Scattered Spider Social Engineering
Status
contained
Attacker Type
HUMAN
Confidence
72%
Kill Chain
Persistence
Events
67
CRS Score
82
Elapsed
2.0h
EVENT TIMELINE
high 08:00:00
MFA reset via social engineering detected
info 08:00:12
CIE: Session sandboxed, decoy environment deployed
ATTACK NARRATIVE
A Scattered Spider-attributed attacker successfully social-engineered a help desk agent into resetting MFA for a privileged user. The Identity Agent detected the anomalous authentication pattern within 200ms -- the user had never logged in from this geolocation or device fingerprint. The session was immediately sandboxed, and the attacker was presented with a convincing but isolated environment. All genuine administrative actions were blocked while the investigation proceeded.
Affected Assets
okta-tenant
azure-ad-sync
helpdesk-portal
Agent Layers Involved
identity
cloud
PREDICTED NEXT MOVES
01 Register new MFA device on compromised account
02 Access Okta admin console
03 Create federated identity provider
Pre-Blocked Paths
BLOCKED Register new MFA device on compromised account
BLOCKED Access Okta admin console
BLOCKED Create federated identity provider
COUNTER-ACTIONS EXECUTED
Sandboxed anomalous session
08:00:12
Presented isolated decoy admin console
08:01:00
Blocked all admin-level actions for affected account
08:00:15