TL;DR: Scattered Spider is targeting U.S. insurers through social engineering, help desk abuse, and phishable MFA, using valid credentials and stolen session cookies to bypass legacy controls, according to HYPR. The lesson is that probabilistic identity checks fail when attackers can impersonate users, reset access, and intercept sessions faster than human review cycles can respond.
NHIMG editorial — based on content published by HYPR: How The Scattered Spider Credential Attack Targets Insurance
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams stop help desk fraud from becoming account takeover?
A: Security teams should treat the help desk as a high-risk access control point.
Q: Why do legacy MFA methods fail against adversary-in-the-middle attacks?
A: Legacy MFA fails because the attacker can relay the sign-in flow in real time and steal the authenticated session, not just the password or code.
Q: What breaks when organisations rely on login-time trust alone?
A: Login-time trust breaks when the device or session changes after authentication.
Practitioner guidance
- Remove phishable MFA from critical access paths Prioritise phishing-resistant methods for privileged users, support staff, and high-value applications.
- Treat help desk recovery as a privileged workflow Require deterministic verification before password, MFA, or device reset actions.
- Bind access decisions to device trust signals Use managed-device status, posture, and anomaly checks to step up or block sessions when risk changes.
What's in the full article
HYPR's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step breakdown of the Scattered Spider social engineering sequence against insurance teams
- Detailed explanation of how Evilginx-style AitM flows intercept MFA and session cookies
- Product-specific examples of phishing-resistant MFA and identity verification workflows
- Device trust response logic for blocking risky authentication attempts
👉 Read HYPR's analysis of the Scattered Spider credential attack targeting insurance →
Scattered Spider in insurance: are your identity controls keeping up?
Explore further
Legacy MFA is a trust assumption, not a guarantee of identity. Scattered Spider succeeds because push approvals, OTPs, and session handoff were built for a world where attackers did not sit in the middle of the conversation. The control fails when a proxy can relay the authentication flow in real time and capture the resulting session. Practitioners should treat phishable MFA as a transitional control, not an assurance boundary.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when session hijack succeeds through identity recovery abuse?
A: Accountability sits with the identity programme, the service desk workflow owner, and the application team that accepted the session as trustworthy. Recovery, verification, and session governance are shared controls. If any one of them is weak, the attacker can convert social engineering into authenticated access without touching a traditional exploit.
👉 Read our full editorial: Scattered Spider’s insurance campaign exposes identity assurance gaps