Why treat Scattered Spider as a supply chain problem?
Because their entry point is rarely the victim directly. In public incidents acknowledged by victims and reported in CISA and FBI advisories, the intrusions have repeatedly started at an identity provider, a managed service provider, an outsourced help desk, or a SaaS vendor that held federated trust into the target. That is the definition of a supply chain: a third party's control weakness becomes your compromise.
The group has been publicly associated with intrusions at major hospitality, retail, and insurance brands in 2023-2025. Law-enforcement actions, including arrests disclosed by the U.S. Department of Justice and UK authorities, have confirmed several alleged members. The brand, however, is closer to a loose collective than a fixed crew; affiliates have rotated through different ransomware-as-a-service programs including ALPHV/BlackCat and later RansomHub.
What does the Scattered Spider playbook actually look like?
Answer first: native-English voice phishing, SIM-swap-adjacent MFA bypass, and abuse of legitimate remote-admin tools. Then living off the cloud.
Reading the joint CISA/FBI advisory (AA23-320A) and subsequent updates, the recurring steps are:
- Identify an employee by title and reporting line using LinkedIn or data-broker reconnaissance, typically someone with privileged access but not a senior security engineer.
- Call the corporate help desk impersonating that employee. Claim a lost phone or locked account. Get the help desk to reset credentials or re-enroll MFA to an attacker-controlled device.
- Log in. Use the valid session to register an attacker phone as a new MFA factor, then pivot laterally through SSO.
- Abuse legitimate remote management tools already on the target estate, such as ScreenConnect, AnyDesk, Splashtop, or TeamViewer. If those are not present, install them; because they are signed, legitimately used administration tools, EDR rarely flags them.
- Target cloud consoles: AWS, Azure, Okta, Entra, GitHub, Snowflake. Exfiltrate from managed data warehouses and from identity providers' logs and secrets.
- Deploy a ransomware payload if it fits the playbook. Extort regardless.
There is almost no exploitation of code vulnerabilities in this chain. It is identity from start to finish.
Why is the help desk the actual attack surface?
Because the help desk is the point where your identity system has a human override. SSO, MFA, conditional access, and device trust all look strong on paper, and then someone calls at 11 p.m. on a holiday claiming to be a new-hire director who lost their Yubikey, and a tier-1 agent processes it.
Scattered Spider has exploited this repeatedly, whether the help desk is in-house, outsourced, or hybrid. Outsourced help desks are a supply chain hand-off: your identity trust is being enforced by someone else's tier-1 employees reading a runbook you may or may not own.
What identity controls actually move the needle?
- Eliminate help-desk-initiated MFA resets for privileged accounts. Privileged users get in-person or video verification with a manager on the call. A phone call is not enough.
- Require phishing-resistant MFA for high-value roles. FIDO2 security keys or device-bound passkeys, not SMS, not push, not TOTP. If a user cannot produce the physical authenticator, they do not get a reset over the phone.
- Impose a reset-lockout window. A password or MFA reset should not immediately grant full SSO to every app. A 30 to 60 minute cooldown during which the account cannot enroll new devices or access Tier 0 apps buys a detection window.
- Monitor Okta, Entra, and Ping admin events as Tier 0 signal. New MFA factor enrollment, especially outside a user's normal region, is the single highest-fidelity detection for this playbook.
- Kill shadow remote-admin tools. Maintain an allowlist of remote-management agents and block the rest via EDR and application control. AnyDesk being installed in the finance department at 2 a.m. is a page-worthy event.
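The reset-lockout window and the "no phone resets for privileged accounts" rule above are policy decisions an identity platform has to enforce at the moment of the reset. The block below is an added example, not code from the article or from any identity vendor, showing the two rules as a small authorization check; the account names, roles, Tier 0 app list and the 45-minute window are constructed assumptions chosen to sit inside the 30 to 60 minute range the text recommends.

```python
"""Reset-lockout (cooldown) policy check for the identity controls listed above.
Added example, not the article's or any vendor's code: account names, roles,
the Tier 0 app list and the 45-minute window are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

COOLDOWN = timedelta(minutes=45)                    # assumed; inside the 30-60 min range above
TIER0_APPS = {"idp-admin-console", "cloud-console", "code-org-admin"}   # constructed
PRIVILEGED_ROLES = {"admin", "finance-approver"}                        # constructed
STRONG_VERIFICATION = {"in_person", "video_with_manager"}               # what a phone call is not

T0 = datetime(2025, 3, 1, 23, 0)   # constructed reference time for the walk-through


def minutes(n):
    return timedelta(minutes=n)


@dataclass
class Account:
    user: str
    roles: set
    last_reset: Optional[datetime] = None   # when the help desk last reset password or MFA


def record_reset(acct, when, verification):
    """Apply a help-desk reset. Privileged accounts require in-person or
    video-with-manager verification; a phone call alone is rejected outright."""
    if acct.roles & PRIVILEGED_ROLES and verification not in STRONG_VERIFICATION:
        return False
    acct.last_reset = when
    return True


def in_cooldown(acct, now):
    """True while the post-reset window is still open."""
    return acct.last_reset is not None and timedelta(0) <= now - acct.last_reset < COOLDOWN


def authorize(acct, action, now, target=None):
    """Gate actions after a reset. Returns (allowed, reason).
    action is "enroll_factor" or "access_app"; target names the app for access_app."""
    if not in_cooldown(acct, now):
        return True, "ok"
    if action == "enroll_factor":
        return False, "new MFA factor enrollment blocked during post-reset cooldown"
    if action == "access_app" and target in TIER0_APPS:
        return False, f"Tier 0 app {target} blocked during post-reset cooldown"
    return True, "ok"   # ordinary apps stay usable; only enrollment and Tier 0 are held


def demo():
    """Walk the scenario: a phone reset on an admin is refused; a verified reset opens
    a cooldown that blocks factor enrollment and Tier 0 apps until it expires."""
    acct = Account("jdoe", {"admin"})
    phone_ok = record_reset(acct, T0, "phone")
    video_ok = record_reset(acct, T0, "video_with_manager")
    return {
        "phone_reset_accepted": phone_ok,
        "video_reset_accepted": video_ok,
        "enroll_at_10min": authorize(acct, "enroll_factor", T0 + minutes(10))[0],
        "tier0_at_10min": authorize(acct, "access_app", T0 + minutes(10), "cloud-console")[0],
        "ordinary_app_at_10min": authorize(acct, "access_app", T0 + minutes(10), "expense-tool")[0],
        "enroll_at_50min": authorize(acct, "enroll_factor", T0 + minutes(50))[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping ordinary apps open during the cooldown is that the control costs the legitimate user almost nothing, while an attacker who just talked the help desk into a reset is denied exactly the two things the playbook needs next: a new factor and a Tier 0 console.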
How do MSPs and SaaS vendors enter this chain?
Federated trust. Many organizations have configured SSO so that an MSP's administrative tenant or a SaaS management platform can act on their behalf. In Scattered Spider campaigns, the attacker has at times compromised the MSP first, then used that tenancy to pivot into customers. This is the same pattern that drove Kaseya VSA in 2021 and ConnectWise ScreenConnect exploitation in 2024; the delivery vehicle is different, but the topology is the same.
Questions to ask every MSP and SaaS admin-plane vendor:
- Who at your company can act as an administrator in our tenant, and what authentication do they use to reach that capability?
- Do you enforce phishing-resistant MFA on all admin roles, including your help desk and onboarding teams?
- What is your detection coverage for unusual admin API activity against customer tenants?
- Do you provide customer-visible logging for every action an MSP identity takes on our behalf?
If the vendor cannot answer these cleanly, assume you inherit their identity weakness.
What SaaS-side defenses matter most?
Snowflake's 2024 customer-credential-abuse incidents, though not officially attributed to Scattered Spider specifically, are a good mental model. Once valid credentials exist, SaaS-side controls either work or they do not.
- Enforce MFA at the SaaS application layer where possible, not only at SSO. Many breaches involved SaaS accounts that permitted basic-auth or legacy API keys.
- Use IP allowlisting or conditional access for data warehouses and admin consoles.
- Rotate SaaS API tokens on a cadence and alert on new PAT creation.
- Enable the data-access and exfiltration telemetry your SaaS vendors offer. Snowflake's extended audit logging and GitHub's audit log streaming are examples where the vendor gives you real signal if you turn it on.
Are law-enforcement actions slowing the group down?
Several alleged members have been arrested and indicted, as reported in DOJ and FBI communications in 2024 and 2025. Operationally, the playbook persists. The tactics transfer easily to new operators because they are low-capital: you need a convincing voice, a target list, and access to a RaaS affiliate program. As long as help-desk processes and federated identity remain under-hardened, this threat model will keep finding operators.
How should detection engineering prioritize this threat?
Answer first: treat identity telemetry as a primary detection surface, not a compliance artifact.
Concrete hunts to prioritize:
- Password resets followed by MFA factor re-enrollment within 15 minutes, especially from a new IP or user agent.
- Help-desk-initiated account state changes on accounts flagged as Tier 0 or admin.
- SSO sign-ins that immediately enroll new OAuth tokens against Snowflake, GitHub, or other data-warehouse and code platforms.
- Fresh remote-management agent installations inside a 24-hour window following an identity event.
These correlations are not individually novel, but their combination is high-signal, and most SIEM content libraries do not ship with them pre-built. They are worth a detection engineer's afternoon.
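As an added example of that afternoon's work (not code from the article, and not any SIEM vendor's content), the block below implements the four hunts in the list above as correlation rules over a constructed set of identity and endpoint events. The event schema, field names, user names, hosts and timestamps are all assumptions; a real deployment would map them onto whatever the identity provider and EDR actually emit.

```python
"""The four correlation hunts above, run over constructed identity and endpoint
events. Added example, not from the original page or any vendor: the event
schema, field names, users, hosts and sample data are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

TIER0_USERS = {"cfo", "idp-admin"}                                      # constructed Tier 0 list
RMM_BINARIES = {"anydesk", "screenconnect", "splashtop", "teamviewer"}  # agents named in the article
DATA_PLATFORMS = {"snowflake", "github"}
IDENTITY_EVENTS = {"password_reset", "mfa_factor_enroll", "account_unlock"}

# Constructed sample events with UTC timestamps; not real logs.
EVENTS = [
    {"ts": "2025-03-01T08:00:00", "user": "jdoe", "event": "sso_signin", "src_ip": "198.51.100.20", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2025-03-01T23:02:00", "user": "jdoe", "event": "password_reset", "actor": "helpdesk-agent-7", "src_ip": "10.0.5.12", "ua": "AdminConsole"},
    {"ts": "2025-03-01T23:09:00", "user": "jdoe", "event": "mfa_factor_enroll", "actor": "jdoe", "src_ip": "203.0.113.44", "ua": "Mozilla/5.0 (iPhone)"},
    {"ts": "2025-03-01T23:12:00", "user": "jdoe", "event": "sso_signin", "src_ip": "203.0.113.44", "ua": "Mozilla/5.0 (iPhone)"},
    {"ts": "2025-03-01T23:14:00", "user": "jdoe", "event": "oauth_token_grant", "app": "snowflake", "src_ip": "203.0.113.44"},
    {"ts": "2025-03-02T02:15:00", "user": "jdoe", "event": "process_install", "host": "FIN-LT-221", "binary": "AnyDesk.exe"},
    {"ts": "2025-03-01T10:00:00", "user": "cfo", "event": "account_unlock", "actor": "helpdesk-agent-3", "src_ip": "10.0.5.12"},
    {"ts": "2025-03-01T09:00:00", "user": "asmith", "event": "sso_signin", "src_ip": "198.51.100.7", "ua": "Mozilla/5.0 (Macintosh)"},
    {"ts": "2025-03-01T12:00:00", "user": "asmith", "event": "password_reset", "actor": "asmith", "src_ip": "198.51.100.7", "ua": "Mozilla/5.0 (Macintosh)"},
    {"ts": "2025-03-01T12:05:00", "user": "asmith", "event": "mfa_factor_enroll", "actor": "asmith", "src_ip": "198.51.100.7", "ua": "Mozilla/5.0 (Macintosh)"},
]


def load(raw=EVENTS):
    """Parse timestamps and group events per user, oldest first."""
    per_user = defaultdict(list)
    for e in sorted(raw, key=lambda e: e["ts"]):
        per_user[e["user"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))
    return per_user


def followed_within(evs, first, second, window):
    """Pairs (a, b) where b matches `second` no more than `window` after an a matching `first`."""
    return [(a, b) for a in evs if first(a)
            for b in evs if second(b) and timedelta(0) <= b["ts"] - a["ts"] <= window]


def baseline(evs, before):
    """IPs and user agents this user signed in from before `before`."""
    seen = [e for e in evs if e["event"] == "sso_signin" and e["ts"] < before]
    return {e["src_ip"] for e in seen}, {e.get("ua") for e in seen}


def hunt_reset_then_enroll(per_user):
    """Password reset -> MFA factor enrollment within 15 min from an IP or UA the user never used."""
    hits = []
    for user, evs in per_user.items():
        for reset, enroll in followed_within(evs, lambda e: e["event"] == "password_reset",
                                             lambda e: e["event"] == "mfa_factor_enroll",
                                             timedelta(minutes=15)):
            ips, uas = baseline(evs, reset["ts"])
            if enroll["src_ip"] not in ips or enroll.get("ua") not in uas:
                hits.append(user)
    return hits


def hunt_helpdesk_on_tier0(per_user):
    """Help-desk-initiated identity changes on Tier 0 accounts."""
    return [(u, e["event"], e["actor"]) for u in sorted(TIER0_USERS) for e in per_user.get(u, [])
            if e["event"] in IDENTITY_EVENTS and str(e.get("actor", "")).startswith("helpdesk-")]


def hunt_signin_then_token(per_user):
    """SSO sign-in followed within 10 min by an OAuth token grant to a data or code platform."""
    return [(u, b["app"]) for u, evs in per_user.items()
            for _, b in followed_within(evs, lambda e: e["event"] == "sso_signin",
                                        lambda e: e["event"] == "oauth_token_grant" and e["app"] in DATA_PLATFORMS,
                                        timedelta(minutes=10))]


def hunt_rmm_after_identity_event(per_user):
    """Remote-management agent install within 24 h of any identity event for the same user."""
    def is_rmm(e):
        return e["event"] == "process_install" and e["binary"].lower().split(".")[0] in RMM_BINARIES
    # several identity events can precede one install; report the install once
    return sorted({(u, b["host"], b["binary"]) for u, evs in per_user.items()
                   for _, b in followed_within(evs, lambda e: e["event"] in IDENTITY_EVENTS, is_rmm,
                                               timedelta(hours=24))})


def run_all(raw=EVENTS):
    per_user = load(raw)
    return {
        "reset_then_enroll": hunt_reset_then_enroll(per_user),
        "helpdesk_on_tier0": hunt_helpdesk_on_tier0(per_user),
        "signin_then_token": hunt_signin_then_token(per_user),
        "rmm_after_identity_event": hunt_rmm_after_identity_event(per_user),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

Note the baseline step in the first hunt: asmith's reset-then-enroll happens inside the 15-minute window too, but from the IP and user agent the account has always used, so it does not fire. Without that comparison the rule would page on every legitimate self-service re-enrollment, which is the usual reason this correlation gets switched off in production.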
What does tabletop readiness look like for this threat?
Exercise your help desk specifically. A convincing impersonation of a named executive calling your service desk at 11 p.m. is the single most valuable tabletop scenario you can run in 2026. Time the response, review where the runbook forced verification, and then rewrite the runbook where it did not. Do the same scenario against your outsourced providers' help desks. The gap between "we trust the MSP's process" and "we have tested the MSP's process" is where Scattered Spider-class operators live.
How Safeguard.sh Helps
Safeguard.sh treats your identity supply chain with the same rigor as your code supply chain. We map which external parties - MSPs, BPOs, SaaS admin consoles, help-desk outsourcers - hold privileged access into your tenant, score their identity posture, and alert on changes like new federated trust, new admin roles, or MFA-factor enrollment anomalies on those external identities. When Scattered Spider or a similar collective is active against an industry, we correlate your vendor footprint with ongoing campaigns so you know whether your third-party identity perimeter is the one being worked tonight.