IT Brief UK - Technology news for CIOs & IT decision-makers

Scattered Spider exploited UK retailer service desks


Specops Software has published an analysis detailing the tactics of Scattered Spider, a cybercriminal collective, in targeting service desks through social engineering attacks against major organisations such as Marks & Spencer, Harrods, and the Co-op Group.

The analysis outlines how Scattered Spider, sometimes referred to as UNC3944, Octo Tempest, and Muddled Libra, has risen to prominence by using sophisticated manipulation techniques to exploit employees at IT service desks. Recent incidents reportedly involved the group duping a Marks & Spencer IT help desk into resetting credentials, allowing unauthorised access to internal systems.

Scattered Spider consists primarily of young UK and US nationals who communicate via social platforms including Discord and Telegram. The collective is believed to have operated under the broader community known as "The Comm," collaborating on both cyber and physical criminal activities. The group has historical ties to ransomware operations, acting as an affiliate for entities such as BlackCat, RansomHub, and Qilin.

Law enforcement detained five individuals associated with Scattered Spider, including an alleged leader, in early 2024. However, analysts note that the group's complete structure is unclear, stating: "The complete composition of the group was not determined, so it's not possible to confirm that all the group's members were detained. After the law enforcement operations broke last time, no further news regarding Scattered Spider came up until this latest spate of attacks."

The UK National Cyber Security Centre has warned organisations to be cautious of phoney IT helpdesk calls, following a series of attacks attributed to the group or its affiliates. While groups such as the DragonForce ransomware-as-a-service operation have claimed responsibility for some incidents, the tactics used in the attacks on Marks & Spencer, Co-op, and Harrods strongly align with the approach attributed to Scattered Spider, even though the group has not publicly claimed responsibility.

Media reports have identified Tyler Buchanan, 23, from the UK, as a potential ringleader who is reportedly evading authorities. The group's distributed nature, combined with its reliance on English fluency and local knowledge, complicates attribution. "It's hard to pin down the head of the snake when talking about a disparate online crime group," the analysis notes.

Recent attacks attributed to the group began with an attack on MGM Resorts International in September 2023. Attackers used social engineering, including phone calls, to bypass multi-factor authentication and deploy ransomware in cooperation with the ALPHV group. Shortly thereafter, Caesars Entertainment was compromised using similar methods, resulting in a reported USD $30 million ransom demand. Subsequent attacks targeted Marks & Spencer, Harrods, and Co-op Group in April and May 2025, with attackers using service desk manipulation to access member data and disrupt operations.

"Scattered Spider and hackers with a similar modus operandi target service desks because they're a high-leverage, low-resistance entry point into corporate networks," the analysis noted, exploring why service desks remain vulnerable.

Despite receiving training, help desk staff can be susceptible to urgent requests, especially when attackers demonstrate language proficiency and cultural awareness.

A crucial factor in Scattered Spider's success is the attackers' command of English.

"Their fluency in English is a critical enabler of their attacks. By speaking the same language (and often using local idioms and accents), they can convincingly impersonate IT staff or contractors in phone-based social-engineering ploys," according to the report. This ability allows the attackers to build trust quickly during calls or chats and evade suspicion when contacting help desk teams.

The typical attack sequence involves preliminary reconnaissance via social media and company resources to gather staff details, followed by impersonation of legitimate employees or contractors during urgent calls to service desks. Attackers use spoofed phone numbers and credible pretexts to pressure staff into resetting passwords or removing multi-factor authentication protections. They then use these credentials to escalate privileges, deploy malware, or steal data.

The report identifies several strategies that organisations can use to protect against similar attacks. Recommended actions include requiring strict identity verification, including out-of-band confirmation for resets; enforcing strict multi-factor authentication processes; providing targeted training for service desk staff; closely monitoring for unusual account activity; limiting help desk privileges; implementing role-based access controls; and conducting regular social engineering simulations.

"Here are some key ways organizations can protect themselves against service desk-based social engineering attacks like those used by Scattered Spider: Require strict identity verification for all password resets, including out-of-band confirmation (e.g. a known second contact method). Enforce MFA that cannot be easily reset or transferred without in-person verification or manager approval. Train service desk staff to recognize social-engineering tactics, especially urgent or emotional requests and spoofed internal numbers. Monitor for unusual service desk activity, such as repeated password resets or MFA removals for high-privilege accounts. Limit help desk privileges so agents cannot reset access for admin or IT users without escalation. Use role-based access control and log all credential changes, with alerts for high-risk users. Conduct regular phishing and social engineering simulations focused specifically on phone and chat-based attacks."
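The monitoring recommendations above (alerting on resets and MFA removals for high-privilege accounts, on repeated resets for one account, and on changes made without escalation) can be turned into a small log-review routine. The following Python is an added example written for this article, not code from Specops Software or IT Brief UK; the audit-log format, the account and agent names, the two-hour window, and the three-reset threshold are all assumptions, and the sample log lines are constructed. In practice the privileged-account list would come from identity-provider group membership and the events from the service desk tool's audit export.

```python
"""Flag service-desk credential changes that match the report's warning signs.

Added example, not from the Specops analysis. Log format, names, window and
threshold are assumptions; the log lines below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in an assumed format:
# <ISO timestamp> agent=<desk agent> action=<PASSWORD_RESET|MFA_REMOVE>
#                 target=<account> channel=<phone|chat|portal> escalation=<ticket|none>
SAMPLE_LOG = """\
2025-04-21T09:02:11 agent=hd.alice action=PASSWORD_RESET target=jsmith channel=portal escalation=none
2025-04-21T09:15:40 agent=hd.bob action=PASSWORD_RESET target=it.admin03 channel=phone escalation=none
2025-04-21T09:17:05 agent=hd.bob action=MFA_REMOVE target=it.admin03 channel=phone escalation=none
2025-04-21T09:40:22 agent=hd.carol action=PASSWORD_RESET target=finance.lead channel=phone escalation=CHG-1042
2025-04-21T10:03:00 agent=hd.alice action=PASSWORD_RESET target=jsmith channel=chat escalation=none
2025-04-21T10:11:30 agent=hd.alice action=PASSWORD_RESET target=jsmith channel=phone escalation=none
"""

# Assumed high-privilege accounts; a real deployment would read these from the IdP.
PRIVILEGED = {"it.admin03", "finance.lead"}
REPEAT_WINDOW = timedelta(hours=2)   # assumed window for "repeated resets"
REPEAT_THRESHOLD = 3                 # assumed count that triggers an alert

LINE_RE = re.compile(
    r"^(?P<ts>\S+) agent=(?P<agent>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) channel=(?P<channel>\S+) escalation=(?P<esc>\S+)$"
)


def parse(log_text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect(events, privileged=PRIVILEGED, window=REPEAT_WINDOW, threshold=REPEAT_THRESHOLD):
    """Return (rule, account, detail) tuples for events matching the report's warning signs."""
    alerts = []
    reset_history = defaultdict(list)  # account -> timestamps of recent resets
    for e in sorted(events, key=lambda ev: ev["ts"]):
        # Rule 1: any credential change on a privileged account is reviewed.
        if e["target"] in privileged:
            alerts.append(("PRIVILEGED_CREDENTIAL_CHANGE", e["target"], e["action"]))
            # Rule 2: privileged changes must carry an escalation/approval reference.
            if e["esc"] == "none":
                alerts.append(("NO_ESCALATION", e["target"], e["agent"]))
        # Rule 3: MFA removal requested over phone or chat is high risk for any account,
        # since those are the channels the report says are used for impersonation.
        if e["action"] == "MFA_REMOVE" and e["channel"] in {"phone", "chat"}:
            alerts.append(("REMOTE_MFA_REMOVAL", e["target"], e["channel"]))
        # Rule 4: repeated password resets for one account inside the window.
        if e["action"] == "PASSWORD_RESET":
            recent = [t for t in reset_history[e["target"]] if e["ts"] - t <= window]
            recent.append(e["ts"])
            reset_history[e["target"]] = recent
            if len(recent) >= threshold:
                alerts.append(("REPEATED_RESETS", e["target"], len(recent)))
    return alerts


if __name__ == "__main__":
    for rule, account, detail in detect(parse(SAMPLE_LOG)):
        print(f"{rule:30} account={account:14} detail={detail}")
```

Run against the constructed log, the routine flags the two un-escalated changes to `it.admin03` over the phone (one of them an MFA removal) and the third reset of `jsmith` inside the window, while the escalated `finance.lead` reset is surfaced for review only. The thresholds are deliberately conservative; the point is that every credential change is logged with its channel and approval reference so that these rules have something to run on.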

The report highlights the ongoing risks organisations face from service desk-related social engineering and outlines practical measures to enhance corporate defences against such threats.
