CTI Swarm
CROWDSTRIKE

Inside Scattered Spider's 2026 helpdesk-social-engineering playbook

Strategic Summary

CrowdStrike Services details Scattered Spider's 2026 evolution: voice cloning combined with LinkedIn-sourced context lets the actor talk helpdesks into MFA resets in 4 of 5 observed cases. Persistence shifts to Azure AD app registrations that survive password resets. The defining control is procedural — video calls + manager-verified OOTPs for resets, validated to reduce success rate to zero in red-team retests.

Key Findings

  • Voice cloning + LinkedIn Sales Navigator data is the 2026 social-engineering upgrade.
  • Helpdesk MFA reset succeeded in 4 of 5 observed Scattered Spider intrusions.
  • Persistence via Azure AD app registrations survives password resets.
  • Mean dwell time: 8.3 days from helpdesk call to data staging.
  • Procedural fix (video + manager-OOTP) reduced reset success to zero in red-team retests.

Full Text

Scattered Spider (UNC3944) continues to refine its helpdesk impersonation tradecraft. In five recent CrowdStrike Services engagements, the actor obtained initial access by phoning English-speaking IT helpdesks pretending to be a senior employee locked out of their account. In four of five cases, the helpdesk reset MFA without secondary verification.

What changed in 2026: the actor now combines voice cloning with stolen org-chart data from LinkedIn Sales Navigator subscriptions. They open the call by referencing recent internal events — board meetings, layoffs, product launches — pulled from press releases or social media to manufacture trust.

Once inside, Scattered Spider rapidly stages a Citrix/VDI break-out using off-the-shelf tooling. Persistence is established through Azure AD application registrations with delegated mail and file permissions, which survive most password resets. Mean dwell time in the five engagements was 8.3 days.
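To hunt for the persistence pattern described above, a defender can triage the tenant's delegated consent grants (Graph `GET /oauth2PermissionGrants`) for the mail and file scopes that outlive a password reset. The following is an added example, not CrowdStrike's tooling; the grants, service principals and analysis date are constructed, and the scoring weights are my own assumption.

```python
"""Triage Microsoft Graph oauth2PermissionGrant records for delegated
mail/file scopes. Record shape follows Graph (clientId, consentType,
principalId, resourceId, scope); all sample data here is constructed."""
from datetime import datetime, timezone

# Delegated scopes that give an app standing access to mailboxes and files.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All"}

# Constructed sample: service principal id -> (display name, creation time).
SERVICE_PRINCIPALS = {
    "sp-111": ("Contoso HR Portal", "2021-03-02T00:00:00Z"),
    "sp-222": ("Mail Sync Helper", "2026-02-14T09:12:00Z"),  # hypothetical new app
}
# Constructed sample grants in Graph's oauth2PermissionGrant shape.
GRANTS = [
    {"clientId": "sp-111", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read openid profile"},
    {"clientId": "sp-222", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph", "scope": "offline_access Mail.ReadWrite Files.ReadWrite.All"},
]
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed analysis time

def triage_grants(grants, sps, now, recent_days=30):
    """Return risky grants, highest score first (weights are assumptions)."""
    findings = []
    for g in grants:
        scopes = set(g["scope"].split())
        risky = sorted(scopes & RISKY_SCOPES)
        if not risky:
            continue
        name, created = sps.get(g["clientId"], ("<unknown>", None))
        age_days = None
        if created:
            created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
            age_days = (now - created_at).days
        score = len(risky)
        if "offline_access" in scopes:
            score += 1  # refresh token: access survives the interactive session
        if age_days is not None and age_days <= recent_days:
            score += 2  # freshly registered app matches the persistence pattern
        findings.append({"client": name, "principal": g["principalId"],
                         "scopes": risky, "app_age_days": age_days,
                         "offline_access": "offline_access" in scopes, "score": score})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for f in triage_grants(GRANTS, SERVICE_PRINCIPALS, NOW):
        print(f)
```

Revoking a flagged grant and the app's refresh tokens, not just resetting the user's password, is what actually closes the access the report describes.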

The single highest-leverage control is helpdesk procedure: require a video call and a one-time verification token mailed to the manager's known device before any account reset. Implementing that change alone reduced successful resets to zero in two follow-up red-team exercises.