Scattered Spider in insurance: are your identity controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Scattered Spider is targeting U.S. insurers through social engineering, help desk abuse, and phishable MFA, using valid credentials and stolen session cookies to bypass legacy controls, according to HYPR. The lesson is that probabilistic identity checks fail when attackers can impersonate users, reset access, and intercept sessions faster than human review cycles can respond.

NHIMG editorial — based on content published by HYPR: How The Scattered Spider Credential Attack Targets Insurance

By the numbers:

Questions worth separating out

Q: How should security teams stop help desk fraud from becoming account takeover?

A: Security teams should treat the help desk as a high-risk access control point.

Q: Why do legacy MFA methods fail against adversary-in-the-middle attacks?

A: Legacy MFA fails because the attacker can relay the sign-in flow in real time and steal the authenticated session, not just the password or code.

Q: What breaks when organisations rely on login-time trust alone?

A: Login-time trust breaks when the device or session changes after authentication.

Practitioner guidance

  • Remove phishable MFA from critical access paths: prioritise phishing-resistant methods for privileged users, support staff, and high-value applications.
  • Treat help desk recovery as a privileged workflow: require deterministic verification before password, MFA, or device reset actions.
  • Bind access decisions to device trust signals: use managed-device status, posture, and anomaly checks to step up or block sessions when risk changes.
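Added illustration (not HYPR's product logic or code from the original post) of the third point and of the "login-time trust" answer above: a session is bound at authentication to the device that presented the credential, and every later request is re-evaluated against fresh device signals, so a replayed session cookie or a posture change after login is caught. Signal names, the three decisions, and the thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed policy example: the signal names below are assumptions, not a
# specific vendor's schema.

@dataclass(frozen=True)
class DeviceSignals:
    device_id: str           # identity from device certificate / MDM record
    managed: bool            # enrolled in management
    posture_ok: bool         # disk encryption, patch level, EDR healthy, etc.
    client_fingerprint: str  # client stack fingerprint observed on this request

@dataclass
class Session:
    user: str
    privileged: bool
    mfa_phishing_resistant: bool  # e.g. FIDO2/passkey vs. SMS or push
    bound_device: DeviceSignals   # signals captured at authentication time

def evaluate_request(session: Session, now: DeviceSignals) -> str:
    """Return 'allow', 'step_up' or 'block' for one request on a live session.

    Checks are ordered from strongest to weakest evidence that login-time
    trust no longer holds.
    """
    # Cookie presented from a different device than the one that authenticated:
    # the stolen-session / AitM pattern. Terminate rather than step up, since a
    # relayed step-up would be phishable too.
    if now.device_id != session.bound_device.device_id:
        return "block"
    # Same device record, different client stack: require fresh authentication.
    if now.client_fingerprint != session.bound_device.client_fingerprint:
        return "step_up"
    # Device left management after login: session cannot continue.
    if not now.managed:
        return "block"
    # Privileged access that was established with a phishable factor is
    # upgraded before sensitive actions continue.
    if session.privileged and not session.mfa_phishing_resistant:
        return "step_up"
    # Posture degraded since login: re-verify instead of trusting the login.
    if not now.posture_ok:
        return "step_up"
    return "allow"

if __name__ == "__main__":
    login = DeviceSignals("dev-A", True, True, "fp-1")
    s = Session("alice", True, True, login)
    print(evaluate_request(s, DeviceSignals("dev-B", True, True, "fp-1")))  # block
```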

What's in the full article

HYPR's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step breakdown of the Scattered Spider social engineering sequence against insurance teams
  • Detailed explanation of how Evilginx-style AitM flows intercept MFA and session cookies
  • Product-specific examples of phishing-resistant MFA and identity verification workflows
  • Device trust response logic for blocking risky authentication attempts

👉 Read HYPR's analysis of the Scattered Spider credential attack targeting insurance →
