Ontinue Threat Advisory: ScatteredLAPSUS$ / Scattered Spider Tactics
The Threat
A new wave of attacks from groups such as ScatteredLAPSUS$ and Scattered Spider is putting identity processes at the center of the threat landscape.
These actors don’t rely on advanced malware or zero-day exploits. Instead, they exploit people and processes — targeting service desks and identity workflows to:
- Obtain credentials
- Bypass MFA
- Escalate into privileged accounts
This approach has already caused disruption in multiple sectors, including devastating high-profile retail attacks in the UK.
- Marks & Spencer (April 2025): Online orders, click-and-collect, and in-store payments were disrupted. Customer contact details and order histories were exposed, though payment cards and passwords were not. The incident caused both operational and financial disruption.
- Harrods (late April/early May 2025): Detected and contained an attempted intrusion by restricting internal systems and temporarily disabling internet connectivity in stores. The methods used closely resemble other ScatteredLAPSUS$/Spider campaigns.
Why This Matters
These incidents demonstrate that identity and support workflows are prime attack surfaces.
- Service desk teams are being directly targeted with phone calls and impersonation tactics.
- Attackers often pose as high-value targets — executives, admins, or security staff — to convince helpdesks to reset credentials or add new MFA factors.
- Even without direct theft of payment card data, the business impact has been severe: customer data exposure, outages to payment and fulfilment, and reputational damage.
Ontinue Recommendations
We advise all clients to act immediately in three areas:
1. Protect High-Value Targets
- Maintain a “Do Not Touch” list of executives, IT admins, and security staff, held where the service desk tooling can check it at ticket creation rather than in a document agents have to remember
- Enforce escalation-only reset policies for these accounts: no password resets or MFA factor changes are handled at first-line (L1) support
2. Harden Verification Processes
- Retire weak, knowledge-based checks (employee ID, office location, date of birth). These are routinely available to an attacker from prior breaches, social media, or a previous pretext call.
- Require out-of-band verification over a channel taken from the company directory, never one supplied by the caller, such as:
  - Callback to the phone number held in the company directory
  - One-time token sent to the corporate mailbox on record, read back by the caller
  - Confirmation message from the target's own Slack/Teams account
3. Build a Verification Culture within your IR Strategy
- Train staff to independently verify inbound IT calls before taking any action
- Standardize workflows that make verification simple and repeatable
- Develop and test a formal disruption playbook for Scattered Spider–style intrusions (e.g., rapid suspension of compromised accounts, tightening of reset policies, and out-of-band alerts to security leadership)
- Conduct regular tabletop exercises to validate that service desk and security teams can quickly detect, disrupt, and recover from social-engineering–driven compromises
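The two controls above (a “Do Not Touch” list that forces escalation, and out-of-band verification whose channel comes from the directory rather than the caller) can be enforced by the ticketing workflow instead of left to an agent's memory. The following is an added example, not Ontinue's or any vendor's tooling; the directory, tier numbers and requests are constructed for illustration, and the rule text is taken from the recommendations in this advisory.

```python
"""Policy gate for service-desk password resets and MFA factor changes.

Added example, not Ontinue's or any vendor's tooling. It encodes two of the
advisory's controls as a decision a ticketing workflow can call before a
change is actioned: a "Do Not Touch" list whose accounts may only be changed
above L1, and rejection of knowledge-based checks in favour of out-of-band
verification whose channel comes from the company directory, never from the
caller. The directory, tiers and requests below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Method(str, Enum):
    KBA = "knowledge_based"          # employee ID, location, DOB: always rejected
    CALLBACK = "directory_callback"  # agent calls the number held in the directory
    EMAIL_TOKEN = "email_token"      # one-time token sent to the corporate mailbox
    CHAT = "slack_teams_confirm"     # confirmation from the target's own chat account


@dataclass(frozen=True)
class DirectoryEntry:
    upn: str
    phone: str
    email: str
    high_value: bool = False  # on the "Do Not Touch" list (execs, IT admins, security)


@dataclass(frozen=True)
class ChangeRequest:
    target_upn: str
    agent_tier: int               # 1 = L1 service desk; 2+ = escalation tier
    method: Method
    channel: str                  # phone number, mailbox or chat account actually used
    token_matched: bool = False   # EMAIL_TOKEN only: caller read back the correct token


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


# Constructed directory of record; a real gate would query the IdP or HR system.
DIRECTORY = {
    "cfo@example.com": DirectoryEntry("cfo@example.com", "+44 20 7946 0100",
                                      "cfo@example.com", high_value=True),
    "jdoe@example.com": DirectoryEntry("jdoe@example.com", "+44 20 7946 0200",
                                       "jdoe@example.com"),
}


def _digits(number: str) -> str:
    """Compare phone numbers on digits only; assumes both sides use the same
    international format, so spacing or punctuation cannot defeat the match."""
    return "".join(ch for ch in number if ch.isdigit())


def evaluate(req: ChangeRequest,
             directory: dict[str, DirectoryEntry] = DIRECTORY) -> Decision:
    """Return whether the desk may action the change, listing every failed rule."""
    entry = directory.get(req.target_upn.lower())
    if entry is None:
        return Decision(False, ["target not in directory: route to manual review"])

    reasons: list[str] = []
    # Rule 1: "Do Not Touch" accounts are escalation-only; L1 never changes them.
    if entry.high_value and req.agent_tier < 2:
        reasons.append("Do Not Touch account: escalation required, L1 may not action")

    # Rule 2: knowledge-based checks are retired; only out-of-band methods count,
    # and the channel must be the one on record, not one the caller supplied.
    if req.method is Method.KBA:
        reasons.append("knowledge-based verification is not accepted")
    elif req.method is Method.CALLBACK:
        if _digits(req.channel) != _digits(entry.phone):
            reasons.append("callback must use the directory number, not a caller-supplied one")
    elif req.method is Method.EMAIL_TOKEN:
        if req.channel.lower() != entry.email.lower():
            reasons.append("token must go to the corporate mailbox on record")
        elif not req.token_matched:
            reasons.append("caller did not return the token sent to the mailbox")
    elif req.method is Method.CHAT:
        if req.channel.lower() != entry.upn.lower():
            reasons.append("chat confirmation must come from the target's own corporate account")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Caller posing as the CFO gives L1 a mobile number to "call back" on: two failures.
    print(evaluate(ChangeRequest("cfo@example.com", 1, Method.CALLBACK, "+44 7700 900123")))
    # Ordinary user, L1 agent calls the directory number: allowed.
    print(evaluate(ChangeRequest("jdoe@example.com", 1, Method.CALLBACK, "+44-20-7946-0200")))
```

The point of the gate is that every comparison is against the directory entry, not against anything the caller said on the phone: a caller-supplied callback number, personal mailbox, or claimed role never changes the outcome. Logging the returned reasons gives the security team the out-of-band signal the disruption playbook calls for when the same high-value account fails the gate repeatedly.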
The Bottom Line
If attackers can talk their way past your service desk, they don’t need malware. Strengthening identity and support workflows is one of the highest-value investments organizations can make against groups like ScatteredLAPSUS$ and Scattered Spider.
Ontinue recommends immediate review and reinforcement of service desk processes and escalation controls to close this gap.