
ra2 studio - stock.adobe.com
Scattered Spider playbook evolving fast, says Microsoft
Microsoft warns users over notable evolutions in Scattered Spider's attack playbook, and beefs up some of the defensive capabilities it offers to customers in response.
Microsoft has rolled out a series of targeted enhancements across its Defender and Sentinel cyber security ecosystem designed to help its customers guard against the possibility of falling victim to Scattered Spider as the cyber gang continues to evolve its playbook.
Scattered Spider – referred to in Microsoft’s threat telemetry as Octo Tempest – ramped up the pace of its activity in April and May with disruptive attacks aimed at UK high street retailers. It then shifted up its targeting to go after insurance organisations, then in late June appeared to pivot to the aviation sector, with several possible victims emerging.
The cyber gang uses varying methods in its attacks, and as before its its most common approaches involve gaining initial access through social engineering attacks and user impersonation to fool service desk workers through phone calls, emails and messages, SMS-based phishing using adversary-in-the-middle domains mimicking legitimate organisations, the use of tools such as ngrok, Chisel and AADInternals, and attacking hybrid identity infrastructures and exfiltrating data to support extortion and ransomware.
However, as has been seen recently, the gang now seems to favour the use of DragonForce ransomware and has been particularly focused on VMWare ESX hypervisor environments.
Moreover, said Microsoft, in contrast to previous attack patterns where Scattered Spider exploited cloud identity privileges in order to attain on-premises access, it now appears to be hitting both on-prem accounts and infrastructure during the initial stage of its intrusions, prior to transitioning to cloud access.
“In recent weeks, Microsoft has observed Octo Tempest, also known as Scattered Spider, impacting the airlines sector, following previous activity impacting retail, food services, hospitality organisations, and insurance between April and July 2025,” said the Microsoft Defender research team in a blog update.
“This aligns with Octo Tempest’s typical patterns of concentrating on one industry for several weeks or months before moving on to new targets. Microsoft Security products continue to update protection coverage as these shifts occur.”
More assistance
To better assist its customers, Microsoft has now updated the range of detections available within Defender, spanning endpoints, identities, software-as-a-service (SaaS) applications, email and collaboration tools, and cloud workloads.
It is also enhancing Defender’s built-in attack disruption capabilities – which drawn on multi-domain signals, new threat intel, and AI-backed machine learning models to try to predict and disrupt a threat actor’s next move – essentially by containing and isolating the compromised asset. Microsoft said that based on its learnings from previous Scattered Spider attacks, this will also disable the user account used by the gang and revoke all existing active sessions it has open.
Elsewhere within Defender, Microsoft has upped its advanced hunting capabilities to help organisations identify and ward off the gang’s more aggressive social engineering attacks on privileged individuals, even going so far as to identify who within the organisation is most likely to be targeted before an attack begins.
Analysts will be able to question first- and third-party data sources through Microsoft Defender XDR and Microsoft Sentinel, as well as gaining exposure insights from Microsoft Security Exposure Management, which equips teams with capabilities like critical asset protection and attack path analysis.
Exposure Management now also contains threat actor initiatives to unify insights on Scattered Spider to harden their defences and act quicker. The initiative features guide on key Scattered Spider tactics, techniques and procedures (TTPs), and as well as a more broad ransomware initiative focused on reducing exposure to extortion attacks, which also offers Scattered Spider-specific guidance.
The latest guidance, which can be read here, also contains core advice for any and all users to take in regard to managing their cloud, endpoint and identity security postures.
Read more on this story
- 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
- 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
- 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
- 29 April: An infamous hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
- 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
- 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
- 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
- 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
- 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
- 13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
- 14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same gang that supposedly attacked M&S and Co-op in the UK.
- 20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
- 11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signaling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
- 13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
- 17 June: Following a series of high-profile attacks on prominent retailers and consumer brands, a group of criminal hackers appears to be expanding their targeting to the insurance sector.
- 20 June: The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from cyber attacks on M&S and Co-op.
- 27 June: Multiple reports are emerging of cyber attacks on airlines – Google Cloud’s Mandiant believes them to be linked.
- 2 July: Australian flag carrier Qantas is investigating significant data theft of personal information for up to 6 million customers after a third-party platform used by its call centre was compromised.
- 2 July: A developing cyber attack at Australian airline Qantas that started at a third-party call centre is already being tentatively attributed to the same gang that hit UK retailers. Find out more and learn about the next steps for those affected.
- 8 July: The government should extend ransomware reporting mandates to businesses to help gather more intelligence and better support victims, says M&S chairman Archie Norman.
- 9 July: Australian flag carrier begins notifying millions of individuals after a cyber attack on a call centre, confirming that while financial and passport details are safe, a significant volume of other personal information was compromised.
- 10 July: Police have made four arrests in connection with a trio of cyber attacks on UK retailers Marks & Spencer, Co-op and Harrods.
- 14 July: French luxury goods retailer LVMH has disclosed multiple cyber attacks in 2025 so far, and their impact is now spreading to the UK as a new incident affecting Louis Vuitton comes to light.