
You Don’t Need to Be a Nation-State to Cause Nation-State-Level Damage

Scattered Spider didn’t need zero-days, malware, or a government’s budget to bring a Fortune 500 company to its knees. They didn’t even need to break in. They just logged in.

We’ve long associated devastating cyberattacks with advanced persistent threats, custom tooling, and state-sponsored sophistication. But Scattered Spider’s wave of breaches paints a different picture. Today, all you need is a phone call, a LinkedIn profile, and a decent understanding of how enterprise IT support works. That, plus a little cloud access, and it’s game over.

The new playbook: Understand people, exploit the cloud

Scattered Spider – responsible for crippling operations at MGM Resorts, linked to the theft of millions of customer records from Snowflake tenants, and behind the disruption of major UK retailers – has proven just how much damage a few socially savvy attackers can do.

What’s remarkable isn’t just the scale of their attacks; it’s how unsophisticated their tactics appear on the surface. They didn’t need exploits. They didn’t write malware. They called the help desk, posed as employees, and asked for password resets or MFA removal. And it worked, over and over again.

Once inside, they used the victim’s identity provider (Okta) and cloud platforms (AWS, Snowflake) to move fast, pivot between accounts and tenants, and exfiltrate massive datasets. Their ransomware operations often came later – an exclamation point on an already successful heist.

They didn’t bypass the perimeter. They sidestepped it. And they exploited a critical reality: cloud and SaaS platforms generate plenty of logs, but most organizations collect, correlate, and act on far less of that telemetry than they do on-prem, where detection and response have had decades to mature.

In many of these breaches, attackers used valid credentials to access SaaS or cloud environments and then quietly exported data. No malware, no alerts, because no one was watching the cloud that closely.

Enter GenAI: Making the social part even easier

Now imagine that level of damage in the hands of an attacker who doesn’t even need to understand people, because a machine does that part for them.

That’s where generative AI comes in.

Social engineering used to require charisma, research skills, and some creativity. With large language models, anyone can generate hyper-realistic phishing emails, craft convincing employee impersonations, and even simulate IT support chat scripts.

You can feed ChatGPT a job title and LinkedIn profile, and get a tailored attack scenario complete with pretext and rebuttals to common objections.

Need a fake login page for your target’s SSO portal? GenAI can help there too.

Voice cloning tools are getting so good that a deepfaked voicemail from the CIO asking to “urgently approve that MFA reset” is just a weekend project for a motivated teenager.

We’re rapidly entering a world where anyone – with minimal technical skill – can launch attacks with the social sophistication of an elite red team. And they can do it at scale.

So what now?

We have to stop thinking of breaches as extraordinary failures of our defenses. Today, they’re simply part of operating in a connected, cloud-first world.

If a determined attacker with a good story can trick your help desk into resetting a global admin account, you can’t pretend your security controls are impenetrable. That illusion is gone.

Instead of trying to prevent every breach, we need to invest more in minimizing impact, detecting early, and responding fast enough to stop attackers before exfiltration or ransomware deployment.

Here’s what that looks like:

  • Visibility in cloud and SaaS is non-negotiable

You can’t defend what you can’t see. Make sure your identity provider (Okta, for example), cloud platforms (AWS, Azure, GCP), and SaaS apps (M365, Salesforce, Snowflake, etc.) are all feeding logs into your detection stack. That includes login events, MFA and password changes, admin actions, privilege changes, and data access patterns such as unusually large queries or exports.

  • Assume they’re already in and watch for movement

If you’re only looking for perimeter breaches, you’re already late. Monitor for behaviors that signal post-login activity: privilege escalation, anomalous file access, new federation or identity-provider configurations, logins from new locations right after a reset, and unusual MFA resets. This is where a single compromised login becomes a full compromise.

  • Use GenAI defensively, too

Attackers are using AI, so should you. Feed your cloud logs into AI-driven anomaly detection engines that can flag weird behavior faster than a human. Use AI to surface patterns across identity, activity, and access data. It’s not about replacing humans; it’s about equipping your team to make faster, smarter decisions when seconds count. None of this works without the logs from the first point, so get visibility in place before buying detection.

  • Secure the human layer

Train your team like they’re your crown jewels, because they are. Add strong authentication to support processes, and create protocols that don’t rely on caller ID, a plausible LinkedIn profile, or urgency. Require a verification step an outsider can’t satisfy, such as a code sent to a pre-registered device or out-of-band approval from the employee’s manager, and treat resets on privileged accounts as change requests that need a second approver. Log and review every password reset or MFA change, especially on admin accounts, so that an unapproved reset is itself an alert.
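The post-login behaviors listed under “Assume they’re already in” and the reset auditing under “Secure the human layer” can be expressed as a handful of correlation rules over identity-provider events. The following is an added example, not code from the original article or from any vendor. The records are constructed and loosely mimic Okta System Log entries (eventType, actor, client.ipAddress, target, published); the exact field names, the `approval_ticket` attribute, and all usernames, group names, and IP addresses are assumptions for illustration.

```python
"""Post-login detection over identity-provider events.

Added example, not code from the original article. The records below are
constructed and loosely mimic Okta System Log entries (eventType, actor,
client.ipAddress, target, published); the exact field names and the
"approval_ticket" attribute are assumptions, as are all names and IPs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed reference time
WINDOW = timedelta(hours=1)                                # how long after a reset we stay suspicious

RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate",
                "user.account.reset_password"}
FEDERATION_PREFIX = "system.idp.lifecycle."   # creating/updating an external IdP


def ev(minutes, event_type, actor, ip, target=None, **extra):
    """Build one constructed event `minutes` after T0."""
    return {"published": T0 + timedelta(minutes=minutes), "eventType": event_type,
            "actor": actor, "client": {"ipAddress": ip}, "target": target or [], **extra}


# Constructed sample timeline: alice's MFA is reset by the help desk with no
# approval ticket, then "alice" logs in from a never-seen IP, self-grants admin,
# and registers a new identity provider. carol's reset is ticketed and benign.
EVENTS = [
    ev(-1440, "user.session.start", "alice", "203.0.113.10"),
    ev(-1440, "user.session.start", "carol", "203.0.113.11"),
    ev(0, "user.mfa.factor.reset_all", "helpdesk.bob", "192.0.2.5",
       [{"type": "User", "alternateId": "alice"}]),
    ev(6, "user.session.start", "alice", "198.51.100.7"),
    ev(12, "group.user_membership.add", "alice", "198.51.100.7",
       [{"type": "User", "alternateId": "alice"},
        {"type": "UserGroup", "displayName": "Super Administrators"}]),
    ev(25, "system.idp.lifecycle.create", "alice", "198.51.100.7",
       [{"type": "IdentityProvider", "displayName": "external-saml"}]),
    ev(40, "user.mfa.factor.reset_all", "helpdesk.bob", "192.0.2.5",
       [{"type": "User", "alternateId": "carol"}], approval_ticket="HD-4711"),
    ev(45, "user.session.start", "carol", "203.0.113.11"),
]


def target_user(e):
    """Username the event acts on, or None when it is the actor's own activity."""
    return next((t["alternateId"] for t in e["target"] if t["type"] == "User"), None)


def is_privilege_grant(e):
    """Direct privilege grant, or membership added to a group whose name says admin."""
    if e["eventType"] == "user.account.privilege.grant":
        return True
    return e["eventType"] == "group.user_membership.add" and any(
        "admin" in t.get("displayName", "").lower() for t in e["target"])


def detect(events):
    """Return (rule, user, eventType, detail) tuples for suspicious post-login activity."""
    alerts = []
    resets = {}                     # user -> time of the most recent credential/MFA reset
    known_ips = defaultdict(set)    # user -> IPs seen while NOT inside a post-reset window
    for e in sorted(events, key=lambda x: x["published"]):
        et, actor, ip, when = e["eventType"], e["actor"], e["client"]["ipAddress"], e["published"]
        user = target_user(e) or actor

        if et in RESET_EVENTS:
            resets[user] = when
            if not e.get("approval_ticket"):      # every reset must be tied to an out-of-band approval
                alerts.append(("reset_without_approval", user, et, actor))
            continue

        if et.startswith(FEDERATION_PREFIX):      # a new federation is a persistent backdoor: always alert
            alerts.append(("federation_change", actor, et, ip))

        recent_reset = user in resets and when - resets[user] <= WINDOW
        if et == "user.session.start":
            if recent_reset and ip not in known_ips[user]:
                alerts.append(("new_ip_after_reset", user, et, ip))
            elif not recent_reset:
                known_ips[user].add(ip)           # only learn IPs outside the suspicious window
        elif recent_reset and is_privilege_grant(e):
            alerts.append(("privilege_after_reset", user, et, ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Two design points matter here. The baseline of known IPs is only updated outside the post-reset window, so an attacker’s first login after a help-desk reset cannot quietly become “normal”. And the unticketed reset is an alert on its own, without waiting for the follow-on activity, which is the cheapest place to catch this playbook.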

Final thought

The lesson from Scattered Spider is not just that cloud and identity are the new frontiers for attackers. It’s that you don’t have to be highly sophisticated to cause highly sophisticated damage. When visibility is poor, credentials are gold, and cloud platforms are wide open, even mid-tier attackers can achieve top-tier results.

And now, with GenAI lowering the bar even further, everyone has access to attacker-level creativity.

You won’t stop every breach. But you can stop it from becoming a crisis.