BIPI

Scattered Spider: When the Adversary Speaks Better English Than Your Help Desk

Threat Intelligence

UNC3944 turned social engineering into a repeatable operating system. MGM, Caesars, and Twilio paid the tuition. Here is what the playbook looks like and how to harden the help desk against it.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 3, 2024 · 8 min read

#scattered-spider #unc3944 #0ktapus #social-engineering

Scattered Spider is the rare threat cluster that has changed how CISOs talk about identity. Not because it dropped a novel implant, but because it proved a help desk phone call is faster than any malware loader.

Actor Profile

Tracked as Scattered Spider by CrowdStrike, UNC3944 by Mandiant, 0ktapus by Group-IB, Octo Tempest by Microsoft, and Scatter Swine by Okta. Members are largely native English speakers based in the US and UK, mostly under 25. Several arrests in 2024 confirmed the demographic. The group operates as a loose affiliate network rather than a top-down organization and has worked with ALPHV/BlackCat, RansomHub, and Qilin.

Attribution caveat: the public arrests cover only the most visible operators. The wider community is larger, organized in Telegram and Discord channels, and recruits constantly.

TTPs

Social engineering is the first stage, every time. The group calls IT help desks impersonating real employees scraped from LinkedIn, often citing recent internal events to build credibility. The ask is always the same: reset MFA, reset the password, or enroll a new device.

  • Help-desk vishing for MFA reset (MITRE T1656)
  • SIM-swap against executives and IT staff (T1451)
  • MFA fatigue / push bombing against Duo, Okta Verify, Microsoft Authenticator (T1621)
  • Adversary-in-the-middle phishing kits cloning Okta, Azure, ADFS login pages (T1557)
  • Post-access abuse of legitimate RMM tools: AnyDesk, ScreenConnect, TeamViewer, Splashtop
  • Living-off-the-land in cloud: Azure VM creation, hypervisor access via vCenter, Snowflake exfil

Notable Victims

Twilio and MailChimp in 2022 set the template. Caesars Entertainment paid roughly $15M in September 2023. MGM Resorts refused to pay and lost an estimated $100M to slot-machine and reservation-system downtime in the same week. Through 2024 the cluster was tied to intrusions at Transport for London, Snowflake customer environments, and multiple insurance and BPO companies.

MGM did not fall to a zero-day. It fell to a ten-minute help desk call.

Detection Signals

Detection has to live where the attack happens, which is identity infrastructure and the help desk ticket queue, not the endpoint.

  • MFA factor reset events followed by a new sign-in from a different ASN within 60 minutes
  • Help-desk ticket macros with text matching 'lost phone', 'new device', 'cannot receive push'
  • Push notification volume spikes against a single user (10+ in under 5 minutes)
  • Successful auth from a residential proxy ASN immediately after a factor enrollment event
  • Azure or AWS console logins from new geographies followed by RMM tool installation
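The three identity-side signals above (factor reset or enrollment followed by a sign-in from a new or proxy-flagged ASN, push bombing, and help-desk ticket phrasing) can be expressed as simple correlation rules. The block below is an added example, not BIPI's or any vendor's detection content; the event schema, the ASN numbers, the user names and the ticket text are constructed sample data, and a real Okta System Log or Entra ID sign-in export would first need mapping onto this shape. It runs the rules over that sample and returns the hits rather than only printing them.

```python
"""Correlation rules for the Scattered Spider identity signals (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). j.doe has a baseline sign-in, then a
# factor reset, then a sign-in from a different, residential-proxy ASN 25 minutes
# later. a.lee has the same shape but the sign-in lands well outside the window.
EVENTS = [
    {"ts": "2024-08-01T08:10:00", "user": "j.doe", "type": "auth.success", "asn": 64496, "proxy": False},
    {"ts": "2024-08-01T09:00:00", "user": "j.doe", "type": "mfa.factor.reset", "asn": 64496, "proxy": False},
    {"ts": "2024-08-01T09:25:00", "user": "j.doe", "type": "auth.success", "asn": 64512, "proxy": True},
    {"ts": "2024-08-01T08:00:00", "user": "a.lee", "type": "auth.success", "asn": 64496, "proxy": False},
    {"ts": "2024-08-01T10:00:00", "user": "a.lee", "type": "mfa.factor.reset", "asn": 64496, "proxy": False},
    {"ts": "2024-08-01T12:30:00", "user": "a.lee", "type": "auth.success", "asn": 64512, "proxy": False},
]
# Constructed push traffic: 12 challenges to k.ng inside one minute (push bombing),
# three to r.ali spread over forty minutes (normal).
EVENTS += [{"ts": f"2024-08-01T11:00:{s:02d}", "user": "k.ng", "type": "mfa.push.sent",
            "asn": 64496, "proxy": False} for s in range(0, 60, 5)]
EVENTS += [{"ts": f"2024-08-01T11:{m:02d}:00", "user": "r.ali", "type": "mfa.push.sent",
            "asn": 64496, "proxy": False} for m in (0, 20, 40)]

# Constructed help-desk tickets.
TICKETS = [
    {"id": "HD-1041", "text": "Lost phone over the weekend, need MFA reset before the board meeting"},
    {"id": "HD-1042", "text": "VPN client keeps disconnecting"},
    {"id": "HD-1043", "text": "Cannot receive push on Okta Verify, please enroll new device"},
]

FACTOR_CHANGE = {"mfa.factor.reset", "mfa.factor.enroll"}
TICKET_PHRASES = ("lost phone", "new device", "cannot receive push")


def _parse(events):
    """Parse ISO timestamps and return events in chronological order."""
    return sorted((dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events),
                  key=lambda e: e["ts"])


def factor_change_then_suspicious_auth(events, window_minutes=60):
    """Signals 1 and 4: the first successful sign-in after a factor reset or
    enrollment, within the window, from an ASN that differs from the user's
    previous sign-in or that is flagged as a residential proxy."""
    window = timedelta(minutes=window_minutes)
    last_asn, pending, alerts = {}, {}, []
    for e in _parse(events):
        u = e["user"]
        if e["type"] in FACTOR_CHANGE:
            # Remember when the factor changed and what ASN the user came from before it.
            pending[u] = (e["ts"], last_asn.get(u))
        elif e["type"] == "auth.success":
            if u in pending:
                change_ts, baseline = pending.pop(u)  # only the first sign-in after the change is judged
                if e["ts"] - change_ts <= window:
                    reasons = []
                    if e["asn"] != baseline:       # no baseline at all also counts as new
                        reasons.append("new_asn")
                    if e["proxy"]:
                        reasons.append("residential_proxy")
                    if reasons:
                        alerts.append({"user": u, "change_ts": change_ts.isoformat(),
                                       "auth_ts": e["ts"].isoformat(), "asn": e["asn"],
                                       "reasons": reasons})
            last_asn[u] = e["asn"]
    return alerts


def push_bombing(events, threshold=10, window_minutes=5):
    """Signal 3: sliding window over push challenges per user; returns the peak
    count for every user who reached the threshold inside the window."""
    window = timedelta(minutes=window_minutes)
    recent, flagged = defaultdict(deque), {}
    for e in _parse(events):
        if e["type"] != "mfa.push.sent":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop challenges older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e["user"]] = max(flagged.get(e["user"], 0), len(q))
    return flagged


def ticket_hits(tickets):
    """Signal 2: ticket IDs whose text contains any of the reset-request phrases."""
    return [t["id"] for t in tickets
            if any(p in t["text"].lower() for p in TICKET_PHRASES)]


if __name__ == "__main__":
    for a in factor_change_then_suspicious_auth(EVENTS):
        print("factor change -> suspicious auth:", a)
    print("push bombing:", push_bombing(EVENTS))
    print("ticket hits:", ticket_hits(TICKETS))
```

The factor-change rule deliberately judges only the first successful sign-in after the reset: that is the session the attacker establishes with the freshly enrolled factor, and it keeps the rule from re-firing on every later login from the new device. Thresholds (60 minutes, 10 pushes in 5 minutes) are the ones given in the list above and belong in configuration, not code, when this is moved into a SIEM.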

Defensive Controls

The defense is procedural before it is technical. Most organizations are one help desk script away from the MGM outcome.

  1. Make help-desk identity verification multi-factor and out-of-band. Manager callback to a known number, not a number the caller provides.
  2. Require video verification for any MFA or password reset on accounts with admin entitlements.
  3. Move to phishing-resistant MFA (FIDO2, passkeys, Okta FastPass with device trust). Push and SMS are no longer adequate for privileged users.
  4. Restrict which IdP admin roles can reset factors. Audit those resets daily.
  5. Block consumer RMM tools (AnyDesk, ScreenConnect) at the EDR level unless explicitly allowlisted by asset.

Scattered Spider is uncomfortable to defend against precisely because the attack surface is human and the controls are organizational. The good news: every control above is cheaper than a $100M outage.
