Breachroad
Ransomware

Scattered Spider: the call that took down retail

In 2025 Scattered Spider paralysed UK retail. The weapon wasn't a 0-day but a helpdesk call. We break down the technique and the defence.

Karol Rapacz
13 May 2025 · 10 min read

In spring 2025, UK retail experienced a wave of attacks that paralysed parts of the biggest chains’ operations for weeks. Marks & Spencer suspended online orders, Co-op faced empty shelves from supply-chain disruption, and Harrods restricted system access. The perpetrators — the Scattered Spider group (also known as UNC3944) — are linked to these attacks by one tool that is no 0-day at all: a call to the helpdesk. It’s the best possible lesson that the weakest link is still the process, not the technology.

Who Scattered Spider is

It’s a loose group of young, English-speaking attackers, skilled not in writing exploits but in social engineering. Their trademark is calling internal helpdesks and impersonating employees to get a password or MFA reset. They previously made their name attacking the casino industry and tech; in 2025 they turned to retail, then insurance and aviation. For the final encryption they used off-the-shelf ransomware (the RaaS model) — contributing themselves only the part they were best at: entry through a human.

Anatomy of the attack: from a call to encryption

The pattern is surprisingly repeatable and requires no “magic”:

  1. Reconnaissance. The attacker gathers, from LinkedIn and leaks, details of the employee they’ll impersonate and the helpdesk person they’ll call.
  2. The helpdesk call. “Hi, this is John from department X, I changed my phone and can’t log in, please reset my MFA.” A confident tone, knowledge of details, time pressure.
  3. The MFA reset. If the helpdesk resets the second factor without hard identity verification — the attacker registers their own device and logs in as the employee.
  4. Escalation and lateral movement. With account access, the attacker collects more credentials, targets Active Directory and critical systems.
  5. Encryption. After days of reconnaissance, ransomware is launched, often combined with data theft (double extortion).

Note: steps 4–5 are the classic ransomware chain. What’s new isn’t the finale but the entry — through a phone call, not a software flaw.

Why it works and how to defend

A helpdesk is designed to help — to quickly unblock locked-out people. The attacker exploits exactly that mission. The defence isn’t to make the helpdesk unhelpful, but to build hard gates into the reset process:

Identity verification via an independent channel. A password or MFA reset must not rely on information gatherable from the internet (date of birth, employee number). It needs video verification with an ID, confirmation via a manager, or a code from a trusted, previously registered device. For privileged accounts — the bar goes even higher.

Phishing-resistant MFA. Passkeys and FIDO2 keys don’t eliminate the reset-process attack, but they make abusing a hijacked account harder and reduce the number of “legitimate” reasons to reset.

Alerts on sensitive operations. Registering a new MFA method, a reset for a privileged account, a login from a new device right after a reset — these are signals that must reach your monitoring, not a void.
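The two controls above (verification that does not rest on internet-findable data, and alerts on resets, new MFA methods and post-reset logins from unfamiliar devices) can be expressed as a small correlation rule over identity-provider audit events. The following is an added example written for this post, not Breachroad's tooling or any real IdP's log format: the event records, the `verification` field recording how the helpdesk agent checked the caller, the device baseline and the usernames are all constructed. It flags a reset performed on a knowledge-based check such as date of birth, any reset of a privileged account, any newly registered MFA method, and a login from a device outside the user's baseline within a window after a reset.

```python
from datetime import datetime, timedelta

# Constructed sample audit events in chronological order (not from any real tenant).
# "verification" is an assumed field: how the helpdesk agent verified the caller.
SAMPLE_EVENTS = [
    {"ts": "2025-04-20T09:02:00", "event": "login", "user": "j.smith",
     "device": "dev-laptop-17", "actor": "j.smith"},
    {"ts": "2025-04-20T10:15:00", "event": "mfa_reset", "user": "j.smith",
     "device": None, "actor": "helpdesk.agent3", "verification": "dob"},
    {"ts": "2025-04-20T10:18:00", "event": "mfa_method_registered", "user": "j.smith",
     "device": "dev-unknown-91", "actor": "j.smith"},
    {"ts": "2025-04-20T10:21:00", "event": "login", "user": "j.smith",
     "device": "dev-unknown-91", "actor": "j.smith"},
    {"ts": "2025-04-20T11:00:00", "event": "password_reset", "user": "a.admin",
     "device": None, "actor": "helpdesk.agent1", "verification": "video_id"},
    {"ts": "2025-04-22T08:00:00", "event": "login", "user": "m.jones",
     "device": "dev-laptop-03", "actor": "m.jones"},
]

# Constructed device baseline: devices each user has previously signed in from.
KNOWN_DEVICES = {
    "j.smith": {"dev-laptop-17"},
    "m.jones": {"dev-laptop-03"},
    "a.admin": {"dev-admin-01"},
}
PRIVILEGED_USERS = {"a.admin"}
RESET_EVENTS = {"mfa_reset", "password_reset"}
# Verification methods that rely on data an attacker can gather from the internet.
WEAK_VERIFICATION = {"dob", "employee_id", "none"}


def detect(events, known_devices, privileged, window=timedelta(hours=24)):
    """Return alerts for the helpdesk-reset abuse pattern described in the post."""
    alerts = []
    last_reset = {}  # user -> timestamp of the most recent helpdesk reset

    def alert(severity, rule, e, detail):
        alerts.append({"severity": severity, "rule": rule, "user": e["user"],
                       "ts": e["ts"], "detail": detail})

    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["event"] in RESET_EVENTS:
            last_reset[user] = ts
            if e.get("verification", "none") in WEAK_VERIFICATION:
                alert("medium", "weak_verification", e,
                      f"{e['event']} by {e['actor']} verified via {e.get('verification')}")
            if user in privileged:
                alert("high", "privileged_reset", e, f"{e['event']} by {e['actor']}")
        elif e["event"] == "mfa_method_registered":
            # A new second factor is always worth a ticket; it is the attacker's foothold.
            alert("medium", "new_mfa_method", e, f"device {e['device']}")
        elif e["event"] == "login":
            unfamiliar = e["device"] not in known_devices.get(user, set())
            if unfamiliar and user in last_reset and ts - last_reset[user] <= window:
                alert("high", "new_device_login_after_reset", e,
                      f"device {e['device']} {ts - last_reset[user]} after reset")
    return alerts


def high_severity(alerts):
    """Convenience filter for what should page someone rather than land in a queue."""
    return [a for a in alerts if a["severity"] == "high"]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, KNOWN_DEVICES, PRIVILEGED_USERS):
        print(f"[{a['severity']:6}] {a['rule']:30} {a['user']:8} {a['ts']}  {a['detail']}")
```

On the constructed sample this yields four alerts: the reset of j.smith verified only by date of birth, the new MFA method registered minutes later, the first login from the unknown device within the window, and the reset of the privileged a.admin account. The last is raised even though the verification was strong, because a privileged-account reset is something monitoring should see regardless of how well the helpdesk did its job.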

A refusal script for the helpdesk. The support team needs a clear, rehearsed list: what it never does over the phone, no matter how convincing and urgent the caller sounds. “I can’t do this over the phone, here’s the secure path” isn’t rude — it’s professional.

Social engineering exercises. The best test is a controlled attempt: call your own helpdesk (with permission) and check whether MFA can be reset without hard verification. It’s a standard part of our social engineering tests.

The wider context of 2025

Scattered Spider’s retail attacks are part of a bigger trend of the year: attackers increasingly choose the route through people and suppliers rather than through patchable flaws. It’s the same direction as the OAuth token theft or the interface manipulation in the Bybit heist. The common denominator: technology is often well secured, so the attack moves to process and trust.

Frequently asked questions (FAQ)

We’re not a retail chain. Does this apply to us? Yes — the technique is industry-neutral. Any organisation with a helpdesk that resets passwords and MFA is vulnerable to the same scenario. After retail, Scattered Spider attacked insurance and aviation with exactly the same method.

We have MFA. Isn’t that enough? MFA protects the login, but this attack targets the process of resetting it. If the helpdesk resets the second factor for someone who impersonated well, MFA is bypassed via a legitimate path. So you must secure not just the login but the recovery of access.

How do we verify identity at reset in practice? In layers, by account sensitivity: for ordinary accounts — a code from a registered device or a manager’s confirmation; for privileged ones — video verification with an ID and a second approver. The key: don’t rely on data findable on the internet.

Can we test this before a real attacker does? Yes, and you should. A controlled social engineering test aimed at the helpdesk shows exactly whether your reset process would survive such a call. It’s one of the most “cost-effective” tests — the gap is cheap to exploit and cheap to fix.

What to do immediately on suspecting such a breach? Treat it as an active incident: invalidate sessions and reset the suspected account’s credentials, check newly registered devices and MFA methods, review mailbox rules and sign-ins. With signs of lateral movement — start incident response before encryption happens.

Summary

Scattered Spider proved in 2025 that you don’t need a 0-day to take down a retail giant — a convincing helpdesk call and a weak MFA reset process are enough. The defence is equally “non-technical”: hard identity verification at access recovery, alerts on sensitive operations, a refusal script and regular exercises. If you want to know whether your helpdesk would survive such a call, we’ll test it — in a controlled way and with concrete findings.


Sources and further reading: NCSC UK.
