During a recent incident response engagement for a major ITES firm based in Bengaluru, I observed a breach that bypassed a multi-layered MFA implementation in under 15 minutes. The threat actor, identified as UNC3944 (commonly known as Scattered Spider), did not use a zero-day exploit or a complex buffer overflow. Instead, they weaponized the human element of the identity perimeter, specifically targeting the help desk and the inherent weaknesses of push-based authentication.
Who is Scattered Spider (UNC3944)?
Scattered Spider is a financially motivated threat group that has gained notoriety for its sophisticated social engineering and identity-centric attacks. Unlike traditional ransomware groups that rely on phishing attachments or RDP brute-forcing, UNC3944 focuses on gaining persistent access to identity providers (IdPs) like Okta and Azure AD. They are native English speakers, which allows them to bypass traditional language barriers during social engineering calls.
I have observed this group targeting Indian enterprises by exploiting the high-volume nature of local IT support centers. In these environments, help desk agents are often measured by ticket resolution speed, creating a pressure cooker where security verification protocols are frequently bypassed to meet KPIs.
The Shift from Technical Exploits to Identity-Based Attacks
The evolution of Scattered Spider marks a definitive shift in the threat landscape. We are seeing a move away from malware-heavy campaigns toward "living-off-the-cloud" techniques, a trend that mirrors several vulnerabilities highlighted in the OWASP Top 10. By compromising a single set of credentials and an MFA token, the attacker gains access to the entire SaaS ecosystem of an organization, including Slack, GitHub, and AWS.
In the Indian context, this is particularly dangerous. Many firms have rapidly migrated to hybrid cloud environments but have left legacy authentication protocols active for older on-premise applications. Scattered Spider exploits this "identity debt" to find the path of least resistance.
Defining MFA Bypass in the Context of Modern Cybercrime
MFA bypass is no longer just about stealing a six-digit OTP. It encompasses a range of techniques designed to either trick the user into authorizing a login or trick the system into thinking the MFA requirement has already been met. Scattered Spider uses a combination of session hijacking, adversary-in-the-middle (AiTM) kits, and social engineering to render traditional MFA useless.
Core Tactics: How Scattered Spider Bypasses MFA
The group's primary strategy revolves around the "Identity Perimeter." They understand that if they control the identity provider, they control the enterprise. We have tracked their use of several distinct bypass vectors that are highly effective against standard corporate security stacks.
Social Engineering and Help Desk Impersonation
This is the group's signature move. An attacker calls an organization’s help desk, often using a spoofed VoIP number to appear as if they are calling from an internal extension or a local Indian mobile number. They claim to be an employee who has lost their phone or is having trouble with their MFA device.
The attacker often gathers reconnaissance from LinkedIn or internal directories to provide the help desk agent with "proof" of identity, such as an employee ID or manager's name. I have seen cases where the attacker successfully convinced an agent to register a new hardware token—controlled by the attacker—to the victim's account.
MFA Fatigue Attacks (Push Bombing)
If the attacker already has the user's password (often obtained from previous credential stuffing or a phish), they will trigger dozens of MFA push notifications to the victim's mobile device. This usually happens late at night or during a busy workday. The goal is to annoy the user into tapping "Approve" just to stop the notifications.
In many Indian enterprises, Microsoft Authenticator is the standard. Without "Number Matching" enabled, the user only sees an "Approve" or "Deny" prompt. Scattered Spider relies on this lack of context to gain entry.
SIM Swapping and SMS Interception Techniques
Despite constant warnings from CERT-In, many Indian financial and IT services still rely on SMS-based OTPs. Scattered Spider targets local telecom providers like Airtel, Jio, and Vodafone-Idea. They use social engineering at the retail store level, bribing or tricking employees into porting a victim's phone number to a SIM card in the attacker's possession.
Once the SIM is swapped, the attacker receives all SMS-based MFA codes directly. This bypasses the need for any interaction with the victim and provides a direct path into corporate VPNs or email accounts.
