
Scattered Spider identity tradecraft: what IAM teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7342
Topic starter  

TL;DR: Scattered Spider combines phishing, vishing, MFA bypass, token theft, and identity provider abuse to move from initial compromise to rapid extortion, according to Hydden and the cited public case studies. The real failure is that identity controls still assume verification, privilege, and recovery happen slowly enough to contain human-driven abuse.

NHIMG editorial — based on content published by Hydden: Scattered Spider identity tradecraft and attack vectors

By the numbers:

Questions worth separating out

Q: How should security teams reduce the risk of Scattered Spider-style identity compromise?

A: Security teams should harden recovery, enrollment, and privileged access workflows rather than only focusing on login protection.

Q: Why do MFA and SSO controls still fail against identity-focused intrusions?

A: MFA and SSO fail when attackers steal the factors, enroll their own devices, or replay already satisfied claims.

Q: What do organisations get wrong about internal credential exposure?

A: Many organisations treat internal credentials in chat tools, repositories, and documentation as low-risk because they are not public.

Practitioner guidance

  • Harden help desk identity proofing: replace knowledge-based recovery checks with stronger verification for password resets, MFA resets, and device re-enrolment.
  • Monitor for credential harvesting inside collaboration tools: search Slack, documentation platforms, code repositories, and ticketing systems for secrets, recovery data, and privileged account references.
  • Track federation and PAM changes as attack signals: alert on new device enrolment, MFA policy changes, delegated authentication updates, role membership changes, and unusual privileged actions in PAM and cloud identity systems.
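The third point is easiest to see as a rule over identity-plane events. The following is an added example written for this post, not code from Hydden or NHIMG: it flags the event types listed above and escalates an MFA factor enrolment that lands shortly after a help-desk MFA reset of the same account or comes from an address never seen for that user. Event names, the sample events and the known-address baseline are all constructed and vendor-neutral; the events are assumed to arrive in chronological order.

```python
from datetime import datetime, timedelta

# Event types the guidance above calls out as attack signals. Names are
# constructed and vendor-neutral, not any real IdP's log schema.
SIGNAL_TYPES = {
    "mfa.factor.enroll", "mfa.policy.change", "federation.idp.update",
    "auth.delegation.update", "role.member.add", "pam.privileged.action",
}

# Constructed sample events: a help-desk MFA reset, an enrolment minutes later
# from an address never seen for that user, a privileged role grant, a
# federation change by an admin, and an ordinary login.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "actor": "helpdesk.ops", "user": "j.doe",
     "type": "mfa.reset", "ip": "10.0.5.20"},
    {"ts": "2024-05-01T09:06:00", "actor": "j.doe", "user": "j.doe",
     "type": "mfa.factor.enroll", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:10:00", "actor": "j.doe", "user": "j.doe",
     "type": "role.member.add", "ip": "198.51.100.7", "detail": "GlobalAdmin"},
    {"ts": "2024-05-01T11:00:00", "actor": "iam.admin", "user": "-",
     "type": "federation.idp.update", "ip": "10.0.5.21", "detail": "idp-cert"},
    {"ts": "2024-05-02T08:00:00", "actor": "a.smith", "user": "a.smith",
     "type": "login.success", "ip": "10.0.7.3"},
]
KNOWN_IPS = {"j.doe": {"10.0.7.3"}, "a.smith": {"10.0.7.3"}}  # constructed baseline


def detect(events, known_ips, window=timedelta(minutes=30)):
    """Alert on every signal event; escalate an MFA enrolment that follows a
    help-desk reset of the same user within `window` or comes from a new IP."""
    alerts, last_reset = [], {}  # last_reset: user -> (time, resetting actor)
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "mfa.reset":
            last_reset[ev["user"]] = (t, ev["actor"])
            continue
        if ev["type"] not in SIGNAL_TYPES:
            continue
        reasons, severity = [ev["type"]], "medium"
        if ev["type"] == "mfa.factor.enroll":
            reset = last_reset.get(ev["user"])
            if reset and t - reset[0] <= window and reset[1] != ev["actor"]:
                reasons.append(f"enrolled {t - reset[0]} after reset by {reset[1]}")
                severity = "high"
            if ev["ip"] not in known_ips.get(ev["user"], set()):
                reasons.append(f"never-seen address {ev['ip']}")
                severity = "high"
        alerts.append({"ts": ev["ts"], "user": ev["user"], "type": ev["type"],
                       "severity": severity, "reasons": reasons})
    return alerts
```

On the sample data the enrolment six minutes after the help-desk reset from a new address is raised as high, while the role grant and federation update are surfaced as medium for review.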

What's in the full article

Hydden's full blog covers the operational detail this post intentionally leaves for the source:

  • A broader catalogue of Scattered Spider TTPs across people, credential theft, MFA bypass, and infrastructure abuse.
  • Specific examples of the phishing kit behaviour, including copycat identity pages and live credential streaming into attacker channels.
  • The longer list of public case studies and acknowledgements that support the aggregate view of the group’s tradecraft.
  • The full mitigation checklist for help desk, PAM, cloud identity, and identity event monitoring.

👉 Read Hydden’s analysis of Scattered Spider’s identity-centric attack tradecraft →
