Scattered Spider service desk attacks: How to defend your organization

​Scattered Spider is a disparate hacking collective that has surged to prominence by using sophisticated social engineering tactics. One of their key tactics is exploiting people – specifically, corporate service desks. They’ve recently hit the headlines by allegedly duping an IT help desk at Marks & Spencer into resetting a password that let them breach internal networks.

The group have also been linked to the recent Co-op and Harrods attacks, which led to stolen member data and crippled payment systems. This has led to the UK’s National Cybersecurity Centre (NCSC) warning organizations to be wary of phony IT helpdesk calls.

Any organization with a service could theoretically be targeted by these low-tech, high-impact tactics. We’ll unpack how Scattered Spider and similar groups use social engineering to manipulate help desks into giving them access to corporate networks, as well some tips on what you can do to protect your business.

Who are Scattered Spider?

It’s a good question – Scattered Spider (also known as UNC3944, Octo Tempest, and Muddled Libra) is a difficult group to pin down. Scattered Spider is the name that was given to a group of cybercriminals that between mid-2022 and mid-2024 carried out cyberattacks that had a huge impact and coverage in the press. They’ve recently been linked to ransomware operations, acting mainly as affiliates for “BlackCat” (now defunct), “RansomHub”, or “Qilin”.

It’s been discovered that the group is composed of young US and UK citizens who formed part of  a collective known as “The Comm.” The Comm is an underground community of English-speaking criminals which communicates and coordinates using social media such as Discord or Telegram, and has participated in criminal activity both in the cyber domain and in the physical world. 

Scattered Spider is not the only group that has been operating recently with a high impact that emerged from members of The Comm. “UNC5537” the group responsible for the Snowflake compromise has also been tied to this community. Therefore, it’s possible that new similar groups will keep arising as others are shut down (as threat researchers predicted would play out in 2025).

Five users associated with Scattered Spider (among them the alleged leader) were detained during the first half of 2024. The complete composition of the group was not determined, so it’s not possible to confirm that all the group’s members were detained. After the law enforcement operations broke last time, no further news regarding Scattered Spider came up until this latest spate of attacks. 

Were Scattered Spider responsible for recent attacks on UK retail brands?

Bleeping Computer sources report that the DragonForce ransomware-as-a-service (RaaS) group have claimed responsibility for the recent attacks against UK retail companies. They’re believed to be working with English-speaking threat actors that fit the tactics of Scattered Spider. What we know for certain is the attacks against M&S, Co-Op, and Harrods follow the modus operandi of hackers associated with Scattered Spider. However, the group haven’t come out and claimed responsibility.

Since the attacks, Tyler Buchanan (23 from the UK) has been labelled a ringleader of Scattered Spider in the media and is reportedly on the run. However, it’s hard to pin down the head of the snake when talking about a disparate online crime group.

Timeline of alleged Scattered Spider attacks

• September 11^th–12^th, 2023 – MGM Resorts International: Scattered Spider used phone-based social engineering to bypass multi-factor authentication, gain internal access, deploy ransomware via an ALPHV collaboration, and extort the casino operator. Full story on the MGM Resorts hack here.
• September 13^th, 2023 – Caesars Entertainment: The group accessed driver’s license numbers and potentially Social Security numbers, demanded $30 million in ransom (reportedly settling for $15 million), and claimed responsibility for the breach.
• April 22^nd, 2025 – Marks & Spencer: M&S disclosed a ransomware attack after hackers duped its IT help desk into resetting employee credentials. Scattered Spider allegedly deployed the rented DragonForce malware, forcing suspension of online clothing and home orders.
• May 1^st, 2025 – Harrods: The luxury department store confirmed attempted unauthorized access to its systems. This was one of three high-profile UK retail targets in two weeks, with Scattered Spider suspected of orchestrating the attack.
• May 2^nd, 2025 – Co-op Group: Co-op revealed that limited member data had been accessed after help-desk social engineering—suspected as part of the same campaign that hit M&S—and shut down affected systems to mitigate further damage.

Why do Scattered Spider attack service desks?

Scattered Spider and hackers with a similar modus operandi targets service desks because they’re a high-leverage, low-resistance entry point into corporate networks. Here’s why it works so well:

• Human vulnerability – Help desk staff are primarily trained to help, even if they’ve had some training with regards to social-engineering attacks. This can make them susceptible to impersonation attempts, especially when attackers sound fluent, urgent, and knowledgeable.
• Access to credentials & resets – Service desk agents usually have the ability to reset passwords, provision accounts, or disable multi-factor authentication. This gives attackers direct control over legitimate access routes.
• Bypass of technical defenses – Instead of breaking through firewalls or exploiting unpatched software, social engineering lets attackers walk through the front door using trust and manipulation.
• Speed and stealth – A well-crafted call or chat can yield access in minutes, often without triggering security alerts – especially if attackers mimic internal processes or spoof internal numbers.

