Scattered Spider and legacy MFA: what identity teams missed

Posted by @nhi-mgmt-group (Member Moderator, topic starter)

TL;DR: The MGM and Caesars intrusions show how social engineering, credential abuse, and MFA bypass can still defeat enterprise identity controls, with Reuters linking Scattered Spider to 52 attacks since 2022 and Verizon finding 74% of breaches stem from stolen credentials. Legacy authentication no longer matches the way attackers move through identity systems, and that mismatch is now operational risk.

NHIMG editorial — based on content published by 1Kosmos covering the MGM and Caesars breaches: why legacy MFA is failing enterprise identity

By the numbers:

  • Reuters reports Scattered Spider has been implicated in 52 attacks spanning multiple industries worldwide since 2022.
  • A successful data breach can erode customer trust by as much as 44%, according to Google and Ipsos.

Questions worth separating out

Q: How should security teams stop help-desk social engineering from becoming account takeover?

A: Security teams should treat the help desk as part of the identity control plane.

Q: Why do legacy MFA controls fail against support-led attacks?

A: Legacy MFA often protects the sign-in moment, but support-led attacks target the recovery and registration workflow instead.

Q: What breaks when identity provider governance is too loose?

A: When identity provider governance is weak, a single privileged change can create a new trusted path that bypasses the original authentication design.

Practitioner guidance

  • Harden help-desk identity verification: Require multi-step verification before password resets, authenticator changes, or account recovery actions are approved for any user with access to sensitive systems.
  • Restrict privileged MFA re-enrolment: Separate the authority to register a new device or authenticator from the authority to use the account, and log every privileged re-enrolment as a high-risk event.
  • Review identity provider change controls: Treat any addition or alteration of an identity provider as a controlled change request with security approval, break-glass review, and post-change validation.
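The three guidance points above translate directly into audit-log review rules. The script below is an added example written for this post; it is not code from 1Kosmos or from any identity provider. The JSON event format, the field names (`actor`, `action`, `target`, `verification_steps`), the action names, the list of privileged accounts and the two-step verification threshold are all constructed assumptions for illustration; map them onto your own IdP's audit schema and policy before using the logic.

```python
"""Added example (not from the 1Kosmos article or this post): flag identity
events that the practitioner guidance treats as high-risk.

Rule 1: recovery actions on privileged users require multi-step verification.
Rule 2: every authenticator (re-)enrolment for a privileged user is high-risk,
        and self-service enrolment by the account itself is flagged separately
        (the "use the account" and "register an authenticator" authorities
        should be separate).
Rule 3: any identity provider addition or alteration is a controlled change.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample audit events (not real logs); one JSON object per line.
# The schema is an assumption for this example, not a real IdP's format.
SAMPLE_AUDIT_LOG = """\
{"ts":"2024-01-10T09:12:01Z","actor":"helpdesk.agent1","action":"password.reset","target":"jdoe","verification_steps":["callback_number"]}
{"ts":"2024-01-10T09:14:30Z","actor":"helpdesk.agent1","action":"mfa.factor.enroll","target":"admin.ops","verification_steps":["callback_number","manager_approval"]}
{"ts":"2024-01-10T09:20:00Z","actor":"admin.ops","action":"idp.add","target":"idp-new-federation","verification_steps":[]}
{"ts":"2024-01-10T10:00:00Z","actor":"helpdesk.agent2","action":"password.reset","target":"jsmith","verification_steps":["callback_number","id_document","manager_approval"]}
{"ts":"2024-01-10T10:05:00Z","actor":"jsmith","action":"login.success","target":"jsmith","verification_steps":[]}
{"ts":"2024-01-10T11:30:00Z","actor":"admin.ops","action":"mfa.factor.enroll","target":"admin.ops","verification_steps":[]}
"""

# Assumed placeholder set of accounts with access to sensitive systems.
PRIVILEGED_ACCOUNTS = {"admin.ops", "jdoe"}
# Assumed policy: "multi-step" means at least two independent verification steps.
MIN_VERIFICATION_STEPS = 2
RECOVERY_ACTIONS = {"password.reset", "mfa.factor.enroll", "mfa.factor.reset", "account.recovery"}
IDP_CHANGE_ACTIONS = {"idp.add", "idp.update", "idp.delete"}


@dataclass(frozen=True)
class Finding:
    ts: str
    rule: str
    actor: str
    target: str


def evaluate_event(event: dict) -> list[Finding]:
    """Return the findings one audit event produces under the three rules."""
    findings: list[Finding] = []
    ts, actor, action, target = event["ts"], event["actor"], event["action"], event["target"]
    steps = event.get("verification_steps", [])
    privileged = target in PRIVILEGED_ACCOUNTS

    # Rule 1: recovery workflow on a privileged account without multi-step verification.
    if action in RECOVERY_ACTIONS and privileged and len(steps) < MIN_VERIFICATION_STEPS:
        findings.append(Finding(ts, "insufficient-verification", actor, target))

    # Rule 2: privileged authenticator enrolment is always logged as high-risk;
    # enrolment performed by the account itself additionally breaks separation of authority.
    if action.startswith("mfa.factor.") and privileged:
        findings.append(Finding(ts, "privileged-mfa-reenrolment", actor, target))
        if actor == target:
            findings.append(Finding(ts, "self-service-reenrolment", actor, target))

    # Rule 3: identity provider changes create new trusted paths and are always controlled changes.
    if action in IDP_CHANGE_ACTIONS:
        findings.append(Finding(ts, "idp-change", actor, target))

    return findings


def review_audit_log(log_text: str) -> list[Finding]:
    """Parse newline-delimited JSON events and collect findings in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(evaluate_event(json.loads(line)))
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f.ts} {f.rule:28} actor={f.actor} target={f.target}")
```

Running the script over the constructed log yields six findings: the single-step password reset for `jdoe`, the help-desk enrolment for `admin.ops` (high-risk even though it was verified), the identity provider addition, and three findings for the unverified self-service enrolment by `admin.ops`. The point of the third rule is that an IdP change is flagged regardless of who made it; the review that follows decides whether a change request and approval actually exist.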

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • The article walks through the specific vishing and impersonation pattern used against outsourced support.
  • It explains the difference between legacy MFA assumptions and liveness-based biometric identity verification.
  • It outlines how non-phishable authentication is intended to support onboarding and privileged access workflows.
  • It describes the cited biometric standards and implementation context behind the source vendor's approach.

👉 Read 1Kosmos's analysis of the MGM and Caesars identity breach pattern →
