CrowdStrike Services outlines the techniques used by SCATTERED SPIDER in attacks targeting the aviation, insurance, and retail sectors, and provides guidance to help organizations defend against this threat.
SCATTERED SPIDER, an eCrime adversary, has recently expanded its targeting to include the aviation sector, alongside its established focus on the insurance and retail industries, according to observations by CrowdStrike Services.
During Q2 2025, SCATTERED SPIDER primarily targeted U.S.-based insurance and retail companies, as well as U.K.-based retail entities. However, incidents in late June 2025 involving U.S.-based airlines revealed tactics, techniques, and procedures (TTPs) consistent with the group’s known operations.
Overview of SCATTERED SPIDER TTPs
In nearly all observed incidents in 2025, the adversary employed help desk voice-based phishing to compromise Microsoft Entra ID, single sign-on (SSO), and virtual desktop infrastructure (VDI) accounts. SCATTERED SPIDER operators consistently succeeded in impersonating legitimate employees by accurately answering help desk verification questions during calls made to request password or multifactor authentication (MFA) resets.
After gaining access to Entra ID, SSO, and VDI accounts, SCATTERED SPIDER typically pivots to integrated software-as-a-service (SaaS) applications. They leverage access to these platforms to locate data that can facilitate lateral movement – such as network architecture diagrams, VPN instructions, or files containing credentials- as well as to support extortion or other monetization efforts.
The adversary used help desk voice-based phishing in almost all observed 2025 incidents to compromise Microsoft Entra ID, single sign-on (SSO), and virtual desktop infrastructure (VDI) accounts. SCATTERED SPIDER operators routinely accurately respond to help desk verification questions when impersonating legitimate employees in calls made to request password and/or multifactor authentication (MFA) resets.
SCATTERED SPIDER typically pivots from compromised Entra ID, SSO, and VDI accounts to integrated software-as-a-service (SaaS) applications. They use access to these platforms to search for data that may enable lateral movement (such as network architecture diagrams, VPN instructions, or text files containing credentials), extortion, or other monetization activity.
Recent SCATTERED SPIDER activity has revealed several additional tactics, techniques, and procedures (TTPs), including:
- Active Directory (AD) Reconnaissance: The adversary conducted reconnaissance on on-premises systems using tools such as ADExplorer, ADRecon.ps1, and the Get-ADUser PowerShell cmdlet to gather domain information.
- VMware vCenter Exploitation: SCATTERED SPIDER leveraged access to VMware vCenter to create unmanaged virtual machines (VMs). They frequently attached domain controller virtual machine disks to these VMs to extract the ntds.dit Active Directory database for credential theft.
- Use of Legitimate Tunneling and Proxy Tools: The group installed various protocol-tunneling and proxy tools on VMware vCenter and their own VMs, including:
- Chisel (configured to communicate with
trycloudflare[.]comsubdomains) - MobaXterm
- ngrok
- Pinggy
- Rsocx
- Teleport
- Chisel (configured to communicate with
- Email Manipulation for Stealth: SCATTERED SPIDER manually deleted emails (using HardDelete, SoftDelete, and MoveToDeletedItems operations) and created mail transport rules (via Set-TransportRule) to delete or redirect alerts about suspicious account activity. In one instance, the adversary redirected such notifications to an attacker-controlled googlemail[.]com address.
- AWS Data Exfiltration: They used S3 Browser to enumerate and access victims’ AWS S3 buckets, as evidenced by AWS CloudTrail events like ListBuckets and ListObjects, and exfiltrated data to remote attacker-controlled S3 buckets.
SCATTERED SPIDER Assessment
SCATTERED SPIDER’s primary objective is to deploy ransomware within a victim’s VMware ESXi infrastructure. If the attack is contained before ransomware execution, the adversary often resorts to threatening to leak stolen data publicly and issues a ransom demand as part of a double extortion strategy.
This threat actor frequently targets multiple organizations within the same industry in a short period. However, their targeting is not strictly industry-specific. For example, CrowdStrike Services responded to a SCATTERED SPIDER incident involving a retail organization during a period when the group was primarily focusing on insurance sector entities.
Common Attack Methods
- Social Engineering: Engaging IT help desks and privileged users through sophisticated phone-based impersonation tactics.
- SIM Swapping & Credential Theft: Compromising victims’ mobile phone accounts to bypass SMS-based multifactor authentication (MFA).
