A report from cybersecurity company ReliaQuest reveals that the financially motivated threat group Scattered Spider (also tracked as Octo Tempest, UNC3944, Muddled Libra, and Starfraud) is targeting managed service providers (MSPs) and IT providers. This native English-speaking group has been active since 2022; its members, believed to be 19 to 22 years old, are known to live in the U.S. and the U.K. The group started out as a SIM-swapping crew targeting telecommunications companies but has since grown into a worldwide threat engaged in other criminal activity, particularly data extortion.
Scattered Spider’s operators are skilled social engineers who conduct push bombing, phishing, and SIM swapping. The group carries out ransomware attacks as an affiliate of BlackCat/ALPHV, the DragonForce cartel, and RansomHub; in May 2025 it deployed DragonForce ransomware against Marks & Spencer and Harrods in the U.K.
While investigating the recent retail attacks, ReliaQuest identified several of the group’s techniques. Rather than attacking organizations’ systems directly, Scattered Spider exploits human trust through social engineering, frequently running phishing campaigns from typosquatted domains that closely resemble the brands they imitate. The actors can bypass multifactor authentication (MFA) with phishing tools such as Evilginx, which captures login credentials and session cookies.
When phishing fails, the attackers move to more personalized campaigns, mining data from platforms such as ZoomInfo and LinkedIn. The group has also been observed targeting helpdesk staff, impersonating senior executives such as the CFO and requesting an emergency password reset or the enrollment of a new MFA device. ReliaQuest analyzed more than 600 domains linked to the group, 81% of which imitated technology vendors such as identity providers (IdPs), virtual private network (VPN) providers, and single sign-on (SSO) services. The domains and subdomains typically contain keywords such as “okta,” “helpdesk,” “vpn,” and “sso.”
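The lookalike pattern described above (a protected brand name combined with keywords such as “okta,” “helpdesk,” “vpn,” and “sso”) can be turned into a simple triage check over a domain feed. The script below is an added example, not code from ReliaQuest or the article; the brand name “contoso,” the owned-domain allowlist, and the candidate domains are constructed, and the keyword list is the one reported in the article.

```python
"""
Added example (not from the ReliaQuest report or the article): triage a list of
domains for the lookalike pattern the article describes -- a protected brand
name (exact, embedded, or a near-miss) combined with the lure keywords
"okta", "helpdesk", "vpn" and "sso". Brand names, owned domains and the
candidate domains below are constructed for this example.
"""
from dataclasses import dataclass, field

PROTECTED_BRANDS = ["contoso"]                      # constructed brand to protect
OWNED_DOMAINS = {"contoso.com"}                     # constructed allowlist
LURE_KEYWORDS = ["okta", "helpdesk", "vpn", "sso"]  # keywords from the report
NEAR_MISS_DISTANCE = 2                              # edit-distance threshold

# Constructed candidate domains, e.g. from a newly-registered-domain feed.
SAMPLE_DOMAINS = [
    "sso.contoso.com",            # legitimate, owned
    "contoso-sso.com",            # brand + keyword on an unowned domain
    "okta.contoso-helpdesk.net",  # brand + two keywords
    "c0ntoso.com",                # homoglyph-style typosquat
    "vpn-contos0.com",            # keyword + near-miss brand
    "example.org",                # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_owned(domain: str) -> bool:
    """Exact match or subdomain of an allowlisted domain."""
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in OWNED_DOMAINS)


def tokens(domain: str) -> list[str]:
    """Split every label except the TLD on hyphens: 'okta.contoso-helpdesk.net'
    -> ['okta', 'contoso', 'helpdesk']. (Naive: no public-suffix handling.)"""
    labels = domain.lower().rstrip(".").split(".")
    return [t for label in labels[:-1] for t in label.split("-") if t]


@dataclass
class Finding:
    domain: str
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def assess(domain: str) -> Finding:
    """One reason per indicator; the score is the number of reasons."""
    f = Finding(domain)
    if is_owned(domain):
        return f
    toks = tokens(domain)
    for brand in PROTECTED_BRANDS:
        hit = next((t for t in toks if brand in t), None)
        if hit:
            f.reasons.append(f"brand '{brand}' appears in '{hit}' on an unowned domain")
            continue
        near = next((t for t in toks if levenshtein(t, brand) <= NEAR_MISS_DISTANCE), None)
        if near:
            f.reasons.append(f"'{near}' is within edit distance {NEAR_MISS_DISTANCE} of brand '{brand}'")
    for kw in LURE_KEYWORDS:
        if any(kw in t for t in toks):
            f.reasons.append(f"lure keyword '{kw}' present")
    return f


def triage(domains: list[str]) -> list[Finding]:
    """Return only suspicious domains, highest score first."""
    findings = [assess(d) for d in domains]
    return sorted((f for f in findings if f.score), key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_DOMAINS):
        print(f"{f.score}  {f.domain}")
        for r in f.reasons:
            print(f"      - {r}")
```

The allowlist is checked first so that a legitimate “sso.contoso.com” never scores, and the brand check is split into an exact/embedded match and an edit-distance near-miss so that both “contoso-sso.com” and “c0ntoso.com” surface. In practice this would run over a newly-registered-domain or certificate-transparency feed and feed the high-scoring results into blocklists and user awareness material.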
Scattered Spider favors IT vendors, MSPs, and their IT support systems as targets, using them to reach the high-value information of system administrators, CFOs, and CISOs. MSPs and IT vendors are attractive because a single successful compromise gives the threat actor access to the systems of many downstream clients, raising the return on an attack with minimal effort. The Marks & Spencer attack used compromised accounts at IT service provider Tata Consultancy Services (TCS) to gain access to Marks & Spencer’s network, and a Sophos report described Scattered Spider attacking an MSP by exploiting SimpleHelp vulnerabilities. ReliaQuest expects the group to keep evolving its tactics and to adopt deepfake AI technology to make its social engineering more convincing.
Although Scattered Spider has lately been targeting suppliers, the group is still regarded as a threat to the healthcare industry, having attacked healthcare companies in the past. The HHS Health Sector Cybersecurity Coordination Center (HC3) published a Scattered Spider threat report in October 2024, warning the sector of the possibility of attacks and providing mitigation advice.
Because the group’s attacks center on social engineering, organizations should provide regular HIPAA security awareness training covering social engineering and phishing, backed by phishing simulations to measure whether the training is working. Phishing-resistant MFA should be deployed wherever possible, and ReliaQuest recommends requiring MSPs, contractors, and privileged users to reach high-value assets only through secured jumpboxes, with mandatory MFA for all RDP connections both to and from the jumpbox. SharePoint permissions should be tightened so that access to sensitive records is limited to people with a legitimate need to view them.
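The jumpbox recommendation above is only useful if it is verified. The script below is an added example, not code from ReliaQuest or the article: it reads Windows security events and reports any RDP logon (event 4624, logon type 10) to a high-value host that did not originate from the jumpbox, and separately any failed RDP attempt (event 4625) against those hosts. The hosts, addresses, and event records are constructed, and the JSON-lines layout is an assumption rather than a specific SIEM’s export format.

```python
"""
Added example (not from the ReliaQuest report or the article): check Windows
security events against the jumpbox rule recommended above. A successful RDP
logon (event 4624, logon type 10) to a high-value host should only originate
from a jumpbox address. The event records, hosts and addresses below are
constructed; the JSON-lines layout is assumed, not a specific SIEM's format.
"""
import json

JUMPBOX_IPS = {"10.0.9.5"}                                      # constructed
HIGH_VALUE_HOSTS = {"dc01.corp.example", "erp01.corp.example"}  # constructed

# Constructed events: Windows 4624 = successful logon, 4625 = failed logon,
# LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 10, "Computer": "dc01.corp.example", "TargetUserName": "admin.jane", "IpAddress": "10.0.9.5"}
{"EventID": 4624, "LogonType": 10, "Computer": "dc01.corp.example", "TargetUserName": "msp_svc", "IpAddress": "203.0.113.44"}
{"EventID": 4624, "LogonType": 3, "Computer": "dc01.corp.example", "TargetUserName": "share_user", "IpAddress": "10.0.20.7"}
{"EventID": 4624, "LogonType": 10, "Computer": "laptop77.corp.example", "TargetUserName": "bob", "IpAddress": "10.0.30.2"}
{"EventID": 4625, "LogonType": 10, "Computer": "erp01.corp.example", "TargetUserName": "cfo.smith", "IpAddress": "198.51.100.9"}
"""


def parse_events(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_rdp(ev: dict) -> bool:
    return ev.get("LogonType") == 10


def bypassed_jumpbox(ev: dict) -> bool:
    """True when an RDP logon to a high-value host did not come via the jumpbox."""
    return (is_rdp(ev)
            and ev.get("Computer") in HIGH_VALUE_HOSTS
            and ev.get("IpAddress") not in JUMPBOX_IPS)


def audit(events: list[dict]) -> dict:
    """Split policy breaches into successful logons (act now) and failed
    attempts (someone is trying to reach the hosts around the jumpbox)."""
    report = {"violations": [], "failed_attempts": []}
    for ev in events:
        if not bypassed_jumpbox(ev):
            continue
        entry = (ev["Computer"], ev["TargetUserName"], ev["IpAddress"])
        if ev.get("EventID") == 4624:
            report["violations"].append(entry)
        elif ev.get("EventID") == 4625:
            report["failed_attempts"].append(entry)
    return report


if __name__ == "__main__":
    result = audit(parse_events(SAMPLE_EVENTS))
    for label, rows in result.items():
        print(label)
        for host, user, ip in rows:
            print(f"  {user}@{host} from {ip}")
```

On the constructed sample, the logon by “admin.jane” from the jumpbox is compliant, the network logon (type 3) and the RDP logon to an ordinary laptop are out of scope, the “msp_svc” RDP logon to the domain controller from an external address is a violation, and the failed attempt against the ERP host is reported separately. A successful violation is the signal that the jumpbox control has a gap (a firewall exception, a host that still accepts RDP from anywhere) and should be investigated as a possible vendor-account compromise.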