
The Tylerb Verdict: Deconstructing Scattered Spider's SMS Phishing Ops

MSP_Owner_Rachel 4/25/2026

Finally seeing some movement on the Scattered Spider front. Krebs reported that Tyler Robert Buchanan (aka 'Tylerb') pleaded guilty to wire fraud and aggravated identity theft. While the legal side is settled, I want to focus on the TTPs mentioned in the report: the summer 2022 SMS phishing campaign that hit dozens of tech firms.

We know Scattered Spider (0ktapus) doesn't rely on zero-days; they bypass MFA by stealing session cookies (ID tokens) via proxy kits and OTP bots. Since we can't patch human trust, detection is critical. They often targeted Okta and VPNs. If you're relying solely on MFA prompts without context, you're vulnerable to MFA fatigue.

I've been hunting for indicators of these specific phishing kits in our proxy logs. Here is a basic KQL query I've been using to identify potential session theft attempts by looking for rapid failed logins followed by a successful one from a different ASN (often the proxy server):

SigninLogs
// ResultType is the sign-in result code: "0" = success, 50126 = bad credentials, 50053 = account locked
| where ResultType in ("0", "50126", "50053")
| project TimeGenerated, UserId, AppDisplayName, ResultType, AutonomousSystemNumber, DeviceDetail, LocationDetails
// sort by user then time so prev() walks each user's history in order (sort output is serialized)
| sort by UserId asc, TimeGenerated asc
| extend PrevUser = prev(UserId), PrevResult = prev(ResultType), PrevASN = prev(AutonomousSystemNumber)
// a success directly after a failure for the same user, arriving from a different ASN
| where UserId == PrevUser and ResultType == "0" and PrevResult in ("50126", "50053") and AutonomousSystemNumber != PrevASN
| project-reorder TimeGenerated, UserId, AppDisplayName, LocationDetails


Is anyone else seeing a resurgence of these targeted SMS attacks, or are they moving deeper into other channels like Teams?
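Added example, not part of MSP_Owner_Rachel's post: the same failed-then-success-from-a-different-ASN logic as the query above, written in Python so it can be run over an exported sign-in log offline. The events, field names (time, user, result, asn) and the ten-minute window are constructed assumptions; the result codes follow the Entra ID convention the query uses.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Result codes follow the
# Entra ID convention used in the thread: "0" = success, "50126" = bad
# credentials, "50053" = account locked. Field names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2026-04-20T09:00:00", "user": "alice", "result": "50126", "asn": 7922},
    {"time": "2026-04-20T09:00:20", "user": "alice", "result": "50126", "asn": 7922},
    {"time": "2026-04-20T09:01:05", "user": "alice", "result": "0",     "asn": 16509},
    {"time": "2026-04-20T10:00:00", "user": "bob",   "result": "50126", "asn": 7922},
    {"time": "2026-04-20T10:00:30", "user": "bob",   "result": "0",     "asn": 7922},
    {"time": "2026-04-20T11:00:00", "user": "carol", "result": "0",     "asn": 7922},
]

FAILURE_CODES = {"50126", "50053"}


def find_suspicious_successes(events, window=timedelta(minutes=10), min_failures=1):
    """Return one tuple per success that follows at least `min_failures`
    failed sign-ins for the same user inside `window` and arrives from an
    ASN none of those failures used: (user, success_time, failure_asns, asn)."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["time"])):
        by_user.setdefault(e["user"], []).append(e)

    hits = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "0":
                continue
            t = datetime.fromisoformat(e["time"])
            recent_failures = [
                p for p in evs[:i]
                if p["result"] in FAILURE_CODES
                and t - datetime.fromisoformat(p["time"]) <= window
            ]
            if len(recent_failures) < min_failures:
                continue
            failure_asns = sorted({p["asn"] for p in recent_failures})
            # Same ASN as the failures usually means the user retyping a password;
            # a success from a new ASN right after a failure burst is the pattern
            # worth reviewing as a possible proxy-kit session.
            if e["asn"] not in failure_asns:
                hits.append((user, e["time"], failure_asns, e["asn"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_successes(SAMPLE_EVENTS):
        print("review:", hit)
```

Only alice is reported on the sample data: bob's success comes from the same ASN as his failure, and carol never failed. Raising `min_failures` trades recall for fewer tickets; tune it against your own baseline of password retries.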
NetGuard_Mike 4/25/2026

Solid query. We actually caught a similar campaign last month targeting our Okta instance. The attackers weren't just using SMS; they were also abusing the 'self-service password reset' feature to enumerate users before phishing.

We ended up adding strict conditional access policies requiring compliant devices for admins. One thing to watch out for: the session tokens stolen by these groups often have long lifespans. If you aren't monitoring for 'Impossible Travel' on the issued tokens themselves, you might miss the breach even after the phishing stops.
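Added example, not part of NetGuard_Mike's post: an impossible-travel check applied to the session token itself rather than to the login event, as the post recommends. Each token-use event carries the session id plus the geolocation of the request; consecutive uses of the same session that imply a speed above an airliner's are flagged. The events, coordinates and the 900 km/h threshold are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed token-use events (not real telemetry): (session_id, ISO time, lat, lon).
SAMPLE_TOKEN_EVENTS = [
    ("sess-A", "2026-04-20T09:00:00", 40.71, -74.01),   # New York
    ("sess-A", "2026-04-20T09:45:00", 51.51, -0.13),    # London, 45 minutes later
    ("sess-B", "2026-04-20T09:00:00", 40.71, -74.01),   # New York
    ("sess-B", "2026-04-20T15:00:00", 42.36, -71.06),   # Boston, six hours later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Return (session_id, distance_km, speed_kmh) for every pair of consecutive
    uses of one session that would require travelling faster than `max_kmh`.
    A session that was already stolen keeps working long after the phish, so
    this is keyed on the session id, not on the user or the login event."""
    by_session = {}
    for sid, ts, lat, lon in events:
        by_session.setdefault(sid, []).append((datetime.fromisoformat(ts), lat, lon))

    alerts = []
    for sid, points in by_session.items():
        points.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(points, points[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours > 0:
                speed = dist / hours
            else:
                # Two uses in the same second: only impossible if they are far apart.
                speed = float("inf") if dist > 1.0 else 0.0
            if speed > max_kmh:
                alerts.append((sid, round(dist), round(speed)))
    return alerts


if __name__ == "__main__":
    for sid, dist, speed in impossible_travel(SAMPLE_TOKEN_EVENTS):
        print(f"{sid}: {dist} km in a window implying {speed} km/h")
```

Geolocation of IP space is coarse, so treat a single hit as a trigger to inspect the session (which ASN, which device context, what it did next) rather than as proof on its own; corporate VPN egress and mobile carriers are the usual false-positive sources.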

PhishFighter_Amy 4/25/2026

Good to see them off the streets, even if it's just one node. We've shifted focus to FIDO2/WebAuthn keys for our critical admins. It's the only surefire way to stop these OTP relay attacks.

For detection, we're checking User-Agents. These phishing kits often have weird UA strings or inconsistencies between the browser header and the actual device context. Here's a quick Python snippet we use to normalize UA strings for comparison in our SIEM:

import re

def normalize_ua(user_agent):
    """Collapse version numbers so UA strings group by browser/OS family."""
    # Replace dotted version numbers (e.g. 120.0.6099.109) with a placeholder
    ua = re.sub(r'\d+(?:\.\d+)+', 'X.X', user_agent)
    # Drop bracketed fragments such as "[en-US]" that vary per client
    ua = re.sub(r'\[.*?\]', '', ua)
    # Squash the whitespace left behind by the removals
    return re.sub(r'\s+', ' ', ua).strip()


It helps group the phishing kit traffic together.
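Added example, not part of PhishFighter_Amy's post: it takes the normalization idea one step further and does the consistency check the post describes, comparing the OS family claimed by the User-Agent header with the OS the IdP recorded in its device context, and flagging non-browser UAs outright. The sign-in records, the device_os field and the family keyword tables are constructed assumptions.

```python
import re
from collections import Counter

# Ordered so that more specific families match first: iOS UAs also contain
# "Mac OS X" and Android UAs also contain "Linux".
UA_OS_PATTERNS = [
    ("ios", re.compile(r"iPhone|iPad", re.I)),
    ("android", re.compile(r"Android", re.I)),
    ("windows", re.compile(r"Windows NT", re.I)),
    ("macos", re.compile(r"Mac OS X|Macintosh", re.I)),
    ("linux", re.compile(r"X11;|Linux", re.I)),
]

# Keywords expected in the IdP's device context field (assumed name: device_os).
DEVICE_OS_KEYWORDS = [("ios", "ios"), ("android", "android"), ("windows", "windows"),
                      ("macos", "mac"), ("linux", "linux")]

# Constructed sample sign-ins (not real logs).
SAMPLE_SIGNINS = [
    {"user": "alice", "device_os": "Windows 10",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.109 Safari/537.36"},
    {"user": "bob", "device_os": "Windows 11",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"},
    {"user": "carol", "device_os": "Windows 10", "ua": "python-requests/2.31.0"},
    {"user": "dave", "device_os": "iOS 17",
     "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"},
]


def normalize_ua(ua):
    """Collapse version numbers (dotted or underscored) and bracketed fragments."""
    ua = re.sub(r"\d+(?:[._]\d+)+", "X", ua)
    ua = re.sub(r"\[.*?\]", "", ua)
    return re.sub(r"\s+", " ", ua).strip()


def os_family_from_ua(ua):
    for family, pattern in UA_OS_PATTERNS:
        if pattern.search(ua):
            return family
    return "unknown"


def os_family_from_device(device_os):
    text = device_os.lower()
    for family, keyword in DEVICE_OS_KEYWORDS:
        if keyword in text:
            return family
    return "unknown"


def check_signins(events):
    """Return (findings, groups). findings lists (user, reason) for sign-ins whose
    UA disagrees with the device context or is not a browser at all; groups counts
    sign-ins per normalized UA so traffic from one kit clusters together."""
    findings = []
    groups = Counter()
    for e in events:
        ua_os = os_family_from_ua(e["ua"])
        dev_os = os_family_from_device(e["device_os"])
        groups[normalize_ua(e["ua"])] += 1
        if ua_os == "unknown":
            findings.append((e["user"], "non-browser or unrecognised UA"))
        elif dev_os != "unknown" and ua_os != dev_os:
            findings.append((e["user"], f"ua_os={ua_os} device_os={dev_os}"))
    return findings, groups


if __name__ == "__main__":
    findings, groups = check_signins(SAMPLE_SIGNINS)
    for user, reason in findings:
        print(f"{user}: {reason}")
    for ua, n in groups.most_common():
        print(f"{n:3d}  {ua}")
```

On the sample data bob is flagged because a Linux browser header arrived from a session the IdP attributes to a Windows 11 device, and carol because the client is not a browser at all; alice and dave are consistent. A mismatch is a review signal, not a verdict: UA spoofing extensions and some enterprise proxies produce the same pattern.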
ZeroTrust_Hannah 4/25/2026

The 'Tylerb' group is sophisticated because they do heavy OSINT on their targets before sending that text. They know exactly what VPN you use.

From a SOC perspective, the 'MFA Fatigue' push spam is the hardest to detect because the user eventually clicks 'Approve'. We've started training users to report 'Deny' actions as security incidents, not just errors. That simple change in mindset gave us our best visibility into these campaigns.
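Added example, not part of ZeroTrust_Hannah's post: a detector for the push-spam pattern the post describes. It raises a user when several push prompts go unanswered or denied inside a short window, and separately when a Deny is followed by an Approve, which is exactly the sequence the post asks users to report. The prompt events, the outcome values and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed MFA push prompt outcomes (not real telemetry). Outcome values are
# assumed: "approved", "denied", "timeout".
SAMPLE_PUSH_EVENTS = [
    {"time": "2026-04-20T09:00:00", "user": "alice", "outcome": "denied"},
    {"time": "2026-04-20T09:01:00", "user": "alice", "outcome": "denied"},
    {"time": "2026-04-20T09:02:00", "user": "alice", "outcome": "timeout"},
    {"time": "2026-04-20T09:03:00", "user": "alice", "outcome": "approved"},
    {"time": "2026-04-20T10:00:00", "user": "bob",   "outcome": "denied"},
    {"time": "2026-04-20T10:00:30", "user": "bob",   "outcome": "approved"},
    {"time": "2026-04-20T11:00:00", "user": "carol", "outcome": "approved"},
]


def detect_push_fatigue(events, window=timedelta(minutes=5), burst_threshold=3):
    """Return {user: sorted reasons}. "burst" means at least `burst_threshold`
    denied/timed-out prompts inside `window`; "deny_then_approve" means the user
    approved a prompt shortly after denying one, the fatigue-success signature."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        reasons = set()
        for i, e in enumerate(evs):
            t = times[i]
            # Everything for this user from `window` ago up to and including this prompt.
            recent = [evs[j] for j in range(i + 1) if t - times[j] <= window]
            unanswered = [r for r in recent if r["outcome"] in ("denied", "timeout")]
            if len(unanswered) >= burst_threshold:
                reasons.add("burst")
            if e["outcome"] == "approved" and any(r["outcome"] == "denied" for r in recent[:-1]):
                reasons.add("deny_then_approve")
        if reasons:
            findings[user] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for user, reasons in detect_push_fatigue(SAMPLE_PUSH_EVENTS).items():
        print(f"{user}: {', '.join(reasons)}")
```

Both signals are cheap to compute from the authentication provider's MFA result logs. The deny-then-approve case is the one worth paging on: a burst alone may be a user's phone on a bad connection, but a denial followed by an approval within minutes usually means the user was worn down, and the session issued by that approval is the one to revoke and investigate.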

Thread stats: created 4/25/2026, last active 4/25/2026, 3 replies, 52 views