Scattered Spider and Other Criminal Compromise of Outsourcing Providers Increases Victim Attacks

ID: d2e767ce-018c-5a0c-bf15-2b8bacc185a4

STIX ID: report--d2e767ce-018c-5a0c-bf15-2b8bacc185a4

Feed Name: Halcyon Blog

Threat Score
85/100

Date Published: 2026-03-02

Date Updated: 2026-04-28

...
...

This Halcyon intelligence brief details how Scattered Spider (UNC3944) leverages compromises of BPO/MSP providers to gain broad lateral access to client environments, execute large-scale data exfiltration, and deploy ransomware across sectors (retail, insurance, aviation, etc.). The report maps the group's lifecycle to MITRE ATT&CK, highlighting social engineering and insider recruitment, MFA and Intune abuse, BYOVD/EDR evasion, and use of cloud/file hosts for covert exfiltration. It issues prioritized mitigations such as enforcing phishing-resistant MFA, auditing third-party access and logs, monitoring for cloned authentication flows, hardening identity infrastructure, and preparing tenant-lockout recovery playbooks.