
Your IAM Under Siege: Scattered Spider TTPs & the Zero-Trust Response Plan By CyberDudeBivash • Date: September 20, 2025 (IST)

Executive summary

“Scattered Spider” (aka UNC3944 / Muddled Libra / Octo Tempest) is the most consequential identity-centric threat cluster in recent memory. Their hallmark is human-layer intrusion: calling helpdesks, abusing MFA workflows, SIM-swapping numbers, adding new factors, and riding newly granted admin privileges into SSO/IDPs and cloud control planes. Recent joint advisories (FBI/CISA + Five Eyes) and vendor reporting confirm escalating TTPs, including broadened ransomware partnerships, Snowflake-scale data theft, and continued social engineering of IT support. [TechRadar; CISA]

This guide gives you two things:

  1. a concise map of Scattered Spider’s latest IAM tradecraft, and

  2. a copy-ready zero-trust response plan—identity controls to turn on, detections to deploy today, and a 72-hour hardening sprint your SOC can run immediately.


Threat actor snapshot (what’s known & stable)

  • Aliases: Scattered Spider (CrowdStrike: SCATTERED SPIDER / UNC3944), Palo Alto Unit 42: Muddled Libra, Microsoft: Octo Tempest. Same broad cluster of financially motivated operators specializing in social engineering and identity compromise. [CrowdStrike; Unit 42]

  • Signature tradecraft: Helpdesk social engineering to reset passwords or enroll new MFA; MFA push fatigue; SIM-swap to intercept OTPs; quick escalation to IDP/admin; data theft and double extortion (often with partner ransomware crews such as ALPHV/BlackCat or others). [CISA; AP News]

  • High-profile impacts: 2023 casino breaches (MGM, Caesars) driven by support-desk social engineering, with material business disruption and eight-figure costs; regulators continue to probe impacts. [AP News]

  • 2025 updates: Joint advisory notes ongoing campaigns through June 2025; reporting highlights new payloads (e.g., RATtyRAT), added ransomware variants, and expanded sector targeting (aviation, insurance, retail). [CISA; TechRadar]


The identity kill chain (how they win)

Think: people + policy weaknesses more than zero-days.

  1. Recon & target selection: LinkedIn/OSINT to identify employees and helpdesk workflows; harvest numbers, internal jargon, ticketing systems. (Observed across 2023–2025 cases.) [Specops Software]

  2. Initial access (human-layer):

    • Helpdesk impersonation to reset password or add a new MFA factor.

    • MFA fatigue until a push is approved out of confusion.

    • SIM-swap with the carrier to re-enroll factors or intercept SMS/voice OTPs. [CISA]

  3. Privilege escalation: Flip IDP/SSO admin toggles, add themselves to privileged groups, change MFA policies, register new OAuth apps/service principals, and mint high-scope tokens. (Multiple vendor IR write-ups.) [CrowdStrike]

  4. Lateral movement & persistence: Install legitimate RMM tools, create backdoor accounts, seed forwarding rules, persist via new factors/devices or long-lived OAuth tokens. (Common across IRs.) [Unit 42]

  5. Impact: Rapid data theft (cloud storage, SaaS, data warehouses) and extortion; when convenient, deploy partner ransomware, targeting ESXi and business-critical systems. [TechRadar]


The Zero-Trust Response Plan (that actually holds up)

1) Identity controls to enforce now

Admins get phishing-resistant MFA only

  • Enforce FIDO2/WebAuthn or platform authenticators for all privileged roles.

  • Disable voice/SMS for admins; restrict push factors to number matching, show the sign-in geolocation in the prompt, and rate-limit push challenges. (Recommended by CISA/FBI partners.) [CISA]

Helpdesk hardening (break the social-engineering loop)

  • No password/MFA resets based solely on what the caller knows. Require call-back to a HR-verified number, plus an out-of-band hardware-key proof or manager approval recorded in the ticket.

  • Script denial language and an escalation path for urgency plays. (MGM/Caesars lessons learned.) [AP News]

SIM-swap resilience

  • Remove phone numbers from admin recovery.

  • Use corporate eSIM with carrier port-out PIN and enterprise protections; monitor MDM for SIM/IMEI changes. (Agency guidance.) [CISA]

Least-privilege & JIT

  • Make every admin role eligible/JIT (PIM-style) with approval, MFA, reason, and time-box.

  • Rotate break-glass procedures; store credentials offline; audit exemptions quarterly. (Vendor guidance corroborates.) [Microsoft]

Session & token defense

  • Shorten sign-in frequency and revoke refresh tokens on risk changes; enable Continuous Access Evaluation-like features where available; alert on new OAuth apps/consents. [Microsoft]


2) Detections that matter (paste-ready ideas)

A) SSO/IDP admin abuse

  • Okta System Log: watch for

    • user.mfa.factor.deactivate, user.mfa.factor.update, system.mfa.factor.activate

    • policy.rule.update, system.email.reset_token.sent

    • app.oauth2.client.create, app.oauth2.as.update (suspicious or high-scope OAuth apps) [CrowdStrike]

  • Microsoft Entra (Azure AD) — KQL (Sentinel)

    // New MFA methods or admin role activations from unusual sources.
    // Known admin egress IPs live in a two-column CSV (name,ip) at a URL you supply;
    // the URL below is a placeholder.
    let KnownAdminIPs = externaldata(name:string, ip:string)
        [@"https://<your-storage>/known-admin-ips.csv"]
        with (format="csv", ignoreFirstRecord=true);
    AuditLogs
    | where OperationName in ("Add strong authentication method", "Activate eligible role", "Update application")
    | extend IP = tostring(InitiatedBy.user.ipAddress)
    | summarize count(), Actors=make_set(InitiatedBy.user.userPrincipalName) by OperationName, IP, bin(TimeGenerated, 1h)
    // Keep only activity from IPs that are NOT on the known-admin list
    | join kind=leftanti KnownAdminIPs on $left.IP == $right.ip

(Use Defender/Sentinel coverage for Octo Tempest behaviors per Microsoft.) [Microsoft]

B) MFA fatigue & policy tampering

  • CrowdStrike NG SIEM pattern (logic idea): cluster many push challenges followed by a policy change or factor add for the same user; treat as high-fidelity. [CrowdStrike]

C) SIM-swap signals

  • Correlate phone/MFA factor change + new device enrollment + helpdesk ticket within 60 minutes. (CISA advisory technique set.) [CISA]
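The two correlation ideas above (B: push fatigue followed by a factor or policy change; C: factor change + device enrollment + helpdesk ticket inside 60 minutes), implemented as an added example rather than code from this article or any vendor. Records are constructed, flattened Okta-System-Log-style events; the push, device-enrollment and helpdesk event type names are assumptions, only the factor/policy types come from the article.

```python
"""Correlate flattened Okta-System-Log-style events for (B) push fatigue
followed by a factor/policy change and (C) factor change + device enrollment
+ helpdesk ticket within 60 minutes. Sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_SENT = "system.push.send_factor_verify_push"   # assumed Okta event type
FACTOR_CHANGE = {"user.mfa.factor.update", "user.mfa.factor.activate",
                 "user.mfa.factor.deactivate", "policy.rule.update"}
DEVICE_ENROLLED = "device.enrollment.create"        # assumed event type
HELPDESK_RESET = "helpdesk.ticket.mfa_reset"        # constructed ITSM feed type

def _parse(events):
    """Sort by time; add a datetime field parsed from the ISO-8601 stamp."""
    out = [dict(e, t=datetime.fromisoformat(e["published"])) for e in events]
    return sorted(out, key=lambda e: e["t"])

def detect_mfa_fatigue(events, min_pushes=5, window=timedelta(minutes=30)):
    """(B) Factor/policy change preceded by >= min_pushes push challenges to
    the same user inside `window`. Returns [(user, eventType, push_count)]."""
    pushes, alerts = defaultdict(list), []
    for e in _parse(events):
        if e["eventType"] == PUSH_SENT:
            pushes[e["user"]].append(e["t"])
        elif e["eventType"] in FACTOR_CHANGE:
            recent = [t for t in pushes[e["user"]] if e["t"] - t <= window]
            if len(recent) >= min_pushes:
                alerts.append((e["user"], e["eventType"], len(recent)))
    return alerts

def detect_sim_swap_chain(events, window=timedelta(minutes=60)):
    """(C) Factor change, device enrollment and helpdesk reset ticket for one
    user all inside `window`, in any order. Returns the affected users."""
    kinds = {DEVICE_ENROLLED: "device", HELPDESK_RESET: "ticket"}
    by_user = defaultdict(lambda: {"factor": [], "device": [], "ticket": []})
    for e in _parse(events):
        kind = "factor" if e["eventType"] in FACTOR_CHANGE else kinds.get(e["eventType"])
        if kind:
            by_user[e["user"]][kind].append(e["t"])
    return [u for u, k in by_user.items()
            if any(max(f, d, h) - min(f, d, h) <= window
                   for f in k["factor"] for d in k["device"] for h in k["ticket"])]

# Constructed sample: six pushes to alice in ten minutes, then a factor update,
# a new device, and a helpdesk ticket 45 minutes earlier; bob's change is alone.
SAMPLE = [{"published": f"2025-09-20T09:0{i}:00", "eventType": PUSH_SENT,
           "user": "alice@example.com"} for i in range(6)] + [
    {"published": "2025-09-20T09:12:00", "eventType": "user.mfa.factor.update",
     "user": "alice@example.com"},
    {"published": "2025-09-20T09:20:00", "eventType": DEVICE_ENROLLED,
     "user": "alice@example.com"},
    {"published": "2025-09-20T08:45:00", "eventType": HELPDESK_RESET,
     "user": "alice@example.com"},
    {"published": "2025-09-20T10:00:00", "eventType": "user.mfa.factor.update",
     "user": "bob@example.com"}]
```

Running both detectors over SAMPLE flags only alice: one fatigue alert (6 pushes before her factor update) and one SIM-swap chain; bob's isolated factor change is ignored by both.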

D) Cloud exfil paths & staging

  • Alert on new MEGA/S3 destinations from corporate egress; sudden BigQuery/Snowflake large exports followed by external uploads. (Recent advisory notes.) [TechRadar]


3) Network & data protections that blunt damage

  • Private-by-default access to SaaS/IaaS data; block unknown egress and enforce DNS logging.

  • Object-lock / immutability on audit logs and backups to preserve forensics and recovery.

  • Just-enough-admin jump paths; disallow direct admin from travel/VPN except via checked, device-bound channels.

  • Label & gate data; route access through brokered paths tied to device posture + risk signals.


4) The 72-hour hardening sprint (runbook)

Hour 0–6: Contain identity risk

  • Disable voice/SMS for admins; force WebAuthn/FIDO2 on Tier-0 roles.

  • Lock helpdesk resets behind call-back + second-factor hardware proof.

  • Turn on impossible-travel, MFA-fatigue, and new-OAuth-app analytics in SIEM.

Hour 6–24: Close persistence & tokens

  • Audit IDP/SSO admins, app consents, service principals, MFA enrollments; remove unknowns.

  • Revoke refresh tokens org-wide for impacted tenants; shorten token lifetimes.

  • Inventory RMM tools; quarantine unapproved ones.

Day 2: Egress + data exfil

  • Block unsanctioned exfil endpoints (MEGA, anonymous file-sharing sites) at proxy/DNS; add detections.

  • Enable object-lock on security logs; snapshot volatile SaaS admin pages.

Day 3: Prove it

  • Table-top: helpdesk social-engineering + admin MFA reset.

  • Measure: time to detect, time to block, time to recover account and sessions.

(These moves mirror joint-advisory recommendations updated through June 2025 and recent vendor coverage.) [CISA; CrowdStrike]


5) Cloud-specific quick wins

Okta

  • Require phishing-resistant enrollments for admins (FastPass + device assurance or FIDO2).

  • Admin console network zones; deny resets without approved context; alert on Super Admin grants. [The Hacker News]

Microsoft Entra / Azure

  • PIM everywhere; Conditional Access requiring a compliant device for privileged roles; number matching and sign-in frequency for sensitive apps; Sentinel analytics per Microsoft’s Octo Tempest guidance. [Microsoft]

Google Cloud / Workspace

  • Block legacy 2SV for admins; require security keys; monitor OAuth app creation and domain-wide delegation; Chronicle/SCC detections for identity anomalies. (Cross-vendor guidance is consistent.) [Unit 42]


6) Incident response cues

  • Treat helpdesk tickets as evidence; preserve recordings and chat logs.

  • Snapshot IDP admin pages (roles, factors, apps) immediately; export audit logs.

  • Assume token theft: reset secrets, revoke sessions, rotate app creds.

  • Prepare extortion-resilient comms: do not negotiate via attacker-provided channels.


7) Red & blue interplay

  • Red-team helpdesk scripts (no-reset rules, challenge phrases).

  • Blue-team detections as code: versioned KQL/SPL/Chronicle rules; tie to runbooks.

  • Quarterly access reviews: admins, break-glass, OAuth apps, device trust lists.

  • Board-level metric: % of admins on phishing-resistant MFA, mean time to revoke sessions, time to remove rogue MFA factors.


Sources & further reading

  • CISA, FBI & international partners: Updated Scattered Spider advisory (TTPs through June 2025).

  • CISA/FBI 2023 PDF baseline on social engineering + IAM abuse.

  • Microsoft (2025): Protection coverage & hardening guidance vs Octo Tempest.

  • CrowdStrike (2025): Recent sector targeting & defense guidance; Okta MFA-fatigue rule examples.

  • Unit 42 / Palo Alto (2025): Muddled Libra evolution & defensive recommendations.

  • AP News / Reuters: MGM and Caesars breach coverage.

  • Okta Security: 2023 incident wrap-up; prior warnings re: super-admin targeting.

  • TechRadar: Press summaries of new ransomware/tooling (RATtyRAT, DragonForce) & exfil methods.

#CyberDudeBivash #ScatteredSpider #OctoTempest #MuddledLibra #UNC3944 #IAM #MFAFatigue #SIMSwap #Helpdesk #SSO #ZeroTrust #Okta #EntraID #Sentinel #Chronicle #Defender #GuardDuty

CyberBivash by CyberDudeBivash delivers daily global cybersecurity threat intelligence, CVE breakdowns, vulnerability analysis, malware trends, and breach reports for security professionals worldwide. Visit cyberdudebivash.com for apps & services.
