Incident Analysis

MGM Ransomware One Year Later: A Retrospective

A 2025 retrospective on the September 2023 MGM Resorts ransomware incident, what changed, what stalled, and how supply chain defenders should adjust.

Shadab Khan
Security Engineer

When Scattered Spider (UNC3944) burned through MGM Resorts' identity estate in September 2023, the intrusion lasted roughly ten minutes at the help desk and about ten days in the headlines. Twenty-one months on, MGM's 10-Q filings have stopped itemizing the incident's costs, yet the pattern that felled a Fortune 500 hospitality giant (vishing a help-desk analyst into resetting an Okta admin's credentials) is still the most efficient path into hardened enterprises. In 2025, Mandiant's M-Trends report attributed 16% of initial access in ransomware cases to social engineering of IT support staff, up from 9% the year before. The attackers have not evolved; the defenders have, just not enough. This retrospective revisits what happened, what changed, and where software supply chain teams still need to act.

What actually happened at MGM in September 2023?

Attackers impersonated an MGM employee on a help desk call, convinced the analyst to reset credentials, and pivoted into Okta and Azure tenants within hours. From there, UNC3944 deployed BlackCat/ALPHV ransomware against ESXi infrastructure. MGM disclosed on September 11, 2023 and estimated the financial hit at $100 million in its Q3 filing, plus roughly $10 million in one-time consulting and legal fees. Caesars Entertainment, hit by the same cluster weeks earlier, chose to pay a reported $15 million ransom. MGM did not pay. Guest-facing systems, including room keys, slot machines, and the MGM Rewards app, were degraded for nearly ten days.

What has changed in identity defense since then?

The most measurable shift is adoption of phishing-resistant MFA and help-desk verification policy. CISA's 2025 Secure-by-Design progress report noted that 41% of surveyed enterprises now enforce FIDO2 for privileged roles, up from 18% in late 2023. Okta pushed its Identity Threat Protection feature out of early access in March 2024 and mandated number-matching for its own admin console. Microsoft retired legacy per-user MFA prompts for Entra ID admin roles on October 15, 2024. These are real gains, but they are unevenly distributed: hospitality, healthcare, and manufacturing still lag finance by roughly 18 months on phishing-resistant rollout, per the 2025 Verizon DBIR.

Did the attackers stop, slow down, or adapt?

They adapted. Between January 2024 and May 2025, the FBI tracked at least 47 additional intrusions attributed to Scattered Spider or close affiliates, including the March 2024 breach of a major US insurer and the January 2025 compromise of a cloud contact-center provider. The group has since splintered into smaller cells, some working with RansomHub after BlackCat's exit scam in March 2024. Tactics have shifted from Okta pivots to SaaS-native attacks: targeting Snowflake customer tenants (the UNC5537 campaign of mid-2024, which exposed data at 165 organizations) and abusing OAuth consent grants in Google Workspace.

What supply chain lessons did we underweight at the time?

We focused on identity and underweighted the vendor graph. MGM's recovery was slowed by dependencies on third-party booking engines, slot-machine firmware vendors, and a loyalty data processor, each of which needed its own incident handling. A 2024 post-mortem by a Nevada gaming regulator noted 38 distinct SaaS vendors were implicated in MGM's restoration timeline. The lesson: identity compromise at one tenant cascades through connected SaaS and code suppliers. Organizations that had inventoried their OAuth tokens, SCIM integrations, and CI/CD runners recovered measurably faster in subsequent UNC3944 incidents.

Where should defenders focus in the rest of 2025?

Three places. First, help-desk protocol hardening: require a callback to an HRIS-verified number and a manager approval for privileged resets, a control CISA added to its Secure-by-Design pledge in April 2024. Second, SaaS-to-SaaS token hygiene: inventory, rotate, and scope OAuth grants; the Snowflake campaign proved a valid token beats a valid password. Third, treat your identity provider as a first-class component in your SBOM and vendor risk register.

# Example help-desk verification policy gate
help_desk_reset:
  require:
    - callback_to_hris_number: true
    - manager_approval: true
    - deny_if_mfa_device_changed_within_hours: 24
  log_to: siem.identity.reset
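The gate above is only a policy declaration; the following is an added example (not code from the original post or from any product) of how a help-desk tool might evaluate a reset ticket against it. The policy is mirrored as a Python dict, the ticket fields (caller, analyst, callback_number, hris_number, manager_approved, mfa_device_changed_at) are assumed, and the sample ticket and clock are constructed.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy mirroring the YAML gate above (assumption: a real
# deployment would load it from the policy file rather than hard-code it).
POLICY = {
    "require": {
        "callback_to_hris_number": True,
        "manager_approval": True,
        "deny_if_mfa_device_changed_within_hours": 24,
    },
    "log_to": "siem.identity.reset",
}
# Constructed sample ticket: the caller offered a number that differs from
# the HRIS record and enrolled a new MFA device two hours before the call.
SAMPLE_NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_REQUEST = {
    "caller": "jdoe", "analyst": "helpdesk-07",
    "callback_number": "+1-555-0100", "hris_number": "+1-555-0199",
    "manager_approved": False,
    "mfa_device_changed_at": datetime(2025, 6, 1, 10, 0, tzinfo=timezone.utc),
}

def evaluate_reset(request, policy=POLICY, now=None):
    """Return (allowed, event): the decision plus the record for the SIEM."""
    now = now or datetime.now(timezone.utc)
    req = policy["require"]
    failures = []
    # Check 1: the analyst must call back the number HRIS holds on file,
    # never the number the caller offered (the MGM vishing path).
    if req.get("callback_to_hris_number") and (
        not request.get("callback_number")
        or request["callback_number"] != request.get("hris_number")
    ):
        failures.append("callback_not_to_hris_number")
    # Check 2: privileged resets need an out-of-band manager approval.
    if req.get("manager_approval") and not request.get("manager_approved"):
        failures.append("missing_manager_approval")
    # Check 3: a freshly enrolled MFA device followed by a reset request is
    # the classic takeover sequence; deny inside the cooling-off window.
    window = req.get("deny_if_mfa_device_changed_within_hours")
    changed = request.get("mfa_device_changed_at")
    if window is not None and changed is not None:
        if now - changed < timedelta(hours=window):
            failures.append(f"mfa_device_changed_within_{window}h")
    # Every failed check is recorded, so the SIEM event explains a denial.
    event = {"sink": policy["log_to"], "ts": now.isoformat(),
             "caller": request.get("caller"), "analyst": request.get("analyst"),
             "decision": "deny" if failures else "allow", "reasons": failures}
    return not failures, event
```

Shipping the full reasons list, rather than a bare deny, is what lets the SIEM correlate a repeated "callback_not_to_hris_number" against the same caller across tickets.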

How Safeguard Helps

Safeguard treats identity providers, SaaS connectors, and CI/CD runners as first-class supply chain assets alongside code and container dependencies. Teams can inventory OAuth grants and service accounts, attach them to products, and enforce policy gates that block deploys when an identity dependency falls out of compliance. When an incident like MGM's recurs, responders can pivot from a single compromised account to the full blast radius, including downstream SaaS and vendor integrations, in one query. Safeguard's remediation plans surface expired tokens, overprivileged scopes, and legacy auth paths before attackers find them, turning post-mortem lessons into pre-mortem controls.
