Microsoft has highlighted Scattered Spider’s evolving tactics and confirmed that the group has been observed using new tactics to gain access to cloud environments.
Typically, the group, tracked by Microsoft as Octo Tempest, uses cloud identity privileges to gain on-premises access.
However, Microsoft said recent activity has involved compromising both on-premises accounts and infrastructure at the initial stage of an intrusion, before pivoting to cloud access.
The group has also been observed deploying DragonForce ransomware. The tech giant's analysis highlights that the ransomware deployment had a particular focus on VMware ESX hypervisor environments.
The group continues to use aggressive social engineering tactics to gain initial access through manipulation of service desk support personnel.
The group has also deployed SMS phishing using adversary-in-the-middle (AiTM) domains that mimic legitimate organizations.
Most recently, the group has actively targeted airlines with ransomware and data extortion attacks. Between April and July 2025, its activity targeted the retail, food services, hospitality and insurance sectors.
Microsoft Updates Security Products to Keep Pace
Microsoft said its security products continue to update protection as Scattered Spider’s tactics continue to evolve.
Namely, the company highlighted its Microsoft Defender and Microsoft Sentinel security ecosystem.
Microsoft highlighted a wide range of detections within Microsoft Defender to identify Scattered Spider-related activity. These span all areas of the security portfolio, including endpoints, identities, software as a service (SaaS) apps, email and collaboration tools, and cloud workloads, to provide comprehensive protection coverage.
Attacks can be disrupted using Microsoft Defender's built-in self-defense capability. Attack disruption draws on multiple indicators and behaviors and correlates them across the Microsoft Defender workloads into a high-fidelity incident.
Microsoft said that, based on previous learnings from common Octo Tempest techniques, attack disruption will automatically disable the user account used by Octo Tempest and revoke all existing active sessions of the compromised user.
However, it remains critical that security operations center (SOC) teams conduct incident response and post-incident analysis to ensure the threat is fully contained and remediated after successful disruption.
Proactive Defense Against Scattered Spider
Microsoft highlighted a number of tactics security teams can use through its Security Exposure Management solution to proactively protect against Scattered Spider.
Deployed correctly, proactive tactics can reduce exposure and mitigate the impact of the group's hybrid attack tactics.
These include critical asset protection, threat actor initiatives and attack path analysis.
Microsoft recommended that organizations enhance their identity, endpoint and cloud security measures through controls including, but not limited to, multi-factor authentication (MFA), risk-based sign-in policies and least-privilege access for users and devices.