Engineering

Scattered Spider: A Cross-Environment Threat Undermining SOC Defenses

Since 2021, the Scattered Spider cybercriminal group has rapidly evolved into a sophisticated ransomware operation that blends social engineering with technical precision. Unlike traditional ransomware campaigns that unfold over days or weeks, Scattered Spider executes a full kill chain—from initial access to data theft and encryption—within hours, overwhelming even mature SOCs.
Rex Guo, Greg Rudman
July 12, 2025
Home
Blog
Engineering

Scattered Spider: A Cross-Environment Threat Undermining SOC Defenses

Recently, there have been many posts from well-respected sources in the security community about Scattered Spider. Since 2021, the Scattered Spider cybercriminal group has rapidly evolved into a sophisticated ransomware operation that blends social engineering with technical precision. Unlike traditional ransomware campaigns that unfold over days or weeks, Scattered Spider executes a full kill chain—from initial access to data theft and encryption—within hours, overwhelming even mature SOCs.

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI, released a detailed advisory on Scattered Spider, outlining the group’s tactics, techniques, and procedures, and providing mitigation recommendations for organizations facing this threat. Read more about it here.

The FBI recently warned that Scattered Spider is expanding its attacks to target the airline industry, using advanced social engineering techniques to bypass multi-factor authentication and compromise IT help desks, as reported by The Hacker News.


Why SOC Teams Struggle with Scattered Spider Attacks

Security operations center (SOC) teams often find themselves a step behind Scattered Spider—not for lack of skill, but because this group exploits fundamental gaps in modern defenses. Their tactics are designed to fly under the radar, and they’re frighteningly good at it.

Cloud-Native and Identity-Focused Operations

Scattered Spider doesn’t bother with traditional network breaches. Instead, they target cloud identity systems like Okta or Microsoft Entra. Using social engineering (think convincing vishing calls or bombarding users with MFA prompts), they trick employees or help desks into handing over access. Once in, they blend into normal cloud activity—resetting passwords, tweaking federation settings, or adding backdoor accounts—all while looking like routine admin work. Since SOCs often monitor endpoints more closely than cloud identity layers, these moves slip through.

Living Off the Land (LOTL) Techniques

Forget custom malware—this group uses tools already in your environment. They’ll leverage PowerShell for stealthy commands, remote admin software like Splashtop for access, or cloud automation scripts to move data. Even security tools get weaponized: they’ve been caught disabling EDR alerts from the console itself. Because these actions mimic legitimate IT tasks, signature-based defenses miss them entirely.

Speed and Agility

Scattered Spider works at lightning speed. In one case, they went from initial access to draining a CyberArk vault (with 1,400+ credentials) in under two days. Their reconnaissance is hyper-targeted, and they pivot instantly when blocked. SOCs simply can’t correlate alerts and respond fast enough—by the time the team pieces together the attack chain, the damage is done.

Multi-Staged Attacks Across Domains

Each stage looks harmless alone, and SOC tools rarely connect the dots across these siloed domains.

  • Attacks leap between endpoints, cloud, and identity systems:
    • Start with a vishing call to compromise an Okta admin →
    • Use that access to spin up malicious Azure VMs →
    • Jump to endpoints via EDR remote shells →
    • Finally, exfiltrate data through cloud storage.

Human and Process Gaps

The group preys on organizational weaknesses:

  • Help desk pressures: Urgent “executive” account-reset requests get rubber-stamped.
  • Overprivileged accounts: VIPs and service accounts have unnecessary access, letting attackers escalate quickly.
  • Alert overload: SOCs drown in low-priority alerts while subtle, cross-domain signals get missed.

SOC Impact: A Crisis of Visibility and Capacity

Security Operations Centers (SOCs) are already stretched thin by alert fatigue, disjointed telemetry, and a shortage of skilled analysts. Scattered Spider exploits these operational weaknesses by leveraging techniques that are difficult to detect using traditional tooling or siloed workflows. From social engineering to abusing signed drivers and remote access tools, they create alert signals that often blend into normal activity, bypassing triage workflows and slipping through detection logic.

The attacker’s ability to move between cloud, virtual, and on-premises systems adds complexity to investigations, stretching already constrained SOC teams. Traditional playbooks and static rules often fail to identify this lateral movement, especially when the attackers hijack legitimate tools like AnyDesk, Ngrok, and EC2 consoles for covert control.

