
Ontinue Threat Advisory: ScatteredLAPSUS$ / Scattered Spider Tactics

The Threat

A new wave of attacks from groups like ScatteredLAPSUS$ and Scattered Spider is putting identity processes at the center of the threat landscape.

These actors don’t rely on advanced malware or zero-day exploits. Instead, they exploit people and processes — targeting service desks and identity workflows to:

  • Obtain credentials
  • Bypass MFA
  • Escalate into privileged accounts

This approach has already caused disruption in multiple sectors, including devastating high-profile retail attacks in the UK.

  • Marks & Spencer (April 2025): Online orders, click-and-collect, and in-store payments were disrupted. Customer contact details and order histories were exposed, though payment cards and passwords were not. The incident caused both operational and financial disruption.
  • Harrods (late April/early May 2025): Detected and contained an attempted intrusion by restricting internal systems and temporarily disabling internet connectivity in stores. The methods used closely resemble other ScatteredLAPSUS$/Spider campaigns.

Why This Matters

These incidents demonstrate that identity and support workflows are prime attack surfaces.

  • Service desk teams are being directly targeted with phone calls and impersonation tactics.
  • Attackers often pose as high-value targets — executives, admins, or security staff — to convince helpdesks to reset credentials or add new MFA factors.
  • Even without direct theft of payment card data, the business impact has been severe: customer data exposure, outages to payment and fulfilment, and reputational damage.

Ontinue Recommendations

We advise all clients to act immediately in three areas:

1. Protect High-Value Targets

  • Maintain a “Do Not Touch” list for executives, IT admins, and security staff
  • Enforce escalation-only reset policies for these accounts — no changes handled at L1

2. Harden Verification Processes

  • Retire weak, knowledge-based checks (employee ID, location, date of birth).
  • Require out-of-band verification such as:
    • Callback using a company directory number
    • Token sent to corporate email
    • Slack/Teams confirmation message
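The two controls above, escalation-only handling for a "Do Not Touch" list and a single-use, time-limited token delivered out of band, as an added example written for this post (not Ontinue's tooling); the account names are constructed placeholders and the mailbox delivery step is left as a hypothetical call.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed "Do Not Touch" list: resets for these accounts are never handled at L1.
DO_NOT_TOUCH = {"ceo@example.com", "it-admin@example.com", "secops@example.com"}
TOKEN_TTL_SECONDS = 300  # out-of-band token is only valid for five minutes


@dataclass
class ResetDesk:
    """Gate a credential/MFA reset behind escalation and an out-of-band token."""
    pending: dict = field(default_factory=dict)   # account -> (token, expiry)
    audit: list = field(default_factory=list)     # every decision is recorded

    def open_request(self, account: str, tier: str, now: float = None) -> str:
        now = time.time() if now is None else now
        # Escalation-only policy: L1 cannot touch high-value accounts at all.
        if account in DO_NOT_TOUCH and tier != "escalation":
            self.audit.append(("escalate", account, tier))
            return "escalate"
        # Token is generated server-side and sent to the corporate mailbox,
        # never read back to the caller on the phone.
        token = secrets.token_urlsafe(16)
        self.pending[account] = (token, now + TOKEN_TTL_SECONDS)
        # send_to_corporate_mailbox(account, token)  # hypothetical delivery step
        self.audit.append(("token_issued", account, tier))
        return "token_sent"

    def confirm(self, account: str, presented: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        # Single use: the pending token is consumed on any attempt, right or wrong.
        entry = self.pending.pop(account, None)
        if entry is None:
            self.audit.append(("no_pending", account))
            return False
        token, expiry = entry
        if now > expiry:
            self.audit.append(("expired", account))
            return False
        ok = hmac.compare_digest(token, presented)  # constant-time comparison
        self.audit.append(("verified" if ok else "mismatch", account))
        return ok
```

The audit list is what the SOC would forward to the security leadership alert mentioned in the playbook; a burst of "escalate" or "mismatch" entries against one account is the signal worth paging on.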

3. Build a Verification Culture within your IR Strategy

  • Train staff to independently verify inbound IT calls before taking any action
  • Standardize workflows that make verification simple and repeatable
  • Develop and test a formal disruption playbook for Scattered Spider–style intrusions (e.g., rapid suspension of compromised accounts, tightening of reset policies, and out-of-band alerts to security leadership)
  • Conduct regular tabletop exercises to validate that service desk and security teams can quickly detect, disrupt, and recover from social-engineering–driven compromises

The Bottom Line

If attackers can talk their way past your service desk, they don’t need malware. Strengthening identity and support workflows is one of the highest-value investments organizations can make against groups like ScatteredLAPSUS$ and Scattered Spider.

Ontinue recommends immediate review and reinforcement of service desk processes and escalation controls to close this gap.

Article By

Craig Jones
Chief Security Officer

Craig Jones oversees Ontinue’s global network of Security Operations Centers (SOCs). His role includes managing and optimizing the teams responsible for security monitoring, incident response, and threat detection across the company’s four SOCs. Previously, Craig was the Vice President of Security Operations at Ontinue. Before joining Ontinue, Craig spent eight years at Sophos, where he rose to Senior Director of Global Security Operations. At Sophos, Craig was responsible for the operational aspects of the company’s worldwide security program, ensuring that the organization’s global security infrastructure was robust and scalable.

Craig is a well-regarded expert in the field of cybersecurity, holding certifications such as GCIH and CISSP. He is actively involved in the cybersecurity community, volunteering as director of BSides Cymru/Wales since 2019 and frequently speaking at industry events. His thought leadership covers topics like incident response, SOC automation, threat intelligence, and SIEM. Craig earned a bachelor’s degree in Information Technology from the University of South Wales.