Defending Against Scattered Spider: Lessons from MGM and Beyond

Recent cyber incidents linked to the group known as Scattered Spider have highlighted a growing challenge for organisations. The most effective attacks are no longer driven by technical breakthroughs but by the ability to exploit trust, process gaps and human behaviour.

As Rob Demain, CEO of e2e-assure, said: “It’s not a failure of knowledge, it’s a reflection of how complex modern cyber threats have become.”

From the MGM Resorts breach back in 2023 to recent disruptions in UK retail, this group has shown how easily attackers can bypass traditional defences by targeting identity systems, third-party access and internal workflows. These events remind us that building resilience requires not just strong technology, but well-structured people and processes ready to respond under pressure.

What We’re Seeing in the Field

  1. Process manipulation is the common thread. In many of these attacks, the initial access point wasn’t a software vulnerability but a conversation. Attackers convinced helpdesk teams to reset credentials or approve MFA changes through convincing impersonation. These lapses aren’t isolated. They reflect a broader need to strengthen verification procedures and reduce reliance on assumed trust.
  2. Identity platforms are now critical infrastructure. Services like Okta and Entra ID are being used as launchpads for lateral movement and privilege escalation. Once compromised, they give attackers the ability to move quickly and quietly across environments. These platforms deserve the same level of scrutiny as core network infrastructure.
  3. Third-party access remains a persistent risk. In one recent case, attackers reportedly used credentials from an external IT provider to access a major UK retailer. This reinforces the need for visibility and governance across the supply chain. Trust in partners must be matched with clear controls and regular oversight.
  4. Phishing infrastructure is being scaled across industries. Recent analysis uncovered over 500 domains registered to impersonate enterprise platforms and identity systems. Many mimic helpdesks or SSO portals. These sites are designed to deceive employees in sectors such as manufacturing, healthcare, finance and aviation. The registration patterns suggest a coordinated effort to pre-position domains for future credential harvesting campaigns.

Strengthening Defences with Practical Measures

Based on these recent trends, organisations looking to build long-term resilience may wish to consider the following actions:

  • Limit administrative access to known IP ranges and block traffic from anonymised networks
  • Monitor login activity for unusual patterns in device, location or session behaviour
  • Enforce strict identity verification for helpdesk interactions, especially those involving privileged accounts
  • Use threat hunting playbooks to investigate anomalies such as new device registrations or concurrent logins
  • Apply least privilege principles across internal teams and third-party roles, with regular access reviews
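To make the monitoring and threat-hunting items above concrete, the following is an added example (not code from the original article or from e2e-assure) that runs three simple detections over a handful of constructed identity-provider sign-in events: an administrative sign-in from outside an allow-listed network, a sign-in or enrolment from a device the user has never used before, and two sign-ins for one user from different countries inside a short window. The event fields, the `KNOWN_DEVICES` baseline, the `ADMIN_ALLOWED_NETWORKS` list and the 60-minute window are all assumptions chosen for the illustration.

```python
"""Illustrative sign-in anomaly checks over constructed IdP audit events."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names loosely mirror
# what an identity provider's sign-in audit export would contain.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "ip": "203.0.113.10", "country": "GB", "device_id": "dev-a1", "event": "login"},
    {"ts": "2024-05-01T08:05:00", "user": "alice", "ip": "203.0.113.10", "country": "GB", "device_id": "dev-a1", "event": "login"},
    {"ts": "2024-05-01T08:20:00", "user": "alice", "ip": "198.51.100.7", "country": "US", "device_id": "dev-zz9", "event": "device_enrolled"},
    {"ts": "2024-05-01T08:21:00", "user": "alice", "ip": "198.51.100.7", "country": "US", "device_id": "dev-zz9", "event": "login"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "ip": "192.0.2.44", "country": "GB", "device_id": "dev-b1", "event": "login", "admin": True},
    {"ts": "2024-05-01T09:30:00", "user": "carol", "ip": "10.0.0.5", "country": "GB", "device_id": "dev-c1", "event": "login", "admin": True},
]

# Constructed baseline: devices each user has previously signed in from.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"}}

# Hypothetical allow-list for administrative sign-ins (internal address space only).
ADMIN_ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Two sign-ins for one user from different countries within this window are flagged.
CONCURRENT_WINDOW = timedelta(minutes=60)


@dataclass(frozen=True)
class Alert:
    kind: str
    user: str
    detail: str


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def admin_from_unknown_network(events: list[dict]) -> list[Alert]:
    """Flag privileged sign-ins whose source IP is outside the admin allow-list."""
    alerts = []
    for e in events:
        if e.get("admin") and e["event"] == "login":
            ip = ipaddress.ip_address(e["ip"])
            if not any(ip in net for net in ADMIN_ALLOWED_NETWORKS):
                alerts.append(Alert("admin_outside_allowlist", e["user"], f"{e['ip']} at {e['ts']}"))
    return alerts


def new_device_activity(events: list[dict], known: dict = KNOWN_DEVICES) -> list[Alert]:
    """Flag the first appearance of a device not in the user's baseline."""
    alerts, seen = [], set()
    for e in events:
        key = (e["user"], e["device_id"])
        if e["device_id"] not in known.get(e["user"], set()) and key not in seen:
            seen.add(key)
            alerts.append(Alert("unrecognised_device", e["user"], f"{e['device_id']} ({e['event']}) at {e['ts']}"))
    return alerts


def concurrent_logins(events: list[dict], window: timedelta = CONCURRENT_WINDOW) -> list[Alert]:
    """Flag a user signing in from two different countries within the window."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_user[e["user"]].append(e)
    for user, logins in by_user.items():
        logins.sort(key=_ts)
        for i, cur in enumerate(logins):
            for prev in logins[:i]:
                if prev["country"] != cur["country"] and _ts(cur) - _ts(prev) <= window:
                    alerts.append(Alert("concurrent_geo_login", user,
                                        f"{prev['country']} at {prev['ts']} then {cur['country']} at {cur['ts']}"))
                    break  # one alert per offending sign-in is enough
    return alerts


def run_detections(events: list[dict] = SAMPLE_EVENTS) -> list[Alert]:
    """Run every check and return the combined alert list."""
    return admin_from_unknown_network(events) + new_device_activity(events) + concurrent_logins(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(f"[{alert.kind}] {alert.user}: {alert.detail}")
```

On the constructed data this produces three alerts: bob's administrative sign-in from outside the allow-list, alice's never-before-seen device `dev-zz9`, and alice appearing in two countries sixteen minutes apart. Each check is deliberately simple; in practice the baseline and allow-list would come from the identity platform itself, and an alert would feed a helpdesk verification step rather than an automatic block.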

These steps reflect a broader shift toward proactive governance and risk-aware decision-making rather than purely technical measures.

Leadership Considerations: Culture, Visibility and Trust

Even the most advanced technologies have limits. Building true resilience depends equally on clear judgement, strong governance, and embedding security into everyday working practices. This is a leadership responsibility that extends beyond IT, shaping culture, communication, and accountability across the organisation.

Leaders should consider the following steps:

  • Remove operational details that attackers could misuse by reviewing all public-facing materials, including employee profiles and case studies.
  • Include realistic social engineering scenarios in awareness training and simulation exercises.
  • Promote a culture where verifying requests is standard practice, not an exception.

These actions create an environment where security becomes a natural part of decision-making, rather than something only activated in a crisis.

Final Thoughts

Groups like Scattered Spider succeed not because of sophisticated technology but because they understand how organisations operate day to day. Addressing this reality calls for a response rooted in empathy, transparency, and shared commitment.

These incidents are not about assigning blame; they show that every organisation faces potential exposure. The most effective preparation is clarity: knowing what to protect, how to detect change, and how to respond under pressure.

As Rob Demain puts it:
“Our response should be rooted in empathy, collaboration, and a shared commitment to making the entire ecosystem more resilient.”