Phase-by-Phase Breakdown (Aligned with MITRE ATT&CK)

  • Initial Access: Through targeted phishing, spoofed domains, and phone-based deception, attackers harvest credentials and bypass MFA via fatigue attacks or rogue token enrollment.
  • Remote Access: SOCs often fail to flag legitimate-looking RMM tools (e.g., Fleetdeck, Atera) deployed post-compromise.
  • Privilege Escalation: ADCS template abuse, vulnerable driver injection (BYOVD), and LAPS manipulation provide persistent elevated access.
  • Lateral Movement: Using RDP, SSH, and cloud console hopping, attackers traverse networks undetected.
  • Security Evasion: By disabling EDR, AMSI, and log auditing, they suppress detection while maintaining control.
  • Data Theft and Destruction: Sensitive data is exfiltrated to cloud storage (e.g., Mega.nz), shadow copies are destroyed, and recovery is disrupted.
  • Encryption: Ransomware (e.g., DragonForce, Akira) is deployed across ESXi hypervisors and endpoints, locking environments.

SOC Operational Recommendations

  1. Cross-Environment Telemetry Correlation: Ensure your SOC has visibility into both cloud-native and on-prem assets. Enable cross-platform detections that trace user behavior across identity providers, endpoint agents, and SaaS logs.
  2. Behavior-Based Detection: Signature-based detections are insufficient. SOCs need tools that detect misuse of legitimate tools and anomalies in account behavior.
  3. AI-Driven Triage: Use AI SOC analysts that replicate Tier 1 and Tier 2 investigation logic. These systems should investigate alerts autonomously, correlate weak signals, and flag campaigns in progress before damage escalates.
  4. Resilience Planning: Prepare for scenarios where EDR, identity providers, and logging infrastructure may be compromised. Invest in isolated, immutable backups and out-of-band logging.
  5. SOC Threat Hunting Playbooks: Regularly search for indicators of lateral movement, abuse of remote access tools, and certificate service misuse.

Multi-Domain Intrusions: A Growing Pattern

Scattered Spider campaigns increasingly span multiple domains and environments, complicating attribution and containment. In one confirmed attack, the group gained access to an MSP’s VPN credentials via phishing, then used their privileged access to pivot into multiple customer tenants. In another case, credentials stolen from a SaaS provider’s support portal were used to access partner-hosted infrastructure, enabling access to dozens of downstream organizations. These cross-domain intrusions often go unnoticed due to siloed SOCs and lack of centralized correlation between identity events and workload telemetry.

Conclusion

Scattered Spider is not just another ransomware gang—it represents a strategic adversary capable of turning operational blind spots into catastrophic breaches.

SOC teams must evolve beyond reactive alert queues and invest in unified, AI-augmented defense strategies that span every corner of the modern hybrid enterprise.

How can AI SOC Analyst Help?

Culminate can significantly reduce your company’s risk by using intelligent and SOC-proven AI ensuring every alert is triaged, and nothing is overlooked. We recognize patterns that traditional methods may not. Our trusted AI platform delivers consistent and trusted results. During its investigation, it detects cross domain attacks and anomalies such as those presented in Scattered Spider attacks. Our technology strengthen your existing team’s efforts and tangibly identifies and reduces risk to the organization.

Want to see how Culminate investigates Scattered Spider in action?

Schedule a demo with us!

Table of contents

Heading 2
Subscribe to our newsletter

Subscribe to receive the latest blog posts to your inbox.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Subscribe to our newsletter

Subscribe to receive the latest blog posts to your inbox.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Home
Blog
Engineering

Scattered Spider: A Cross-Environment Threat Undermining SOC Defenses

Recently, there have been many posts from well-respected sources in the security community about Scattered Spider. Since 2021, the Scattered Spider cybercriminal group has rapidly evolved into a sophisticated ransomware operation that blends social engineering with technical precision. Unlike traditional ransomware campaigns that unfold over days or weeks, Scattered Spider executes a full kill chain—from initial access to data theft and encryption—within hours, overwhelming even mature SOCs.

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI, released a detailed advisory on Scattered Spider, outlining the group’s tactics, techniques, and procedures, and providing mitigation recommendations for organizations facing this threat. Read more about it here.

The FBI recently warned that Scattered Spider is expanding its attacks to target the airline industry, using advanced social engineering techniques to bypass multi-factor authentication and compromise IT help desks, as reported by The Hacker News.