In short, it’s the most efficient way for hackers like Scattered Spider to escalate privileges and blend in as an insider, making help desks a soft but critical target.

English-speaking cybercriminals: Why it matters for service desk attacks

Scattered Spider heavily rely on social engineering for gaining initial access or for gaining access to sensitive files that will allow them to continue with the compromise. An accent may seem like a trivial thing in a cyberattack, but it can be the key to lowering the guard of a service desk agent. A turn of phrase might be enough to gain some trust. A native Russian or Chinese speaker may arouse suspicion, especially if they’re not used to speaking English.

Their fluency in English is a critical enabler of their attacks. By speaking the same language (and often using local idioms and accents), they can convincingly impersonate IT staff or contractors in phone-based social-engineering ploys. This helps to avoid raising red flags when emailing or chatting with help desks, and they can tailor their phishing lures to UK cultural touchpoints. In short, perfect (or near-native) English makes their scams far more believable and effective against English-speaking retail support teams.

How does a typical Scattered Spider service desk attack play out?

1. Reconnaissance & setup

• Targets: Identify large companies with decentralized or outsourced IT support (e.g., retailers, casinos, airlines).
• Info gathering: Use LinkedIn, company org charts, or data leaks to learn employee names, roles, and ticketing systems (e.g., ServiceNow).
• Spoofing tools: Set up VoIP services to mimic internal phone numbers; sometimes use SIM-swapped phones or Slack/email spoofing.

2. Impersonation & social engineering

• Approach: Call or chat the service desk pretending to be a real employee or contractor needing urgent help.
• Common pretexts:
  • “I’m locked out of my account before a critical meeting.”
  • “My phone was lost—I need my MFA reset to access payroll/email.”
  • “We’re having an incident and I need admin credentials to help resolve it.”
• Tone & language:
  • Friendly, rushed, or slightly stressed to pressure the support agent.
  • Use internal slang or references (“Can you just go into Okta and push through a reset like you did last week for Mike in Ops?”).
  • Mention topical local events (even comment on the weather!) to build rapport and ease suspicion of the caller being a hacker.

3. Credential reset & MFA bypass

• Goal: Trick the help desk into:
  • Resetting the password on a real user’s account.
  • Removing or re-registering multi-factor authentication (MFA).
  • Creating a new account with privileged access.
• Tactics:
  • Spoof caller ID or use breached HR info to pass verification.
  • If blocked, call again as someone else—or escalate (“Can I speak to your manager?”).
  • Use SIM-swapped phones to intercept MFA codes or request they be sent to a new device.

4. Access & lateral movement

• Log in as the impersonated employee.
• Elevate privileges via group policy misconfigs, ticketing systems, or internal tools (e.g., Okta, Citrix, Azure AD).
• Deploy malware, exfiltrate data, or set up persistence (backdoors, rogue accounts).

5. Ransomware or data theft

• Depending on the target:
  • Deploy ransomware via an affiliate like DragonForce (e.g., in the M&S attack).
  • Exfiltrate sensitive data for extortion (as in the Caesars/MGM attacks).
  • Maintain stealth for further campaigns (especially if targeting multiple orgs in the same sector).

Ways to defend against service desk attacks

Here are some key ways organizations can protect themselves against service desk-based social engineering attacks like those used by Scattered Spider:

1. Require strict identity verification for all password resets, including out-of-band confirmation (e.g. a known second contact method).
2. Enforce MFA that cannot be easily reset or transferred without in-person verification or manager approval.
3. Train service desk staff to recognize social-engineering tactics, especially urgent or emotional requests and spoofed internal numbers.
4. Monitor for unusual service desk activity, such as repeated password resets or MFA removals for high-privilege accounts.
5. Limit help desk privileges so agents cannot reset access for admin or IT users without escalation.
6. Use role-based access control and log all credential changes, with alerts for high-risk users.
7. Conduct regular phishing and social engineering simulations focused specifically on phone and chat-based attacks.

Protect against social engineering with Specops Secure Service Desk

Specops Secure Service Desk can help mitigate social engineering attacks by adding identity verification steps to all password reset and account unlock requests. By requiring callers to verify their identity using MFA, directory attributes, or custom challenge questions, the product ensures that only legitimate users can access support – even if an attacker knows their name, role, or internal lingo. It also provides audit trails and granular control over who can reset what, reducing the chance of privilege misuse or impersonation.

Protect your front line—see how Specops Secure Service Desk can harden your help desk against attacks like Scattered Spider’s. Try for free today.