MGM Resorts hack. Okta hack. M&S hack. Qantas Airlines hack. And many more.
Different targets. But same attacker.
They call themselves “Scattered Spider.”
Every time you come across these stories, one question pops up:
How can a single group break into so many big companies so easily?
Almost like it's nothing!
Today, we take a look at 5 common attack methods this group uses that show exactly why they’re so effective — and why so many big organizations fall to the same tricks.
1) Targeting IT Help Desks
This is perhaps the simplest, yet most devastating tactic they use.
They start by identifying high privileged employees — IT admins, infrastructure engineers, cloud leads — often through LinkedIn or public org charts.
Then they call the company’s IT help desk, impersonating that employee.
They provide convincing details gleaned from social media or past breaches: name, title, manager, office location.
The goal?
Persuade the help desk to reset the employee’s password or MFA device.
Once that happens, it’s game over.
The attackers now have admin access.
It’s not fancy. It doesn’t involve malware or zero-days.
It’s pure social engineering.
And it has repeatedly served as their initial entry point in many recent hacks.
2) Taking Over Cloud Identity Platforms
Once inside, they don’t just settle for local systems.
They immediately move to compromise cloud identity platforms — like Okta, Entra ID (Azure AD), or Ping.
With admin credentials, they configure inbound federation: a trust relationship under which an identity provider they control can issue tokens that the victim's systems accept as genuine.
Result?
They can generate valid authentication tokens on demand, impersonating anyone, accessing anything.
It’s like forging a master passport that customs will happily stamp.
No malware needed.
3) Rapid Domain Rotation
Phishing is still one of their favorite techniques.
But they do it smart.
They spin up short-lived domains with keywords like:
“okta,” “sso,” “help,” “corp,” “login.”
These sites might only live for a few hours before registrars or security vendors take them down.
But that’s all they need — a few hours is enough for someone to click.
Because domains are cheap and disposable, they simply move on, creating the next lure.
No need for longevity when all you need is one user to slip.
4) Targeting VM Infrastructure
When it comes to ransomware, Scattered Spider doesn’t waste time encrypting thousands of individual laptops.
Instead, they hit the hypervisor layer — targeting VMware ESXi hosts.
A hypervisor runs multiple virtual servers on a single physical machine.
By compromising it, attackers can encrypt all the VMs at once, causing catastrophic outages.
Most endpoint security tools only run inside individual virtual machines.
By attacking the hypervisor directly, they completely bypass those protections.
It’s devastating. And incredibly smart.
5) Hitting an Entire Sector
Perhaps the most worrying pattern:
They don’t just hit one company.
Once they figure out a playbook that works for, say, a retailer, they quickly reuse it against other companies in the same industry.
When M&S was breached, other major retailers like Harrods were also targeted around the same period.
It’s like watching a wave ripple across an entire sector, as the same techniques break through similar defenses.
That’s how you see multiple major brands reporting breaches within weeks of each other — not coincidence, but an intentional sector-wide campaign.
How do you defend against all this?
There’s no single magic tool.
No silver bullet product you can buy off the shelf.
Defense boils down to getting the fundamentals right — consistently, across people, processes, and technology.
Here’s what that looks like in practice:
🔐 Harden your help desk process
Train help desk staff relentlessly on social engineering risks.
Require multiple out-of-band verifications before resetting passwords or MFA devices for privileged accounts.
Use pre-established secure contact numbers or escalation chains.
🛡 Decouple privileged access
Avoid linking your identity platforms (like Okta or Azure AD) directly to critical infrastructure consoles.
Use separate identity boundaries or administrative accounts that can’t be federated.
🚪 Lock down hypervisors
Strictly limit who can access ESXi hosts or vCenter servers.
Enforce MFA on these consoles and monitor for any abnormal access attempts.
Keep hypervisors on isolated management networks — no direct internet exposure.
🔍 Monitor for domain federation abuse
For organizations using Microsoft Entra ID, this is critical:
Regularly check the domain names registered in your Entra ID tenant, paying close attention to domains marked as Federated.
Thoroughly review the federation configuration for these domains to ensure it hasn’t been tampered with.
Attackers often abuse federation to generate valid tokens from their own malicious identity providers. Catching unexpected or unauthorized federation is essential.
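One way to make that review repeatable, as an added example that is not part of the original post: compare a current export of the tenant's domains against a known-good baseline and flag any federation drift. The input shape (domain name, authenticationType, and the issuerUri/passiveSignInUri/metadataExchangeUri/signingCertificate fields) is assumed to mirror a Graph domain export, and all sample values are constructed.

```python
import json

# Fields a rogue identity provider would have to change to make its tokens
# acceptable to the tenant; any drift here deserves a look.
WATCHED = ("issuerUri", "passiveSignInUri", "metadataExchangeUri", "signingCertificate")

def audit_federation(current, baseline):
    """Compare a current domain export against a known-good baseline.
    Both are dicts: {domain: {"authenticationType": str, "federation": dict|None}}.
    Returns a list of (domain, finding) tuples; empty means no drift."""
    findings = []
    for name, cur in current.items():
        if cur["authenticationType"] != "Federated":
            continue  # Managed domains cannot accept externally issued tokens
        base = baseline.get(name)
        if base is None:
            findings.append((name, "federated domain absent from baseline"))
        elif base["authenticationType"] != "Federated":
            findings.append((name, "domain switched from Managed to Federated"))
        else:
            for field in WATCHED:
                old = (base.get("federation") or {}).get(field)
                new = (cur.get("federation") or {}).get(field)
                if old != new:
                    findings.append((name, f"{field} changed"))
    return findings

# Constructed sample data standing in for two exports taken a week apart.
BASELINE = json.loads("""{
  "corp.example.com": {"authenticationType": "Federated", "federation": {
    "issuerUri": "http://adfs.corp.example.com/adfs/services/trust",
    "passiveSignInUri": "https://adfs.corp.example.com/adfs/ls/",
    "metadataExchangeUri": "https://adfs.corp.example.com/adfs/services/trust/mex",
    "signingCertificate": "MIIC...baseline"}},
  "shop.example.com": {"authenticationType": "Managed", "federation": null}
}""")
CURRENT = json.loads("""{
  "corp.example.com": {"authenticationType": "Federated", "federation": {
    "issuerUri": "http://adfs.corp.example.com/adfs/services/trust",
    "passiveSignInUri": "https://adfs.corp.example.com/adfs/ls/",
    "metadataExchangeUri": "https://adfs.corp.example.com/adfs/services/trust/mex",
    "signingCertificate": "MIIC...rotated-unexpectedly"}},
  "shop.example.com": {"authenticationType": "Federated", "federation": {
    "issuerUri": "http://idp.example.net/trust", "passiveSignInUri": "https://idp.example.net/ls/",
    "metadataExchangeUri": "https://idp.example.net/mex", "signingCertificate": "MIIC...other"}}
}""")
if __name__ == "__main__":
    for domain, finding in audit_federation(CURRENT, BASELINE):
        print(f"[ALERT] {domain}: {finding}")
```

Re-baseline only after a change has been confirmed with whoever owns the federation server; an unexplained new signing certificate is exactly the signal this check exists to catch.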
🕵 Identity session risk & anomaly detections
Your SOC should monitor for:
Authentications from infrequent locations, especially from known proxy and VPN service providers.
Attempts to change authentication methods or criteria (like adding new MFA devices).
Anomalies that reflect social engineering tactics, such as repeated failed attempts followed by a successful password reset.
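The three detections above, run over a few constructed sign-in events, as an added example rather than anything from the original post or a vendor's product. The event schema, the proxy/VPN ASN list and the 30-minute window are assumptions; "infrequent location" is approximated as a country never seen in the user's baseline.

```python
from datetime import datetime, timedelta

# Constructed: ASNs the defender has classified as commercial proxy/VPN exits.
PROXY_ASNS = {"AS-PROXY-1", "AS-VPN-2"}
WINDOW = timedelta(minutes=30)   # how close events must be to count as one sequence

def detect(events, home_countries):
    """events: list of dicts with ts (ISO 8601), user, kind, country, asn, sorted by ts.
    home_countries: {user: set(countries)} taken from a baseline of normal sign-ins.
    Returns a list of (user, rule) tuples in the order the rules fire."""
    findings, seen, fails, resets = [], {}, {}, {}
    for u, countries in home_countries.items():
        seen[u] = set(countries)
    for e in events:
        u, ts, kind = e["user"], datetime.fromisoformat(e["ts"]), e["kind"]
        if kind == "signin_ok":
            # Rule 1: success from a country never seen for this user, via a proxy/VPN ASN
            if e["country"] not in seen.setdefault(u, set()) and e["asn"] in PROXY_ASNS:
                findings.append((u, "new-country-via-proxy"))
            seen[u].add(e["country"])
        elif kind == "signin_failed":
            fails.setdefault(u, []).append(ts)
        elif kind == "password_reset":
            # Rule 2: three or more failures followed by a successful reset within WINDOW
            if sum(1 for t in fails.get(u, []) if ts - t <= WINDOW) >= 3:
                findings.append((u, "failures-then-reset"))
            resets[u] = ts
        elif kind == "mfa_method_added":
            # Rule 3: a new MFA method registered shortly after a reset
            if u in resets and ts - resets[u] <= WINDOW:
                findings.append((u, "mfa-added-after-reset"))
    return findings

def ev(ts, user, kind, country="US", asn="AS-CORP"):
    return {"ts": ts, "user": user, "kind": kind, "country": country, "asn": asn}

# Constructed log: alice's account goes through a help-desk reset, bob is normal.
SAMPLE_EVENTS = [
    ev("2025-01-10T09:00:00", "alice", "signin_failed"),
    ev("2025-01-10T09:02:00", "alice", "signin_failed"),
    ev("2025-01-10T09:04:00", "alice", "signin_failed"),
    ev("2025-01-10T09:10:00", "alice", "password_reset"),
    ev("2025-01-10T09:15:00", "alice", "mfa_method_added"),
    ev("2025-01-10T09:20:00", "alice", "signin_ok", country="NL", asn="AS-VPN-2"),
    ev("2025-01-10T09:30:00", "bob", "signin_ok"),
]
HOME = {"alice": {"US"}, "bob": {"US"}}

if __name__ == "__main__":
    for user, rule in detect(SAMPLE_EVENTS, HOME):
        print(f"[ALERT] {user}: {rule}")
```

Any one rule on its own will produce noise; the value is in the sequence, so a SOC would typically raise severity when two or more fire for the same user inside the window.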
🌐 Tackle phishing at multiple layers
Use domain monitoring to detect lookalike phishing sites.
Deploy browser isolation or advanced anti-phishing controls.
Train employees on identifying suspicious sites and encourage rapid reporting.
🔍 Prepare for sector-wide campaigns
Participate in industry threat intelligence sharing groups.
Study peer incidents to proactively audit similar gaps in your own environment.
The final takeaway
Big breaches don’t always happen because of advanced exploits.
They often start with simple gaps, overlooked basics, and attackers who are patient enough to string those small weaknesses into a large compromise.
“Hackers love simplicity.
Strong fundamentals take that away.”
So invest in the boring stuff:
Better processes for your help desk.
Strong segmentation and identity architecture.
Hypervisor hardening.
And a culture where employees actually pick up the phone and verify.
Because in the end, it’s not about being bulletproof.
It’s about not being the easiest door on the street to open.