Why SOC Teams Struggle with Scattered Spider Attacks

Security operations center (SOC) teams often find themselves a step behind Scattered Spider—not for lack of skill, but because this group exploits fundamental gaps in modern defenses. Their tactics are designed to fly under the radar, and they’re frighteningly good at it.

Cloud-Native and Identity-Focused Operations

Scattered Spider doesn’t bother with traditional network breaches. Instead, they target cloud identity systems like Okta or Microsoft Entra. Using social engineering (think convincing vishing calls or bombarding users with MFA prompts), they trick employees or help desks into handing over access. Once in, they blend into normal cloud activity—resetting passwords, tweaking federation settings, or adding backdoor accounts—all while looking like routine admin work. Since SOCs often monitor endpoints more closely than cloud identity layers, these moves slip through.

Living Off the Land (LOTL) Techniques

Forget custom malware—this group uses tools already in your environment. They’ll leverage PowerShell for stealthy commands, remote admin software like Splashtop for access, or cloud automation scripts to move data. Even security tools get weaponized: they’ve been caught disabling EDR alerts from the console itself. Because these actions mimic legitimate IT tasks, signature-based defenses miss them entirely.

Speed and Agility

Scattered Spider works at lightning speed. In one case, they went from initial access to draining a CyberArk vault (with 1,400+ credentials) in under two days. Their reconnaissance is hyper-targeted, and they pivot instantly when blocked. SOCs simply can’t correlate alerts and respond fast enough—by the time the team pieces together the attack chain, the damage is done.

Multi-Staged Attacks Across Domains

Each stage looks harmless alone, and SOC tools rarely connect the dots across these siloed domains.

  • Attacks leap between endpoints, cloud, and identity systems:
    • Start with a vishing call to compromise an Okta admin →
    • Use that access to spin up malicious Azure VMs →
    • Jump to endpoints via EDR remote shells →
    • Finally, exfiltrate data through cloud storage.

Human and Process Gaps

The group preys on organizational weaknesses:

  • Help desk pressures: Urgent “executive” account-reset requests get rubber-stamped.
  • Overprivileged accounts: VIPs and service accounts have unnecessary access, letting attackers escalate quickly.
  • Alert overload: SOCs drown in low-priority alerts while subtle, cross-domain signals get missed.

SOC Impact: A Crisis of Visibility and Capacity

Security Operations Centers (SOCs) are already stretched thin by alert fatigue, disjointed telemetry, and a shortage of skilled analysts. Scattered Spider exploits these operational weaknesses by leveraging techniques that are difficult to detect using traditional tooling or siloed workflows. From social engineering to abusing signed drivers and remote access tools, they create alert signals that often blend into normal activity, bypassing triage workflows and slipping through detection logic.

The attacker’s ability to move between cloud, virtual, and on-premises systems adds complexity to investigations, stretching already constrained SOC teams. Traditional playbooks and static rules often fail to identify this lateral movement, especially when the attackers hijack legitimate tools like AnyDesk, Ngrok, and EC2 consoles for covert control.

Phase-by-Phase Breakdown (Aligned with MITRE ATT&CK)

  • Initial Access: Through targeted phishing, spoofed domains, and phone-based deception, attackers harvest credentials and bypass MFA via fatigue attacks or rogue token enrollment.
  • Remote Access: SOCs often fail to flag legitimate-looking RMM tools (e.g., Fleetdeck, Atera) deployed post-compromise.
  • Privilege Escalation: ADCS template abuse, vulnerable driver injection (BYOVD), and LAPS manipulation provide persistent elevated access.
  • Lateral Movement: Using RDP, SSH, and cloud console hopping, attackers traverse networks undetected.
  • Security Evasion: By disabling EDR, AMSI, and log auditing, they suppress detection while maintaining control.
  • Data Theft and Destruction: Sensitive data is exfiltrated to cloud storage (e.g., Mega.nz), shadow copies are destroyed, and recovery is disrupted.
  • Encryption: Ransomware (e.g., DragonForce, Akira) is deployed across ESXi hypervisors and endpoints, locking environments.

