Scattered Spider Called Your Help Desk. Your Employee Let Them In.
The most dangerous hacking group in America doesn't write exploits. They pick up the phone and ask for access. And your team is giving it to them.
#They didn't hack MGM. They called the help desk.
In 2023, a group of hackers took down MGM Resorts International. Slot machines went dark. Hotel room keys stopped working. Guests couldn't check in. The company lost over $100 million.
The attack didn't start with a zero-day exploit. It didn't start with malware. It started with a phone call.
A member of Scattered Spider called MGM's IT help desk, impersonated an employee whose details they had found online, and talked the agent into resetting that employee's credentials. That was the way in. One conversation. One reset. $100 million in damage.
Caesars Entertainment got hit too. They paid a $15 million ransom to make it stop.
These attackers didn't break through a firewall. They asked a human being to hold the door open.
#Who is Scattered Spider?
Scattered Spider — also tracked as UNC3944, Octo Tempest, and Muddled Libra — is a financially motivated cybercriminal collective. They've been active since roughly 2022 and they are not what most people picture when they hear "hacker."
They're young. Many are based in the US, UK, and Canada. They speak fluent English. They sound like your coworker. They sound like your IT vendor's support tech. They sound like someone who belongs on the line.
That's the whole point.
Scattered Spider specializes in social engineering against corporate identity infrastructure. In plain English: they manipulate people who control access to your systems. Help desk agents. IT admins. Anyone who can reset a password or re-enroll an MFA device.
They've partnered with ransomware-as-a-service operations like ALPHV/BlackCat and, after law enforcement disrupted that group, moved to RansomHub and DragonForce. In 2025, they expanded into UK retail, insurance, and aviation. The FBI has issued formal warnings about their activity. Multiple members have been criminally charged.
This is not a hypothetical group. They are active right now.
#Their playbook is built on your trust.
Here's what Scattered Spider actually does, step by step:
Help desk vishing. They call your IT support line pretending to be an employee. They know the employee's name, department, maybe their manager's name, all pulled from LinkedIn, company websites, or previous data breaches. They tell the agent they're locked out and need a password reset or an MFA re-enrollment, and the re-enrollment is the prize: it puts their own authenticator on the account. If your help desk verifies identity with security questions or caller ID, that's not enough. They already have the answers, and caller ID is trivially spoofed.
SIM swapping. They convince your mobile carrier to move an employee's phone number to a SIM card they control. Now they receive every SMS-based MFA code and password-reset text sent to that number. Your two-factor authentication just became their two-factor authentication.
MFA fatigue / push bombing. They trigger MFA push notifications to an employee's phone repeatedly, 20, 30, 40 times, until the employee approves one just to make it stop. Sometimes they pair the prompts with a call from "IT" telling the employee to approve. It works more often than you want to believe.
Adversary-in-the-middle phishing. They send a phishing email linking to a page that looks exactly like your Okta or Microsoft 365 login and sits as a reverse proxy between the employee and the real one. The employee enters their credentials and completes the MFA challenge. The kit relays both to the real site, captures the authenticated session cookie in real time, and uses it to log in as that employee. Any MFA that isn't bound to the site's origin (SMS codes, authenticator app codes, push approvals) is bypassed this way. I wrote about this exact technique in 5 Social Engineering Attacks Hitting Chicago Businesses Right Now.
Living off the land. Once inside, they don't install obvious malware. They use tools your organization already has — legitimate remote management software, cloud CLIs, admin consoles. This makes them invisible to most endpoint detection tools because the tools they're using are the same ones your IT team uses every day.
The end result: they get access to your identity provider — Okta, Microsoft Entra ID, Google Workspace — and from there, they own everything connected to it. Email. File storage. Financial systems. Customer data. Everything.
#"We're not MGM. Why would they target us?"
Because you're easier.
MGM had a security team. They had monitoring. They had incident response plans. And Scattered Spider still got in with a phone call.
Your 30-person company? Your outsourced IT provider? Your help desk that verifies identity by asking "what's your employee ID?"
You're a softer target with less detection capability. The techniques Scattered Spider uses against Fortune 500 companies work even better against small and mid-sized businesses because there are fewer controls in the way.
And it's not just Scattered Spider. Their tactics are documented, published, and copied by every criminal group paying attention. The CISA advisory on Scattered Spider is public. Any attacker can read the playbook and run it against your business tomorrow.
As I wrote in Your Team Is the Target. Not Your Firewall. — the attack surface isn't your network perimeter. It's your people. Every employee who can answer a phone, open an email, or approve an MFA prompt is a potential entry point.
#What to do about it.
This is not a technology problem. It's an operational problem. Here's how you fix it:
1. Harden your help desk verification process.
Stop verifying callers by security questions, employee IDs, or caller ID. All of that is available to an attacker or can be spoofed. Instead, hang up and call the employee back at the number already on file in HR, never one the caller supplies. Or require the employee's manager to confirm through a channel your team initiates, not a number or email address the caller provides. Or use a verification code established in person. Treat an MFA re-enrollment exactly like a password reset: it grants the same access. Log every reset, and for admin accounts require in-person or live video verification. Make it policy. Write it down. Enforce it every time, no exceptions.
2. Deploy phishing-resistant MFA.
SMS codes are defeated by SIM swapping. Push notifications are defeated by fatigue attacks. Authenticator app codes are defeated by adversary-in-the-middle kits that relay them in real time. What resists all three is phishing-resistant MFA built on FIDO2/WebAuthn, in practice hardware security keys like YubiKeys: the key holds a credential bound to your login domain and signs a challenge that includes the domain the browser is actually on. If the domain is fake, the signature doesn't check out and the key won't authenticate there. Two caveats. First, the weaker methods have to be removed from the account, not merely supplemented; if SMS is still an allowed fallback, the phishing kit simply asks for SMS. Second, a security key protects the login, not the help desk: if an agent will enroll a new key for anyone who calls, step 1 is still what stands between you and the attacker. Start with your admins and finance team, then roll it out to everyone.
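To make "the key won't authenticate on a fake domain" concrete, here is the check a relying party (your IdP) performs on a WebAuthn assertion, as an added example written for this post in Go with the standard library's P-256 ECDSA. It is not code from the article or from any vendor. The RP ID "example.com", the origins "https://login.example.com" and "https://login-example.com", and the challenge are made-up values, and the browser's public-suffix rule is simplified to a parent-domain check. It runs three ceremonies: a real login, one relayed through a lookalike domain the way an AitM kit would, and one where the kit rewrites the origin field afterwards.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// clientData holds the WebAuthn clientDataJSON fields that matter here. The BROWSER
// fills in Origin from the page that called navigator.credentials.get(); a phishing
// page cannot choose it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party (RP) receives back from the browser.
type assertion struct {
	AuthData       []byte // rpIdHash (32 bytes) || flags (1) || signCount (4)
	ClientDataJSON []byte
	Sig            []byte // ES256 signature over authData || SHA-256(clientDataJSON)
}

// browserPermitsRPID models the browser rule (simplified, no public-suffix list): a page
// may only use an RP ID that is its own host or a parent domain of it.
func browserPermitsRPID(origin, rpID string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return false
	}
	return u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID)
}

// signedMessage is the ES256 signing input: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	h := sha256.New()
	h.Write(authData)
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// sign models the security key: it hashes the RP ID the browser handed it into
// authData and signs authData plus the browser-built clientDataJSON.
func sign(key *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; sign count 1
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Sig: sig}, nil
}

// verify is the RP side. Every field a kit would need to lie about is either set by
// the browser or covered by the signature, so a relayed assertion cannot pass.
func verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("wrong ceremony type or challenge (replay / wrong session)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was signed from %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return fmt.Errorf("rpIdHash mismatch: key answered for a different RP")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Sig) {
		return fmt.Errorf("bad signature: clientDataJSON or authData was altered")
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the credential enrolled on the key
	const rpID, realOrigin, phish, challenge = "example.com", "https://login.example.com", "https://login-example.com", "c0ffee"
	a, _ := sign(key, rpID, realOrigin, challenge) // 1. real page, real key
	fmt.Println("real login:", verify(&key.PublicKey, rpID, realOrigin, challenge, a))
	// 2. AitM kit on a lookalike domain relays the IdP's real challenge. The browser refuses
	// the RP ID for that page, and even if it did not, Origin gives the relay away.
	fmt.Println("browser permits rpId on phish page:", browserPermitsRPID(phish, rpID))
	b, _ := sign(key, rpID, phish, challenge)
	fmt.Println("relayed login:", verify(&key.PublicKey, rpID, realOrigin, challenge, b))
	// 3. Kit rewrites Origin to the real one afterwards: the signature no longer matches.
	b.ClientDataJSON = bytes.Replace(b.ClientDataJSON, []byte(phish), []byte(realOrigin), 1)
	fmt.Println("tampered login:", verify(&key.PublicKey, rpID, realOrigin, challenge, b))
}
```

Run it with `go run main.go`: the first ceremony verifies and the other two return errors. The contrast with a TOTP code is the point: a six-digit code carries nothing that says which site it was typed into, so a proxy can forward it; a FIDO2 signature covers the origin and the RP ID, so forwarding it changes nothing and forging it requires the private key that never leaves the device.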
3. Lock down your identity provider.
Audit who has admin roles in your Okta, Entra ID, or Google Workspace. Remove unnecessary privileges and keep a break-glass account that nobody uses day to day. Set up alerts for anomalous logins (new device, new location, impossible travel) and for the artifact a successful help desk call leaves behind: a password reset followed by a new MFA method registered on the account. Restrict OAuth grants so third-party apps can't silently access your data; require admin consent for new apps. Monitor for bulk permission changes. Your identity provider is the single most important system in your environment. Treat it like it.
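The impossible-travel alert mentioned above, as an added Go example rather than anything from the article or from an IdP's built-in analytics. The record fields and all eight sign-in events are constructed (Chicago, London and Tokyo coordinates, documentation IP ranges); the 900 km/h and 200 km thresholds are assumptions you would tune. It groups successful sign-ins per user, computes the great-circle distance between consecutive ones, and flags any pair whose implied speed exceeds the threshold, while skipping pairs too close together to mean anything.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// signIn is the slice of an IdP sign-in record this check needs. Field names are
// ours, not any vendor's export format; Lat/Lon come from the IdP's GeoIP lookup.
type signIn struct {
	User     string
	At       time.Time
	IP       string
	Lat, Lon float64
	Success  bool
}

type travelAlert struct {
	User, From, To  string
	DistanceKM      float64
	Gap             time.Duration
	ImpliedSpeedKmH float64
}

// haversineKM is the great-circle distance between two coordinates in kilometres.
func haversineKM(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKM = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Pow(math.Sin(dLat/2), 2) + math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Pow(math.Sin(dLon/2), 2)
	return 2 * earthRadiusKM * math.Asin(math.Sqrt(a))
}

// impossibleTravel flags consecutive successful sign-ins by one user whose implied
// speed exceeds maxKmH. Pairs closer than minKM are skipped: GeoIP routinely puts the
// same office a couple of hundred km apart from one day to the next, and that noise
// must not page anyone. Two far-apart logins at the same instant count as infinite
// speed and are flagged.
func impossibleTravel(events []signIn, maxKmH, minKM float64) []travelAlert {
	byUser := map[string][]signIn{}
	for _, e := range events {
		if e.Success { // a failed attempt from abroad is password guessing, not travel
			byUser[e.User] = append(byUser[e.User], e)
		}
	}
	var alerts []travelAlert
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		for i := 1; i < len(evs); i++ {
			prev, cur := evs[i-1], evs[i]
			dist := haversineKM(prev.Lat, prev.Lon, cur.Lat, cur.Lon)
			if dist < minKM {
				continue
			}
			gap := cur.At.Sub(prev.At)
			speed := math.Inf(1)
			if gap > 0 {
				speed = dist / gap.Hours()
			}
			if speed > maxKmH {
				alerts = append(alerts, travelAlert{user, prev.IP, cur.IP, dist, gap, speed})
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

// sampleEvents is constructed data: a normal commuter, an account reset by the help
// desk and then used from another continent 20 minutes later, a failed foreign
// attempt, and a genuine transatlantic flight.
func sampleEvents() []signIn {
	ts := func(s string) time.Time { v, _ := time.Parse(time.RFC3339, s); return v }
	return []signIn{
		{"alice", ts("2025-03-03T08:02:00Z"), "198.51.100.7", 41.88, -87.63, true}, // Chicago office
		{"alice", ts("2025-03-03T18:30:00Z"), "203.0.113.9", 41.79, -88.01, true},  // home, ~35 km away
		{"bob", ts("2025-03-03T09:10:00Z"), "198.51.100.8", 41.88, -87.63, true},   // Chicago
		{"bob", ts("2025-03-03T09:30:00Z"), "192.0.2.44", 51.51, -0.13, true},      // London, 20 min later
		{"carol", ts("2025-03-03T10:00:00Z"), "198.51.100.9", 41.88, -87.63, true},
		{"carol", ts("2025-03-03T10:05:00Z"), "192.0.2.45", 35.68, 139.69, false}, // Tokyo, failed: ignored
		{"dave", ts("2025-03-03T12:00:00Z"), "198.51.100.10", 41.88, -87.63, true}, // Chicago
		{"dave", ts("2025-03-03T20:30:00Z"), "192.0.2.46", 51.51, -0.13, true},     // London after an 8.5 h flight
	}
}

func main() {
	for _, a := range impossibleTravel(sampleEvents(), 900, 200) {
		fmt.Printf("ALERT %s: %s -> %s, %.0f km in %s (%.0f km/h)\n",
			a.User, a.From, a.To, a.DistanceKM, a.Gap.Round(time.Minute), a.ImpliedSpeedKmH)
	}
}
```

Only bob's pair fires: roughly 6,350 km in 20 minutes. Dave's flight covers the same distance at under 800 km/h and stays quiet, which is why the threshold sits above airliner speed rather than at "different country". In practice you feed this from the IdP's sign-in log export and correlate the alert with the help desk ticket that preceded it.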
4. Train your people on vishing specifically.
Most security awareness training covers phishing emails. Almost none of it covers phone-based social engineering. Your help desk agents, your receptionists, your office managers — they need to practice saying "I need to verify this and call you back" in realistic scenarios until it's automatic. We run these exact scenarios in our training because this is how the actual attacks work.
5. Monitor for remote management tool abuse.
If nobody on your team installed AnyDesk or Splashtop or ScreenConnect, there shouldn't be any running on your network. Pick the one remote management tool your IT actually uses, know where its managed install lives, and alert on any other RMM product, on your own tool appearing from a user's Downloads or Temp folder, and on unusual cloud CLI activity. Scattered Spider lives off the land because it works: your detection has to be tuned to catch legitimate tools being used by illegitimate people.
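The RMM check from step 5 as an added Go example, not the article's code or any EDR product's rule language. The executable-name list is illustrative, the single approved product and its install directory are an assumed policy, and the five process-creation events are constructed (the instance id in the ScreenConnect path is a placeholder). It applies two rules: any RMM other than the approved one alerts, and the approved one alerts too when it runs from outside its managed install path.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// procEvent is a process-creation record (Sysmon event ID 1, or EDR telemetry).
// Constructed sample data below; the field names are ours, not a vendor's schema.
type procEvent struct {
	Host, User, Image, Parent string
}

type rmmAlert struct {
	Rule  string
	Event procEvent
}

// knownRMM maps executable names to products. Illustrative, not exhaustive, and a weak
// signal on its own (attackers rename binaries); in production key on signer or hash too.
var knownRMM = map[string]string{
	"anydesk.exe":                     "AnyDesk",
	"teamviewer.exe":                  "TeamViewer",
	"rustdesk.exe":                    "RustDesk",
	"screenconnect.clientservice.exe": "ScreenConnect",
	"screenconnect.windowsclient.exe": "ScreenConnect",
}

// rmmPolicy is the one product IT deploys and the directory its managed install lives in.
type rmmPolicy struct {
	Product    string
	InstallDir string // path prefix, compared case-insensitively
}

// detectRMM: any RMM other than the approved product is an alert, and the approved
// product is an alert when it runs outside its managed directory (a portable copy in
// Downloads or Temp is how an intruder brings their own).
func detectRMM(events []procEvent, p rmmPolicy) []rmmAlert {
	var out []rmmAlert
	for _, e := range events {
		img := strings.ToLower(e.Image)
		product, ok := knownRMM[filepath.Base(strings.ReplaceAll(img, `\`, "/"))]
		if !ok {
			continue
		}
		switch {
		case product != p.Product:
			out = append(out, rmmAlert{"unapproved-rmm", e})
		case !strings.HasPrefix(img, strings.ToLower(p.InstallDir)):
			out = append(out, rmmAlert{"rmm-outside-managed-path", e})
		}
	}
	return out
}

// corpPolicy is the assumed policy: ScreenConnect, installed under Program Files (x86).
func corpPolicy() rmmPolicy {
	return rmmPolicy{Product: "ScreenConnect", InstallDir: `C:\Program Files (x86)\ScreenConnect Client`}
}

// sampleProcEvents is constructed telemetry from five workstations.
func sampleProcEvents() []procEvent {
	return []procEvent{
		{"WS-014", `CORP\jsmith`, `C:\Users\jsmith\Downloads\AnyDesk.exe`, "chrome.exe"},
		{"WS-022", `NT AUTHORITY\SYSTEM`, `C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe`, "services.exe"},
		{"WS-031", `CORP\mlee`, `C:\Users\mlee\AppData\Local\Temp\ScreenConnect.ClientService.exe`, "explorer.exe"},
		{"WS-040", `CORP\rgarcia`, `C:\Windows\System32\svchost.exe`, "services.exe"},
		{"WS-051", `CORP\it-admin`, `C:\Users\it-admin\Downloads\TeamViewer.exe`, "explorer.exe"},
	}
}

func main() {
	for _, a := range detectRMM(sampleProcEvents(), corpPolicy()) {
		fmt.Printf("ALERT %-25s host=%s user=%s image=%s parent=%s\n",
			a.Rule, a.Event.Host, a.Event.User, a.Event.Image, a.Event.Parent)
	}
}
```

Three of the five events alert: AnyDesk and TeamViewer because they are not the approved product (an IT admin running an unapproved tool is still an alert, since the point of a single approved tool is that there is exactly one), and the ScreenConnect client in a Temp folder because the managed install never lives there. The service running from Program Files as SYSTEM is the normal state and stays silent, which is what lets you page on the rest.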
#The uncomfortable truth.
Scattered Spider didn't invent anything new. They just proved, at massive scale, that the oldest trick in the book still works: ask someone nicely and they'll let you in.
Your credentials. Your MFA. Your access to everything in your organization. It's all one convincing phone call away from being someone else's.
The fix isn't another appliance or another software subscription. The fix is making sure the human being who picks up the phone knows what to do when someone on the other end is lying to them.
If your team hasn't practiced that, you're running the same play that cost MGM $100 million. Just with less money to lose and less ability to recover.
#Further reading
- CISA Advisory AA23-320A: Scattered Spider - official US government advisory on the group's tactics
- MITRE ATT&CK G1015: Scattered Spider - detailed technical breakdown of their techniques
- FIDO2 Hardware Keys - phishing-resistant MFA that stops SIM swapping, push bombing, and AitM phishing
- YubiKey - hardware security keys starting at $25