This is not a profile of a hacking group in the traditional sense. Scattered Spider does not rely on zero-day exploits, custom malware, or advanced technical intrusion methods for initial access. Their primary weapon is the telephone. Their primary target is the help desk agent. Their primary technique is sounding like someone who belongs.

What follows is a tactical breakdown of how the group operates, drawn from the CISA joint advisory AA23-320A (updated July 2025), CrowdStrike Q2 2025 incident response observations, ReliaQuest domain infrastructure analysis, Mandiant threat intelligence, and public reporting on the M&S, MGM, Caesars, Co-op, and Harrods breaches. The group is also tracked under the designations UNC3944, Octo Tempest, Storm-0875, Muddled Libra, and Scatter Swine.

For each phase of their operation, we identify what would have disrupted it. One answer recurs.

Group Profile

Scattered Spider is a loosely organized collective, not a centralized criminal organization. Its members are predominantly young, native English speakers distributed across the US, UK, and other Western countries. The group is part of a broader cybercriminal community known as The Com, which encompasses a range of criminal activities beyond ransomware, including SIM swapping and social engineering for hire.

The group’s distinguishing characteristic is linguistic and cultural fluency. Unlike Eastern European ransomware operators who rely on phishing kits and malware delivery, Scattered Spider’s operatives can navigate Western corporate communication norms without detection. They understand ITSM ticketing workflows, corporate jargon, escalation paths, and the social dynamics of a help desk call. On the phone, they do not sound like outsiders. They sound like slightly stressed employees, which is exactly what help desk agents hear dozens of times a day.

Scattered Spider has operated as both a standalone threat actor and an affiliate or access broker for ransomware-as-a-service operations, including ALPHV/BlackCat and, more recently, DragonForce. Five members were detained during the first half of 2024. Four additional suspects were arrested in July 2025 in connection with the M&S and Co-op attacks. Neither wave of arrests has noticeably slowed the group’s operational tempo.

Recruitment on cybercriminal forums specifically targets individuals with minimal accents, corporate communication skills, and comfort with phone-based impersonation. ReliaQuest observed forum postings from Russian-aligned groups explicitly seeking English-speaking social engineers matching these criteria.

Phase 1: Target Selection

Scattered Spider selects targets based on a combination of payout potential, attack surface accessibility, and operational conditions. CrowdStrike’s Q2 2025 reporting documents a clear pattern of sector rotation: US and UK retail through April and May, US insurance companies in June, and US airlines by late June. Google’s Threat Intelligence Group (GTIG) confirmed the insurance pivot. Mandiant noted the group’s habit of focusing on one sector at a time while keeping core TTPs consistent.

Within each sector, the group prioritizes organizations with outsourced IT service desks. Third-party help desk providers are high-value targets because they offer one-to-many access: a single compromised vendor credential can open doors to multiple client organizations. The M&S breach began with a call to TCS, its outsourced IT service desk provider. Co-op was similarly targeted through its support infrastructure.

Organizations with large, publicly visible executive teams are preferred. The more information available about an organization’s leadership, reporting structure, and internal processes, the easier it is to construct a convincing impersonation pretext.

DISRUPTION INDICATOR: Organizations that verify caller identity through out-of-band, device-bound methods are structurally harder to target regardless of how much public information is available about their employees.

Phase 2: Reconnaissance and Profile Building

Before any call is placed, Scattered Spider operatives build a detailed impersonation profile using publicly available sources. The research phase is fast. Security researchers estimate that a skilled social engineer can assemble a usable impersonation profile from public sources in under 15 minutes.

Primary OSINT sources include LinkedIn (reporting structure, tenure, job titles, direct reports, recent activity), corporate websites (email address format, leadership bios, press releases), SEC filings and investor relations pages (executive names, board composition, organizational structure), conference and event materials (badge photos, speaker bios, recorded presentations), data broker aggregation sites (personal details, family members, address history), and social media accounts (travel patterns, current location, personal details that support pretexting).

The group also conducts targeted reconnaissance through out-of-office reply harvesting. By sending emails to employees across the target organization, they can identify individuals who are genuinely traveling or unavailable. These employees become ideal impersonation targets: the real person cannot be easily reached to verify an unexpected credential reset, and the “traveling executive” pretext writes itself.

Brightside AI research from 2025 found that over 95% of executive profiles on data broker sites contain information about family members and colleagues. This is not edge-case exposure. It is the baseline condition for any named executive at a public-facing organization.

DISRUPTION INDICATOR: None of this reconnaissance is detectable by the target organization. It happens entirely outside the network perimeter. The only defense that matters is ensuring the verification process does not rely on information the attacker can find during this phase.

Phase 3: Timing Selection

Scattered Spider consistently times social engineering calls to exploit predictable operational patterns.

Preferred windows include late Friday afternoons, when agent alertness declines and weekend staffing transitions begin. Holiday eves and long weekends are targeted because escalation paths are slower, coverage is thinner, and organizational attention is divided. End-of-shift periods are exploited because agents are focused on closing tickets. After-hours windows are targeted when reduced staffing means fewer agents, less peer oversight, and a higher psychological incentive to resolve requests quickly.

The M&S breach was activated over Easter weekend 2025. The MGM breach unfolded over a weekend in September 2023. The timing is not coincidental. It is a deliberate operational choice, repeated across incidents because it works.

CrowdStrike noted that Scattered Spider operatives also coordinate timing with known organizational events: board meetings, earnings calls, or conferences where executives are publicly known to be traveling. These events provide both pretexting material (explaining why the “executive” is calling from an unfamiliar number) and operational cover (real executives are less reachable for verification callbacks).

DISRUPTION INDICATOR: Device-bound identity verification does not degrade based on time of day, staffing levels, or agent fatigue. The verification standard is constant regardless of when the call is placed.

Phase 4: The Call

The social engineering call is the core of the operation. CrowdStrike’s 2025 reporting confirmed that Scattered Spider used help desk voice-based social engineering in almost all observed incidents during Q2 2025.

The caller impersonates a legitimate employee, typically targeting accounts with elevated privileges or accounts that provide a path to privilege escalation. The impersonation is constructed to sound routine: an employee locked out of their account, needing a password reset or MFA token reconfiguration. The pretext is plausible and specific, grounded in real organizational details gathered during the reconnaissance phase.

The caller answers verification questions correctly. CrowdStrike specifically noted that Scattered Spider operators “routinely accurately respond to help desk verification questions when impersonating legitimate employees.” The answers are not guesses. They are accurate, sourced from public information, and delivered with the cadence of someone who expects the questions and is mildly impatient about answering them.

The caller manages urgency carefully. They do not sound panicked or aggressive. They sound like a busy professional who needs something handled quickly. This is deliberate. Aggressive or desperate callers trigger skepticism. Calm, slightly rushed callers blend into the normal flow of help desk interactions.

If voice cloning is deployed, the caller sounds like the specific employee they are impersonating. The Pindrop 2025 report documented a 680% year-over-year increase in deepfake voice activity. Modern tools can generate a usable clone from a few seconds of publicly available audio. Scattered Spider has demonstrated awareness of this capability, and many of its impersonation targets have extensive public audio available through conference presentations, podcast appearances, and earnings calls.

DISRUPTION INDICATOR: The call is the attack surface. Out-of-band identity verification removes the decision from the call entirely. The agent does not need to determine whether the caller sounds right or knows the right answers. The system verifies identity through the employee’s device, independent of anything that happens on the phone.

Phase 5: MFA Bypass and Credential Access

Once the help desk grants a password reset, Scattered Spider moves immediately to neutralize MFA protections. CISA documents several methods the group employs.

The most common is direct MFA reset or removal through the help desk call itself. The attacker requests that MFA be reconfigured or temporarily disabled as part of the credential recovery process. If the help desk agent has the technical capability to do this, and many do, the request is granted alongside the password reset.

When direct MFA removal is not available, the group uses push bombing (also called MFA fatigue): flooding the target’s enrolled device with authentication prompts until the real user accepts one out of frustration or confusion. SIM swapping is employed to redirect SMS-based MFA codes to attacker-controlled devices. The group also deploys real-time phishing kits using frameworks like Evilginx, which intercept MFA tokens during the authentication process through adversary-in-the-middle positioning.

After gaining access, the group registers their own MFA tokens on the compromised account, establishing persistent access that survives password changes. CISA documented cases where Scattered Spider added a federated identity provider to the target’s SSO tenant with automatic account linking enabled, allowing the attackers to authenticate as any user by controlling the identity provider.
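The persistence steps just described (a new MFA method registered shortly after a help-desk reset, a federated identity provider added with automatic account linking) and the push-bombing pattern from the previous paragraph all leave traces in identity-provider audit logs. The following detection logic is an added example, not code from the advisory or any vendor: the event schema, rule thresholds, and the sample events are constructed assumptions, so field names would need mapping to a real tenant's log format.

```python
from datetime import datetime, timedelta

RESET_TO_ENROLL_WINDOW = timedelta(minutes=60)   # new MFA method soon after a help-desk reset
PUSH_WINDOW = timedelta(minutes=10)              # burst of prompts preceding an approval
PUSH_BURST = 5

# Constructed sample audit trail in a generic schema (an assumption, not any
# vendor's real log format). User and agent names are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-04-18T16:40:00", "actor": "helpdesk.agent07", "user": "jdoe", "action": "PasswordReset"},
    {"ts": "2025-04-18T16:52:30", "actor": "jdoe", "user": "jdoe", "action": "MfaMethodAdded"},
    {"ts": "2025-04-18T17:05:00", "actor": "admin.svc", "user": "-", "action": "FederatedIdpAdded", "auto_link": True},
    {"ts": "2025-04-18T18:00:00", "actor": "asmith", "user": "asmith", "action": "MfaPushDenied"},
    {"ts": "2025-04-18T18:00:40", "actor": "asmith", "user": "asmith", "action": "MfaPushDenied"},
    {"ts": "2025-04-18T18:01:15", "actor": "asmith", "user": "asmith", "action": "MfaPushTimeout"},
    {"ts": "2025-04-18T18:01:50", "actor": "asmith", "user": "asmith", "action": "MfaPushDenied"},
    {"ts": "2025-04-18T18:02:30", "actor": "asmith", "user": "asmith", "action": "MfaPushDenied"},
    {"ts": "2025-04-18T18:03:05", "actor": "asmith", "user": "asmith", "action": "MfaPushApproved"},
    # Benign: a user rotates their own MFA method with no preceding reset.
    {"ts": "2025-04-19T09:00:00", "actor": "bwong", "user": "bwong", "action": "MfaMethodAdded"},
]

def _t(event):
    return datetime.fromisoformat(event["ts"])

def detect(events):
    """Return (rule, subject) alerts for the three post-reset patterns."""
    events = sorted(events, key=_t)
    alerts = []
    for i, e in enumerate(events):
        # Rule 1: a reset performed by someone other than the user, followed
        # within the window by a new MFA method on that user's account.
        if e["action"] == "PasswordReset" and e["actor"] != e["user"]:
            for later in events[i + 1:]:
                if _t(later) - _t(e) > RESET_TO_ENROLL_WINDOW:
                    break
                if later["user"] == e["user"] and later["action"] == "MfaMethodAdded":
                    alerts.append(("mfa_enrolled_after_helpdesk_reset", e["user"]))
                    break
        # Rule 2: a federated identity provider added with automatic account linking.
        if e["action"] == "FederatedIdpAdded" and e.get("auto_link"):
            alerts.append(("federated_idp_auto_link_added", e["actor"]))
        # Rule 3: a burst of denied or timed-out pushes that ends in an approval.
        if e["action"] == "MfaPushApproved":
            burst = [p for p in events[:i]
                     if p["user"] == e["user"]
                     and p["action"] in ("MfaPushDenied", "MfaPushTimeout")
                     and _t(e) - _t(p) <= PUSH_WINDOW]
            if len(burst) >= PUSH_BURST:
                alerts.append(("push_bombing_then_approval", e["user"]))
    return alerts

if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {subject}")
```

The benign self-service rotation by bwong produces no alert, which is the point of keying rule 1 on a reset performed by a different actor rather than on MFA enrollment alone.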

DISRUPTION INDICATOR: Device-bound identity verification using government-issued ID, with SIM swap detection and anti-replay protections, prevents the attacker from completing the identity challenge even if they have obtained the password. The verification requires the physical device in the legitimate employee’s possession.

Phase 6: Post-Access Operations

Scattered Spider operates with significant speed post-compromise. ExtraHop research emphasized that once initial access is gained, the group can move laterally, escalate privileges, exfiltrate data, and deploy ransomware within hours.

The group deploys legitimate remote monitoring and management (RMM) tools, including TeamViewer and AnyDesk, to maintain persistent access. Because these are legitimate IT tools, they are less likely to trigger endpoint detection alerts than traditional malware.

Active Directory is a primary target. In the M&S breach, the attackers exfiltrated the NTDS.dit file, containing password hashes for every domain user. Offline cracking of these hashes yielded cleartext credentials for a range of accounts, enabling broad lateral movement that appeared, to the network, as normal authenticated activity.

The group targets VMware vCenter and ESXi infrastructure for ransomware deployment, encrypting virtualized server environments that host critical business applications. Data exfiltration precedes encryption, establishing the double-extortion position: pay to decrypt, and pay again to prevent data release.

Ransomware deployment has been executed through both ALPHV/BlackCat and DragonForce variants, with Scattered Spider acting as an affiliate or access broker within the ransomware-as-a-service ecosystem.

CrowdStrike’s 2025 reporting also documented the group’s pivot from compromised Entra ID, SSO, and VDI accounts into integrated SaaS applications. Once inside the identity layer, they move laterally through cloud resources without needing to touch on-premises infrastructure. This makes traditional network-based detection less effective. The attackers are authenticating through legitimate identity providers, using valid credentials, and accessing resources that the compromised accounts are authorized to reach.

Operational Cadence and Arrest Resilience

Scattered Spider rotates sectors with a disciplined operational cadence. CrowdStrike and Mandiant both noted that the group tends to focus on a single industry vertical at a time, saturating it with attacks before pivoting to the next. The documented rotation through 2025: UK retail (April-May), US insurance (June), US aviation and airlines (late June onward). Each pivot applies the same core methodology to a new target set.

The group’s decentralized structure makes it resistant to disruption through arrests. Five members were detained in 2024. Four more were arrested in July 2025. Neither event produced a measurable reduction in operational activity. Splunk’s analysis characterized the group as having “a startup mentality”: loosely coordinated, fast-moving, and capable of replacing detained members through recruitment on cybercriminal forums.

Russian-aligned threat groups have also begun partnering with English-speaking social engineers who match Scattered Spider’s profile. ReliaQuest observed explicit forum postings seeking recruits with “minimal accent” and comfort with phone-based impersonation. The implication is that even if Scattered Spider as a named entity were dismantled, the TTP playbook would persist. The methodology is documented, the tools are available, and the attack surface (help desks using knowledge-based verification) remains open.

This is not a group problem. It is a method problem. The method works because the verification architecture it targets has not changed.

Phase 7: Third-Party and Supply Chain Targeting

A distinguishing feature of Scattered Spider’s recent operations is the deliberate targeting of managed service providers (MSPs), IT contractors, and outsourced help desk providers. ReliaQuest’s June 2025 analysis emphasized that this targeting exploits the one-to-many access model: compromising a single IT vendor can provide access to that vendor’s entire client base.

The M&S attack entered through TCS, M&S’s outsourced IT service desk provider. The help desk agent who processed the reset was a TCS employee, not an M&S employee. This creates a specific verification challenge: the agent is verifying the identity of someone at a client organization, working from a protocol provided by that client, potentially with less organizational context than an in-house agent would have.

M&S terminated its TCS service desk contract in July 2025 after a decade-long partnership. The trend toward outsourced IT support functions means that the verification challenge Scattered Spider exploits is present across thousands of organizations that rely on third-party help desks.

DISRUPTION INDICATOR: Out-of-band identity verification is provider-agnostic. Whether the help desk is internal, outsourced, or offshore, the verification challenge is sent to the employee’s enrolled device. The agent’s organizational proximity to the caller is irrelevant because the system, not the agent, makes the identity determination.

Defensive Summary: What Stops Each Phase

Mapped against Scattered Spider’s operational phases, the defensive picture resolves into a clear pattern.

Target selection cannot be prevented. Organizations cannot control whether they appear on a threat actor’s target list. But they can control whether the attack surface the group exploits (the help desk verification process) is resistant to social engineering.

Reconnaissance cannot be prevented. The OSINT sources Scattered Spider uses are publicly available and indexed. Organizations can reduce unnecessary exposure (removing employee IDs from press materials, restricting LinkedIn detail), but they cannot eliminate the volume of public information that makes knowledge-based authentication (KBA) vulnerable.

Timing selection cannot be prevented. Attackers will always call during the windows where human verification is weakest.

The call itself is where intervention is possible, and it is where the current model fails. Knowledge-based verification asks questions with publicly available answers. The caller answers them. The protocol is satisfied. The agent has no reliable basis for distinguishing a legitimate caller from a prepared impersonator.

MFA bypass exploits the fact that initial access was granted through the compromised help desk interaction. If that interaction had required device-bound identity verification, the attacker would never have obtained the credential needed to trigger MFA bypass techniques.

Post-access operations, lateral movement, ransomware deployment, and data exfiltration are all downstream consequences of initial access. They are real threats that require their own defensive controls (network segmentation, privileged access management, endpoint detection). But they all begin with the help desk call.

The pattern across all phases points to one architectural intervention: moving identity verification out of the phone call and onto the employee’s physical device. Identity Impersonation Detection, implemented through government-issued ID verification with SIM swap detection and anti-replay protections, addresses the vulnerability that Scattered Spider exploits in every documented incident. The agent is removed from the identity decision. The attacker’s preparation, timing, linguistic fluency, and OSINT research become irrelevant. The verification depends on something the attacker does not have: the right device, in the right person’s hand, at the moment of the request.
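The Phase 4 and Phase 5 disruption indicators and the summary above describe the same mechanism: the agent opens a ticket, a challenge goes to the employee's enrolled device, and the response is accepted only if it comes from that device, is fresh, has not been seen before, and the SIM has not changed. The sketch below is an added example of that exchange and is not any vendor's product code. Two simplifications are assumptions: a per-device HMAC secret stands in for a key held in the phone's secure hardware, and comparing an enrolled SIM identifier at verification time stands in for carrier-side SIM swap detection; employee, ticket and SIM values are constructed.

```python
import hmac, hashlib, secrets
from datetime import datetime, timedelta, timezone

CHALLENGE_TTL = timedelta(minutes=5)

def _tag(key, nonce, employee, ticket):
    # The response is bound to this challenge, this employee and this ticket.
    return hmac.new(key, f"{nonce}|{employee}|{ticket}".encode(), hashlib.sha256).hexdigest()

class VerificationService:
    def __init__(self):
        self.devices = {}     # employee -> {"key": device secret, "sim": enrolled SIM id}
        self.challenges = {}  # nonce -> challenge state

    def enroll(self, employee, device_key, sim_id):
        self.devices[employee] = {"key": device_key, "sim": sim_id}

    def start(self, employee, ticket, now):
        # Agent opens a ticket; the challenge is pushed to the enrolled device, never read to the caller.
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = {"employee": employee, "ticket": ticket, "expires": now + CHALLENGE_TTL, "used": False}
        return nonce

    def verify(self, nonce, employee, ticket, sim_id, tag, now):
        ch = self.challenges.get(nonce)
        if ch is None or ch["employee"] != employee or ch["ticket"] != ticket:
            return "rejected: unknown challenge"
        if ch["used"]:
            return "rejected: replay"            # a captured response cannot be reused
        if now > ch["expires"]:
            return "rejected: expired"
        dev = self.devices[employee]
        if sim_id != dev["sim"]:
            return "rejected: sim changed"        # stand-in for carrier SIM swap detection
        if not hmac.compare_digest(_tag(dev["key"], nonce, employee, ticket), tag):
            return "rejected: bad signature"      # caller has no device key
        ch["used"] = True
        return "approved"

def device_respond(device_key, nonce, employee, ticket):
    # What the legitimate phone does: sign the challenge with its own key.
    return _tag(device_key, nonce, employee, ticket)

def demo():
    svc = VerificationService()
    key = secrets.token_bytes(32)                  # would live in the phone's secure hardware
    svc.enroll("jdoe", key, "sim-enrolled")
    t0 = datetime(2025, 4, 18, 16, 40, tzinfo=timezone.utc)
    out = {}
    n1 = svc.start("jdoe", "INC1001", t0)
    good = device_respond(key, n1, "jdoe", "INC1001")
    out["attacker_no_device"] = svc.verify(n1, "jdoe", "INC1001", "sim-enrolled", "0" * 64, t0)
    out["legit"] = svc.verify(n1, "jdoe", "INC1001", "sim-enrolled", good, t0)
    out["replay"] = svc.verify(n1, "jdoe", "INC1001", "sim-enrolled", good, t0)
    n2 = svc.start("jdoe", "INC1002", t0)
    out["expired"] = svc.verify(n2, "jdoe", "INC1002", "sim-enrolled", device_respond(key, n2, "jdoe", "INC1002"), t0 + timedelta(minutes=6))
    n3 = svc.start("jdoe", "INC1003", t0)
    out["sim_swapped"] = svc.verify(n3, "jdoe", "INC1003", "sim-new", device_respond(key, n3, "jdoe", "INC1003"), t0)
    return out
```

Nothing the caller says on the phone enters verify(); a caller holding the password and every KBA answer still fails the signature check, and a response captured from the real device is rejected on its second use.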

Scattered Spider has attacked across retail, hospitality, insurance, aviation, and technology. They have targeted both in-house and outsourced help desks. They have operated in the US, the UK, and across multiple other Western markets. The one constant across every incident is the verification method they exploit.

They will keep calling. The question is whether the verification system that answers will still be asking questions with public answers.

Sources

CISA/FBI/RCMP/ASD Joint Advisory AA23-320A: Scattered Spider (updated July 29, 2025)
CrowdStrike: SCATTERED SPIDER Escalates Attacks Across Industries, Q2 2025
ReliaQuest: Scattered Spider Cyber Attacks Using Phishing and Social Engineering 2025
Google Threat Intelligence Group / Mandiant: Scattered Spider Sector Targeting Analysis
Pindrop 2025 Voice Intelligence & Security Report
Brightside AI Executive Digital Footprint Research (2025)
ExtraHop: Scattered Spider’s Relentless Campaign (2026)
BleepingComputer M&S / Co-op / Harrods Breach Reporting
UK National Crime Agency Statements (May-July 2025)
Halcyon Scattered Spider Targeting Analysis