Microsoft Reveals Scattered Spider’s New Cyberattack Tactics

Summary
– Microsoft reports Scattered Spider is using new tactics to breach cloud environments, shifting from abusing cloud identity privileges to compromising on-premises accounts and infrastructure first.
– The group has deployed DragonForce ransomware, particularly focusing on VMware ESX hypervisor environments, alongside aggressive social engineering and SMS phishing attacks.
– Scattered Spider has recently targeted airlines, retail, food services, hospitality, and insurance sectors with ransomware and data extortion attacks between April and July 2025.
– Microsoft is updating its security products, including Defender and Sentinel, to detect and disrupt Scattered Spider’s activities by disabling compromised accounts and revoking active sessions.
– Microsoft recommends proactive defense measures like multi-factor authentication, risk-based sign-in policies, and least-privilege access to mitigate Scattered Spider’s hybrid attack tactics.
Microsoft has uncovered new cyberattack techniques employed by the notorious hacking group Scattered Spider, revealing their shift toward hybrid cloud and on-premises system breaches. The group, also known as Octo Tempest, has refined its approach by initially compromising local infrastructure before moving laterally into cloud environments, a tactic that increases the complexity of detection and response.
One of the most concerning developments is the group’s deployment of DragonForce ransomware, particularly targeting VMware ESX hypervisors, which are widely used in enterprise virtualization. Beyond ransomware, Scattered Spider continues to rely on aggressive social engineering, often tricking service desk personnel into granting access. Additionally, they’ve expanded their phishing campaigns, using adversary-in-the-middle (AiTM) domains to impersonate trusted organizations and intercept sensitive data.
Recent attacks have focused on airlines, retail chains, hospitality providers, and insurance firms, with a noticeable spike in activity between April and July 2025. These sectors face heightened risks due to the group’s dual strategy of ransomware encryption and data extortion, putting immense pressure on victims to pay up or risk exposure.
To counter these threats, Microsoft has enhanced its security suite, including Defender and Sentinel, with advanced detection capabilities. Defender now identifies Scattered Spider’s tactics across endpoints, cloud workloads, and SaaS applications, while its self-defense feature automatically disables compromised accounts and terminates active sessions. However, Microsoft stresses that SOC teams must still conduct thorough incident analysis to ensure complete threat eradication.
For proactive defense, Microsoft advises organizations to adopt multi-factor authentication (MFA), least-privilege access controls, and risk-based sign-in policies. Their Security Exposure Management solution also offers tools like critical asset protection and attack path analysis to help businesses stay ahead of evolving threats.
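The two defensive actions the article mentions (disabling a compromised account and revoking its active sessions, and enforcing MFA on risky sign-ins) can be scripted. The PowerShell below is an added example written for this page, not code from Microsoft or from InfoSecurity Magazine; it uses the ActiveDirectory (RSAT) module and the Microsoft.Graph PowerShell SDK, and the account names, the break-glass group ID, the policy name and the tenant scopes in the usage comment are placeholders you would replace with your own. It acts on the on-premises account first, matching the hybrid pivot the article describes, and creates the risk policy in report-only mode so it can be reviewed before enforcement.

```powershell
# Added example, not code from the article or from Microsoft: contain one
# compromised hybrid identity (on-premises AD first, then Entra ID) and
# create a report-only Conditional Access policy that requires MFA on
# medium/high sign-in risk. Account names, group IDs and the policy name
# are placeholders.

#Requires -Modules ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.SignIns

function New-RandomPassword {
    # 32 bytes from a CSPRNG, base64-encoded; a throwaway value so the old
    # credential cannot be replayed. Works on Windows PowerShell 5.1 and 7.
    $bytes = New-Object byte[] 32
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Invoke-HybridAccountContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,    # on-premises AD account (placeholder)
        [Parameter(Mandatory)] [string] $UserPrincipalName  # matching Entra ID account (placeholder)
    )

    $result = [ordered]@{
        Account         = $SamAccountName
        OnPremDisabled  = $false
        CloudDisabled   = $false
        SessionsRevoked = $false
    }

    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable AD account and reset password')) {
        # On-premises first: the actor pivots from local infrastructure into
        # the cloud, so the AD object is the root of the compromise.
        Disable-ADAccount -Identity $SamAccountName
        $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
        $result.OnPremDisabled = $true
    }

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable Entra ID account and revoke sessions')) {
        # Do not wait for Entra Connect to sync the disabled flag; act in the
        # cloud directly. Revoking sessions invalidates refresh tokens so
        # existing browser and app sessions cannot keep renewing silently.
        Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
        $result.CloudDisabled = $true
        $revoke = Revoke-MgUserSignInSession -UserId $UserPrincipalName
        $result.SessionsRevoked = [bool]$revoke.Value
    }

    return [pscustomobject]$result
}

function New-SignInRiskMfaPolicy {
    param(
        [Parameter(Mandatory)] [string] $BreakGlassGroupId,  # placeholder: emergency-access group object ID
        [string] $DisplayName = 'Require MFA for medium or high sign-in risk'
    )

    # Report-only first: check the sign-in logs for what the policy would
    # have done, then switch state to 'enabled'. The break-glass group is
    # excluded so a misconfigured policy cannot lock out every admin.
    $policy = @{
        displayName = $DisplayName
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users            = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications     = @{ includeApplications = @('All') }
            clientAppTypes   = @('all')
            signInRiskLevels = @('medium', 'high')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }

    return New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# Usage (delegated permissions, from an admin workstation; all values are placeholders):
# Connect-MgGraph -Scopes 'User.ReadWrite.All','User.RevokeSessions.All','Policy.Read.All','Policy.ReadWrite.ConditionalAccess','Application.Read.All'
# Invoke-HybridAccountContainment -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.example' -WhatIf
# New-SignInRiskMfaPolicy -BreakGlassGroupId '00000000-0000-0000-0000-000000000000'
```

Run the containment function with `-WhatIf` first to confirm it targets the intended account. Note that revoking Entra sessions does not invalidate Kerberos tickets already issued on-premises; those expire on their own, which is why the on-premises password reset is done alongside disabling the account rather than instead of it.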
As Scattered Spider’s methods grow more sophisticated, businesses must prioritize layered security measures to defend against both cloud and on-premises vulnerabilities. Staying informed and implementing robust protections can mean the difference between a thwarted attack and a costly breach.
(Source: InfoSecurity Magazine)