Overview

The Cybersecurity & Infrastructure Security Agency (CISA), America’s cyber defense agency, recently published an urgent cybersecurity advisory detailing tactics, techniques, and procedures (TTPs) uncovered through FBI investigations into attacks attributed to Scattered Spider and affiliated cybercriminal groups. These groups target large corporations and their IT help desks.

The advisory was jointly developed with international agencies including the USA (FBI & CISA), Canada (RCMP & CCCS), Australia (ASD, ACSC & AFP), and the United Kingdom (NCSC-UK), underscoring the global nature of this threat.

The top-level actions recommended for organizations are:

  1. Maintain offline backups of data, stored separately from source systems and tested regularly.
  2. Enable and enforce phishing-resistant multifactor authentication (MFA).
  3. Implement application controls to manage and control software execution.

While items 1 and 3 are standard cybersecurity best practices, ensuring that MFA is phishing-resistant requires a more deliberate approach.

How Scattered Spider defeats MFA

Scattered Spider cybercriminals use a variety of techniques to bypass MFA. Organizations must be prepared to defend against each vector. Common tactics include:

  • SIM swap attacks: Criminals take control of an employee’s phone number to receive one-time passcodes (OTPs) and other sensitive communications.
  • Impersonating IT help desk staff: Via phone or SMS, attackers use social engineering to convince employees to share credentials, run remote access tools, or disclose OTPs.
  • Impersonating employees: Attackers persuade IT help desk agents to reset passwords or transfer MFA access to a device under the attacker’s control.

After the initial compromise of credentials or MFA, Scattered Spider uses legitimate tools and malware to infiltrate the organization’s IT network and proceeds with data theft or encryption as part of its extortion strategy.

Stopping this initial stage is critical. Organizations must empower both employees and IT help desk agents to mutually authenticate each other before taking any action.

Stopping Scattered Spider Attacks with Trusona ATO Protect

Trusona’s ATO (Account Takeover) Protect suite offers two powerful tools designed to stop the first stage of a Scattered Spider attack. Together, they provide 360-degree protection for your organization’s front line.

  • Agent Verify – protects employees from fake IT help desk calls
  • ATO Protect – protects IT help desk agents from fraudulent employee MFA/password reset requests

Agent Verify

Agent Verify provides a simple and secure way for employees to verify that a caller claiming to be from the IT help desk is legitimate.

When receiving a call, the employee is trained to ask for the agent’s Verify Code, which is unique to both the agent and the call. The employee then enters the code on a dedicated internal company page, where the agent’s identity is confirmed.

Verify Codes are:

  • Single-use and time-limited
  • Impossible to spoof or intercept via man-in-the-middle attacks
  • Only shared by agents during outbound calls they initiate

If the agent is verified, the employee can proceed with confidence. If the agent cannot provide a verifiable code, the employee is instructed to end the call and report the incident.
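The Verify Code flow above can be modelled as a small issuance-and-check service. The following is an added illustration, not Trusona's code or API: it assumes a five-minute lifetime (`CODE_TTL_SECONDS`), an 8-hex-character code, and in-memory storage, and it enforces the three properties listed above (single use, time limit, binding to one agent and one outbound call) while telling the employee-facing page whether a code is unknown, expired or replayed.

```python
"""Added example of an agent Verify Code service (constructed illustration,
not Trusona's implementation). Codes are bound to one agent and one outbound
call, expire after a TTL, and can be redeemed exactly once."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CODE_TTL_SECONDS = 300  # assumption: a Verify Code is valid for five minutes


@dataclass
class VerifyCode:
    agent_id: str      # the help desk agent who placed the call
    call_id: str       # the specific outbound call (telephony/ticket id)
    issued_at: float   # epoch seconds when the code was generated
    used: bool = False


class VerifyCodeService:
    """Issues single-use, time-limited codes for agent-initiated calls."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 ttl: float = CODE_TTL_SECONDS):
        self._clock = clock
        self._ttl = ttl
        self._codes: Dict[str, VerifyCode] = {}

    def issue(self, agent_id: str, call_id: str) -> str:
        """Called from the agent console only when the agent places an
        outbound call; the employee never receives a code on an inbound call."""
        while True:
            code = secrets.token_hex(4).upper()  # 32 bits of entropy, 8 hex chars
            if code not in self._codes:          # avoid the rare collision
                break
        self._codes[code] = VerifyCode(agent_id, call_id, self._clock())
        return code

    def verify(self, code: str) -> Tuple[str, Optional[str]]:
        """Employee-side check on the internal page.
        Returns (status, agent_id); status is 'ok', 'unknown', 'expired'
        or 'already_used'. Anything other than 'ok' means hang up and report."""
        entry = self._codes.get(code.strip().upper())
        if entry is None:
            return "unknown", None
        if self._clock() - entry.issued_at > self._ttl:
            return "expired", None
        if entry.used:
            return "already_used", None   # a replayed code is itself a red flag
        entry.used = True                 # single use: burn it on first success
        return "ok", entry.agent_id


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    svc = VerifyCodeService(clock=clock)
    code = svc.issue("agent-42", "call-0007")   # constructed ids
    print("agent reads out:", code)
    print("employee checks:", svc.verify(code))      # ('ok', 'agent-42')
    print("replayed code:  ", svc.verify(code))      # ('already_used', None)
    clock.t += CODE_TTL_SECONDS + 1
    print("stale code:     ", svc.verify(svc.issue("agent-42", "call-0008")))
```

In a real deployment the code store would live server-side behind the internal verification page, and the page would also display the agent's name so the employee can match it against the caller; both are outside what this sketch shows.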

ATO Protect

For inbound calls to the IT help desk, agents generate a Trusonafy Link on the corporate domain, which is sent to the caller via SMS (using the number on file), corporate email, or a secure messaging platform.

When using SMS, the recipient’s phone number is checked with the carrier to confirm it hasn’t been recently SIM-swapped, closing a major attack vector.

The employee opens the link on their phone and is guided to scan a valid government-issued ID (e.g., driver’s license, passport, national ID card). During this process:

  • Network and device intelligence is collected, flagging suspicious behaviors such as switching devices mid-process
  • Geolocation data is captured and mapped
  • Document data is extracted and verified against trusted third-party sources (e.g., US DMV, LexisNexis international bureaus)
  • A carrier data match is performed to confirm the phone record
  • The employee may also share GPS location, which can be compared with IP and document address data to identify VPN usage or mismatches

All this intelligence is compiled into an actionable risk score and recommendation, empowering the agent to make an informed decision on how to proceed.
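To make the signal-to-recommendation step concrete, here is an added example (not Trusona's scoring logic) that folds the checks listed above into one assessment: a device-fingerprint change mid-process, IP versus document versus GPS country mismatches, the third-party document check, the carrier record match and the SIM-swap check. The weights, thresholds and the `VerificationSession` record are assumptions chosen for illustration; the session values in the demo are constructed.

```python
"""Added example: aggregating identity-verification signals into a risk score
and recommendation. Constructed illustration; weights and thresholds are
assumptions, not Trusona's model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VerificationSession:
    device_fingerprints: List[str]          # one per step, in order seen
    ip_country: str                         # from network intelligence
    document_country: str                   # from the scanned ID's address
    gps_country: Optional[str]              # None if the employee declined GPS
    document_verified: bool                 # third-party record check passed
    carrier_match: bool                     # phone record matches employee on file
    sim_swapped_recently: bool              # carrier reports a recent SIM change


# Assumed weights: a single strong signal (SIM swap, unverified document)
# should be enough to deny on its own; weaker signals add up to escalation.
WEIGHTS: Dict[str, int] = {
    "recent_sim_swap": 60,
    "document_unverified": 50,
    "carrier_mismatch": 40,
    "device_switch": 30,
    "gps_ip_mismatch": 25,        # typical of a VPN or relayed session
    "ip_document_mismatch": 20,
    "gps_document_mismatch": 15,
}
DENY_AT, ESCALATE_AT = 60, 25    # assumed thresholds on a 0-100 scale


def assess(session: VerificationSession) -> Dict[str, object]:
    """Return the triggered flags, a capped 0-100 score and a recommendation."""
    flags: List[str] = []
    if len(set(session.device_fingerprints)) > 1:
        flags.append("device_switch")          # link opened on one device, finished on another
    if session.ip_country != session.document_country:
        flags.append("ip_document_mismatch")
    if session.gps_country is not None:
        if session.gps_country != session.ip_country:
            flags.append("gps_ip_mismatch")
        if session.gps_country != session.document_country:
            flags.append("gps_document_mismatch")
    if not session.document_verified:
        flags.append("document_unverified")
    if not session.carrier_match:
        flags.append("carrier_mismatch")
    if session.sim_swapped_recently:
        flags.append("recent_sim_swap")

    score = min(100, sum(WEIGHTS[f] for f in flags))
    if score >= DENY_AT:
        recommendation = "deny"
    elif score >= ESCALATE_AT:
        recommendation = "escalate"     # hand to a supervisor / second channel
    else:
        recommendation = "approve"
    return {"flags": flags, "score": score, "recommendation": recommendation}


if __name__ == "__main__":
    # Constructed sessions: a clean reset request and a suspicious one.
    clean = VerificationSession(["fp-a", "fp-a"], "US", "US", "US", True, True, False)
    suspect = VerificationSession(["fp-a", "fp-b"], "NL", "US", None, True, True, True)
    for name, s in (("clean", clean), ("suspect", suspect)):
        print(name, assess(s))
```

The point of the structure is that the agent sees why a session scored as it did (the flag list), not only the number, and that strong signals such as a fresh SIM swap push the recommendation to "deny" regardless of how clean the rest of the session looks.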

Deployment options:

  • Standalone web portal for immediate use
  • API integration with ITSM platforms to automate link delivery and risk assessment workflows

Conclusion

Scattered Spider attacks begin with social engineering aimed at employees and IT help desk agents. It’s crucial to give both parties tools to verify each other’s identity before taking action, stopping the attack before it escalates.

Trusona’s Agent Verify and ATO Protect tools are proven to stop social engineering in its tracks. They are already used across multiple industries, including education, finance, and healthcare.


All of the steps above are included in ATO Protect with no additional costs.