M&S ransomware hack: Active Directory & Service Desk security lessons
M&S (Marks & Spencer) is a cornerstone of British retail with over 64,000 employees, so it was a shock for many to see the company laid low by a ransomware attack in April 2025. The retailer fell victim to a significant cyber-attack widely attributed to the hacking group known as Scattered Spider. Attackers reportedly infiltrated M&S's IT systems as early as February, and the ransomware they eventually deployed encrypted critical systems and disrupted operations across all 1,049 stores.
This led to a five-day suspension of online sales, averaging £3.8 million ($5.1 million) in daily losses, and caused a more than £500 million ($668 million) drop in the company’s stock market value. The hackers allegedly stole sensitive domain data, including user credentials, and used a “DragonForce” encryptor to lock systems and demand a ransom. While M&S’s physical stores remained operational, they faced ongoing issues such as non-functioning gift card services and restricted return options.
The breach highlights the growing impact of sophisticated ransomware attacks on major corporations – as well as the ongoing need for strong Active Directory security.
M&S breach: Attack summary
- Who was targeted: UK retail brand Marks and Spencer (M&S)
- Attack type: Ransomware
- Entry technique: Service desk social engineering leading to Active Directory credential theft
- Impact: Revenue loss, drop in market value, operational disruption
- Who was responsible: Scattered Spider/UNC3944 (suspected – no responsibility claimed)
How did the M&S ransomware attack happen?
Marks & Spencer's compromise is reported to have begun as early as February 2025. Recent reports indicate that the attackers (believed to be the Scattered Spider collective) started by calling M&S's IT service desk and impersonating internal support staff to have passwords reset and multi-factor authentication disabled. This phone-based social engineering bypassed perimeter defences entirely: no phishing links or exploited network vulnerabilities were needed.
With working credentials in hand, the threat actors reached a domain controller and exfiltrated its NTDS.dit file, the Active Directory database that stores the password hashes for every domain account. Those hashes could then be cracked offline, yielding clear-text credentials for a range of accounts.
Armed with these credentials, they quietly re-entered the network over the following weeks, using legitimate Windows logins and built-in admin tools to evade detection and move laterally from user workstations to servers and network infrastructure across M&S's corporate domain. Once sufficient privileges were obtained, the attackers prepared for full system encryption. On 24 April they deployed the DragonForce ransomware payload against M&S's VMware ESXi hosts, encrypting the virtual machines that supported e-commerce, payment processing and logistics applications. This knocked out contactless payments and online ordering, forcing M&S to take critical systems offline and suspend digital services entirely.
Interested in knowing how many weak passwords, breached credentials and stale accounts are lurking in your Active Directory? Find out with our free read-only auditing tool: Download Specops Password Auditor.
Who are Scattered Spider?
The group known as Scattered Spider has been linked to a range of disruptive incidents involving identity compromise and abuse of remote access, often through aggressive social engineering, and especially attacks against IT service desks that trick agents into resetting credentials and bypassing MFA. Reporting on the M&S incident points to the same playbook: impersonating staff to the service desk in order to obtain password and MFA resets.
They have shown a pattern of targeting the human and procedural layers of security rather than relying solely on technical exploits. The M&S breach, if the attribution holds, highlights the continuing risk posed by well-resourced threat actors who exploit gaps in identity and access controls rather than purely technological vulnerabilities. The group has also been linked to the 2023 attack on MGM Resorts.
Specops analysis: What can we learn from the M&S hack?
From the M&S incident, the first critical lesson is that Active Directory (AD) environments must be treated as crown jewels and defended accordingly. An attacker obtaining the NTDS.dit file is a serious breach in itself: NT hashes are unsalted MD4 digests of the UTF-16 password, so every hash in the file can be attacked in bulk with ordinary GPU cracking tools. If passwords are strong (long, not built on common base words, not already present in breach lists), cracking them remains expensive enough to buy defenders time; short or predictable passwords fall in minutes. Two caveats apply: cracking is not always necessary, because an NT hash can be replayed directly against NTLM ("pass-the-hash"), and any cracked password that is reused elsewhere opens further doors. There also needs to be a focus on detecting and containing lateral movement in the event of a breach.
Implementing the below measures will harden your Active Directory environment against both offline-hash cracking and the misuse of elevated credentials—two of the primary enablers of the M&S attack.
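To make the offline-cracking argument concrete, here is an added example in Python (not code from the original article or from any Specops tooling). It includes a pure-Python MD4 so it runs without OpenSSL's legacy provider, the NT hash derivation, and a small dictionary-plus-mangling-rules attack run against a constructed three-account dump. The account names, passwords, wordlist and rules are made up for the demonstration; a real attack would use a large wordlist and GPU tooling, which only widens the gap between the short passwords and the long passphrase.

```python
import struct

# Pure-Python MD4 (RFC 1320) so the example runs offline regardless of whether
# hashlib's OpenSSL build still exposes the legacy "md4" digest.
def md4(data: bytes) -> bytes:
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in NTDS.dit: MD4 over the UTF-16LE password. No salt,
    no iteration count, so one candidate hash can be compared against every
    account in a dump at once."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed mini wordlist and mangling rules standing in for a real dictionary
# attack (rockyou plus hashcat rule sets in practice).
WORDLIST = ["password", "welcome", "summer", "winter", "marks", "spencer", "retail"]
RULES = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w.capitalize() + "1",
    lambda w: w.capitalize() + "123",
    lambda w: w.capitalize() + "2025",
    lambda w: w.capitalize() + "2025!",
    lambda w: w.capitalize() + "!",
]


def crack_dump(dump: dict, wordlist=WORDLIST, rules=RULES) -> dict:
    """Offline dictionary attack over a user -> NT-hash mapping. Every candidate is
    hashed once and looked up against all accounts, which is why unsalted hashes
    are cheap to attack in bulk."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h.lower(), []).append(user)
    cracked = {}
    for word in wordlist:
        for rule in rules:
            candidate = rule(word)
            for user in by_hash.get(nt_hash(candidate), []):
                cracked[user] = candidate
    return cracked


# Constructed sample dump in the user:NT-hash shape a secretsdump-style tool
# produces. Hashes are derived here from known demo passwords; the account
# names and passwords are hypothetical.
SAMPLE_DUMP = {
    "jdoe": nt_hash("Welcome123"),                       # 10 chars, base word + digits
    "svc_backup": nt_hash("Summer2025!"),                # 11-char service account password
    "asmith": nt_hash("crimson-kettle-orbit-lantern"),   # 28-char random passphrase
}

if __name__ == "__main__":
    for user, pw in crack_dump(SAMPLE_DUMP).items():
        print(f"cracked {user}: {pw}")
    print("not cracked:", sorted(set(SAMPLE_DUMP) - set(crack_dump(SAMPLE_DUMP))))
```

The two short passwords fall to seven rules over a seven-word list; the passphrase survives because none of its words, let alone their combination, is in the list. Note that this only models cracking: the hash for `asmith` is still usable as-is against NTLM, which is why the lateral-movement controls below matter regardless of password strength.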
Best AD practices to follow
- Enforce modern, length-based password policies: Require a minimum 15-character password for user accounts and at least 30 characters for service accounts to resist brute-force and dictionary attacks. The best way for end users to do this is through easy-to-remember passphrases; service account and other passwords typed less frequently should be randomized using a password generator. Specops Password Policy blocks end users from creating weak passwords and makes it simple to enforce the password policy your organization needs. It also continuously scans your Active Directory against our database of over 4 billion compromised passwords, blocking off attack routes before they can be exploited. Get in touch for a demo or free trial.
- Encrypt and secure your AD database backups: Robust offline backups of AD are essential to ensure recovery without paying a ransom; store them off-network and test restores regularly. Treat every copy of NTDS.dit (system state backups, domain controller VM snapshots, IFM media) as sensitive as the domain controller itself: the hashes inside are encrypted with a key held in the SYSTEM registry hive, and an attacker who obtains both can extract every hash offline. If you use Windows LAPS, set ADPasswordEncryptionEnabled so that the local administrator passwords it stores in Active Directory are encrypted rather than readable by anyone who can read the attribute or a stolen copy of the database.
- Detect and contain lateral movement: Enable detailed AD auditing and feed it into your SIEM and EDR to spot abnormal actions, such as replication requests (event 4662 carrying the DS-Replication-Get-Changes rights) from anything other than a domain controller, or additions to privileged groups (events 4728, 4732 and 4756). Segmenting network zones and enforcing least-privilege firewall rules slow an intruder's progress, buying incident response teams time to isolate affected systems.
- Minimize and tightly control privileged accounts: Keep Domain Admins and other Tier 0 accounts to an absolute minimum and use them only from dedicated admin workstations. Add them to the "Protected Users" group, which blocks NTLM authentication, RC4 and DES Kerberos encryption and delegation for those accounts (test first, and do not add service or computer accounts, which it will break), and require multi-factor authentication for any interactive or remote logon.
- Monitor and audit AD password activity: Audit anomalous password-related events: failed reset attempts, resets of privileged accounts by help desk staff (event 4724), atypical replication requests, or bulk changes to service-account credentials. Correlate these with service-desk tickets and call logs to catch unusual reset requests (e.g. multiple high-privilege password resets, MFA removals, or calls from spoofed internal numbers).
- Multi-factor authentication (MFA): MFA on all administrative accounts should be non-negotiable (it cannot be applied to non-interactive service accounts, which is why the long random passwords above matter for them). Combined with Just-In-Time (JIT) privileged access, this shrinks the window in which a stolen or cracked password is useful and blunts credential stuffing. It does not stop hash replay ("pass-the-hash") against NTLM; the Protected Users group and restricting NTLM address that. Ensure that any password-reset or MFA-reset request through your service desk requires out-of-band verification or manager approval, closing the social-engineering route used here.
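The two monitoring items above (replication requests from non-DCs, and help desk reset anomalies) can be expressed as simple detection logic. The following Python is an added example, not code from the article or from Specops; it runs over a handful of constructed Security-log events shaped like Windows 4662 and 4724 records, with hypothetical account names. The GUIDs are the real extended-rights identifiers that appear in the Properties field of 4662 for replication; in production the Directory Service Access and User Account Management audit subcategories must be enabled and events shipped from every domain controller.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extended-rights GUIDs present in the Properties field of event 4662 when a
# principal requests directory replication (the DCSync technique).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Tier 0 accounts whose password resets must always be reviewed. Hypothetical names.
TIER0 = {"administrator", "da_jsmith", "svc_adsync"}


def detect_dcsync(events):
    """Return (time, subject, rights) for 4662 events that request replication
    rights from anything other than a machine account (names ending in '$').
    Domain controllers replicate to each other constantly; a user account doing
    so is the signature of a DCSync-style NTDS extraction."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4662 or ev["SubjectUserName"].endswith("$"):
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights:
            hits.append((ev["TimeCreated"], ev["SubjectUserName"], rights))
    return hits


def detect_suspicious_resets(events, window=timedelta(minutes=10), burst=3):
    """Flag 4724 events (password reset performed by another account) when the
    target is Tier 0, or when one subject resets `burst` or more accounts
    within `window`. Returns a list of alert tuples."""
    alerts = []
    per_subject = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4724:
            continue
        subj, tgt, t = ev["SubjectUserName"], ev["TargetUserName"], ev["TimeCreated"]
        if tgt.lower() in TIER0:
            alerts.append(("tier0_reset", subj, tgt, t))
        per_subject[subj].append((t, tgt))
    for subj, resets in per_subject.items():
        resets.sort()
        for i in range(len(resets)):
            in_window = [r for r in resets[i:] if r[0] - resets[i][0] <= window]
            if len(in_window) >= burst:
                alerts.append(("reset_burst", subj, tuple(r[1] for r in in_window), resets[i][0]))
                break
    return alerts


# Constructed sample events (fields mirror the Security log XML data names).
T0 = datetime(2025, 4, 20, 9, 0, 0)
SAMPLE_EVENTS = [
    # Routine DC-to-DC replication by a machine account: must not alert.
    {"EventID": 4662, "TimeCreated": T0, "SubjectUserName": "DC01$",
     "ObjectType": "domainDNS", "Properties": "%%7688 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    # Replication rights requested by a help desk user account: alert.
    {"EventID": 4662, "TimeCreated": T0 + timedelta(minutes=5), "SubjectUserName": "helpdesk02",
     "ObjectType": "domainDNS",
     "Properties": "%%7688 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    # Three resets by one agent inside six minutes, one of them on a Tier 0 account.
    {"EventID": 4724, "TimeCreated": T0 + timedelta(minutes=1),
     "SubjectUserName": "helpdesk02", "TargetUserName": "jdoe"},
    {"EventID": 4724, "TimeCreated": T0 + timedelta(minutes=3),
     "SubjectUserName": "helpdesk02", "TargetUserName": "da_jsmith"},
    {"EventID": 4724, "TimeCreated": T0 + timedelta(minutes=6),
     "SubjectUserName": "helpdesk02", "TargetUserName": "asmith"},
    # A single routine reset by another agent: no alert.
    {"EventID": 4724, "TimeCreated": T0 + timedelta(hours=2),
     "SubjectUserName": "helpdesk01", "TargetUserName": "bwong"},
]

if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_EVENTS):
        print("DCSYNC", hit)
    for alert in detect_suspicious_resets(SAMPLE_EVENTS):
        print("RESET ", alert)
```

The machine-account exclusion is the important design choice: without it the DCSync rule would fire on every replication cycle. Tune the burst threshold to your desk's normal volume, and treat a Tier 0 reset by a help desk account as a page-out regardless of volume.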
Secure your Service Desk against social engineering
Lock down service-desk permissions so that agents cannot reset credentials or MFA for admin or IT-privileged accounts without a secondary approval workflow, and verify every caller against something an attacker cannot supply over the phone: a callback to the number on record, an MFA prompt to the enrolled device, or manager confirmation, never employee details volunteered by the caller. To lock down your service desk against social-engineering threats like those used by Scattered Spider, try Specops Secure Service Desk for secure verification, granular reset controls, and full audit trails. Give your agents the support they need: try Secure Service Desk for free.
(Last updated on May 7, 2025)