Microsoft has revealed the latest tactics of the cybercrime group Scattered Spider, highlighting its increasing focus on identity exploitation and its use of sophisticated social engineering techniques. The group, also known as Octo Tempest, has been observed using new tactics to gain access to cloud environments.
Typically, Scattered Spider uses cloud identity privileges to gain on-premises access. However, Microsoft said recent activity has involved initially targeting both on-premises accounts and infrastructure before moving on to cloud access. The group has also been observed deploying DragonForce ransomware, with a particular focus on VMware ESX hypervisor environments.
Microsoft's analysis indicates that Scattered Spider continues to use aggressive social engineering to gain initial access, manipulating service desk support personnel. The group has also used SMS phishing with adversary-in-the-middle (AiTM) domains that mimic legitimate organizations. Most recently, it has actively targeted airlines with ransomware and data extortion attacks. Between April and July 2025, its activity targeted the retail, food services, hospitality, and insurance sectors.
To address these developments, Microsoft is continuously updating its security products. The company highlighted its Microsoft Defender and Microsoft Sentinel security ecosystem, which provides a wide range of detections to identify Scattered Spider-related activity. These detections span all areas of the security portfolio, including endpoints, identities, software as a service (SaaS) apps, email and collaboration tools, cloud workloads, and more, to provide comprehensive protection coverage.
Attacks can be disrupted using Microsoft Defender's built-in self-defense capability, attack disruption. This technology takes multiple potential indicators and behaviors and correlates them into a high-fidelity incident. Based on previous learnings from Scattered Spider attacks, attack disruption will automatically disable the user account used by the group and revoke all of its existing active sessions.
Microsoft has also enhanced the advanced hunting capabilities in Defender, helping organizations identify and ward off the group's more aggressive social engineering attacks on privileged individuals. Analysts can query across both first- and third-party data sources through Microsoft Defender XDR and Microsoft Sentinel, and can gain exposure insights from Microsoft Security Exposure Management.
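The correlation idea behind the attack disruption and hunting capabilities described above can be illustrated with a small detection routine. The following is an added example written for this article; it is not Microsoft's code and does not use the real Defender XDR or Sentinel table schemas. It assumes a simplified event format (`ts`, `user`, `type`, `src`) and works over a constructed set of identity events. It looks, per user, for the help-desk-driven chain the article describes (a service-desk password reset, followed by registration of a new MFA method, followed by a sign-in from a previously unseen device) inside a one-hour window, raises a single incident for the chain rather than three isolated alerts, and returns the response actions the article attributes to attack disruption: disable the account and revoke its sessions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The field names are an
# assumption for this example, not a Defender XDR or Sentinel schema.
EVENTS = [
    {"ts": "2025-06-02T09:00:00", "user": "alice", "type": "helpdesk_password_reset", "src": "helpdesk"},
    {"ts": "2025-06-02T09:07:00", "user": "alice", "type": "mfa_method_registered", "src": "203.0.113.5"},
    {"ts": "2025-06-02T09:15:00", "user": "alice", "type": "signin_new_device", "src": "203.0.113.5"},
    # bob: reset, then a new-device sign-in a day later and no MFA change; outside the window
    {"ts": "2025-06-02T11:00:00", "user": "bob", "type": "helpdesk_password_reset", "src": "helpdesk"},
    {"ts": "2025-06-03T14:00:00", "user": "bob", "type": "signin_new_device", "src": "198.51.100.9"},
    # carol: a lone MFA registration, which on its own is routine
    {"ts": "2025-06-02T10:00:00", "user": "carol", "type": "mfa_method_registered", "src": "192.0.2.1"},
]

# Ordered chain of low-fidelity signals that together form a high-fidelity incident.
CHAIN = ("helpdesk_password_reset", "mfa_method_registered", "signin_new_device")
WINDOW = timedelta(hours=1)


def correlate(events, window=WINDOW, chain=CHAIN):
    """Return one incident per user whose events contain the full chain, in order,
    with every step within `window` of the first step."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    incidents = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if first["type"] != chain[0]:
                continue
            matched = [first]
            step = 1
            for e in evs[i + 1:]:
                if e["ts"] - first["ts"] > window:
                    break  # later events fall outside the correlation window
                if e["type"] == chain[step]:
                    matched.append(e)
                    step += 1
                    if step == len(chain):
                        break
            if step == len(chain):
                incidents.append({
                    "user": user,
                    "start": matched[0]["ts"],
                    "end": matched[-1]["ts"],
                    "evidence": [m["type"] for m in matched],
                    "sources": sorted({m["src"] for m in matched}),
                })
                break  # one incident per user is enough to act on
    return incidents


def response_actions(incident):
    """Response the article attributes to attack disruption, expressed as actions
    for a SOAR playbook or an analyst to carry out (no API is called here)."""
    user = incident["user"]
    return [f"disable_account:{user}", f"revoke_sessions:{user}"]


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["user"], inc["evidence"], response_actions(inc))
```

Only `alice` produces an incident: `bob`'s events are out of order and outside the window, and `carol`'s single MFA change is not enough on its own. That is the point of correlating into an incident rather than alerting on each signal: a password reset or an MFA registration is routine in isolation, but the ordered sequence inside a short window is what the attack disruption described above acts on.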
Scattered Spider is known for its ability to combine human deception with technical precision. The group often targets IT help desk personnel and privileged users through sophisticated phone-based attacks and impersonation. It also uses SIM swapping and phone-based credential theft to bypass MFA. Despite arrests, the group remains active and adaptive, expanding its targets and tactics while maintaining its core identity-focused attack strategy.
Microsoft provides guidance for addressing Scattered Spider's tactics, techniques, and procedures (TTPs), as well as a broader ransomware initiative focused on reducing exposure to extortion attacks. This guidance includes core advice for managing cloud, endpoint, and identity security.