SOC Operational Recommendations

  1. Cross-Environment Telemetry Correlation: Ensure your SOC has visibility into both cloud-native and on-prem assets. Enable cross-platform detections that trace user behavior across identity providers, endpoint agents, and SaaS logs.
  2. Behavior-Based Detection: Signature-based detections are insufficient. SOCs need tools that detect misuse of legitimate tools and anomalies in account behavior.
  3. AI-Driven Triage: Use AI SOC analysts that replicate Tier 1 and Tier 2 investigation logic. These systems should investigate alerts autonomously, correlate weak signals, and flag campaigns in progress before damage escalates.
  4. Resilience Planning: Prepare for scenarios where EDR, identity providers, and logging infrastructure may be compromised. Invest in isolated, immutable backups and out-of-band logging.
  5. SOC Threat Hunting Playbooks: Regularly search for indicators of lateral movement, abuse of remote access tools, and certificate service misuse.

Multi-Domain Intrusions: A Growing Pattern

Scattered Spider campaigns increasingly span multiple domains and environments, complicating attribution and containment. In one confirmed attack, the group gained access to an MSP’s VPN credentials via phishing, then used their privileged access to pivot into multiple customer tenants. In another case, credentials stolen from a SaaS provider’s support portal were used to access partner-hosted infrastructure, enabling access to dozens of downstream organizations. These cross-domain intrusions often go unnoticed due to siloed SOCs and lack of centralized correlation between identity events and workload telemetry.

Conclusion

Scattered Spider is not just another ransomware gang—it represents a strategic adversary capable of turning operational blind spots into catastrophic breaches.

SOC teams must evolve beyond reactive alert queues and invest in unified, AI-augmented defense strategies that span every corner of the modern hybrid enterprise.

How can AI SOC Analyst Help?

Culminate can significantly reduce your company’s risk by using intelligent and SOC-proven AI ensuring every alert is triaged, and nothing is overlooked. We recognize patterns that traditional methods may not. Our trusted AI platform delivers consistent and trusted results. During its investigation, it detects cross domain attacks and anomalies such as those presented in Scattered Spider attacks. Our technology strengthen your existing team’s efforts and tangibly identifies and reduces risk to the organization.

Want to see how Culminate investigates Scattered Spider in action?

Schedule a demo with us!
Share this post
Tag one
Tag two
Tag three
Tag four
Rex Guo, Greg Rudman

Recommended articles

Engineering

From 10,000 to 10: How AI Identifies Which Alerts Actually Matter

Security Operations Centers (SOCs) are drowning. Every day, analysts are hit with thousands of alerts—each screaming for attention, most leading nowhere. Between EDR pings, email security events, identity anomalies, and SIEM noise, the reality is simple: no human team can investigate everything. Yet buried somewhere in that mountain of noise are the 10 alerts that actually matter. The 10 that point to lateral movement. Credential abuse. Persistence. Exfiltration. Miss them, and it could mean a breach. That’s where AI changes the game.
Read more
Engineering

The Phish That SOAR Missed: Why Modern Attacks Slip Through

Traditional SOAR (Security Orchestration, Automation, and Response) platforms often miss modern phishing attacks because their reliance on pre-determined playbooks and static rules makes them inflexible against rapidly evolving threats. Attackers exploit this rigidity by increasingly leveraging legitimate services like OneDrive and PowerBI to host malicious links, masking their true intent and bypassing SOAR's signature-based and reputation-focused detections. In contrast, AI SOC Analyst platforms are inherently more adaptable and goal-driven, utilizing advanced machine learning and behavioral analytics to automatically adjust investigation techniques and identify subtle anomalies that don't fit known patterns. By intelligently correlating diverse data and automatically investigating links embedded within the legitimate website's context, Culminate's AI SOC Analyst can effectively handle incomplete or ambiguous information, proactively detecting sophisticated phishing campaigns that intentionally evade conventional defenses.
Read more
Engineering

Exploiting Trust: The Rise of Push Fatigue and Password Spray Attacks

Push fatigue and password spray attacks exploit user distraction and weak authentication context, making it easy for attackers to bypass MFA. Culminate’s AI SOC Analyst detects these behaviors across identity, EDR, and email logs, and takes automated action—like resetting passwords or deleting malicious emails—while providing clear case timelines for rapid, confident response.
Read more

Want to see Culminate in action?

When Culminate takes on investigations, your analysts can concentrate on tackling true attacks and strategic work.

Schedule a demo
HomeProductAboutBlogCareersBlogContact
© 2025 Culminate Inc. All rights reserved.