Scattered Spider's Playbook: How Identity-Based Attacks Are Dismantling Enterprise Security Models


Jason


In September 2023, MGM Resorts International suffered a breach that disrupted operations across its Las Vegas properties for approximately 10 days, affecting hotel reservations, casino floor systems, digital room keys, and payment processing. The estimated cost exceeded $100 million. The initial access vector was a phone call.

A member of Scattered Spider (the threat group variously tracked as UNC3944 by Mandiant, Octo Tempest by Microsoft, Star Fraud, and Muddled Libra by Palo Alto Unit 42) called MGM's IT help desk, impersonated an employee whose identity details had been sourced from LinkedIn, and convinced the help desk agent to reset the employee's multi-factor authentication. With control of the MFA factor, the attacker gained access to the employee's accounts, escalated privileges through Okta and Azure AD (now Entra ID), and deployed ALPHV/BlackCat ransomware across MGM's infrastructure.

The same group, in the same timeframe, breached Caesars Entertainment through a similar social engineering approach; Caesars reportedly paid a ransom of around $15 million. In April and May 2025, Scattered Spider hit UK retailers (Marks & Spencer, Harrods, and others), with M&S alone estimating a roughly £300 million hit to operating profit; DragonForce ransomware was deployed after identity-based initial access. By mid-2025 the group had shifted its targeting to the insurance sector, hitting Aflac, Erie, and Philadelphia Insurance with the same core playbook: help desk impersonation, MFA manipulation, and privilege escalation through identity infrastructure.

The consistency of the playbook across different sectors and different victims is the important observation. Scattered Spider's initial access does not depend on software vulnerabilities. They exploit the gap between identity verification (confirming that a caller is who they claim to be) and identity assurance (establishing a level of confidence sufficient for the action being requested). Most organizations' help desk procedures optimize for employee satisfaction and operational speed, not for adversarial resistance.

Why Social Engineering Scales Now

Social engineering has existed for as long as there have been organizations to infiltrate. What makes Scattered Spider's approach qualitatively different from historical social engineering is the information environment and the identity architecture they operate in.

Reconnaissance is trivially cheap. LinkedIn profiles provide employee names, titles, reporting structures, and employment history. Press releases and SEC filings reveal organizational structures. Glassdoor reviews describe internal tools and processes. Corporate blogs name technologies. A competent reconnaissance effort can build a convincing impersonation profile for a specific employee in hours, using only public sources.

Help desks are designed for efficiency, not adversarial resistance. The performance metrics for help desk operations (average handle time, first-call resolution rate, customer satisfaction scores) all push toward resolving requests quickly with minimal friction. The procedures for verifying caller identity are typically based on knowledge factors (employee ID, manager name, department) that are obtainable through reconnaissance. The help desk agent is optimizing for speed and politeness, not for detecting a social engineer who has prepared for the call.

MFA enrollment and reset are the weakest link in the identity chain. An attacker who can cause an MFA reset controls the authentication factor that was supposed to protect the account. The MFA device is no longer "something the user has"; it is "something the attacker registered." From that point forward, every MFA prompt is confirmed by the attacker, and the account is fully controlled. The security model assumes MFA devices are bound to the legitimate user; the help desk reset flow is the mechanism by which that binding is severed.

Identity providers are high-value targets because they are authoritative. Okta, Azure AD, Google Workspace: these systems are the source of truth for identity across the organization. Compromising an identity provider does not just grant access to one application; it grants access to every application that trusts that provider. Scattered Spider's attacks consistently target identity infrastructure because the blast radius is maximal.

The Attack Pattern in Detail

```mermaid
sequenceDiagram
    participant Attacker
    participant HelpDesk as IT Help Desk
    participant IdP as Identity Provider (Okta/Azure AD)
    participant Victim as Target Employee
    participant Systems as Corporate Systems
    Note over Attacker: Reconnaissance: LinkedIn, press releases,<br/>corporate blog, Glassdoor
    Attacker->>HelpDesk: "Hi, this is [Employee Name],<br/>I'm locked out of my account,<br/>lost my MFA device"
    HelpDesk->>HelpDesk: Verify: Employee ID? ✓<br/>Manager name? ✓<br/>Department? ✓
    HelpDesk->>IdP: Reset MFA for [Employee]
    IdP-->>Attacker: MFA enrollment link
    Attacker->>IdP: Register attacker-controlled MFA device
    Attacker->>IdP: Login as [Employee] with new MFA
    IdP-->>Attacker: Access token / SSO session
    Attacker->>Systems: Access email, internal tools
    Attacker->>IdP: Enumerate roles, groups, other accounts
    Attacker->>Systems: Escalate privileges via Azure AD / Okta admin paths
    Attacker->>Systems: Deploy ransomware / exfiltrate data
    Note over Victim: Victim may not notice until<br/>their own MFA stops working
```

The critical observation is that every step in this chain, right up to the final ransomware deployment, uses legitimate credentials and legitimate tools. At the initial-access and escalation stages there is no malware to detect, no vulnerability exploit to patch, and no anomalous network traffic to flag. The attacker authenticates with valid credentials, accesses systems through normal authentication flows, and performs actions that are within the permissions of the compromised identity. The "intrusion" is, from the system's perspective, a series of legitimate operations.

Why Traditional Defenses Fail

Endpoint security has nothing to see at the point of intrusion because the attacker is not on the victim's endpoint. They authenticate remotely through the identity provider from a device they control. Endpoint telemetry only becomes relevant once the attacker lands tooling on corporate systems, by which point the identity has already been taken.

Network monitoring sees normal authentication traffic to Okta or Azure AD. The attacker is not scanning the network, not exploiting vulnerabilities, and not communicating with C2 infrastructure, at least not until the later stages of the attack.

MFA is not bypassed; it is subverted. The attacker controls the MFA device. Every MFA challenge is correctly answered because the attacker registered the device. The system sees a valid MFA response and cannot distinguish it from the legitimate user's response.

Detection rules for brute-force attacks, credential stuffing, or known malware signatures have no signal to work with. The attacker logs in once, correctly, from a new device. At most, this might trigger a "new device" alert, if such an alert exists and if anyone triages it before the attacker has already escalated.

What Actually Raises the Cost of These Attacks

The defenses that work against Scattered Spider-style attacks are the ones that make social engineering materially harder or that reduce the blast radius when it succeeds:

Phishing-resistant MFA (hardware security keys, passkeys). A FIDO2 security key cannot be enrolled over a phone call: enrollment requires physical possession of the key and an interaction on a specific device. The caveat is that the key only holds if the recovery path cannot downgrade it. If the help desk can still "temporarily" enroll SMS or an authenticator app as a fallback, the same phone call reaches the same outcome, so the sign-on policy must require the phishing-resistant factor for every sign-in and must not allow a weaker factor to be enrolled through a knowledge-based check. If MFA recovery requires the employee to physically visit the IT office with government-issued ID, the attacker's phone-based approach fails outright. This is operationally inconvenient (employees lose keys, remote employees cannot visit the office), but it eliminates the help desk MFA reset as an attack vector.

Scripted, multi-channel verification for sensitive help desk actions. MFA resets, password resets for privileged accounts, and enrollment changes should require verification through a channel the attacker is unlikely to control: a callback to the employee's registered phone number (not the number the caller provides), a confirmation from the employee's manager via a separate channel, or a video verification call. A registered-number callback is stronger than a knowledge check but is not proof on its own, because Scattered Spider's members have a documented history of SIM swapping; treat it as one factor and pair it with the manager confirmation. These procedures are slower than a simple knowledge-based check, and they will generate complaints from employees who want their problem solved immediately. That friction is the cost of adversarial resistance.

Conditional access policies that constrain identity-level blast radius. Even if an attacker compromises an employee's identity, conditional access policies can limit what that identity can reach: requiring a managed, compliant device for access to sensitive applications; restricting admin-role authentication to specific network locations or devices; requiring step-up authentication for privilege changes; and enforcing session limits that prevent long-lived access.

Identity-level anomaly detection. The signals that indicate a Scattered Spider-style compromise are identity-level, not network-level: an MFA reset, followed by enrollment of a new factor and login from a new device or location, followed by access to applications the user has never used, followed by privilege escalation actions. These events are all logged in the identity provider's audit trail. A detection rule that correlates "MFA reset" + "new device login" + "privilege change" for the same target account within a short time window can catch these attacks in progress, if the rule exists and if the SOC can respond quickly enough.
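The correlation described above, as an added example that is not part of the original article: it walks identity-provider audit events per target account and alerts only when the full reset, re-enrollment, new-device login, privilege-change sequence completes inside a two-hour window. Event type names follow Okta System Log conventions; the flat record layout, the `new_device` flag (a stand-in for Okta's "New Device" behavior signal) and every sample event are constructed for the example.

```python
"""Correlate MFA reset -> new factor -> new-device login -> privilege change per account.

Added example, not code from the original article. Event type names follow Okta
System Log conventions (user.mfa.factor.reset_all, user.mfa.factor.activate,
user.session.start, user.account.privilege.grant, group.user_membership.add).
The flat record layout and the new_device flag are simplifications, and every
sample event below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered stages of the chain; each stage is satisfied by any of the listed event types.
CHAIN = [
    ("mfa_reset",           {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}),
    ("new_factor_enrolled", {"user.mfa.factor.activate"}),
    ("new_device_login",    {"user.session.start"}),
    ("privilege_change",    {"user.account.privilege.grant", "group.user_membership.add"}),
]
WINDOW = timedelta(hours=2)  # the whole chain must complete inside this window


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_chains(events, window=WINDOW):
    """Return one alert per target account whose events complete CHAIN in order within `window`.

    Events are grouped by the account acted upon (target_user), not by the actor: the
    reset is performed by a help-desk account, the later steps by whoever now holds
    the identity, and only the target account ties them together.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["target_user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["published"]))
        stage, started, matched = 0, None, []
        for event in user_events:
            ts = parse_ts(event["published"])
            if started is not None and ts - started > window:
                # Chain went stale; a sequence spread over hours is far more likely benign.
                stage, started, matched = 0, None, []
            name, accepted = CHAIN[stage]
            if event["eventType"] not in accepted:
                continue
            if name == "new_device_login" and not event.get("new_device"):
                continue  # a login from an already-known device is not the signal we want
            if stage == 0:
                started = ts
            matched.append((name, event["published"], event["eventType"], event["actor"]))
            stage += 1
            if stage == len(CHAIN):
                alerts.append({"user": user, "start": matched[0][1],
                               "end": event["published"], "chain": matched})
                stage, started, matched = 0, None, []
    return alerts


def ev(published, event_type, actor, target_user, new_device=False):
    """Build one constructed audit record in the simplified layout used here."""
    return {"published": published, "eventType": event_type, "actor": actor,
            "target_user": target_user, "new_device": new_device}


# Constructed sample log (not real data).
SAMPLE_EVENTS = [
    # alice: help-desk reset, re-enrolls, signs in from her new phone, nothing else -> no alert
    ev("2025-06-01T09:00:00Z", "user.mfa.factor.reset_all", "helpdesk.agent", "alice"),
    ev("2025-06-01T09:05:00Z", "user.mfa.factor.activate", "alice", "alice", new_device=True),
    ev("2025-06-01T09:06:00Z", "user.session.start", "alice", "alice", new_device=True),
    # bob: the same three steps, then added to an admin group 40 minutes later -> alert
    ev("2025-06-01T13:00:00Z", "user.mfa.factor.reset_all", "helpdesk.agent", "bob"),
    ev("2025-06-01T13:04:00Z", "user.mfa.factor.activate", "bob", "bob", new_device=True),
    ev("2025-06-01T13:05:00Z", "user.session.start", "bob", "bob", new_device=True),
    ev("2025-06-01T13:40:00Z", "group.user_membership.add", "bob", "bob", new_device=True),
    # carol: full chain, but the privilege grant comes four hours after the reset -> outside window
    ev("2025-06-02T10:00:00Z", "user.mfa.factor.reset_all", "helpdesk.agent", "carol"),
    ev("2025-06-02T10:03:00Z", "user.mfa.factor.activate", "carol", "carol", new_device=True),
    ev("2025-06-02T10:04:00Z", "user.session.start", "carol", "carol", new_device=True),
    ev("2025-06-02T14:00:00Z", "user.account.privilege.grant", "admin.svc", "carol"),
    # dave: new-device login and group add with no preceding reset -> not this pattern
    ev("2025-06-03T08:00:00Z", "user.session.start", "dave", "dave", new_device=True),
    ev("2025-06-03T08:10:00Z", "group.user_membership.add", "it.admin", "dave"),
]

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']}: {alert['start']} -> {alert['end']}")
        for name, published, event_type, actor in alert["chain"]:
            print(f"  {published}  {name:<20} {event_type} by {actor}")
```

In production the events would come from the identity provider's log API in time order, and the per-account stage state would have to persist across polling batches; the window is the tuning knob, since a long window catches slower operators at the cost of more benign resets reaching the SOC. Note that alice and carol show why the rule keys on the privilege change and the window rather than on the reset alone: help-desk resets are routine, and alerting on every one would bury the real pattern.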

The Uncomfortable Operational Conclusion

Scattered Spider's success reveals a structural weakness in how most organizations think about security. The investment goes to technical controls (firewalls, endpoint protection, vulnerability management, encryption) while the identity layer receives comparative neglect. The help desk procedure has not been adversary-tested. The MFA enrollment flow was designed for employee convenience, not for resistance to impersonation. The identity provider's audit logs are collected but not actively monitored for the specific patterns that indicate social engineering.

The group will continue to be effective because the attack surface they exploit (human trust, organizational processes, identity infrastructure) is harder to secure than software. You can patch a CVE in a day. You cannot patch a help desk procedure, retrain a workforce, and deploy phishing-resistant MFA organization-wide in a day. The asymmetry favors the attacker: the social engineering playbook is cheap, repeatable, and effective across industries, while the defenses require sustained organizational change that most enterprises implement slowly, if at all.

The organizations that have successfully resisted Scattered Spider-style attacks are not the ones with the best firewalls. They are the ones where the help desk agent says "I need to verify this through a separate channel before I can reset your MFA," where the identity provider enforces device compliance for all access, and where the security team has detection rules that fire on identity-level anomaly patterns in real time. These are not technology problems. They are governance and operational discipline problems, and they are solved by treating identity infrastructure with the same security rigor that is applied to production code and network architecture.
