackers can use the third-party relationship as an easier entry point into production systems.
Practitioner guidance
- Tighten identity recovery paths: Require stronger proof before any password reset, MFA re-enrolment, or device change is accepted.
- Harden MFA registration controls: Eliminate phone-mediated approval paths for privileged users and replace them with phishing-resistant methods for high-risk accounts.
- Review contractor access as a primary attack path: Audit third-party accounts for the same identity proofing, logging, and offboarding rigor used for employees.
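One way to check recovery events against the three guidance points above, as an added example that is not from 1Kosmos or the original post. The event fields, proof names and sample events are constructed assumptions; map them to your identity provider's audit schema.

```python
# Added example: audit identity-recovery events against the guidance above.
# Field names, proof labels and events are constructed, not a real IdP schema.
RECOVERY_ACTIONS = {"password_reset", "mfa_reenroll", "device_change"}
STRONG_PROOF = {"biometric_match", "fido2_assertion", "in_person_id_check"}  # assumed
PHONE_PATHS = {"phone_call", "sms_code", "voice_callback"}  # assumed

def audit_event(ev):
    """Return findings for one event; an empty list means compliant."""
    if ev["action"] not in RECOVERY_ACTIONS:
        return []
    findings = []
    proofs = set(ev.get("proofs", []))
    if not proofs & STRONG_PROOF:
        findings.append("recovery accepted without strong identity proof")
    if ev.get("privileged") and proofs & PHONE_PATHS:
        findings.append("phone-mediated approval on privileged account")
    if ev.get("account_type") == "contractor":
        if not ev.get("proofed_at_onboarding"):
            findings.append("contractor never identity-proofed")
        if ev.get("contract_ended"):
            findings.append("recovery on contractor past contract end")
    return findings

def audit(events):
    """Map event id -> findings, keeping only events that break a rule."""
    report = {}
    for ev in events:
        findings = audit_event(ev)
        if findings:
            report[ev["id"]] = findings
    return report

SAMPLE_EVENTS = [  # constructed help desk and IdP events
    {"id": "e1", "action": "password_reset", "account_type": "employee",
     "privileged": False, "proofs": ["knowledge_questions", "phone_call"]},
    {"id": "e2", "action": "mfa_reenroll", "account_type": "employee",
     "privileged": True, "proofs": ["sms_code"]},
    {"id": "e3", "action": "device_change", "account_type": "contractor",
     "privileged": False, "proofs": ["fido2_assertion"],
     "proofed_at_onboarding": False, "contract_ended": True},
    {"id": "e4", "action": "mfa_reenroll", "account_type": "employee",
     "privileged": True, "proofs": ["biometric_match"]},
    {"id": "e5", "action": "login", "account_type": "employee", "proofs": []},
]

if __name__ == "__main__":
    for event_id, findings in audit(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(findings))
```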
What's in the full analysis
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of how Scattered Spider impersonates airline employees and contractors during support calls
- Specific identity-first controls for biometric verification, passwordless access, and identity-bound authentication
- Operational scenarios showing how help desk, contractor, and emergency-access workflows can be hardened in practice
- Regulatory and compliance references that matter to airline identity programmes across multiple jurisdictions