
Scattered Spider Is Back – Last Time: Retailers, This Time, They’re Targeting Insurers

Earlier this year, the cybercrime group Scattered Spider orchestrated disruptive attacks on major UK retailers (M&S, Harrods, Co‑op) and quickly followed up with campaigns against U.S. brands such as Victoria’s Secret, North Face, Dior and Cartier. Their methods were textbook social engineering: impersonating employees, triggering MFA fatigue, talking help desks into resetting credentials, and using the resulting access to reach internal systems.

Now, it appears insurers are in their crosshairs. In mid-June, Google issued an alert: multiple U.S. insurance firms have experienced breaches consistent with Scattered Spider’s signature playbook. John Hultquist of Google’s Threat Intelligence Group warned:

“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”

In one reported case, Erie Insurance detected unusual network activity in early June. Though the investigation is ongoing, the circumstances align closely with Scattered Spider’s TTPs. Another insurance giant, Aflac, reported a breach on Friday afternoon.

What makes this group so potent?

  • Credential misuse over exploits: In past attacks, including MGM Resorts and Caesars, they got in with stolen or phished credentials rather than by exploiting software vulnerabilities.

  • Social engineering sophistication: They research internal staff, mimic accents, and manipulate help desks into bypassing MFA or resetting passwords.

  • Targeting SaaS apps: They use the stolen credentials to log in to victims’ third-party SaaS applications and exfiltrate data from them.

  • Sector-wide blitz execution: They strike multiple targets in a vertical simultaneously – casinos, retail, now insurance – before moving on.

This isn’t opportunistic hacking; it is a calculated campaign that targets trust rather than software. Once inside, they can pivot to cloud services, SaaS platforms, or identity systems, siphoning data or chaining into ransomware.

At Reveal Security, recent posts from our CEO Kevin Hanes showed how post-login blind spots in SaaS apps undermine detection. The same principle applies here: perimeter defenses fail when attackers use real credentials to log in as legitimate users. Visibility must extend beyond authentication events to behavioral identity signals within and across multiple SaaS applications.

So, what should security teams do?

  1. Defend the help desk: Enforce strict identity verification for password and MFA resets. Knowledge-based questions and caller ID are not enough against a group that researches its targets; verify through an independent channel such as a callback to the number on record or manager confirmation, and log every reset with the ticket and the agent who approved it.

  2. Monitor post-login activity: Track identity behavior – both human and non-human – across SaaS and cloud, including Okta, Salesforce, AWS, Snowflake, insurance portals … any application that holds sensitive data.

  3. Correlate cross-application signals: Detect anomalous actions even when the login itself looks normal, for example a help desk reset followed by a session from a source the user has never used and then bulk exports from a SaaS app.

  4. Train for deep social engineering: Simulate voice phishing, MFA fatigue scenarios, and help desk manipulations.
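Steps 2 and 3 together describe a correlation rule rather than a single alert, so here is an added example of what that rule looks like in code. It is illustrative code written for this post, not Reveal Security's product or any vendor's detection content. It assumes a SIEM-style normalization step has already mapped Okta, Salesforce and other logs into one constructed pipe-delimited event format (the field names, actions, usernames, ticket numbers and IPs below are all made up); it then looks, per identity, for the chain a help desk reset, a new-source session within a time window, and a bulk data action in another application.

```python
"""Cross-application chain detection for a help-desk-assisted account takeover.

Added example (not from the original post).  The log format, action names and
thresholds are constructed for illustration; real Okta System Log, Salesforce
Event Monitoring and CloudTrail records use different field names and would be
normalized into this shape before the rule runs.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    app: str       # okta, salesforce, aws, snowflake ...
    action: str    # normalized action name
    attrs: dict = field(default_factory=dict)


# Constructed line format: ts|user|app|action|k=v,k=v
def parse_line(line: str) -> Event:
    ts, user, app, action, raw = line.strip().split("|", 4)
    attrs = dict(kv.split("=", 1) for kv in raw.split(",") if kv)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, app, action, attrs)


# Stage 1: a credential or MFA reset performed on the user's behalf by the help desk.
RESET_ACTIONS = {("okta", "mfa.reset"), ("okta", "password.reset")}
# Stage 3: high-volume data access in a downstream application.
BULK_ACTIONS = {("salesforce", "report.export"), ("aws", "s3.getobject"), ("snowflake", "query.unload")}
BULK_THRESHOLD = 1000           # records; tune per application
WINDOW = timedelta(hours=6)     # how long after the reset the chain may unfold


def detect_chains(events, window=WINDOW, bulk_threshold=BULK_THRESHOLD):
    """Return [(user, [reset_event, new_source_session, bulk_event]), ...]."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        known_sources = set()   # baseline = sources this identity used before the reset
        for i, e in enumerate(evs):
            if e.action == "session.start":
                known_sources.add(e.attrs.get("src"))
                continue
            if (e.app, e.action) not in RESET_ACTIONS or e.attrs.get("actor") != "helpdesk":
                continue
            # Stage 1 matched: walk forward within the window for stages 2 and 3.
            chain = [e]
            new_session = None
            for later in evs[i + 1:]:
                if later.ts - e.ts > window:
                    break
                if (later.action == "session.start" and new_session is None
                        and later.attrs.get("src") not in known_sources):
                    new_session = later          # Stage 2: session from an unseen source
                    chain.append(later)
                elif (new_session is not None and (later.app, later.action) in BULK_ACTIONS
                        and int(later.attrs.get("count", "0")) >= bulk_threshold):
                    chain.append(later)          # Stage 3: bulk access after that session
                    findings.append((user, chain))
                    break
    return findings


# Constructed sample log: j.doe shows the full chain; a.lee has a legitimate
# help-desk reset followed by a session from her usual source, so no alert.
SAMPLE_LOG = """\
2025-06-09T08:55:02Z|j.doe|okta|session.start|src=10.1.1.5
2025-06-09T09:10:40Z|j.doe|salesforce|report.export|count=120
2025-06-10T09:02:11Z|j.doe|okta|mfa.reset|actor=helpdesk,ticket=HD-4411
2025-06-10T09:06:45Z|j.doe|okta|session.start|src=203.0.113.9
2025-06-10T09:31:03Z|j.doe|salesforce|report.export|count=25000
2025-06-10T10:00:00Z|a.lee|okta|session.start|src=10.1.1.7
2025-06-10T10:05:00Z|a.lee|okta|mfa.reset|actor=helpdesk,ticket=HD-4412
2025-06-10T10:09:30Z|a.lee|okta|session.start|src=10.1.1.7
2025-06-10T10:40:00Z|a.lee|salesforce|report.export|count=3000
"""


def run_sample():
    events = [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect_chains(events)


if __name__ == "__main__":
    for user, chain in run_sample():
        print(f"[ALERT] {user}: help-desk reset -> new-source session -> bulk export")
        for e in chain:
            print(f"   {e.ts.isoformat()} {e.app}/{e.action} {e.attrs}")
```

Note that none of the three events is suspicious on its own: help desks reset MFA every day, users log in from new places, and reports get exported. The signal is the ordered sequence tied to one identity across two applications, which is why the rule is keyed on the user rather than on any single log source. In production the baseline would come from weeks of history and compare device and ASN rather than raw IP, and the a.lee case shows why: a reset followed by activity from the user's normal source should stay quiet.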

Scattered Spider is on the rise, and it is successfully exploiting a big gap at the intersection of identity, SaaS and cloud. At Reveal, we’re working with organizations to close the post-authentication visibility gap across SaaS and cloud infrastructure, because when attackers log in with stolen credentials, reactive security simply won’t cut it.

If your organization is considering bolstering your SaaS and cloud defenses, reach out and schedule a demo with one of our experts. We’re happy to show you how we are helping our customers solve this challenge.
