Threat Advisory

Ontinue Threat Advisory: ScatteredLAPSUS$ / Scattered Spider Tactics

The Threat

A new wave of attacks from groups like ScatteredLAPSUS$ and Scattered Spider is putting identity processes at the center of the threat landscape.

These actors don’t rely on advanced malware or zero-day exploits. Instead, they exploit people and processes — targeting service desks and identity workflows to:

  • Obtain credentials
  • Bypass MFA
  • Escalate into privileged accounts

This approach has already caused disruption in multiple sectors, including devastating high-profile retail attacks in the UK.

  • Marks & Spencer (April 2025): Online orders, click-and-collect, and in-store payments were disrupted. Customer contact details and order histories were exposed, though payment cards and passwords were not. The incident caused both operational and financial disruption.
  • Harrods (late April/early May 2025): Detected and contained an attempted intrusion by restricting internal systems and temporarily disabling internet connectivity in stores. The methods used closely resemble other ScatteredLAPSUS$/Spider campaigns.

Why This Matters

These incidents demonstrate that identity and support workflows are prime attack surfaces.

  • Service desk teams are being directly targeted with phone calls and impersonation tactics.
  • Attackers often pose as high-value targets — executives, admins, or security staff — to convince helpdesks to reset credentials or add new MFA factors.
  • Even without direct theft of payment card data, the business impact has been severe: customer data exposure, outages to payment and fulfilment, and reputational damage.

Ontinue Recommendations

We advise all clients to act immediately in three areas:

1. Protect High-Value Targets

  • Maintain a “Do Not Touch” list for executives, IT admins, and security staff
  • Enforce escalation-only reset policies for these accounts — no changes handled at L1

2. Harden Verification Processes

  • Retire weak, knowledge-based checks (employee ID, office location, date of birth), since this information is routinely available to attackers.
  • Require out-of-band verification such as:
    • Callback using a company directory number
    • Token sent to corporate email
    • Slack/Teams confirmation message

3. Build a Verification Culture within your IR Strategy

  • Train staff to independently verify inbound IT calls before taking any action
  • Standardize workflows that make verification simple and repeatable
  • Develop and test a formal disruption playbook for Scattered Spider–style intrusions (e.g., rapid suspension of compromised accounts, tightening of reset policies, and out-of-band alerts to security leadership)
  • Conduct regular tabletop exercises to validate that service desk and security teams can quickly detect, disrupt, and recover from social-engineering–driven compromises

The Bottom Line

If attackers can talk their way past your service desk, they don’t need malware. Strengthening identity and support workflows is one of the highest-value investments organizations can make against groups like ScatteredLAPSUS$ and Scattered Spider.

Ontinue recommends immediate review and reinforcement of service desk processes and escalation controls to close this gap.