Back to Intelligence

Scattered Spider TfL Breach: Defending Against Social Engineering and MFA Bypass

SA
Security Arsenal Team
July 16, 2026
6 min read

The recent sentencing of two high-profile members of the Scattered Spider (aka 0ktapus) collective to five years and six months in prison marks a significant victory for law enforcement following the 2024 Transport for London (TfL) breach. However, as defenders, we know that the incarceration of individuals rarely dissolves the threat group. Scattered Spider remains one of the most agile and dangerous adversaries targeting critical infrastructure and large enterprises, specifically leveraging social engineering to bypass even the most robust perimeter defenses.

This case is a stark reminder that sophisticated malware isn't always required for a catastrophic breach. The TfL incident, which exposed sensitive customer data, began with the oldest attack vector in the book: the human element. Security teams must shift their focus from单纯 preventing intrusion to detecting the subtle signs of credential theft and Multi-Factor Authentication (MFA) bypass.

Technical Analysis

Scattered Spider’s modus operandi revolves heavily around Initial Access via social engineering rather than exploiting software vulnerabilities. Understanding their attack chain is vital for building effective defenses.

  • Attack Vector: The group primarily utilizes Adversary-in-the-Middle (AiTM) phishing kits and SIM swapping. By proxying traffic through a rogue server, they intercept session cookies, allowing them to bypass MFA checks entirely without needing the second factor (e.g., the one-time code).
  • Tactics (MFA Fatigue): They frequently employ "MFA fatigue" or "MFA bombing," flooding a target with push notifications until the user inadvertently accepts the authentication request.
  • Persistence and Lateral Movement: Once inside the identity layer, Scattered Spider often enrolls their own devices for MFA or adds backup phone numbers. On the endpoint, they favor living-off-the-land (LOLBins) and legitimate Remote Monitoring and Management (RMM) tools—such as AnyDesk, ScreenConnect, or Splashtop—to blend in with administrative traffic and move laterally.
  • Exploitation Status: These techniques are not theoretical; they are actively in the wild and highly effective. While no specific 0-day CVE was used in the TfL breach, the exploitation of identity trust is a current, critical vulnerability.

Detection & Response

Detecting Scattered Spider requires a focus on identity anomalies and the presence of unexpected administrative tools. Below are detection mechanisms tailored to their TTPs.

SIGMA Rules

YAML
---
title: Potential Scattered Spider Activity - Suspicious RMM Tool Execution
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the execution of remote management tools frequently abused by Scattered Spider (e.g., AnyDesk, ScreenConnect, SplashTop) spawned by unusual parent processes like PowerShell or Explorer.
references:
  - https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1219
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|contains:
      - '\anydesk.exe'
      - '\connectwisecontrol.exe'
      - '\supremo.exe'
      - '\screenconnect.exe'
      - '\splashtop.exe'
  selection_parent:
    ParentImage|contains:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\pwsh.exe'
      - '\mshta.exe'
      - '\wscript.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate IT administration using scripts to launch RMM
level: high
---
title: Suspicious PowerShell Base64 Encoding indicative of Phishing Payloads
id: 9e8d7c6b-5a4f-3e2d-1c0b-9a8f7e6d5c4b
status: experimental
description: Detects PowerShell commands with encoded commands, often used in the initial stages of Scattered Spider phishing droppers to evade detection.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains: ' -enc ' 
    CommandLine|contains: ' -encodedcommand '
  filter_legit:
    ParentImage|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection and not filter_legit
falsepositives:
  - System management scripts
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for MFA Fatigue / Failed MFA followed by immediate Success
// Indicates user may have been spammed into accepting a push
SigninLogs
| where ResultType == "50074" or ResultType == "500121" // MFA failed or interrupted
| project UserPrincipalName, AppDisplayName, DeviceDetail, Location, Status, ConditionalAccessStatus, TimeGenerated
| join kind=inner (
    SigninLogs
    | where ResultType == "0" // Success
    | project SuccessTime=TimeGenerated, UserPrincipalName, AppDisplayName, DeviceDetail, Location
) on UserPrincipalName, AppDisplayName, DeviceDetail
| where TimeGenerated < SuccessTime and (SuccessTime - TimeGenerated) < 5m // Success within 5 mins of failure
| project TimeGenerated, SuccessTime, UserPrincipalName, AppDisplayName, Location, DeviceDetail
| order by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for portable RMM tools often dropped in AppData or Temp by actors
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="\\Users\\*\\AppData\\Local\\Temp\\*.exe")
WHERE Name =~ "anydesk"
   OR Name =~ "supremo"
   OR Name =~ "connectwise"
   OR Name =~ "screenconnect"

-- Hunt for suspicious PowerShell processes encoded payloads
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ "powershell.exe"
   AND CommandLine =~ "-enc"
   AND CommandLine =~ "AQYABg"  // Common header for specific base64 payloads, adjust as needed

Remediation Script (PowerShell)

PowerShell
# Script to Audit for Unauthorized RMM Tools
# Run with elevated privileges

Write-Host "Scanning for common RMM tools used by threat actors..."

$RMMProcesses = @("anydesk", "splashtop", "supremo", "connectwise", "screenconnect", "dameware", "teamviewer")
$SuspiciousPaths = @("C:\Users\Public\", "C:\Temp\", "C:\Windows\Temp\")

$FoundProcesses = Get-Process | Where-Object { $RMMProcesses -contains $_.ProcessName.ToLower() }

if ($FoundProcesses) {
    Write-Host "[ALERT] Found running RMM processes:" -ForegroundColor Red
    $FoundProcesses | Select-Object ProcessName, Id, Path, StartTime | Format-Table -AutoSize
} else {
    Write-Host "[INFO] No known RMM processes currently running." -ForegroundColor Green
}

# Scan for executable files in suspicious directories matching RMM names
foreach ($Path in $SuspiciousPaths) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path..."
        Get-ChildItem -Path $Path -Recurse -Include *.exe -ErrorAction SilentlyContinue | 
        Where-Object { $RMMProcesses -contains $_.BaseName.ToLower() } | 
        Select-Object FullName, CreationTime, LastWriteTime | Format-Table -AutoSize
    }
}

Write-Host "Audit complete. Review findings for unauthorized access tools."

Remediation

The sentencing of the TfL attackers is a legal win, but the technical war continues. To harden your environment against Scattered Spider and similar adversaries:

  1. Implement Phishing-Resistant MFA: Move beyond standard TOTP or push notifications. Implement FIDO2/WebAuthn hardware security keys (Passkeys). Scattered Spider cannot easily intercept a cryptographic handshake during an AiTM attack.
  2. Enforce Conditional Access Policies:
    • Configure policies to block legacy authentication protocols.
    • Require "Compliant Device" or "Hybrid Azure AD Joined" status for sensitive administrative access.
    • Implement "Named Locations" to restrict access from countries where your organization has no business presence.
  3. Number Matching: If using push notifications, ensure Number Matching is enforced. This requires the user to type a number displayed on the login screen into the authenticator app, mitigating MFA fatigue/bombing attacks where the user blindly accepts a push.
  4. User Education: Train users to recognize the specific signs of social engineering. If they receive unexpected MFA prompts, they should report it via security channels immediately rather than approving it.
  5. Restrict RMM Tool Usage: Whitelist approved remote management software via AppLocker or Windows Defender Application Control (WDAC). Alert on the execution of unsigned binaries or unauthorized RMM tools in user-writable directories.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemscattered-spidersocial-engineeringmfa-bypassidentity-protectionransomware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.