
Scattered Spider: The Evolving Threat Behind Help Desk and MFA Breaches
Scattered Spider has become one of the most concerning cyber threats to watch in 2025. Unlike ransomware operators that rely on exploiting technical vulnerabilities, this group gets in primarily by targeting people. Its attacks often start with something as simple, and as dangerous, as a phone call: members impersonate employees and call the help desk to talk staff into resetting MFA or issuing a password change, stepping neatly around complex security controls. What makes them especially formidable is their speed. Once inside, they escalate privileges, locate sensitive data and can deploy ransomware within hours.
A Modern, Agile Adversary
Most of the group's operators are young, native English speakers who coordinate through chat platforms popular with gamers, such as Discord. They spin up new phishing kits and malicious infrastructure quickly, and they understand cloud environments intimately.
Techniques such as Golden SAML, SIM swapping and abuse of Azure identity and access configuration are now standard parts of their toolkit, giving them a clear advantage over defences built mainly for older, on-premises attack models.
The impacts have been significant. In the UK, Marks & Spencer and Harrods have been hit. In Australia, Qantas was breached through an outsourced contact centre, exposing data on roughly six million customers. In the US, MGM Resorts and Caesars Entertainment suffered weeks of operational disruption and combined losses running to well over a hundred million dollars.
These breaches reveal how the real risk extends beyond IT infrastructure. They reach deep into customer confidence, brand reputation, and financial stability.
Why Traditional Detection Falls Short
No EDR, firewall or endpoint stack can stop an employee from handing credentials to a convincing caller, which is why traditional security tooling so often misses social engineering. The indicators are subtle: repeated MFA resets, unusual login patterns, an unexpected vendor connection. They sit scattered across help desk, identity and network logs, and stretched teams overlook them. For cyber threat intelligence teams, fusion analysts, SOC leads and CISOs, the question is: how do you connect these small dots before they become major incidents?
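As an added illustration of connecting those dots (an editor's example, not Nexus or Protos code), the Python below correlates constructed help desk tickets with identity sign-in logs. It applies two assumed rules: an MFA reset followed within 24 hours by a successful sign-in from a country not previously seen for that user, and two MFA resets for the same user within a week. The log formats, field names, time windows and the ATT&CK mappings in the comments are all the editor's assumptions, not anything the page or vendor specifies.

```python
"""Correlate help-desk MFA resets with identity sign-in logs.

Editor's example, not Nexus or Protos code. Both log formats and every
entry below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: "timestamp key=value ..." lines.
HELPDESK_LOG = """\
2025-06-02T08:55:00Z ticket=HD-1019 action=password_reset user=akhan channel=portal
2025-06-02T09:12:00Z ticket=HD-1021 action=mfa_reset user=jsmith channel=phone
2025-06-04T14:03:00Z ticket=HD-1040 action=mfa_reset user=jsmith channel=phone
2025-06-05T10:20:00Z ticket=HD-1052 action=mfa_reset user=mlee channel=portal
"""

SIGNIN_LOG = """\
2025-05-20T08:01:00Z user=jsmith ip=198.51.100.4 country=GB result=success
2025-05-28T08:05:00Z user=jsmith ip=198.51.100.4 country=GB result=success
2025-06-02T09:40:00Z user=jsmith ip=203.0.113.7 country=NL result=success
2025-06-02T09:41:00Z user=jsmith ip=203.0.113.7 country=NL result=success
2025-05-21T09:00:00Z user=mlee ip=192.0.2.9 country=AU result=success
2025-06-05T10:45:00Z user=mlee ip=192.0.2.9 country=AU result=success
2025-06-05T11:00:00Z user=akhan ip=192.0.2.22 country=AU result=failure
"""

# Tunable windows (assumed values, not vendor defaults).
NEW_LOCATION_WINDOW = timedelta(hours=24)   # sign-in soon after a reset
REPEAT_RESET_WINDOW = timedelta(days=7)     # two resets for one user

# MITRE ATT&CK technique IDs the two rules are mapped to here.
ATTACK_VISHING = "T1566.004"        # Phishing: Spearphishing Voice
ATTACK_MFA_MODIFY = "T1556.006"     # Modify Authentication Process: MFA
ATTACK_VALID_ACCOUNTS = "T1078"     # Valid Accounts


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        event = dict(pair.split("=", 1) for pair in rest.split())
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def correlate(helpdesk_text, signin_text):
    """Return findings that link MFA resets to suspicious sign-in patterns."""
    resets = [e for e in parse_log(helpdesk_text) if e["action"] == "mfa_reset"]
    signins = [e for e in parse_log(signin_text) if e["result"] == "success"]
    findings = []

    # Rule 1: an MFA reset followed, inside the window, by a successful
    # sign-in from a country never seen for that user before the reset.
    for reset in resets:
        user = reset["user"]
        prior = {s["country"] for s in signins
                 if s["user"] == user and s["ts"] < reset["ts"]}
        for s in signins:
            if s["user"] != user or s["ts"] < reset["ts"]:
                continue
            if s["ts"] - reset["ts"] <= NEW_LOCATION_WINDOW and s["country"] not in prior:
                findings.append({
                    "rule": "mfa_reset_then_new_country",
                    # A reset requested over the phone is the vishing pattern.
                    "severity": "high" if reset["channel"] == "phone" else "medium",
                    "user": user,
                    "ticket": reset["ticket"],
                    "signin_ip": s["ip"],
                    "country": s["country"],
                    "techniques": [ATTACK_VISHING, ATTACK_MFA_MODIFY, ATTACK_VALID_ACCOUNTS],
                })
                break  # sign-ins are time-sorted; one finding per reset

    # Rule 2: repeated MFA resets for one user inside the repeat window.
    by_user = defaultdict(list)
    for reset in resets:
        by_user[reset["user"]].append(reset)
    for user, user_resets in by_user.items():
        for earlier, later in zip(user_resets, user_resets[1:]):
            if later["ts"] - earlier["ts"] <= REPEAT_RESET_WINDOW:
                findings.append({
                    "rule": "repeated_mfa_resets",
                    "severity": "medium",
                    "user": user,
                    "tickets": [earlier["ticket"], later["ticket"]],
                    "techniques": [ATTACK_MFA_MODIFY],
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(HELPDESK_LOG, SIGNIN_LOG):
        print(finding)
```

On the sample data this flags jsmith twice: a phone-channel MFA reset followed 28 minutes later by sign-ins from a country the account had never used, and a second reset two days later. In production the "previously seen" baseline should be built from a longer history and should also key on ASN and device, and the phone-channel signal only exists if the ticketing system records how the caller made contact; a reset request that the help desk refused is worth logging and correlating too.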
How Nexus Helps Teams Spot What Others Miss
The Nexus platform is built to be more than a passive monitoring system. It continuously pulls together your internal activity (help desk resets, endpoint alerts, identity logs) and enriches it with live threat intelligence, known IOCs, DNS anomalies and more. Instead of sifting through isolated alerts, your teams see which threats are tied to your specific vendor landscape, cloud footprint or employee access patterns.
It also simplifies reporting across personas. For a cyber threat analyst, Nexus surfaces TTP maps and correlates emerging campaigns. For CISOs, it builds top-level narratives showing the business impact of these threats, making board updates clearer and more data-driven.
The Next Frontier: Protos AI
Our next major upgrade is Protos AI. Built as an agentic AI platform for cyber threat and risk management, it is fundamentally different from typical large language models that simply respond to prompts.
Protos AI acts like an intelligent cyber analyst embedded in your environment. It’s equipped with its own knowledge base and out-of-the-box toolkit, and operates independently to plan, reason, and execute tasks. You don’t have to tell it every step. It understands objectives, figures out how to achieve them, then reports back with tailored findings.
For example, Protos AI can be deployed to:
- Collect and correlate threat intelligence across multiple sources, from known IOCs to dark web chatter and DNS anomalies.
- Enrich and analyse this data, applying frameworks like MITRE ATT&CK and linking emerging TTPs to your organisation’s unique exposure.
- Map external threats to actual business risks, assessing which vendors, cloud assets, or internal systems are most vulnerable.
- Generate risk and threat reports on demand, customised for security teams, executive committees, or underwriters.
It doesn't stop at raw technical data. Protos AI tailors its outputs for different stakeholders: helping risk analysts understand exposure profiles, supporting threat hunters with detailed campaign maps, and arming CISOs with strategic insights for the board.
Unlike general LLMs that wait passively for questions, Protos AI actively plans and executes multi-turn investigations. It knows which tools to call, how to pivot when new indicators arise, and how to escalate findings in a way that fits each audience.
Why Agentic AI is Different
As more organisations turn to AI to bolster defences, it’s important to distinguish between general large language models (LLMs) and what we’ve purpose-built at Protos Labs with Protos AI.
LLMs like ChatGPT are designed to answer questions and summarise data when prompted. They’re reactive, waiting for someone to tell them what to do. Protos AI is built differently. It’s an agentic AI platform that actively plans, reasons, and executes tasks like a junior cyber analyst. It combines advanced language models with memory, integrated tools, and autonomous decision-making logic, allowing it to continuously scan your environment, connect findings to live threat intelligence, and report back without needing explicit instructions for every step.
This means Protos AI doesn't just generate static reports. It tracks MFA resets, unusual help desk behaviour and access anomalies, and links them to known social engineering tactics, exactly the playbook Scattered Spider uses. It's like having a tireless analyst embedded in your operations, catching patterns before they escalate.
Looking Ahead
If you're interested in how Nexus can help your team identify these early patterns, or if you'd like to be among the first to know when Protos AI is available, we'd love to have you with us. Sign up, explore, and let's discover what comes next together.