Scattered Spider, the cybercrime and ransomware hacking group, is making headlines again after four young people were arrested in the UK, and MSPs need to take notice.
The arrests were made by police investigating the cyberattacks on large UK-based retailers Marks & Spencer (M&S) and Co-op. Those arrested were aged between 17 and 20, suggesting possible links to Scattered Spider, which is believed to be mostly made up of teenagers and young men from Britain and the US.
Scattered Spider is known to target IT helpdesks and mid-market companies, with Infosecurity magazine reporting:
“Investigators collaborating with M&S disclosed that Scattered Spider leveraged compromised credentials from Tata Consultancy Services (TCS), a major IT outsourcing firm, to infiltrate systems.”
This is both a threat and an opportunity for MSPs, MSSPs and anyone in IT consulting and outsourcing. Here’s what you need to know—and what you should do about it.
Who—or what—is Scattered Spider?
Scattered Spider is the name given to a loosely affiliated but highly skilled group of cybercriminals, known for sophisticated social engineering tactics and a preference for living-off-the-land (LOTL) techniques.
Active since at least 2022, they have been linked to attacks on major corporations including Qantas and MGM Resorts, often bypassing traditional defenses not through malware but through social engineering.
They’ve been associated with the larger umbrella group ALPHV/BlackCat, but increasingly appear to act independently.
What happened at Marks & Spencer? And how does it fit Scattered Spider’s profile?
In April 2025, UK retailer Marks & Spencer suffered a security breach, allegedly at the hands of Scattered Spider. The attack stopped all ecommerce for weeks, which has cost the business an estimated €345 million in lost sales.
While full details remain under wraps, reports indicate that attackers gained access to internal systems via phishing and impersonation of IT staff, two trademarks of the group.
In a statement, M&S said customer payment data was not affected—but employee data may have been exposed. That aligns with the group’s tactics: steal employee identity data, move laterally, escalate privileges, then monetize via extortion or data sale.
This wasn’t a smash-and-grab ransomware incident. It was stealthy, patient, and heavily reliant on exploiting human trust and any weaknesses in identity controls.
Why should MSPs care about Scattered Spider?
These attackers aren’t coming through the back door anymore—they’re walking right past the front desk, clipboard in hand.
Scattered Spider and groups like them are exploiting:
- Weak identity verification protocols
- Poor MFA hygiene
- Over-permissioned access to cloud and endpoint systems
- MSP tools and platforms with legacy authentication models
As MSPs take on more identity and access management (IAM) responsibilities for clients, they are becoming both gatekeepers and targets.
If you’re offering endpoint protection, remote access, or identity brokering—even indirectly—you’re now in the threat actor’s line of fire.
How do these attackers get in, and why aren’t tools catching them?
The next attack on your system could be carried out by a hacker pretending to be someone else, usually convincingly. Scattered Spider has successfully used SIM swapping, helpdesk impersonation, and deep knowledge of internal org structures to bypass MFA and helpdesk protocols.
Once inside, they use tools already installed on the system to move quietly. Many endpoint and detection platforms don’t flag this behavior as malicious, especially when it mimics administrator actions.
This is not a failure of tooling—it’s a failure of assumptions.
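The point above is that each step of an identity takeover looks like ordinary admin work, so tooling that judges events one at a time never fires. The following is an added example, not code from the original article or from any vendor it mentions: it correlates a helpdesk-performed password reset with a new MFA method registered on the same account shortly afterwards, which is the sequence the article attributes to the group. The pipe-delimited log format, the event names, the 30-minute window and the log lines themselves are assumptions constructed for illustration; map them to your identity provider's audit export before use.

```python
"""Correlate helpdesk-driven account changes into a takeover pattern.

Added example, not part of the original article. Log format, event names
and the 30-minute window are assumptions for illustration only.
"""
from datetime import datetime, timedelta

# Constructed sample audit events (not real data).
# Format: timestamp | event | target_account | actor | detail
SAMPLE_LOG = """\
2025-04-20T09:02:11Z|PasswordReset|alice.admin|helpdesk.bob|via phone request
2025-04-20T09:09:40Z|MfaMethodAdded|alice.admin|alice.admin|authenticator app on new device
2025-04-20T09:15:02Z|SignIn|alice.admin|alice.admin|device=unknown-laptop
2025-04-20T10:30:00Z|PasswordReset|carol.user|helpdesk.bob|self-service expired
2025-04-20T16:45:00Z|SignIn|carol.user|carol.user|device=CAROL-PC
2025-04-21T08:00:00Z|MfaMethodAdded|dave.admin|dave.admin|hardware key
"""

WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_events(text):
    """Parse pipe-delimited audit lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, target, actor, detail = line.split("|", 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event,
            "target": target,
            "actor": actor,
            "detail": detail,
        })
    return sorted(events, key=lambda e: e["time"])


def find_takeover_chains(events, window=WINDOW):
    """Return one finding per account where a password reset performed by
    someone other than the account owner is followed, within `window`, by
    a new MFA method being registered on that account. Each step alone is
    routine admin work; the sequence is the signal."""
    findings = []
    resets = [e for e in events
              if e["event"] == "PasswordReset" and e["actor"] != e["target"]]
    for reset in resets:
        deadline = reset["time"] + window
        for e in events:
            if (e["event"] == "MfaMethodAdded"
                    and e["target"] == reset["target"]
                    and reset["time"] <= e["time"] <= deadline):
                # Note whether a sign-in followed inside the same window,
                # which raises confidence that the new factor was used.
                signed_in = any(
                    s["event"] == "SignIn" and s["target"] == reset["target"]
                    and e["time"] <= s["time"] <= deadline
                    for s in events)
                findings.append({
                    "account": reset["target"],
                    "reset_by": reset["actor"],
                    "reset_at": reset["time"],
                    "mfa_added_at": e["time"],
                    "gap_seconds": int((e["time"] - reset["time"]).total_seconds()),
                    "sign_in_followed": signed_in,
                })
                break  # one finding per reset is enough
    return findings


if __name__ == "__main__":
    for f in find_takeover_chains(parse_events(SAMPLE_LOG)):
        print(f"ALERT {f['account']}: reset by {f['reset_by']} at {f['reset_at']}, "
              f"MFA method added {f['gap_seconds']}s later, "
              f"sign-in followed: {f['sign_in_followed']}")
```

Run against the constructed log, only alice.admin is flagged: carol.user had a helpdesk reset with no factor change, and dave.admin added a factor with no preceding reset. The same structure works for other sequences the article describes, such as a reset followed by a new device enrolment, by swapping the event names.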
What’s the biggest takeaway for MSPs managing client infrastructure?
You can’t outsource security posture entirely to tooling. Your clients depend on you to design secure workflows, enforce policies, and continually adapt to attacker innovation.
Key actions for MSPs:
- Implement zero-trust architecture wherever possible. Don’t assume trust based on network location or device.
- Harden your helpdesk protocols. Social engineering resistance starts with robust identity verification.
- Audit access regularly. Remove excessive privileges and unused accounts—especially admin roles.
- Practice breach scenarios. Simulate social engineering attempts against internal teams and clients.
- Add human intelligence to technical controls. Security awareness training is a technical control now.
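The "audit access regularly" action above is easy to state and easy to let slip. The following is an added example, not code from the original article, showing what a recurring offline audit over an exported account inventory can look like: it flags privileged accounts without MFA, privileged accounts that have gone dormant, dormant ordinary accounts, and disabled accounts that still hold roles. The inventory schema, the role names (GlobalAdmin, HelpdeskAdmin, RMMAdmin), the 90-day threshold and the sample accounts are all assumptions constructed for illustration; adapt them to whatever your identity provider exports.

```python
"""Offline privilege and dormancy audit over an account inventory.

Added example, not part of the original article. Schema, role names,
threshold and sample data are assumptions for illustration only.
"""
from collections import Counter
from datetime import date, timedelta

# Assumed names of roles that warrant extra scrutiny.
PRIVILEGED_ROLES = {"GlobalAdmin", "HelpdeskAdmin", "RMMAdmin"}
STALE_DAYS = 90  # assumed dormancy threshold

# Constructed sample inventory (not real data). last_sign_in is None when
# the account has never signed in.
SAMPLE_INVENTORY = [
    {"user": "alice", "roles": ["GlobalAdmin"], "mfa": True,
     "last_sign_in": date(2025, 7, 1), "enabled": True},
    {"user": "legacy.svc", "roles": ["RMMAdmin"], "mfa": False,
     "last_sign_in": date(2024, 11, 3), "enabled": True},
    {"user": "contractor.tmp", "roles": [], "mfa": False,
     "last_sign_in": None, "enabled": True},
    {"user": "bob", "roles": ["HelpdeskAdmin"], "mfa": False,
     "last_sign_in": date(2025, 7, 9), "enabled": True},
    {"user": "old.admin", "roles": ["GlobalAdmin"], "mfa": True,
     "last_sign_in": date(2025, 1, 2), "enabled": False},
]


def audit_accounts(inventory, today, stale_days=STALE_DAYS):
    """Return sorted (user, reason) findings for the inventory.

    An account can produce several findings, e.g. a dormant admin that also
    lacks MFA, so each reason is reported separately for triage."""
    cutoff = today - timedelta(days=stale_days)
    findings = []
    for acct in inventory:
        privileged = bool(PRIVILEGED_ROLES & set(acct["roles"]))
        last = acct["last_sign_in"]
        dormant = last is None or last < cutoff
        if privileged and not acct["mfa"]:
            findings.append((acct["user"], "privileged_without_mfa"))
        if privileged and dormant:
            findings.append((acct["user"], "dormant_privileged"))
        if not privileged and dormant:
            findings.append((acct["user"], "dormant_account"))
        if not acct["enabled"] and acct["roles"]:
            # Disabled accounts keep their roles until someone removes them;
            # re-enabling one (e.g. via a convincing helpdesk call) restores
            # full privilege in one step.
            findings.append((acct["user"], "disabled_but_holds_roles"))
    return sorted(findings)


def summarize(findings):
    """Count findings per reason, useful for tracking posture over time."""
    return dict(Counter(reason for _, reason in findings))


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_INVENTORY, today=date(2025, 7, 10))
    for user, reason in results:
        print(f"{user:16} {reason}")
    print(summarize(results))
```

On the constructed inventory the only account with no findings is alice, the active admin with MFA. Feeding the output into a ticketing system and re-running it on a schedule turns a one-off clean-up into the continual adaptation the article calls for.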
How should MSPs talk to clients about this threat?
Position this as a business risk—not just a technical one. Scattered Spider isn’t just targeting Fortune 500s; they’re hitting mid-sized firms and suppliers because they often have weaker controls and sit downstream in the data chain.
Explain that “good enough” security isn’t good enough anymore. Threat actors are tailoring their attacks and learning how each client environment works.
Use the M&S case to illustrate how even sophisticated enterprises are vulnerable—and how you can help fill the gaps.
What can MSPs expect over the next 12 months?
Expect more of the same class of attack—but faster, broader, and smarter. Scattered Spider and its offshoots are maturing into hybrid extortion crews, sometimes skipping ransomware entirely in favor of high-pressure data extortion.
As AI-enhanced phishing and voice cloning gain ground, identity verification will become even more fragile.
For MSPs, this is your moment to evolve from infrastructure partners to risk mitigation advisors. Those who can explain, implement, and maintain modern identity frameworks will earn client trust—and new business.
Cybercrime is the fastest developing aspect of an MSP’s long list of responsibilities. Join us in Barcelona for MSP GLOBAL to hear from cyber experts and meet the partners who may have the tools you need to fight back. Sign up to the newsletter to access your code for a FREE TICKET.