
Scattered Spider takes aim at the UK retail sector

Posted on 14 May 2025

Between 22 and 29 April 2025, major UK retailers including Marks & Spencer (M&S), Co-op, and Harrods experienced cyber attacks that disrupted core business operations. Although not conclusively attributed in all instances, the threat actor group Scattered Spider is suspected to be behind the attacks, which likely involved attempted and successful social engineering, multi-factor authentication (MFA) bypasses, and ransomware deployment. 

These incidents also point to potential vulnerabilities in third-party services, identity verification processes, and operational resilience frameworks across the retail sector. 

Scattered Spider poses a significant and ongoing threat to UK retail and other sectors due to their focus on high-visibility targets. Retailers and household brands should assume they are at heightened risk and take proactive measures to defend against future attacks, especially given the group's expertise in using social engineering to infiltrate companies with distributed workforces and third-party suppliers.  

Who are Scattered Spider?  

Scattered Spider, also referred to as UNC3944 or 0ktapus, is a cyber threat group composed primarily of young, native English-speaking individuals based in the UK and the US. Unlike traditional ransomware groups, they employ sophisticated social engineering tactics, such as impersonating employees, to deceive IT help desks and gain unauthorised access to systems. Their methods have allowed them to infiltrate major organisations, including MGM Resorts and Caesars Entertainment in the US. 

The threat group has demonstrated a repeatable and effective playbook that combines technical skill with social engineering. Their techniques include phishing and vishing to gain initial access, manipulation of authentication systems, and potentially the abuse of legitimate collaboration tools such as Microsoft Teams to blend into everyday business operations. 

A common hallmark of the group's intrusions is innovative and persistent attacks on cloud infrastructure, which enables them to gain initial access, conduct reconnaissance, and reach sensitive systems while having minimal interaction with what some organisations would traditionally consider their internal corporate network. 

Unusually, there have been instances of the group using intimidation tactics, including threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material. 

Countering Scattered Spider 

To respond effectively to Scattered Spider, there are several immediate and longer-term steps that organisations can take: 

Immediate actions 

Organisations should urgently conduct forensic reviews of their Microsoft 365 and Teams logs to identify any abnormal access patterns or misuse. Privileged credentials should be suspended and rotated, and stronger authentication policies — particularly around MFA — should be enforced as a priority. 

In addition, the UK's NCSC has provided a list of high-priority actions that businesses can take to detect, prevent and mitigate the risks posed by the group and other attack groups. This includes prioritising the security of high-privilege accounts, including Domain Admin, Enterprise Admin, and Cloud Admin, and verifying that access is legitimate.  

Furthermore, the NCSC has advised companies specifically to strengthen helpdesk password reset procedures by ensuring that the identity of the member of staff requesting a reset is properly verified, especially for accounts with escalated privileges. This advice reflects how heavily the group relies on this tactic. 
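The log review and helpdesk-reset concerns above can be turned into a concrete check. The following is an added example, not code from the original article or from any vendor: it runs over constructed, simplified audit records (the field names are assumptions, not a real Microsoft 365 or Entra ID export schema) and flags accounts where a helpdesk-initiated password reset is followed within a short window by a new MFA method registration and a sign-in from outside the assumed corporate IP range, marking privileged accounts for priority review.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not a real M365/Entra ID export):
# (timestamp, actor, action, target_account, source_ip)
SAMPLE_EVENTS = [
    ("2025-04-22T09:02:00", "helpdesk.ops", "PasswordReset", "admin.jsmith", "10.0.5.12"),
    ("2025-04-22T09:06:00", "admin.jsmith", "MfaMethodRegistered", "admin.jsmith", "203.0.113.77"),
    ("2025-04-22T09:09:00", "admin.jsmith", "SignIn", "admin.jsmith", "203.0.113.77"),
    ("2025-04-22T11:30:00", "helpdesk.ops", "PasswordReset", "user.bwong", "10.0.5.12"),
    ("2025-04-22T14:00:00", "user.bwong", "SignIn", "user.bwong", "10.0.5.40"),
]

CORPORATE_IP_PREFIX = "10.0."              # assumption: corporate egress range
PRIVILEGED_ACCOUNTS = {"admin.jsmith"}     # assumption: high-privilege accounts to prioritise
WINDOW = timedelta(hours=1)                # assumption: correlation window after a reset


def parse_events(events):
    """Convert ISO timestamps to datetimes and return events in time order."""
    return sorted(
        (datetime.fromisoformat(ts), actor, action, target, ip)
        for ts, actor, action, target, ip in events
    )


def find_helpdesk_reset_takeovers(events, window=WINDOW, corp_prefix=CORPORATE_IP_PREFIX):
    """Return (account, is_privileged) for each account where a reset performed by
    someone other than the account owner is followed, within `window`, by both a
    new MFA method registration and a sign-in from a non-corporate IP address.
    Self-service resets and resets with no suspicious follow-up are ignored."""
    parsed = parse_events(events)
    findings = []
    for ts, actor, action, target, _ip in parsed:
        if action != "PasswordReset" or actor == target:
            continue  # only resets performed on someone else's behalf (helpdesk)
        later = [e for e in parsed if e[3] == target and ts < e[0] <= ts + window]
        new_mfa = any(e[2] == "MfaMethodRegistered" for e in later)
        external_signin = any(
            e[2] == "SignIn" and not e[4].startswith(corp_prefix) for e in later
        )
        if new_mfa and external_signin:
            findings.append((target, target in PRIVILEGED_ACCOUNTS))
    return findings


if __name__ == "__main__":
    for account, privileged in find_helpdesk_reset_takeovers(SAMPLE_EVENTS):
        print(f"review {account} (privileged={privileged})")
```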

Medium-term actions 

Internal awareness and security hygiene should be addressed through staff training that focuses on recognising social engineering threats like phishing and vishing. Collaboration tools such as Teams should be hardened by disabling unnecessary features like auto-transcription and auto-invite links, where practical. 

Access by third-party service providers should be audited, restricted, and segmented to limit the impact of a compromise. 

Long-term resilience 

At a strategic level, organisations should collaborate across the sector to develop shared cyber incident response playbooks that support rapid, coordinated responses to future threats. Security standards should be embedded into supplier contracts, ensuring that third-party risk is systematically managed. 

Finally, active participation in intelligence-sharing platforms and cooperation with government bodies will help improve threat detection and reduce exposure to emerging attack groups. 
