Security agencies have released a new advisory warning that the Scattered Spider hacking group is actively infiltrating collaboration platforms like Microsoft Teams and Slack.
According to the FBI and international cybersecurity partners, the group is using these channels to gather internal intelligence and launch highly targeted phishing attacks, combining ransomware with advanced social engineering tactics to compromise organisations.
“Per trusted third parties, Scattered Spider threat actors typically engage in data theft for extortion and also use several ransomware variants, most recently deploying DragonForce ransomware alongside their usual Tactics, Techniques, and Procedures (TTPs),” the advisory stated.
While some TTPs remain consistent, Scattered Spider threat actors often change TTPs to remain undetected.”
For IT leaders, the message is clear: It’s time to tighten controls, rethink processes, and train staff to anticipate deception at every level.
Who Are Scattered Spider?
Researchers consider Scattered Spider unique within the cybercrime underground.
It consists largely of English-speaking young men (including many teenagers) from the US and the UK, and is estimated to have as many as 1,000 members.
The hacking group first made headlines in September 2023 with a ransomware attack on MGM Resorts that severely disrupted operations and cost the company over $100 million.
The group has also been linked to the 2023 Clorox cyberattack, which led to widespread product shortages and a $380 million lawsuit against Clorox’s IT vendor, Cognizant, for allegedly mishandling credentials.
Their earlier activities, dating back to 2021, included phishing campaigns targeting employee credentials, resulting in millions of dollars in theft and attacks on 45 companies.
Despite initial beliefs that the group had been dismantled, the group resurfaced in April 2025 with new attacks on major UK retailers Marks & Spencer, Harrods, and Co-op – causing an estimated £440 million in damages.
British authorities have since arrested four suspects and are analysing seized computer equipment for further leads.
What’s New – and Why IT Should Be on High Alert
Scattered Spider has added several new tools and tactics to its arsenal:
- Impersonation 2.0: Hackers are no longer just pretending to be IT support – they’re posing as employees, tricking real IT staff into resetting passwords and transferring MFA tokens.
- Push Bombing and SIM Swapping: These methods are being used to bypass multi-factor authentication (MFA) by exploiting end-user behaviour.
- Remote Tools Abuse: Once inside, the group leverages legitimate software like AnyDesk to maintain persistent, stealthy access.
- Collaboration Platform Infiltration: The group is actively infiltrating Microsoft Teams and Slack to gather internal intelligence, craft realistic phishing messages, and escalate privileges – all while blending in.
Critical Steps IT Teams Must Take Now
To defend against the evolving tactics of Scattered Spider, IT teams must take immediate, strategic action across multiple layers of their security infrastructure.
First, help desk protocols should be updated to include strict identity verification before resetting passwords or MFA tokens, along with call-back procedures for unusual requests and full logging of all credential-related interactions.
Multi-factor authentication must also be hardened – replacing SMS-based MFA with phishing-resistant options like hardware security keys or biometric methods, and enabling features such as number matching and geolocation prompts to prevent accidental approvals.
Remote access tools, which are frequently exploited by attackers, should be tightly controlled.
This means auditing all usage, restricting installation to approved applications, and setting up real-time alerts for tools like AnyDesk and TeamViewer.
In addition, internal communication platforms such as Microsoft Teams and Slack must be secured, with strong authentication requirements, restricted guest access, and ongoing monitoring for unusual behaviour – like messages from inactive accounts or logins from new locations.
Employees should also be trained to question unexpected requests, even when they appear to come from trusted internal sources.
Since Scattered Spider has shown a keen interest in platforms like Snowflake, organisations should enforce role-based access controls, enable detailed activity logging, and monitor for anomalies like unusually large query volumes, implementing rate limiting where necessary.
Finally, resilience against ransomware depends on strong recovery practices: IT teams should maintain encrypted, offline backups stored separately from production systems and conduct regular restoration drills to ensure they can bounce back quickly if an incident occurs.
Bottom Line: Assume You’re a Target
Scattered Spider isn’t just exploiting code – they’re exploiting people, habits, and trust.
Their techniques combine technical skill with psychological manipulation, targeting IT teams, help desks, and internal communication tools to gain a foothold.
In this landscape, technical defences alone are no longer enough. Organisations must embrace a zero-trust mindset, implement multi-layered access controls, and prioritize user training as a frontline defence strategy.
Every MFA prompt, every password reset request, and every Slack message is a potential attack vector.
The best defence is ultimately vigilance – built on clear processes, hardened systems, and a security-aware culture.
