
Scattered Spider Guilty Plea: A Look Back at Smishing TTPs

SecArch_Diana 5/3/2026

Just saw the breaking news regarding Tyler Robert Buchanan (aka 'Tylerb') pleading guilty. It’s a significant win for law enforcement, but for us in the trenches, it serves as a stark reminder of the effectiveness of the TTPs Scattered Spider (aka 0ktapus) popularized back in 2022.

While the plea covers wire fraud and identity theft, we shouldn't forget the technical impact of their initial access campaigns. They weren't just running generic phishing kits; they were specifically targeting SSO providers and telecom employees to facilitate SIM swaps and bypass MFA. The 'Summer of 2022' campaign against tech firms was a masterclass in social engineering combined with basic technical exploitation.

For those hunting similar indicators today, Scattered Spider often relied on SMS phishing (smishing) hosted on compromised infrastructure. If you're reviewing your logs, keep an eye out for anomalous MFA spam—specifically repeated push notifications followed by a success, which indicates MFA fatigue.

Here is a basic KQL query for Sentinel/Defender to help visualize potential MFA bombing attempts targeting Okta or Entra ID:

// Sign-in events that triggered an MFA challenge (Entra ID result code 50074)
SigninLogs
| where ResultDescription == "MFA required" or Status has "50074"
// Count challenges per user and application in 5-minute buckets
| summarize count() by UserPrincipalName, AppDisplayName, bin(TimeGenerated, 5m)
// More than five prompts in five minutes is worth a closer look
| where count_ > 5
| order by count_ desc

With the rise of generative AI making these phishing texts even more convincing, are you all seeing a shift back towards SMS-based attacks, or is email still the primary vector in your environments?
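The KQL above counts challenge bursts; the pattern the post actually describes is a burst of prompts followed by a success. The following Python is an added example (mine, not from the original post) that implements that fuller check over a constructed sample of sign-in events; it assumes Entra-style result codes ("50074" for an MFA challenge, "0" for success) and a 5-minute window with a threshold of five prompts, matching the query.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Result codes as they appear in Entra ID sign-in logs (assumption for this example:
# "0" = successful sign-in, "50074" = an MFA challenge was issued).
MFA_CHALLENGE = "50074"
SUCCESS = "0"

# Constructed sample events (not real log data): one on-call account receives a late
# evening burst of push prompts and then approves one; a second account signs in normally.
SAMPLE_EVENTS = [
    {"time": "2026-05-03T22:01:05Z", "user": "oncall@example.com", "result": "50074"},
    {"time": "2026-05-03T22:01:40Z", "user": "oncall@example.com", "result": "50074"},
    {"time": "2026-05-03T22:02:15Z", "user": "oncall@example.com", "result": "50074"},
    {"time": "2026-05-03T22:02:50Z", "user": "oncall@example.com", "result": "50074"},
    {"time": "2026-05-03T22:03:30Z", "user": "oncall@example.com", "result": "50074"},
    {"time": "2026-05-03T22:04:10Z", "user": "oncall@example.com", "result": "50074"},
    {"time": "2026-05-03T22:04:45Z", "user": "oncall@example.com", "result": "0"},
    {"time": "2026-05-03T09:15:00Z", "user": "dev@example.com", "result": "50074"},
    {"time": "2026-05-03T09:15:20Z", "user": "dev@example.com", "result": "0"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(events, window=timedelta(minutes=5), threshold=5):
    """Return (user, challenge_count, success_time) for each successful sign-in that was
    preceded by at least `threshold` MFA challenges within `window`. A burst that never
    ends in a success is deliberately not reported: the user did not approve a prompt."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((parse_time(ev["time"]), ev["result"]))

    hits = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        for i, (t_ok, result) in enumerate(evs):
            if result != SUCCESS:
                continue
            # Challenges issued in the window leading up to this success.
            challenges = sum(
                1 for t, r in evs[:i] if r == MFA_CHALLENGE and t_ok - t <= window
            )
            if challenges >= threshold:
                hits.append((user, challenges, t_ok))
    return hits
```

Run against the sample, only the on-call account is reported (six prompts, then a success); the developer's single prompt followed by a login is left alone.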

VPN_Expert_Nico 5/3/2026

We definitely saw a spike in smishing attempts targeting on-call engineers last quarter. The attackers are getting smarter about timing—often hitting outside of 9-5 hours when SOC visibility is lower. We ended up adding a specific corpus of keywords to our secure email gateways that also scans for SMS forwarding logs. It's not perfect, but it caught a few attempts mimicking Okta Verify alerts.

K8s_SecOps_Mei 5/3/2026

The MFA fatigue angle is real. We moved our privileged access users to FIDO2 hardware keys specifically because of the Scattered Spider playbook. No amount of social engineering can help an attacker if they don't have the physical token. It was a hard sell to management initially, but this guilty plea helps justify the expense.
