Scattered Spider playbook evolving fast, says Microsoft
ra2 studio – stock.adobe.com
Microsoft warns users over notable evolutions in Scattered Spider’s attack playbook, and beefs up some of the defensive capabilities it offers to customers in response
Microsoft has rolled out a series of targeted enhancements across its Defender and Sentinel cyber security ecosystem designed to help its customers guard against the possibility of falling victim to Scattered Spider as the cyber gang continues to evolve its playbook.
Scattered Spider – referred to in Microsoft’s threat telemetry as Octo Tempest – ramped up the pace of its activity in April and May with disruptive attacks aimed at UK high street retailers. It then shifted up its targeting to go after insurance organisations, and in late June appeared to pivot to the aviation sector, with several possible victims emerging.
The cyber gang uses varying methods in its attacks and, as before, its most common approaches involve gaining initial access through social engineering attacks and user impersonation to fool service desk workers through phone calls, emails and messages, SMS-based phishing using adversary-in-the-middle domains mimicking legitimate organisations, the use of tools such as ngrok, Chisel and AADInternals, and attacking hybrid identity infrastructures and exfiltrating data to support extortion and ransomware.
However, as has been seen recently, the gang now seems to favour the use of DragonForce ransomware and has been particularly focused on VMware ESX hypervisor environments.
Moreover, said Microsoft, in contrast to previous attack patterns where Scattered Spider exploited cloud identity privileges in order to attain on-premise access, it now appears to be hitting both on-premise accounts and infrastructure during the initial stage of its intrusions, prior to transitioning to cloud access.
“In recent weeks, Microsoft has observed Octo Tempest, also known as Scattered Spider, impacting the airlines sector, following previous activity impacting retail, food services, hospitality organisations and insurance between April and July 2025,” said the Microsoft Defender research team in a blog update.
“This aligns with Octo Tempest’s typical patterns of concentrating on one industry for several weeks or months before moving on to new targets. Microsoft Security products continue to update protection coverage as these shifts occur.”
More assistance
To better assist its customers, Microsoft has updated the range of detections available within Defender, spanning endpoints, identities, software-as-a-service (SaaS) applications, email and collaboration tools, and cloud workloads.
It is also enhancing Defender’s built-in attack disruption capabilities – which draw on multi-domain signals, new threat intel, and AI-backed machine learning models to try to predict and disrupt a threat actor’s next move – essentially by containing and isolating the compromised asset. Microsoft said that based on its learnings from previous Scattered Spider attacks, this will also disable the user account used by the gang and revoke all existing active sessions it has open.
Elsewhere within Defender, Microsoft has upped its advanced hunting capabilities to help organisations identify and ward off the gang’s more aggressive social engineering attacks on privileged individuals, even going so far as to identify who within the organisation is most likely to be targeted before an attack begins.
Analysts will be able to question first- and third-party data sources through Microsoft Defender XDR and Microsoft Sentinel, as well as gaining exposure insights from Microsoft Security Exposure Management, which equips teams with capabilities like critical asset protection and attack path analysis.
Exposure Management now also contains threat actor initiatives to unify insights on Scattered Spider to harden their defences and act quicker. The initiative features a guide on key Scattered Spider tactics, techniques and procedures (TTPs), and as well as a broader ransomware initiative focused on reducing exposure to extortion attacks, which also offers Scattered Spider-specific guidance.
The latest guidance, which can be read here, also contains core advice for any and all users to take in regard to managing their cloud, endpoint and identity security postures.
Read more on Business continuity planning
Co-op chief ‘incredibly sorry’ for theft of 6.5m members’ data
By: Alex Scroxton
Luxury retailer LVMH says UK customer data was stolen in cyber attack
By: Alex Scroxton
M&S calls for mandatory ransomware reporting
By: Alex Scroxton
Scattered Spider link to Qantas hack is likely, say experts
By: Alex Scroxton
