Scattered Spider playbook evolving fast, says Microsoft
Microsoft has rolled out a series of targeted enhancements across its Defender and Sentinel cyber security ecosystem designed to help its customers guard against the possibility of falling victim to Scattered Spider as the cyber gang continues to evolve its playbook.
Scattered Spider – referred to in Microsoft’s threat telemetry as Octo Tempest – ramped up the pace of its activity in April and May with disruptive attacks aimed at UK high street retailers. It then shifted up its targeting to go after insurance organisations, then in late June appeared to pivot to the aviation sector, with several possible victims emerging.
The cyber gang uses varying methods in its attacks, and as before its its most common approaches involve gaining initial access through social engineering attacks and user impersonation to fool service desk workers through phone calls, emails and messages, SMS-based phishing using adversary-in-the-middle domains mimicking legitimate organisations, the use of tools such as ngrok, Chisel and AADInternals, and attacking hybrid identity infrastructures and exfiltrating data to support extortion and ransomware.
However, as has been seen recently, the gang now seems to favour the use of DragonForce ransomware and has been particularly focused on VMWare ESX hypervisor environments.
Moreover, said Microsoft, in contrast to previous attack patterns where Scattered Spider exploited cloud identity privileges in order to attain on-premises access, it now appears to be hitting both on-prem accounts and infrastructure during the initial stage of its intrusions, prior to transitioning to cloud access.
“In recent weeks, Microsoft has observed Octo Tempest, also known as Scattered Spider, impacting the airlines sector, following previous activity impacting retail, food services, hospitality organisations, and insurance between April and July 2025,” said the Microsoft Defender research team in a blog update.
“This aligns with Octo Tempest’s typical patterns of concentrating on one industry for several weeks or months before moving on to new targets. Microsoft Security products continue to update protection coverage as these shifts occur.”
More assistance
To better assist its customers, Microsoft has now updated the range of detections available within Defender, spanning endpoints, identities, software-as-a-service (SaaS) applications, email and collaboration tools, and cloud workloads.
It is also enhancing Defender’s built-in attack disruption capabilities – which drawn on multi-domain signals, new threat intel, and AI-backed machine learning models to try to predict and disrupt a threat actor’s next move – essentially by containing and isolating the compromised asset. Microsoft said that based on its learnings from previous Scattered Spider attacks, this will also disable the user account used by the gang and revoke all existing active sessions it has open.
Elsewhere within Defender, Microsoft has upped its advanced hunting capabilities to help organisations identify and ward off the gang’s more aggressive social engineering attacks on privileged individuals, even going so far as to identify who within the organisation is most likely to be targeted before an attack begins.
Analysts will be able to question first- and third-party data sources through Microsoft Defender XDR and Microsoft Sentinel, as well as gaining exposure insights from Microsoft Security Exposure Management, which equips teams with capabilities like critical asset protection and attack path analysis.
Exposure Management now also contains threat actor initiatives to unify insights on Scattered Spider to harden their defences and act quicker. The initiative features guide on key Scattered Spider tactics, techniques and procedures (TTPs), and as well as a more broad ransomware initiative focused on reducing exposure to extortion attacks, which also offers Scattered Spider-specific guidance.
The latest guidance, which can be read here, also contains core advice for any and all users to take in regard to managing their cloud, endpoint and identity security postures.
Source link
