Full Report
Scattered Spider (UNC3944 / Octo Tempest) is driving a renewed surge of intrusions against high-availability enterprises. After ransacking the retail and insurance verticals earlier this year, the crew has pivoted to aviation, breaching Hawaiian Airlines, WestJet, and Qantas within weeks. The speed of that shift, and the continued success of its adversary-in-the-middle playbook, shows how quickly Scattered Spider can leap between industries and how effective its tried-and-true methods remain. Understanding that playbook is the key to combating this threat.

Who is Scattered Spider?

First surfacing in SIM-swap and business email compromise (BEC) schemes, Scattered Spider has evolved into a financially motivated crew that combines well-honed social-engineering talent with ransomware partnerships (ALPHV, RansomHub, and DragonForce). The group favours English-speaking enterprises that house rich identity stores and rely on high-availability systems that are ripe for extortion.

Evilginx

Scattered Spider uses a tool called Evilginx to bypass multifactor authentication (MFA).

Evilginx begins with deception at the DNS and TLS layers. Scattered Spider registers look-alike domains, such as company-sso[.]com or vpn-login-corp[.]net, and equips them with free Let's Encrypt certificates. The result is a phishing site that presents the same padlock icon as a genuine corporate portal, lowering a victim's guard before a single line of HTML is served.

Behind that façade, Evilginx runs as a transparent reverse proxy. Its pre-built "phishlets" fetch the real sign-in pages for services such as Okta, Azure AD, or Workday, rewrite every link on the fly, and relay the content back to the browser. From the user's perspective, the experience is indistinguishable from the legitimate site; from the attacker's perspective, every HTTP request and response, including MFA challenges, is streamed through infrastructure they control.

The moment the user completes authentication, Evilginx captures the session cookies that the identity provider issues to prove the user is logged in. By replaying those cookies from an attacker-controlled virtual machine, Scattered Spider sidesteps MFA altogether: there are no passwords to crack and no one-time codes to intercept, because the victim has already entered both into the proxy. With that foothold, the operators can quietly add their own MFA devices, spin up cloud resources, or deploy ransomware. Because the stolen session is continued rather than re-authenticated, none of this generates the password-change or login-from-new-device alerts most organisations rely on to spot intrusions.

Evilginx remains one of the most prevalent open-source adversary-in-the-middle (AiTM) platforms as of mid-2025.

ATT&CK Technique Profile

Below are some of the tactics, techniques, and procedures (TTPs) most frequently observed in Arachne Digital telemetry for Scattered Spider over the past year, mapped to ATT&CK.

Reconnaissance:

T1591 Gather Victim Org Information — Scattered Spider begins with reconnaissance, harvesting internal details such as employee names and departments that it weaves into voice phishing (vishing) scripts. Armed with this context, an operator can phone the help desk and convincingly pose as an employee.

Resource Development:

T1583.001 Acquire Infrastructure: Domains — Scattered Spider bulk-registers look-alike tech and SSO domains with a small roster of go-to registrars, ensuring a constant pipeline of fresh phishing sites.

T1588.002 Obtain Capabilities: Tool — Scattered Spider taps widely available open-source tools, such as ADRecon, ADExplorer, and SharpHound, to map and analyse victims' Active Directory (AD) environments. AD is the prize for ransomware operators: once they control a domain controller, elevating privileges and deploying ransomware across the environment is a short process.

T1608.003 Stage Capabilities: Install Digital Certificate — Scattered Spider outfits its phishing domains with free Let's Encrypt TLS certificates, giving the sites a reassuring padlock and sidestepping browser security warnings.

Initial Access:

T1199 Trusted Relationship — Scattered Spider compromises IT outsourcing giants such as Tata Consultancy Services (TCS), then exploits the provider's privileged connections as an entry point into each downstream customer environment.

T1078 Valid Accounts — After breaching a service provider, Scattered Spider pivots into customer networks by re-using the provider's legitimate, often highly privileged, credentials. The specific ATT&CK sub-techniques employed (e.g., T1078.004 Valid Accounts: Cloud Accounts) vary from engagement to engagement, but the underlying tactic is to use trusted identities to slip past external defences.

Credential Access:

T1552.001 Unsecured Credentials: Credentials In Files — After gaining an initial foothold, Scattered Spider mines internal files and documentation for embedded credentials, such as shared password spreadsheets or design documents containing service-account credentials, which it then uses to pivot deeper into the network.

Discovery:

T1083 File and Directory Discovery — By scrutinising internal design documents and other technical blueprints, Scattered Spider gains a ready-made roadmap of the environment, allowing it to navigate with ease.

Collection:

T1557 Adversary-in-the-Middle — Through Evilginx, Scattered Spider intercepts the sign-in flow, captures the user's session cookies, and slips past MFA altogether.

T1005 Data from Local System — Before deploying ransomware, Scattered Spider first siphons off sensitive data to gain leverage for double extortion. The exfiltration route, whether from cloud buckets (T1530 Data from Cloud Storage), local file shares, or SaaS repositories, shifts from target to target, but the objective is the same: secure extortion material before the encryption starts.

Impact:

T1486 Data Encrypted for Impact — Recent incidents link Scattered Spider to the deployment of the newer DragonForce ransomware payload.

T1657 Financial Theft — Scattered Spider runs a double-extortion scheme, charging victims for the decryption key and for keeping the stolen data from going public.

Threat-Informed Defence — Trusted Relationship

Effective defence starts with studying the adversary's playbook. Scattered Spider's signature move is T1199 Trusted Relationship: hijacking the very vendor accounts and service-provider tooling your organisation already trusts. When every malicious action is wrapped in an approved identity, "just block the bad IP" is meaningless. Instead, you need mitigations and detections tuned to this technique. The ATT&CK-aligned measures below show where to focus for maximum impact against Scattered Spider's current TTPs.

M1032 Multi-factor Authentication — Scattered Spider can defeat weak factors via Evilginx, but that is no excuse to hand them easy wins. Require MFA on every vendor and privileged account, and move those accounts to phishing-resistant MFA such as FIDO2 passkeys. A WebAuthn credential is bound to the identity provider's origin: the browser records the origin it actually loaded and the authenticator scopes its signature to the registered RP ID, so an assertion collected on a look-alike proxy domain is rejected by the real identity provider and the proxy never receives a session to replay. Push notifications and one-time codes carry no such binding, which is why they relay cleanly through Evilginx.

M1030 Network Segmentation — Scattered Spider's playbook depends on lateral movement: harvesting documents, reaching domain controllers, and staging ransomware. Carve the environment into security zones, such as user workstations, file shares, domain controllers, and backups, so each hop demands fresh credentials and additional approvals. Every boundary the adversary must cross slows their progress, multiplies detection opportunities, and confines the damage if they do break through.

M1018 User Account Management — Apply least privilege: every account should receive only the rights needed for the job at hand, nothing more. Re-certify privileges whenever a role changes and immediately disable or delete accounts when contracts or employment end. Tight lifecycle discipline limits the access Scattered Spider is initially able to obtain and contains the damage any single compromised credential can cause.

DS0015 Application Log with the data component Application Log Content — Once inside, Scattered Spider may register its own MFA devices or spin up covert jump servers for persistence. Compare application logs with your CMDB and other asset inventories to flag endpoints and virtual machines that were never authorised. At the same time, baseline the normal activity of every admin account, then alert when those identities enrol new authenticators, create infrastructure, export data, or carry out any action beyond their documented remit.

DS0028 Logon Session with the data components Logon Session Creation and Logon Session Metadata — Profile normal log-on patterns for every vendor and privileged account, then alert on deviations. Flag service-provider sessions originating from never-before-seen geographies, multiple concurrent logins from distant locations, or users whose badges never entered the building and whose devices lack an active VPN tunnel. Correlating session data with physical-access logs, VPN records, and asset telemetry turns these anomalies into high-confidence tripwires.

DS0029 Network Traffic with the data component Network Traffic Content — Monitor network traffic and watch for anomalies: large or unusual data transfers, remote-desktop tunnels, or sudden jumps to crown-jewel systems. Alert on traffic to or from IP ranges that fall outside the provider's documented footprint and on exfiltration patterns such as sustained HTTPS uploads to unknown hosts. To catch Evilginx-style cookie replay, add a rule that fires when the same session cookie is presented from two different countries within a five-minute window. Note that the cookie value itself travels inside TLS, so this rule runs on identity-provider or application session logs that record a session identifier next to the source IP and its geolocation, not on raw packet captures; store only a hash of the identifier, and tune for corporate VPN egress points, which can legitimately move one session between countries.

Cyber Threat Intelligence That Matters

Scattered Spider's airline offensive shows a group willing to reinvent its target list, but not its core playbook. Evilginx-powered AiTM aimed at IT service providers, and through them at their clients, remains the nucleus: steal session cookies, bypass MFA, and use legitimate access to deploy ransomware. A threat-informed defence approach, mapping controls directly to ATT&CK techniques, lets you choke the campaign at each stage.

Arachne Digital's cyber threat intelligence tracks newly observed Scattered Spider TTPs, so your SOC can convert intelligence into concrete mitigations and detections. Learn more by reaching out to [email protected].
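The M1032 paragraph above says that phishing-resistant MFA defeats an Evilginx-style proxy because the credential is bound to the identity provider's origin. The following added example (not code from the article, from Evilginx, or from any WebAuthn library) shows the relying-party side of that binding: the origin and RP-ID checks from the WebAuthn assertion verification procedure, run against a legitimate assertion and against one relayed through a look-alike domain. The RP ID `sso.example.com`, the phishing domain `company-sso.com`, and all challenge values are constructed for the example; signature verification is omitted so the block runs with the standard library only.

```python
"""Why phishing-resistant MFA survives an Evilginx-style proxy.

Added example: a relying party (RP) performs the origin and RP-ID checks from
the WebAuthn assertion verification procedure. The browser, not the page
script, writes the origin it actually loaded into clientDataJSON, and the
authenticator hashes the RP ID into authenticatorData, so an assertion
collected on a look-alike domain cannot pass. Signature verification is left
out to keep this dependency-free; a real RP must also verify the signature
over authenticatorData || SHA-256(clientDataJSON).
"""
import base64
import hashlib
import json
import struct

RP_ID = "sso.example.com"                 # assumed RP ID for the example
EXPECTED_ORIGIN = "https://" + RP_ID      # the only origin the RP accepts
FLAG_UP = 0x01                            # authenticatorData flag: user present
FLAG_UV = 0x04                            # authenticatorData flag: user verified


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str, flags: int = FLAG_UP | FLAG_UV,
                            sign_count: int = 7) -> bytes:
    """authenticatorData for a get() ceremony:
    SHA-256(rpId) (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser serialises it. Page JavaScript cannot set
    'origin'; the browser fills in the origin of the document making the call."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, rp_id: str = RP_ID,
                     expected_origin: str = EXPECTED_ORIGIN) -> tuple[bool, str]:
    """Challenge, origin, rpIdHash and user-presence checks; returns (ok, reason)."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay)"
    if client.get("origin") != expected_origin:
        return False, f"origin mismatch: {client.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    return True, "ok"


def demo() -> dict:
    """Four assertions: legitimate, relayed through a phishing proxy, wrong RP
    ID only, and a replayed (stale) challenge. All inputs are constructed."""
    challenge = hashlib.sha256(b"constructed per-request nonce").digest()
    phish_origin = "https://company-sso.com"   # look-alike domain from the article

    legitimate = verify_assertion(make_client_data(challenge, EXPECTED_ORIGIN),
                                  make_authenticator_data(RP_ID), challenge)
    # The victim's browser is on company-sso.com. It refuses a get() whose rpId
    # is sso.example.com (not a suffix of the current origin), so the best the
    # proxy can do is request rpId=company-sso.com. The browser still records
    # the true origin, and the rpIdHash is wrong as well.
    proxied = verify_assertion(make_client_data(challenge, phish_origin),
                               make_authenticator_data("company-sso.com"), challenge)
    wrong_rp_id = verify_assertion(make_client_data(challenge, EXPECTED_ORIGIN),
                                   make_authenticator_data("company-sso.com"), challenge)
    stale = hashlib.sha256(b"yesterday's nonce").digest()
    replayed = verify_assertion(make_client_data(stale, EXPECTED_ORIGIN),
                                make_authenticator_data(RP_ID), challenge)
    return {"legitimate": legitimate, "proxied": proxied,
            "wrong_rp_id": wrong_rp_id, "replayed": replayed}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The contrast with the attack in the article is the `origin` field: a relayed password and one-time code carry nothing that names the site the user typed them into, so the proxy forwards them unchanged and collects the resulting cookie, whereas the WebAuthn assertion names the phishing origin and fails before any session exists.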
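The DS0028 and DS0029 guidance above describes three tripwires: the same session seen from two countries within five minutes, a vendor or privileged account signing in from a never-before-seen geography, and persistence actions (new authenticators, new infrastructure) by an account that just tripped one of those rules. The following added example (not Arachne Digital's detection content) implements all three over a constructed set of identity-provider events in a generic JSON-lines shape. The field names (`ts`, `user`, `event`, `session_id`, `country`, `ip`), the event names, the baseline table and every log line are assumptions made for the example; map them to your own IdP's log (Okta's System Log, for instance, carries a session identifier in `authenticationContext.externalSessionId` next to the client's geographical context).

```python
"""Session tripwires for Evilginx-style cookie replay and trusted-relationship
abuse, as an added example over constructed identity-provider events.

Session cookies travel inside TLS, so this logic runs on IdP or application
session logs that record a session identifier with source IP and geolocation,
not on packet captures.
"""
import hashlib
import json
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(minutes=5)     # same session, two countries
FOLLOW_ON_WINDOW = timedelta(hours=1)    # persistence actions after an anomaly

# Constructed baseline: countries each vendor / privileged account normally
# signs in from. Build the real one from 30-90 days of sign-in history.
BASELINE_COUNTRIES = {"tcs-svc-admin": {"IN", "GB"}, "alice.admin": {"GB"}}
PERSISTENCE_EVENTS = {"mfa.factor.enrolled", "vm.created"}

# Constructed sample log. alice.admin's session hops GB -> NL in 3.5 minutes
# (cookie replayed from an attacker VM) and then enrols a new authenticator;
# tcs-svc-admin signs in from a country outside its baseline; bob.dev is benign.
SAMPLE_LOG = """\
{"ts": "2025-07-01T08:00:00Z", "user": "alice.admin", "event": "session.created", "session_id": "s-1001", "country": "GB", "ip": "203.0.113.10"}
{"ts": "2025-07-01T08:03:30Z", "user": "alice.admin", "event": "session.activity", "session_id": "s-1001", "country": "NL", "ip": "198.51.100.7"}
{"ts": "2025-07-01T08:40:00Z", "user": "alice.admin", "event": "mfa.factor.enrolled", "session_id": "s-1001", "country": "NL", "ip": "198.51.100.7"}
{"ts": "2025-07-01T09:00:00Z", "user": "tcs-svc-admin", "event": "session.created", "session_id": "s-2002", "country": "IN", "ip": "192.0.2.55"}
{"ts": "2025-07-01T10:00:00Z", "user": "tcs-svc-admin", "event": "session.created", "session_id": "s-2003", "country": "US", "ip": "192.0.2.99"}
{"ts": "2025-07-01T12:00:00Z", "user": "tcs-svc-admin", "event": "session.activity", "session_id": "s-2002", "country": "IN", "ip": "192.0.2.55"}
{"ts": "2025-07-01T13:00:00Z", "user": "bob.dev", "event": "session.created", "session_id": "s-3003", "country": "GB", "ip": "203.0.113.44"}
{"ts": "2025-07-01T13:10:00Z", "user": "bob.dev", "event": "session.activity", "session_id": "s-3003", "country": "GB", "ip": "203.0.113.45"}
{"ts": "2025-07-01T14:00:00Z", "user": "bob.dev", "event": "mfa.factor.enrolled", "session_id": "s-3003", "country": "GB", "ip": "203.0.113.45"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with timezone-aware timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def session_key(session_id: str) -> str:
    """Keep only a hash: the SIEM must not become a second store of cookies."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:16]


def detect(events: list) -> list:
    """Return alerts in time order for replay, new geography and follow-on persistence."""
    alerts = []
    last_seen = {}       # session key -> (timestamp, country)
    suspect_until = {}   # user -> time until which persistence actions are suspect

    def raise_alert(rule: str, event: dict, detail: str) -> None:
        alerts.append({"rule": rule, "user": event["user"],
                       "session": session_key(event["session_id"]),
                       "ts": event["ts"].isoformat(), "detail": detail})
        suspect_until[event["user"]] = event["ts"] + FOLLOW_ON_WINDOW

    for event in events:
        user, country, kind = event["user"], event["country"], event["event"]
        if kind in ("session.created", "session.activity"):
            key = session_key(event["session_id"])
            prev = last_seen.get(key)
            if prev and prev[1] != country and event["ts"] - prev[0] <= REPLAY_WINDOW:
                gap = int((event["ts"] - prev[0]).total_seconds())
                raise_alert("session_replay", event, f"{prev[1]} -> {country} in {gap}s")
            last_seen[key] = (event["ts"], country)
            baseline = BASELINE_COUNTRIES.get(user)
            if kind == "session.created" and baseline and country not in baseline:
                raise_alert("new_geography", event, f"{country} not in {sorted(baseline)}")
        elif kind in PERSISTENCE_EVENTS:
            until = suspect_until.get(user)
            if until and event["ts"] <= until:
                raise_alert("post_anomaly_persistence", event, kind)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the sample log this raises three alerts: the GB-to-NL replay on alice.admin's session, her authenticator enrolment 36 minutes later, and tcs-svc-admin's sign-in from a country outside its baseline; bob.dev's enrolment is ignored because nothing anomalous preceded it. Before production use, add the ASN and device identifier to the replay key and exempt your own VPN egress and cloud proxy ranges, which can legitimately move a session between countries within the window.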
Analysis Summary
# Threat Actor: Scattered Spider (UNC3944 / Octo Tempest)
## Attribution & Identity
* **Primary Name:** Scattered Spider
* **Aliases:** UNC3944, Octo Tempest
* **Motivation:** Financially motivated.
* **Evolution:** Evolved from initial SIM-swap and Business Email Compromise (BEC) schemes.
* **Partnerships:** Partners with ransomware groups, including ALPHV, RansomHub, and DragonForce.
* **Preference:** Favors English-speaking enterprises that possess rich identity stores and rely on high-availability systems suitable for extortion.
## Activity Summary
Scattered Spider is driving a renewed surge of intrusions. They recently targeted the retail and insurance verticals, and then quickly pivoted to the aviation sector, breaching Hawaiian Airlines, WestJet, and Qantas within weeks in mid-2025. Their success relies heavily on their adversary-in-the-middle (AiTM) playbook. They have also been known to compromise IT outsourcing giants, such as Tata Consultancy Services (TCS), to gain access to downstream customers via established, privileged provider connections.
## Tactics, Techniques & Procedures
- **Reconnaissance:** T1591 Gather Victim Org Information (harvesting internal details for convincing vishing scripts).
- **Resource Development:**
  - T1583.001 Acquire Infrastructure: Domains (bulk-registering look-alike tech and SSO domains).
  - T1588.002 Obtain Capabilities: Tool (using open-source tools like ADRecon, ADExplorer, and SharpHound to map Active Directory environments).
  - T1608.003 Stage Capabilities: Install Digital Certificate (equipping phishing domains with free Let’s Encrypt TLS certificates).
- **Initial Access:**
  - T1199 Trusted Relationship (compromising third-party service providers/outsourcing giants to gain entry to customer environments).
  - T1078 Valid Accounts (re-using legitimate, often highly privileged, provider credentials to pivot into customer networks).
- **Credential Access:** T1552.001 Unsecured Credentials: Credentials In Files (mining internal files for embedded credentials like shared password spreadsheets).
- **Persistence/Defense Evasion:** Registering their own MFA devices or spinning up covert jump servers after gaining a foothold.
- **Core Technique:** Adversary-in-the-Middle (AiTM) attacks, specifically leveraging **Evilginx** to steal session cookies and bypass MFA entirely by replaying captured cookies.
## Targeting
* **Sectors:** Retail, Insurance, Aviation (recently attacked: Hawaiian Airlines, WestJet, Qantas). Also targets entities with deep access via IT service providers.
* **Geography:** Focuses on English-speaking enterprises.
* **Victims:** High-availability enterprises, IT outsourcing giants (e.g., TCS), and their downstream customers.
## Tools & Infrastructure
* **Malware Families Used:** The article does not explicitly name malware families beyond the use of ransomware partnerships (ALPHV, RansomHub, DragonForce), but the primary access tool described is **Evilginx**.
* **Infrastructure:**
* Uses look-alike phishing domains (e.g., company-sso[.]com, vpn-login-corp[.]net).
* Uses free Let's Encrypt certificates.
* Employs Evilginx as a transparent reverse proxy to capture session cookies.
## Implications
Scattered Spider demonstrates high operational agility, quickly changing industry targets while maintaining reliance on a proven playbook centered around MFA bypass via session cookie theft. Their strategy of targeting MSPs/outsourcers provides a high-yield mechanism for widespread access to numerous client environments. Successful exploitation leads directly to ransomware deployment using established partnerships.
## Mitigations
- **Endpoint/Log Monitoring:**
- Monitor Application Log Content for endpoints or VMs that were never authorized or show changes in administrator logons.
- Baseline admin account activity, alerting on enrollment of new authenticators, infrastructure creation, or data export.
- **Session Monitoring:**
- Profile normal Logon Session metadata for privileged accounts. Alert on sessions involving multiple concurrent logins from distant locations or logins without active VPN tunnels for remote personnel.
- Specifically watch for cookie replay by setting triggers for when the same session cookie appears from two different countries within a short window (e.g., five minutes).
- **Network Monitoring:**
- Monitor Network Traffic for unusual activity like large data transfers, remote-desktop tunneling, or unexpected jumps to high-value systems.
- Alert on traffic to/from IP ranges outside the provider’s documented footprint.
- **Defense-in-Depth:** Implement a threat-informed defense strategy to choke the campaign at every stage, focusing on detections mapped directly against the observed ATT&CK techniques.