- Abuse of Legitimate Remote Access Tools: Utilizing tools such as TeamViewer, AnyDesk, and others for persistent remote access.
- VMware Infrastructure Compromise: Gaining access to vCenter and ESXi environments to enable ransomware deployment.
- Cloud Lateral Movement: Exploiting cloud identity providers to move laterally across cloud environments.
- Data Exfiltration: Extracting sensitive data prior to ransomware deployment to enable double extortion tactics.
Common Targets:
- VMware vCenter and ESXi virtualization environments
- Cloud identity providers such as Azure AD/Entra ID, AWS IAM, Google Cloud Identity, and Okta
- Privileged access management systems and administrator accounts
- VPNs and remote access solutions
- Backup and recovery systems
- Help desk and IT support personnel
SCATTERED SPIDER’s advanced social engineering, rapid pivoting between environments, and multi-layered extortion techniques make it a persistent and formidable threat across industries.
CrowdStrike Customers: Enable Falcon Platform Features
CrowdStrike customers can strengthen their security posture by deploying priority log sources, activating correlation rules, and integrating cloud security. These actions help maximize detection capabilities, enhance visibility, and improve response times – all within the unified CrowdStrike Falcon® platform.
Falcon Next-Gen SIEM: Critical Log Source Integration
Endpoint customers must enable log ingestion connectors and the appropriate parser to ensure critical logs are properly ingested into CrowdStrike Falcon® Next-Gen SIEM for effective detection of compromise.
Highest Priority Logs to Ingest for Detecting SCATTERED SPIDER Activity:
- Microsoft Entra ID (Azure AD): For monitoring identity-based attacks, including suspicious logins and MFA changes.
- Virtual Desktop Infrastructure (VDI) Logs: To detect unauthorized access and abuse of virtual environments.
- VPN and Remote Access Logs: To identify unusual access patterns and potential lateral movement.
- VMware vCenter and ESXi Logs: For visibility into infrastructure compromise and unauthorized VM creation.
- Cloud Provider Logs (AWS, Azure, GCP): To detect exfiltration, IAM abuse, and cloud lateral movement.
- Email Gateway and Microsoft 365 Logs: To catch phishing, transport rule changes, and mailbox manipulation.
- Help Desk and Ticketing System Logs: To detect social engineering attempts and password reset requests.
Infrastructure Monitoring – Highest Priority Log Sources
To effectively detect SCATTERED SPIDER activity and other advanced threats, CrowdStrike recommends prioritizing the ingestion of the following infrastructure log sources into Falcon® Next-Gen SIEM:
- VMware vCenter and ESXi Logs
Essential for detecting manipulation of virtual infrastructure, such as the creation of unauthorized virtual machines, access to domain controller disks, and other signs of compromise. - Firewall Logs
Critical for identifying network-based attack patterns, lateral movement, unauthorized connections, and data exfiltration routes. - DNS Logs
Vital for spotting suspicious domain queries related to command-and-control (C2) infrastructure, tunneling, and potential data exfiltration attempts. - Web Proxy Logs
Used to monitor unusual or unauthorized web traffic that may indicate exfiltration, access to phishing sites, or other malicious behavior.
Enabling ingestion of these log sources and ensuring proper parsing and correlation in Falcon Next-Gen SIEM significantly enhances your ability to detect and respond to SCATTERED SPIDER and other threat actor behaviors.
Identity and Access Monitoring – Critical Log Sources
To enhance detection of identity-based attacks – especially those used by adversaries like SCATTERED SPIDER—CrowdStrike recommends ingesting the following log sources into Falcon® Next-Gen SIEM:
- SSO Platform Logs
Track authentication anomalies, such as unusual login patterns, geolocation mismatches, or login attempts from new devices—key indicators of credential compromise or session hijacking. - Entra ID (Azure AD) Sign-on and Audit Logs
Monitor for identity-focused attack techniques, including MFA fatigue, suspicious password resets, privilege escalation, and unusual administrative activity. - Privileged Access Management (PAM) Application Logs
Detect unauthorized use of privileged accounts, credential misuse, and abnormal access to high-value systems.
Ingesting and correlating these identity-related logs within Falcon Next-Gen SIEM provides deep visibility into attacker behaviors and supports early detection of compromise through identity misuse.
