
Scattered Spider and the New Blueprint for Cloud-Native, Endpoint-Evasive Cyberattacks

  • May 12, 2025
  • Matthieu Rider
  • 4 minutes to read

    A series of high-profile cyberattacks targeting UK-based retailers, including Marks & Spencer and Co-Op, has re-ignited concern about the rise of cloud-native, identity-centric adversaries. As of now, there is no public, verified attribution linking these incidents to any known threat group. However, the tactics observed closely resemble those previously attributed to Scattered Spider – a financially motivated group confirmed to have targeted MGM Resorts and Caesars Entertainment in 2023.

    These attacks offer a sobering reminder: traditional, endpoint-centric security models are no longer sufficient in the face of adversaries who operate entirely within cloud environments, exploit identity systems, and move with speed and fluency across infrastructure.

    This post explores the anatomy of Scattered Spider’s operations, why legacy detection methods fail, and how behavioral analytics, identity correlation, and real-time anomaly detection are essential for modern security operations.

    Who is Scattered Spider?

    Scattered Spider is a financially motivated, English-speaking threat group that emerged around 2022 and became the most queried threat group of 2023. Known for its advanced social engineering capabilities and deep cloud expertise, the group bypasses traditional defenses by leveraging cloud-native tooling, identity federation misconfigurations, and living-off-the-land (LOTL) techniques.

    Microsoft has labeled Scattered Spider as “one of the most dangerous financial cybercriminal groups,” and with good reason. They operate more like Red Teams than ransomware affiliates — blending stealth, speed, and technical depth to compromise environments without using traditional malware or triggering standard security controls.

    Why This Threat Represents a Paradigm Shift

    1. Language and Cultural Fluency

    Unlike many ransomware operators, Scattered Spider’s members are fluent English speakers. This allows them to execute highly believable social engineering campaigns, including:

    • MFA fatigue attacks, where users are bombarded with push notifications until one is accepted.
    • Vishing campaigns, where attackers impersonate internal IT staff to extract credentials or manipulate help desks.

    By mimicking legitimate business behavior, these attackers exploit trust in human processes — something static detections often miss.

    Exabeam UEBA is a fundamentally different approach to threat detection. Exabeam builds a behavior baseline for every user and then scores new activity against it, surfacing anomalies such as unusual login patterns, time-of-day access, or geographic inconsistencies, even when the credentials and devices involved appear valid.
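    To make the baseline idea concrete, here is an added illustration (not Exabeam's code and not a description of its product internals): a minimal per-user baseline check over constructed sign-in events that flags the MFA push-fatigue burst, new-country and off-hours patterns described above. Event fields, thresholds and the cold-start minimum are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (user, UTC timestamp, country, MFA outcome); not real logs.
EVENTS = [
    ("alice", "2025-05-05T09:12:00", "GB", "mfa_ok"),
    ("alice", "2025-05-06T08:55:00", "GB", "mfa_ok"),
    ("alice", "2025-05-07T09:30:00", "GB", "mfa_ok"),
    ("alice", "2025-05-08T09:02:00", "GB", "mfa_ok"),
    # A run of push prompts at 03:00 from a country alice has never used, then one accepted:
    # the shape of an MFA fatigue attack, with otherwise valid credentials.
    ("alice", "2025-05-09T03:01:00", "US", "mfa_denied"),
    ("alice", "2025-05-09T03:02:00", "US", "mfa_denied"),
    ("alice", "2025-05-09T03:03:00", "US", "mfa_timeout"),
    ("alice", "2025-05-09T03:04:00", "US", "mfa_ok"),
]

MIN_BASELINE = 3                     # successes needed before geo/time-of-day deviations are scored
FATIGUE_WINDOW = timedelta(minutes=10)
FATIGUE_PROMPTS = 3                  # unaccepted prompts within the window before an accepted one


def detect(events):
    """Score each accepted sign-in against the user's own history; return a list of findings."""
    findings = []
    history = {}  # user -> [(timestamp, country, outcome)] seen so far, in time order
    for user, ts, country, outcome in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        past = history.setdefault(user, [])
        if outcome == "mfa_ok":
            reasons = []
            ok = [(t, c) for t, c, o in past if o == "mfa_ok"]
            # Only compare against a baseline once there is enough history to be meaningful;
            # exact-hour matching is a crude stand-in for a real working-hours profile.
            if len(ok) >= MIN_BASELINE:
                if country not in {c for _, c in ok}:
                    reasons.append("new_country")
                if when.hour not in {t.hour for t, _ in ok}:
                    reasons.append("off_hours")
            # Fatigue signal: several denied or timed-out prompts just before the accepted one.
            recent_fails = [t for t, _, o in past if o != "mfa_ok" and when - t <= FATIGUE_WINDOW]
            if len(recent_fails) >= FATIGUE_PROMPTS:
                reasons.append("mfa_fatigue")
            if reasons:
                findings.append({"user": user, "time": ts, "score": len(reasons), "reasons": reasons})
        past.append((when, country, outcome))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

    Only the final accepted sign-in is reported; the four earlier successes build the baseline without raising anything, which is the property that separates this from a static "deny logins from country X" rule.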

    2. Endpoint Avoidance and Cloud-Native Operations

    Scattered Spider avoids traditional malware and endpoint compromises. Instead, they operate exclusively in the cloud, exploiting services like Azure, AWS, and Google Cloud Platform (GCP), and using legitimate tools such as:

    • Azure CLI and PowerShell for command execution
    • Azure Data Factory to exfiltrate data via sanctioned workflows
    • Identity federation misconfigurations (e.g., AzureAD to Okta) for lateral movement

    By remaining entirely in the control plane, these attackers evade EDR/XDR visibility and signature-based alerts.

    Exabeam federated log ingestion and cloud identity analytics identify unusual cloud behavior, credential pivots, and privilege escalation across platforms.

    3. Living-Off-the-Land and TTP Agility

    Scattered Spider excels at LOTL techniques, which involve using native system tools to carry out their objectives without deploying malware. They modify their TTPs frequently, rendering signature-based detection ineffective.

    In recent cases:

    • Attackers leveraged PowerShell, scheduled tasks, and legitimate automation frameworks to avoid detection.
    • Session token theft enabled access to user sessions without triggering MFA or login alerts.
    • Data exfiltration was performed through approved channels, blending in with standard operations.

    Exabeam behavior-based detections focus on usage patterns, command frequency, and deviation from historical baselines, providing visibility where traditional tools fall short.

    4. Rapid Compromise and Lateral Movement

    Perhaps most alarming is the speed at which Scattered Spider operates. In observed incidents, attackers progressed from initial access to full domain dominance in a matter of hours, exploiting:

    • Identity federation misconfigurations for lateral movement across tenants
    • Poor cloud segmentation and over-permissive roles
    • Delayed or incomplete response workflows

    Exabeam automatically builds identity-centric timelines that correlate activity across users, applications, and systems — enabling analysts to visualize an attacker’s path from phishing email to privilege escalation and exfiltration within hours, not days.

    5. Collaboration with Ransomware-as-a-Service (RaaS)

    While Scattered Spider functions as an initial access broker, they’ve been observed deploying BlackCat/ALPHV ransomware in later stages. BlackCat is:

    • Written in Rust for speed and flexibility
    • Modular and multithreaded
    • Capable of double extortion via leak sites

    But by the time ransomware is deployed, the damage is done. The real opportunity lies in catching precursors — which Exabeam surfaces through abnormal access to backups, unauthorized service creation, and file movement behavior before encryption begins.

    The Broader Lesson: A Breakdown in Security Fundamentals

    Scattered Spider succeeds not because they bypass sophisticated defenses, but because they exploit basic lapses in security hygiene. Among the recurring root causes:

    1. Access Control Failures
      • Weak MFA enforcement and fatigue vulnerabilities
      • SIM swapping to bypass authentication controls
      • Inadequate protections around session tokens
    2. Identity Federation Misuse
      • Trust abuse between Azure, Okta, and other providers
      • Poorly segmented roles and misconfigured SSO
    3. Cloud Hygiene Gaps
      • Over-permissioned service accounts
      • Insufficient monitoring of cloud automation tools
      • Lack of alerting on identity plane anomalies
    4. Endpoint Evasion
      • Avoidance of device compromise altogether
      • Operating entirely in the SaaS and cloud control planes
    5. Speed of Execution
      • Entire intrusions executed in hours
      • Limited time to detect and respond using traditional tools

    Why Exabeam Is Built for This

    Scattered Spider’s tradecraft exposes the need for a new approach. Exabeam was designed from the ground up to understand behavior, correlate identity, and reconstruct timelines — even when attackers avoid traditional paths.

    Exabeam empowers security teams with:

    • UEBA and Insider Threat Detection
      Surfacing abuse of legitimate tools and accounts, even without malware.
    • Cloud-Native Visibility
      Tracking identity behavior across Azure, AWS, GCP, and hybrid environments.
    • Behavioral Correlation, Not Static Rules
      Detecting what shouldn’t happen based on the environment’s unique rhythm.
    • Timeline-Based Investigation
      Connecting the dots from initial access to impact — revealing how, who, and how fast.

    Conclusion: This Is Not an Outlier — It’s a Warning

    Scattered Spider isn’t an anomaly — they’re a preview of what’s coming. As adversaries grow more fluent in cloud infrastructure, identity systems, and lateral movement, the attack surface expands beyond the reach of legacy controls.

    Security teams must evolve from reaction to anticipation. From static rules to dynamic understanding. From siloed signals to unified context.

    With Exabeam, organizations are equipped to do more than detect — they can understand, respond, and prevent. Because in a world where attackers blend in, context is everything — and behavior is the truth that lies beneath the noise.

    Learn how UEBA detects threats like Scattered Spider that evade traditional tools in cloud-native environments.

    Want to detect what legacy tools miss?

    Dive deeper into how behavior-based detection works with our free resource, The Ultimate Guide to Behavioral Analytics. Learn how UEBA can uncover stealthy threats like Scattered Spider by focusing on anomalies in user and entity behavior — not static rules.

    Matthieu Rider

    International VP of Sales Engineering at Exabeam