Adversary-in-the-Middle (AiTM) Phishing Kits
We have seen UNC3944 deploy Evilginx2 to intercept session cookies in real-time. This is not a standard phishing site that just steals passwords; it acts as a proxy between the victim and the legitimate login page (e.g., portal.office.com). For security teams, detecting MFA proxy bypass attempts requires monitoring for unusual session cookie attributes.
Deploying Evilginx2 to capture session tokens
sudo ./evilginx2 -p ./phishlets/ -c config.yaml -t 127.0.0.1
When the victim enters their credentials and MFA code on the proxied site, Evilginx2 captures the authenticated session cookie. The attacker then injects this cookie into their own browser, bypassing the MFA requirement entirely because the session is already "authenticated."
High-Profile Case Studies: MFA Bypasses in Action
The effectiveness of these tactics is best demonstrated by the breaches of MGM Resorts and Caesars Entertainment in late 2023. These were not failures of firewall technology; they were failures of identity verification.
The MGM Resorts and Caesars Entertainment Breaches
In the MGM case, the attackers reportedly found an employee's information on LinkedIn and called the help desk to request an MFA reset. This simple 10-minute phone call allowed them to deploy ransomware across the resort's infrastructure, causing hundreds of millions of dollars in damages.
Caesars, on the other hand, reportedly paid a significant ransom (estimated around ₹125 Crore or $15 million) to prevent the release of stolen data. The entry point was again a social engineering attack against an outsourced IT support vendor.
Exploiting Okta Environments and Identity Providers
Scattered Spider has a deep understanding of Okta’s internal workings. In several campaigns, they targeted Okta customers by compromising the accounts of highly privileged administrators. Once they gain "Super Admin" rights, they can disable MFA for specific users or add their own malicious identity providers to the trust list.
Lessons Learned from Recent Campaigns
- Help desks are the weakest link in the MFA chain.
- Session tokens are more valuable than passwords.
- Outsourced IT support must be held to the same identity standards as internal teams.
Technical Breakdown of Identity Perimeter Breaches
To defend against these attacks, we must look at what happens after the initial bypass. The attacker's goal is to move from a standard user account to a high-privilege administrative role.
Session Token Theft and Cookie Hijacking
Once a session token is stolen via AiTM, the attacker uses it to query the Microsoft Graph API or Okta API. I have monitored attackers using stolen tokens to enumerate the entire tenant's user list and identify potential targets for privilege escalation.
Using a stolen session token to query user details via Graph API
curl -v -X GET https://graph.microsoft.com/v1.0/me -H "Authorization: Bearer [STOLEN_SESSION_TOKEN]"
This allows the attacker to operate within the "trusted" session, making their activities appear as legitimate user traffic to most basic monitoring tools.
Exploiting Legacy Authentication Protocols
Many Indian enterprises maintain hybrid environments where Azure AD is synced with on-premise Active Directory. Attackers often target legacy protocols like POP3, IMAP, or SMTP, which do not support modern MFA. By using an NTLM relay attack (CVE-2024-21410), which is documented in the NIST NVD, they can escalate privileges within the hybrid environment.
Enumerating authentication methods for a target user in Azure AD
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/[ID]/authentication/methods"
Privilege Escalation Post-MFA Bypass
After the initial entry, Scattered Spider often deploys remote monitoring and management (RMM) tools to maintain persistence. To mitigate the risk of unauthorized RMM usage, organizations should transition to a browser based SSH client that provides granular, audited access to infrastructure without exposing open ports.
Silent installation of AnyDesk for persistent remote access
msiexec.exe /i "AnyDesk.msi" /qn /norestart
Why Traditional MFA is Failing Against Scattered Spider
The industry has long touted MFA as a silver bullet, but the tactics of UNC3944 prove that not all MFA is created equal. The reliance on "something you have" is flawed when "what you have" can be intercepted or social engineered away.
The Weakness of SMS and Voice-Based Codes
SMS-based MFA is fundamentally broken. Between SIM swapping, SS7 vulnerabilities, and simple social engineering of telecom staff, it provides a false sense of security. In India, where mobile-first workflows are the norm, this vulnerability is amplified.
