Scattered Spider Hacks IT Desks, Bypasses MFA Systems
A cybercriminal group known as SCATTERED SPIDER is intensifying attacks on IT support teams to bypass multi-factor authentication (MFA), according to researchers at SOSIntelligence. Active since at least 2022, the group employs native English speakers to impersonate employees and exploit help desk personnel through voice phishing and MFA reset requests.
SCATTERED SPIDER operates primarily as an Initial Access Broker, partnering with the DragonForce ransomware-as-a-service outfit, and is linked to the 2023 MGM Resorts breach. Its tactics include SIM-swapping and MFA fatigue attacks, which allow rapid lateral movement using legitimate tools like PowerShell and PsExec.
The group’s focus on identity infrastructure such as Okta, Active Directory, and Azure AD enables deep system compromise. Targets span critical sectors in the U.S. and U.K., including hospitality, telecom, finance, and retail. Analysts say the group’s operations highlight a growing shift toward professionalized cybercrime, where human deception is used to circumvent technical defenses.
