Microsoft releases report highlighting evolving tactics of Scattered Spider.

Microsoft has released new intelligence highlighting the rapidly evolving tactics of Scattered Spider, the cybercriminal group also known as Octo Tempest, UNC3944, and 0ktapus. Active since at least 2022, the group has intensified its operations, recently expanding its targeting and introducing new tactics to breach cloud environments.

Evolving Attack Methodology

Recent findings reveal a marked shift in Scattered Spider’s approach. Historically, the group compromised cloud identities as a way to reach on-premises systems; it now increasingly targets both cloud and on-premises infrastructure from the outset. Between April and July 2025, organizations in the airline, retail, hospitality, food service, and insurance sectors were particularly impacted.

Central to Scattered Spider’s success is its effective use of social engineering. Attackers routinely impersonate employees, contacting help desks by phone, email, or SMS to manipulate staff into resetting credentials. These methods are often augmented with sophisticated SMS phishing (smishing) campaigns. The group leverages “adversary-in-the-middle” (AiTM) domains that convincingly mimic legitimate portals to harvest credentials and bypass multi-factor authentication (MFA) protections. In addition, they frequently rotate phishing domains to evade detection and bypass enterprise security controls.

Advanced Cloud Infiltration Techniques

Once inside, Scattered Spider deploys a range of open-source and legitimate administrative tools—including ngrok, Chisel, and AADInternals—to establish long-term cloud access, conduct reconnaissance, and move laterally within victim environments. The group also exploits misconfigured cloud permissions and abuses identity and access management (IAM) tokens, sometimes leveraging federated identity providers to maintain persistence even after the initial credentials are revoked.

Ransomware and Data Extortion

A significant development in their repertoire is the deployment of ransomware, notably DragonForce, with an emphasis on targeting virtualized environments such as VMware ESX hypervisors. This is typically paired with large-scale data exfiltration as part of double-extortion tactics, pressuring victims to meet ransom demands.

Microsoft’s Recommendations and Evolving Defenses

In response, Microsoft is rapidly updating its Defender and Sentinel security products to better detect and disrupt Scattered Spider’s evolving playbook. Microsoft recommends that organizations:

  • Harden access and identity management policies
  • Monitor for unusual or suspicious administrative activity
  • Restrict and closely manage cloud privileges