Human Error: The Achilles' Heel of Push Notifications
Push notifications rely on a split-second decision by a human. When an employee receives a push at 3:00 PM on a Friday, they often click "Approve" without thinking. Scattered Spider exploits this cognitive load. Without the context of where the login is coming from (e.g., an IP address in Russia or a different city in India), the user has no data to make a safe decision.
The Limitations of Standard TOTP
While TOTP (Time-based One-Time Passwords) like Google Authenticator are better than SMS, they are still vulnerable to AiTM phishing. If an attacker can trick a user into entering the six-digit code into a proxied site, the attacker can use that code immediately to establish a session.
Mitigation Strategies: Defending Against Scattered Spider
To counter a group as agile as Scattered Spider, Indian enterprises must move beyond "compliant" security and toward "adversarial" security. This requires hardening the identity stack and the human processes surrounding it.
Transitioning to Phishing-Resistant MFA (FIDO2/WebAuthn)
The only definitive way to stop AiTM and social engineering bypasses is to implement FIDO2-compliant hardware keys (like YubiKeys) or platform authenticators (Windows Hello, Apple TouchID). These methods use public-key cryptography to ensure that the credential is only valid for the specific website it was created for.
Implementing Strict Help Desk Verification Procedures
Enterprises must overhaul their help desk workflows. I recommend the following:
- Vouching: Require a manager to join a video call to verify the identity of an employee requesting an MFA reset.
- Callback Verification: Never trust the incoming caller ID. Call the employee back on a registered corporate number.
- Pre-Shared Secrets: Use non-guessable, non-public information for verification (not employee IDs or DOBs).
Hardening Okta and Azure AD Configurations
You must explicitly block legacy authentication. If your environment requires POP3 or IMAP, it is a vulnerability that Scattered Spider will find. Use Conditional Access policies to enforce strict requirements.
{ "displayName": "Block Legacy Auth - Anti-Scattered Spider", "state": "enabled", "conditions": { "clientAppTypes": ["exchangeActiveSync", "other"], "applications": {"includeApplications": ["All"]}, "users": {"includeUsers": ["All"]} }, "grantControls": { "operator": "OR", "builtInControls": ["block"] } }
Behavioral Analytics and Impossible Travel Detection
Monitor for "Impossible Travel" alerts. If a user logs in from Mumbai and then 10 minutes later from an IP associated with a known VPN provider used by UNC3944, the session should be automatically terminated. Implementing advanced threat detection and log analysis is essential for identifying these anomalies in real-time. Under the DPDP Act 2023, failing to implement such reasonable security safeguards could lead to significant penalties for Indian firms if a breach occurs.
The Future of Identity Security and Zero Trust
The era of the "trusted network" is over. Scattered Spider has proven that once an attacker is inside the identity perimeter, the internal network offers little resistance.
Moving Beyond Passwords and Push Notifications
We must move toward a passwordless future where identity is verified through biometric hardware and device health checks. A device should not be allowed to authenticate unless it is managed by the corporate MDM and has a healthy EDR status.
The Role of Continuous Adaptive Trust
Identity should not be a one-time check at login. Continuous Adaptive Trust (CAT) monitors the session's risk level throughout its duration. If a user suddenly starts downloading unusual amounts of data or accessing sensitive HR records they never touched before, the system should re-challenge for MFA or kill the session.
Building a Resilient Incident Response Plan for Identity Theft
When a breach happens, time is the critical factor. Your IR plan must include:
- Immediate revocation of all active refresh tokens for the compromised account.
- Isolation of the compromised user's devices via EDR.
- A full audit of the IdP logs to check for the creation of new API keys or backdoored accounts.
We recently used the AADInternals toolkit to audit a suspected tenant. This allowed us to identify exactly which administrative accounts had been tampered with.
Auditing a user's status and potential backdoors in Azure AD
Get-AADIntUser -UserPrincipalName [email protected] -Domain company.in
As UNC3944 continues to refine their tactics, the focus for Indian CISOs must remain on the help desk and the elimination of phishable MFA factors. The cost of a FIDO2 rollout is negligible compared to the ₹100 Crore+ impact of a full-scale identity compromise.
Next Command: Get-MgAuditLogDirectoryAudit -Filter "category eq 'UserManagement'" to monitor for unauthorized MFA resets.
