What’s Changed in Scattered Spider’s Tactics, Techniques & Procedures (TTPs)
- Adam Sewall
- Aug 4
Allianz, Aflac, Caesars, MGM Resorts, Twilio, Snowflake customers, M&S, Co-Op, Harrods, Victoria's Secret, Philadelphia Insurance, Erie Insurance, Hawaiian Airlines, Qantas and others have all been breached, and Scattered Spider is not slowing down.
In the last six months (approx. January–July 2025), Scattered Spider has:
1. Refined MFA-bypassing AiTM phishing kits to steal authentication tokens in real time, effectively defeating SMS or push-based MFA prompts, and adapted attack infrastructure to use Cloudflare-hosted pages and dynamic DNS domains (Medium).
2. Expanded targeting.
3. Continued heavy reliance on social engineering - help-desk impersonation, vishing, SIM swapping, MFA fatigue attacks - with increasing sophistication in cultural fluency, identity abuse, and pretexting.
4. Escalated use of living-off-the-land (LOTL) tools and legitimate remote-access utilities (AnyDesk, TeamViewer, ScreenConnect), and BYOVD (Bring Your Own Vulnerable Driver) techniques to kill EDR processes.
5. Persisted in cloud-native, identity-centric compromise - abusing misconfigurations in Azure AD, Okta, AWS IAM, and identity federation, and automating pivoting and exfiltration entirely through native services.
6. Introduced cloud log tampering, including selective deletion of CloudTrail or Azure audit logs, to hinder detection and forensic analysis.
7. Continued collaboration with ransomware affiliates like BlackCat/ALPHV and DragonForce - prioritizing data exfiltration and double extortion over outright encryption.
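For item 6, a detection sketch added here as an example (it is not from the original post): it flags CloudTrail records that alter a trail or delete objects from the bucket where logs are delivered. The bucket name, trail name, account ID and sample records are constructed placeholders, and the S3 branch assumes data events are enabled for the log bucket; Azure audit logs are not covered.

```python
# Added example: flag CloudTrail records that alter a trail or delete delivered logs.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
S3_DELETE = {"DeleteObject", "DeleteObjects"}

def find_log_tampering(records, log_buckets):
    """Return one finding per call that alters a trail or deletes from a log bucket."""
    findings = []
    for rec in records:
        source, name = rec.get("eventSource"), rec.get("eventName")
        params = rec.get("requestParameters") or {}
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
            # PutEventSelectors names the trail in trailName, the others in name.
            target = params.get("name") or params.get("trailName") or "unknown"
        elif (source == "s3.amazonaws.com" and name in S3_DELETE
              and params.get("bucketName") in log_buckets):
            # Assumes S3 data events are logged; batch deletes may carry no single key.
            target = "s3://{}/{}".format(params["bucketName"], params.get("key", "*"))
        else:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "event": name,
            "target": target,
            # A denied call is still an attempt worth triaging.
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
        })
    return sorted(findings, key=lambda f: f["time"] or "")

# Constructed sample records (not real telemetry); all names are placeholders.
ACTOR = {"arn": "arn:aws:iam::111122223333:user/example-admin"}
SAMPLE = [
    {"eventTime": "2025-07-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "requestParameters": None, "userIdentity": ACTOR},
    {"eventTime": "2025-07-01T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "requestParameters": {"name": "mgmt-trail"}, "userIdentity": ACTOR},
    {"eventTime": "2025-07-01T10:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "requestParameters": {"bucketName": "example-trail-logs", "key": "AWSLogs/a.json.gz"}, "userIdentity": ACTOR},
    {"eventTime": "2025-07-01T10:04:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "requestParameters": {"bucketName": "app-uploads", "key": "tmp.txt"}, "userIdentity": ACTOR},
    {"eventTime": "2025-07-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "requestParameters": {"name": "mgmt-trail"}, "userIdentity": ACTOR, "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    for finding in find_log_tampering(SAMPLE, {"example-trail-logs"}):
        print(finding)
```

Run it against records copied to a second, access-restricted account or log archive, since a trail that has been stopped or a bucket that has been emptied cannot report on itself.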
BLUF
Scattered Spider is a formidable amalgamation of TTPs and resources. The use of advanced and Orchestrated Defense in Depth can mitigate such TTPs. This takes consistent and persistent defensive measures. Contact us for free mitigation strategies, techniques and best practices…no charge…even if you are not using our platform and services…no strings, just smart defense in depth!
Stay safe out there!