Cloud and SaaS Applications – Essential Log Sources
To detect and respond to adversary activity in cloud environments and software-as-a-service (SaaS) platforms, CrowdStrike recommends ingesting the following logs into Falcon® Next-Gen SIEM:
- AWS CloudTrail, Google Cloud Logs, and Azure Activity Logs
Monitor for cloud resource manipulation, unauthorized access, IAM policy changes, and suspicious configuration modifications that may indicate lateral movement or initial compromise. - Critical SaaS Application Logs
Enable logging for business-critical SaaS platforms (e.g., Microsoft 365, Salesforce, ServiceNow, Workday) to detect application-level threats, such as unauthorized data access, unusual login patterns, transport rule modifications, or data exfiltration attempts.
Integrating these cloud and SaaS logs with Falcon Next-Gen SIEM enhances visibility into attacker actions across hybrid environments and strengthens your ability to detect SCATTERED SPIDER’s common cloud-focused tactics.
Deploy Critical Correlation Rule Templates in Falcon® Next-Gen SIEM
To strengthen your monitoring and detection posture against advanced threats like SCATTERED SPIDER, deploying Correlation Rule Templates (CRTs) is essential. After enabling log ingestion, the following CRTs should be prioritized.
VMware Infrastructure Protection
Essential for detecting unauthorized virtual environment activity:
- VMware – vCenter
- Virtual Machine Created with Recently Uploaded ISO
- Sensitive Resource Search
- VMware – ESXi
- Successful Login to the ESXi Host Client Web Admin Interface
- New IP for SSH Login Detected
- SFTP Server Enabled
Entra ID Identity Protection
Crucial rules for detecting identity-related threats:
- Microsoft – Entra ID – Risky Sign-in
- Admin Deleted MFA Authentication Method
- Bulk Download User List
- Temporary Access Pass Added to User Account
- Global Administrator Role Assigned
Falcon Shield: Priority Integration Deployment
Falcon Shield, CrowdStrike’s cloud application security module, delivers real-time threat detection across SaaS and cloud platforms with preconfigured High and Medium severity alerts. To maximize its effectiveness:
Prioritize Integration With:
Core SaaS Applications
- Microsoft 365 Suite: Exchange, SharePoint, OneDrive, Teams
- Microsoft Defender: For security event correlation
- Google Workspace: Visibility into Google Cloud activity
Security Platform Integrations
- Enhanced Falcon Integration: For maximum native detection
- Zscaler Cloud Security: Secure web gateway & CASB visibility
- CyberArk PAM: Monitor privileged access and anomalies
Business-Critical Applications
- Snowflake: Detect unauthorized data access or exfiltration
- Workday: Monitor HR-related data access and changes
- GitHub: Track repository access and IP theft risks
- Confluence: Detect suspicious queries and content searches
- Salesforce: Monitor CRM activity and access patterns
Falcon Cloud Security: Comprehensive Cloud Visibility
Registering tenants and deploying asset collectors provides visibility into cloud-based threats and rogue asset creation.
Cloud Tenant Registration
- Register AWS, Azure, and Google Cloud tenants
- Enable automated alerting for suspicious resource creation
- Enforce continuous compliance monitoring
VMware Asset Inventory Collector
- Deploy to all vCenter devices
- Detect unmanaged or rogue VMs
- Track infrastructure changes and ensure automated asset classification
Proactive Hardening and Monitoring Recommendations
Identity Protection
- Enforce phishing-resistant MFA (avoid SMS-based MFA)
- Isolate privileged accounts
- Restrict help desk-initiated MFA enrollments
- Strengthen password reset procedures
Detection and Monitoring
- Continuously track:
- Authentication anomalies
- Admin actions
- Network traffic to critical systems
- Enable behavioral analytics and application usage monitoring
- Monitor for suspicious search terms and unusual data access
Infrastructure Security
- Secure and segment VMware environments
- Block unauthorized remote access tools
- Apply least privilege in cloud setups
- Disable legacy authentication protocols
Incident Readiness
- Maintain isolated, immutable backups
- Develop and test incident response playbooks
- Conduct regular threat simulations and assessments
- Train IT/help desk staff to identify and respond to social engineering attacks
Conclusion
A layered defense strategy using the CrowdStrike Falcon® platform, combined with foundational security hardening practices, significantly enhances protection against SCATTERED SPIDER and similar advanced adversaries. By enabling critical integrations, deploying priority rules, and proactively securing your identity, infrastructure, and cloud environments, organizations can reduce their exposure and respond more effectively to sophisticated threats.
Leave A Comment