6 min read · HIGH · @Sdmrf

Scattered Spider's AiTM Playbook: How They're Bypassing MFA at Scale

An analysis of Scattered Spider's adversary-in-the-middle techniques - the social engineering, the tooling, and why your MFA might not be enough.


Scattered Spider (also tracked as UNC3944, Muddled Libra, and 0ktapus) has been the most successful social engineering threat actor of the past two years. Their target list includes MGM, Caesars, Twilio, Okta, and dozens of others.

What makes them effective isn’t technical sophistication - it’s process. Specifically, their systematic approach to bypassing MFA through adversary-in-the-middle (AiTM) attacks combined with relentless social engineering.

Let’s break down how they do it.

The Attack Pattern

Scattered Spider’s playbook is remarkably consistent:

Phase 1: Reconnaissance

Before any technical attack, they research:

  • Target company’s IT systems: What identity provider (Okta, Azure AD, etc.)? What VPN?
  • Helpdesk procedures: How does password reset work? What verification is required?
  • Employee information: Names, phone numbers, job roles (LinkedIn is a goldmine)

This phase can take weeks. They’re patient.

Phase 2: Infrastructure Setup

They set up:

  • Phishing domains: Typosquats of target company’s identity provider
  • AiTM proxy: Usually EvilGinx2 or similar
  • Communication channels: Slack, Telegram for coordination

The phishing domains are crafted carefully. Not obvious ones like 0kta-login.com, but subtler variations that pass a quick visual inspection.

Phase 3: Initial Contact

Two main approaches:

A) Credential Phishing

An SMS or email directs the victim to a fake login page:

"[Company] IT: Your password expires today. Reset at:
https://[company]-sso.com/reset"

The link goes to an EvilGinx proxy that captures credentials AND session tokens.

B) Help Desk Impersonation

Call the actual help desk posing as an employee:

"Hi, this is [name] from [department]. I got a new phone and I'm
locked out. Can you help me reset my MFA?"

They’ve done enough recon to answer verification questions. If asked for employee ID, they have it. Manager’s name? They know it.

Phase 4: MFA Bypass

This is where the AiTM magic happens.

When a victim enters credentials on the phishing page:

Victim → EvilGinx Proxy → Real Login Page
   ↓           ↓                 ↓
Enters      Forwards         Validates
creds       in real-time     credentials
   ↓           ↓                 ↓
Gets MFA    Captures          Sends MFA
prompt      session           to victim
   ↓           ↓                 ↓
Enters      Captures          Authenticates
MFA code    session token     attacker

The attacker gets a valid session token. MFA was “bypassed” because the victim completed the MFA challenge on the attacker’s behalf.

Phase 5: Persistence and Escalation

Once they have access:

  • Register their own MFA device (persistence)
  • Search for admin credentials, API keys
  • Access cloud environments (AWS, GCP, Azure)
  • Target identity infrastructure (become the admin)
  • Deploy remote access tools

From initial access to domain admin often takes hours, not days.

The EvilGinx2 Problem

EvilGinx2 and similar tools make AiTM accessible to anyone. The tool:

  • Proxies authentication flows in real-time
  • Captures session cookies
  • Works against most identity providers
  • Is free and open source

It’s not even hidden. It’s a public GitHub project with documentation.

This democratizes sophisticated attacks. You don’t need to understand authentication protocols - the tool handles it.

Why Help Desk Attacks Work

The MGM breach reportedly started with a help desk call. Why do these work?

1. Help desks are incentivized to help

Their job is solving access problems. Saying “no” means tickets pile up, users complain, metrics look bad.

2. Verification is weak

Common verification: employee ID, manager name, recent ticket numbers. All obtainable through OSINT.

3. Social pressure

“I’m locked out before a critical meeting with the CEO” creates urgency that short-circuits careful verification.

4. No technical controls

The help desk can reset MFA because that’s their job. There’s no technical barrier to exploitation.

Defenses That Actually Help

Against AiTM Phishing

Phishing-resistant MFA (FIDO2/WebAuthn)

Hardware keys and passkeys bind each credential to the origin it was registered on: the browser records the page's actual origin in the signed client data, so the real okta.com won't accept an assertion that started on a fake domain.

This is the only MFA that actually defeats AiTM attacks. Everything else can be proxied.
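As an added illustration of that origin binding (example code, not from the original post), the relying-party check below mirrors what a WebAuthn server does: the browser writes the page's real origin into clientDataJSON, the authenticator signs authenticatorData plus its hash, and the server rejects any assertion whose origin it doesn't own. The HMAC stands in for the authenticator's ECDSA signature so the example needs only the standard library; RP_ID, the origins and the key are constructed values.

```python
import hashlib
import hmac
import json
import os

RP_ID = "example.com"                            # constructed relying-party id
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins the RP will accept

def client_data_json(challenge: bytes, page_origin: str) -> bytes:
    # The browser, not the page's JavaScript, fills in the origin it is on,
    # so a phishing proxy cannot lie about where the ceremony started.
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge.hex(),
                       "origin": page_origin}).encode()

def authenticator_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) || flags (UP bit set) || 4-byte signature counter
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")

def sign(key: bytes, auth_data: bytes, cdj: bytes) -> bytes:
    # Real authenticators sign authData || SHA-256(clientDataJSON) with an
    # ECDSA key; HMAC is a stand-in so this stays standard-library only.
    return hmac.new(key, auth_data + hashlib.sha256(cdj).digest(), "sha256").digest()

def rp_verify(key: bytes, challenge: bytes, auth_data: bytes,
              cdj: bytes, sig: bytes) -> tuple[bool, str]:
    data = json.loads(cdj)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != challenge.hex():
        return False, "challenge mismatch"
    if data.get("origin") not in ALLOWED_ORIGINS:        # the AiTM-defeating check
        return False, f"origin {data.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not hmac.compare_digest(sign(key, auth_data, cdj), sig):
        return False, "bad signature"
    return True, "ok"

def login_attempt(page_origin: str) -> tuple[bool, str]:
    # Drive one assertion ceremony with the browser sitting on page_origin.
    key = b"constructed-credential-key"      # shared here only for the demo
    challenge = os.urandom(32)              # RP-issued, relayed by any proxy
    cdj = client_data_json(challenge, page_origin)
    auth = authenticator_data(RP_ID)
    return rp_verify(key, challenge, auth, cdj, sign(key, auth, cdj))

if __name__ == "__main__":
    print(login_attempt("https://login.example.com"))     # (True, 'ok')
    print(login_attempt("https://login-example-sso.com"))  # (False, "origin ... not allowed")
```

The proxied case fails at the origin check before the signature is even examined; a real browser would additionally refuse to use an RP ID that isn't a suffix of the phishing host, so the assertion is never produced at all.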

Token binding and device trust

Conditional access policies that require specific device characteristics (for example a managed, compliant device) before a session is accepted, so that a stolen session token is not enough on its own.

Unusual session detection

Monitor for:

  • Session starts from unexpected locations
  • Rapid location changes
  • New devices accessing sensitive resources

Against Help Desk Social Engineering

Out-of-band verification

Before making sensitive changes:

  • Call the employee back at their registered number (not the one they called from)
  • Send verification to their registered email
  • Require video verification for high-risk changes

Manager approval workflows

MFA resets require manager approval through a separate channel.

Canary questions

Ask something an attacker couldn’t know from OSINT. “What color is your desk chair?” isn’t great, but pre-registered security questions help.

Delay sensitive changes

“Your MFA will be reset in 24 hours. If you didn’t request this, contact security.”

Detection Opportunities

Even if initial access succeeds, detect the follow-on:

Signs of Scattered Spider activity:

  • New MFA device registration from unusual location
  • Access to identity admin portals
  • Bulk permission changes
  • Remote access tool installation
  • Mass download from collaboration tools (Slack, Teams)

Fast detection can limit damage even after MFA bypass.
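The unusual-session list and the post-compromise signs above turn into rules easily. The added example below, which is not from the original post, runs three of them over a constructed event log: impossible travel between consecutive sessions, MFA enrollment from outside a user's baseline country, and identity-admin portal access by someone who isn't an admin. The event schema, users, coordinates and thresholds are all assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

def ev(ts, user, kind, country, lat, lon):
    return {"ts": ts, "user": user, "type": kind, "country": country, "lat": lat, "lon": lon}

# Constructed identity-provider events in a generic schema (no vendor's real format).
EVENTS = [
    ev("2024-05-01T09:00:00", "alice", "login", "US", 40.7, -74.0),
    ev("2024-05-01T09:10:00", "alice", "login", "DE", 52.5, 13.4),       # proxied session
    ev("2024-05-01T09:12:00", "alice", "mfa_enroll", "DE", 52.5, 13.4),  # persistence
    ev("2024-05-01T09:20:00", "alice", "admin_portal_access", "DE", 52.5, 13.4),
    ev("2024-05-01T10:00:00", "bob", "login", "US", 37.8, -122.4),
    ev("2024-05-01T10:05:00", "bob", "mfa_enroll", "US", 37.8, -122.4),  # legit new phone
]
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}  # where each user normally signs in
IDENTITY_ADMINS = {"carol"}                            # who may touch the identity portal
MAX_KMH = 900                                          # faster than this is not travel
MIN_KM = 50                                            # ignore GeoIP jitter below this

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(events):
    """Return (user, rule) alerts for the post-compromise signals above."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        u, t = e["user"], datetime.fromisoformat(e["ts"])
        if e["type"] == "mfa_enroll" and e["country"] not in BASELINE_COUNTRIES.get(u, set()):
            alerts.append((u, "mfa_enroll_unusual_location"))
        if e["type"] == "admin_portal_access" and u not in IDENTITY_ADMINS:
            alerts.append((u, "identity_portal_access_by_non_admin"))
        if u in last:  # rapid location change between consecutive events
            hours = (t - last[u]["t"]).total_seconds() / 3600
            km = haversine_km(last[u]["lat"], last[u]["lon"], e["lat"], e["lon"])
            if km > MIN_KM and (hours == 0 or km / hours > MAX_KMH):
                alerts.append((u, "impossible_travel"))
        last[u] = {"t": t, "lat": e["lat"], "lon": e["lon"]}
    return alerts

if __name__ == "__main__":
    for user, rule in detect(EVENTS):
        print(f"ALERT {user}: {rule}")
```

Alice trips all three rules within twenty minutes while Bob's legitimate re-enrollment from his usual country stays quiet, which is the kind of chain worth paging on even when the initial login looked valid.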

The Identity Problem

Scattered Spider exploits a fundamental tension: identity systems must be accessible to support legitimate needs, but that accessibility creates attack surface.

You can’t lock down the help desk completely - people genuinely do lose phones and forget passwords. But every legitimate path for account recovery is also an attack path.

There’s no perfect solution. Defense means:

  • Layered controls (don’t rely on one thing)
  • Detection and response capabilities
  • Continuous validation of identity claims
  • Accepting some friction for high-risk actions

What’s Next

Scattered Spider and similar groups aren’t going away. They’re:

  • Training new members (it’s essentially a criminal guild)
  • Developing new techniques
  • Expanding target industries

The barrier to entry keeps dropping. Tools get better. Attack playbooks get shared.

Expect AiTM and social engineering to remain primary attack vectors for the foreseeable future.

Key Takeaways

  1. MFA isn’t magic - most MFA can be bypassed with AiTM
  2. FIDO2/passkeys actually help - origin binding defeats proxying
  3. Help desk is a massive attack surface - secure it
  4. Detection matters - assume breach, detect fast
  5. Social engineering is a skills problem - technology alone won’t solve it

MFA was supposed to be the answer. Turns out, the answer is more complicated. Layer defenses, detect anomalies, and assume someone’s always trying to get in.
