Defending Against SCATTERED SPIDER with Falcon Next-Gen SIEM

SCATTERED SPIDER is a prolific eCrime adversary that has conducted a range of financially motivated activities beginning in early 2022. Since surfacing, this adversary continues to compromise organizations around the world, deploying ransomware and exfiltrating sensitive files. As noted within the CrowdStrike 2025 Threat Hunting Report, SCATTERED SPIDER reemerged with a refined help desk social engineering playbook, impersonating employees with stolen PII, including SSNs and birthdates, to bypass verification processes. 

Throughout their tenure, they have continued to evolve their tactics, techniques, and procedures (TTPs). By understanding these TTPs, defenders can implement a defense-in-depth strategy and detect SCATTERED SPIDER’s activities across their entire kill chain. 

CrowdStrike Falcon® Next-Gen SIEM delivers real-time detection and response across identity, cloud, SaaS, and network layers — ideal for tracking agile, multi-domain threats like SCATTERED SPIDER that evade traditional endpoint-centric security. In this blog post, we'll detail key phases of the adversary's kill chain and provide a comprehensive overview of existing out-of-the-box content that may be used within Falcon Next-Gen SIEM to aid in defense. 

A Platform-Centric Defense

While this blog post specifically focuses on Falcon Next-Gen SIEM, it should be noted that the broader CrowdStrike Falcon® cybersecurity platform has multiple layers of built-in protections to disrupt SCATTERED SPIDER across the attack lifecycle. Falcon Next-Gen SIEM builds on these broader platform capabilities and protections, unifying third-party telemetry and correlating it with native Falcon intelligence — extending visibility into areas adversaries frequently exploit. This provides an additional layer of tailored detections that complement endpoint and identity protections already in place.

Falcon Next-Gen SIEM Preparation

We will reference several key third-party log sources integrated with Falcon Next-Gen SIEM, along with relevant content. Customers using these technologies should refer to the provided documentation to ensure proper log ingestion into Falcon Next-Gen SIEM. Note that the URLs below may need modification to reference your specific cloud environment:

How SCATTERED SPIDER Gains Access

SCATTERED SPIDER uses several TTPs to gain initial access to organizations — for example, they often conduct social engineering via phone call. As noted in the CrowdStrike 2025 Global Threat Report, the adversary has used this method to target organizations’ IT help desks. Posing as an employee, they attempt to solicit resets of actual employees’ passwords or multifactor authentication (MFA) credentials.

Alternatively, SCATTERED SPIDER may pose as a help desk staff member to directly target users. In these cases, they may try to have an employee share their one-time MFA passcode to bypass that layer of security. If the passcode cannot be obtained, the adversary may fall back to MFA fatigue: using already-compromised credentials, they trigger repeated MFA push requests to the target user until the user gives in and accepts one.

Figure 1. Timeline of SCATTERED SPIDER social engineering attack, referenced via the CrowdStrike 2025 Threat Hunting Report.

Falcon Next-Gen SIEM offers multiple rule templates that may detect these initial access attempts, as well as similar attacks, as outlined by the following rules:

  • Generic - URL Accessed From Malicious Email
  • Microsoft - Defender for Office 365 - Email With Malicious URL
  • Microsoft - Defender for Office 365 - Phishing Email Delivered
  • Microsoft - Entra ID - MFA Fraud Reported by End User
  • Mimecast - Email Security - Phishing Email Delivered
  • Okta - SSO - Multiple Push Requests Denied
  • Okta - SSO - Potential Successful MFA Fatigue via Push Notifications
  • Okta - SSO - Reset All Factors
  • Okta - SSO - User Password Reset or Unlock Attempts with Suspicious Indicators
  • Proofpoint - TAP - Phishing Email Delivered
  • Proofpoint - TAP - Phishing Email Link Clicked

The “Okta - SSO - Potential Successful MFA Fatigue via Push Notifications” rule template shows how the CrowdStrike Query Language (CQL) can be used to detect potentially malicious behavior aligned with SCATTERED SPIDER:

// Rule Name: Okta - SSO - Potential Successful MFA Fatigue via Push
// Description: This rule identifies multiple rejected Okta MFA push notifications to a single user followed by an accepted MFA push notification, within a short time frame. This behavior may indicate a successful MFA fatigue attack, where an adversary uses compromised credentials to authenticate on an MFA-enabled user account and repeatedly sends MFA push notifications until the targeted user eventually accepts, granting the attacker access to the account.
// Severity: Low
// MITRE ATT&CK: T1621 - Multi-Factor Authentication Request Generation
//
// Detection Logic:
// - Monitors Okta SSO authentication events
// - Focuses on push notification MFA attempts
// - Alerts on 5+ failed attempts followed by success within 15 minutes
// - Tracks geographic and device context for additional analysis

#Vendor="okta" #event.module="sso" #repo!="xdr*"
| #event.kind="event"
| event.action="user.authentication.auth_via_mfa" Vendor.AuthenticatorEnrollment.detailEntry.methodTypeUsed="Get a push notification"
| authentication_time := formatTime("%Y/%m/%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| groupBy([user.name, Vendor.authenticationContext.externalSessionId],
    function=[
        series(collect=[#event.outcome, authentication_time], 
               endmatch={#event.outcome="success"}, 
               maxduration=15m, 
               memlimit=1KiB),
        collect([
            event.action,
            Vendor.AuthenticatorEnrollment.detailEntry.methodTypeUsed,
            client.ip,
            client.geo.country_name,
            client.geo.city_name,
            user_agent.original
        ])
    ]
)
| #event.outcome=/(?:failure\n){5,}success/
| formatDuration(_duration, as=series_duration, from=ms)
| drop([_duration, @timestamp])

The query first filters the ingested Okta SSO data to MFA authentication events and then narrows to push-notification attempts, the method SCATTERED SPIDER abuses in MFA fatigue. Events are grouped by user name and Okta external session ID, and series() collects each session's authentication outcomes in order, closing a series on the first success and capping its span at 15 minutes. The regular expression then matches a series in which five or more consecutive failures (rejected pushes) are immediately followed by a success, which is the signature of a user who eventually accepted a push they did not initiate. The collected client IP, geolocation and user agent give the analyst the context needed to judge whether the accepted push came from an unfamiliar source. Note that this rule only fires once the attack succeeds; the companion “Okta - SSO - Multiple Push Requests Denied” rule covers the earlier, unsuccessful phase.

To enhance detection accuracy and reduce false positives, organizations can fine-tune several parameters:

  • Adjust the failure threshold (currently 5 attempts, the {5,} quantifier in the regular expression; lowering it catches shorter attacks at the cost of more false positives from users who mis-tap)
  • Modify the time window for correlation (currently maxduration=15m in the series() function)
  • Customize additional contextual data collection (IP addresses, geolocation, user agents)

This flexibility allows security teams to align the detection with their organization's risk profile, user behavior patterns, and security requirements.
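To make the correlation concrete, the following is an added example (not CrowdStrike's code and not CQL) that re-implements the rule's logic in Python over constructed Okta-style events: grouping by user and external session ID, ordering by time, and alerting when five or more consecutive rejected pushes are followed by an accept within the window. The flat field names and the sample events are assumptions made for the example, not the Okta System Log schema, and the window check (rejections within 15 minutes before the accept) is an approximation of series(maxduration=15m).

```python
"""Added example, not CrowdStrike's code: the correlation performed by the
"Okta - SSO - Potential Successful MFA Fatigue via Push Notifications" rule
template, re-implemented in Python over constructed Okta-style events so the
grouping, ordering and window logic can be stepped through offline.
Field names are simplified (flat) and are assumptions, not the Okta schema."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # the {5,} quantifier in the rule's regex
WINDOW = timedelta(minutes=15)   # the rule's maxduration=15m
PUSH_METHOD = "Get a push notification"
MFA_EVENT = "user.authentication.auth_via_mfa"


def _parse_ts(value):
    """ISO-8601 'Z' timestamp -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mfa_fatigue(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one finding per (user, external session) in which `threshold` or
    more consecutive rejected pushes are immediately followed by an accepted
    push, counting only rejections that fall within `window` before the
    accept (an approximation of series(maxduration=15m) in the rule)."""
    sessions = defaultdict(list)
    for e in events:
        # Mirror the rule's filter: push-based MFA events only.
        if e["eventType"] != MFA_EVENT or e["methodTypeUsed"] != PUSH_METHOD:
            continue
        sessions[(e["user"], e["externalSessionId"])].append(e)

    findings = []
    for (user, session), rows in sessions.items():
        rows.sort(key=lambda r: _parse_ts(r["published"]))
        run = []  # consecutive FAILURE events since the last non-failure
        for e in rows:
            ts = _parse_ts(e["published"])
            if e["outcome"] == "FAILURE":
                run.append(e)
                continue
            if e["outcome"] == "SUCCESS":
                recent = [f for f in run if ts - _parse_ts(f["published"]) <= window]
                if len(recent) >= threshold:
                    findings.append({
                        "user": user,
                        "session": session,
                        "rejected_count": len(recent),
                        "first_rejection": recent[0]["published"],
                        "accepted_at": e["published"],
                        # Context the rule collects for triage.
                        "client_ips": sorted({r["clientIp"] for r in recent + [e]}),
                        "accepting_ip": e["clientIp"],
                    })
            run = []  # any non-failure outcome breaks the run
    return findings


def _event(user, session, minute, outcome, ip="203.0.113.10",
           method=PUSH_METHOD, event_type=MFA_EVENT):
    """Build one constructed event; `minute` is minutes after 10:00Z."""
    ts = datetime(2025, 6, 1, 10, 0) + timedelta(minutes=minute)
    return {"eventType": event_type, "methodTypeUsed": method, "user": user,
            "externalSessionId": session, "outcome": outcome, "clientIp": ip,
            "published": ts.strftime("%Y-%m-%dT%H:%M:%SZ")}


# Constructed sample data: one true positive and four cases that must not alert.
SAMPLE_EVENTS = (
    # alice: six rejected pushes in six minutes, then an accept -> alert
    [_event("alice", "S1", m, "FAILURE") for m in range(6)]
    + [_event("alice", "S1", 7, "SUCCESS")]
    # bob: only three rejections before the accept -> below threshold
    + [_event("bob", "S2", m, "FAILURE") for m in range(3)]
    + [_event("bob", "S2", 4, "SUCCESS")]
    # carol: five rejections, but the accept comes 30 minutes later -> outside window
    + [_event("carol", "S3", m, "FAILURE") for m in range(5)]
    + [_event("carol", "S3", 34, "SUCCESS")]
    # dave: five rejections in one session, accept in another -> no correlation
    + [_event("dave", "S4", m, "FAILURE") for m in range(5)]
    + [_event("dave", "S5", 6, "SUCCESS")]
    # erin: TOTP failures are not push events and are filtered out
    + [_event("erin", "S6", m, "FAILURE", method="Okta Verify (TOTP)") for m in range(6)]
    + [_event("erin", "S6", 7, "SUCCESS", method="Okta Verify (TOTP)")]
)

if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(finding)
```

Running it with the defaults reports only alice's session; passing threshold=3 additionally reports bob, and widening the window to 40 minutes additionally reports carol, which is the effect of the two tuning knobs described above.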

Figure 2 demonstrates how this MFA fatigue detection manifests within the Falcon platform interface, illustrating the rich context and actionable insights provided by Falcon Next-Gen SIEM:

Figure 2. Detection generated for Falcon Next-Gen SIEM MFA fatigue rule

The Adversary’s Path to Achieving Persistence

Once SCATTERED SPIDER gains access to a target organization, they work to ensure persistence in the environment. In one example, the adversary added unauthorized federated identity providers to Azure AD/Entra ID tenants, creating persistent backdoor access that bypasses standard security controls. This technique involves establishing trust relationships with attacker-controlled identity providers, allowing them to authenticate as legitimate users. Their federation manipulation remains effective even after password resets, making this a particularly dangerous persistence mechanism. This approach enables SCATTERED SPIDER to maintain access long after initial detection and remediation efforts.

Falcon Next-Gen SIEM provides numerous rule templates that may be leveraged to identify this attack vector, as well as similar attacks, as outlined within the list below:

  • Microsoft - Entra ID - External Organization Connected to Directory
  • Microsoft - Entra ID - Cross Tenant Partner Given Inbound Access
  • Microsoft - Entra ID - Modification of Federated Identity Credentials for Service Principals or Applications
  • Microsoft - M365 Exchange Online - Persistence via Identity Provider
  • Okta - SSO - IDP Provider Modification
  • Okta - SSO - Sign-In Events via Third-Party IdP
  • Fortinet - NGFW - Identity Provider Added
  • Fortinet - NGFW - Identity Provider Removed

Let’s now examine another rule in depth to see how CQL supports detection of potential malicious behavior involving persistence. The following query stems from the “Microsoft - Entra ID - Modification of Federated Identity Credentials for Service Principals or Applications” rule. This rule monitors modifications to federated identity credentials in Microsoft Entra ID, a technique frequently exploited by adversaries for persistence and privilege escalation.

// Rule Name: Microsoft - Entra ID - Modification of Federated Identity Credentials for Service Principals or Applications
// Description: This rule detects the addition of a federated identity credential to a service principal or application registration, a tactic that adversaries may use to persist in an environment by creating and/or modifying service principals. For instance, adding a federated identity credential to a user-assigned managed identity service principal could potentially allow an adversary to authenticate and obtain an access token for the tenant from outside an Azure-owned resource. However, this attack would require the adversary to already possess high privileges within the tenant, granting them the ability to add credentials to applications.
// Severity: Low
// MITRE ATT&CK: T1556.007 - Modify Authentication Process: Hybrid Identity
//
// Detection Logic:
// - Identify targeted Microsoft products
// - Seek out instances where updates to the application or service principal are observed
// - Identify instances where modification events are present

#Vendor="microsoft" #event.dataset=/entraid\.audit/ #repo!="xdr*"
| event.action="update-application" OR event.action="update-service-principal"
| case {
    #event.module="azure" // Data Connector built for Microsoft Graph API; Parser: azuread-ecs
    | split(Vendor.targetResources)
    | split(Vendor.targetResources.modifiedProperties)
    | Vendor.targetResources.modifiedProperties.displayName="FederatedIdentityCredentials";
    #event.module="entraid"  // Data Connector built for Microsoft Entra ID; Parser: entraid-ecs;
    | split(Vendor.properties.targetResources)
    | split(Vendor.properties.targetResources.modifiedProperties)
    | Vendor.properties.targetResources.modifiedProperties.displayName="FederatedIdentityCredentials";
}

As shown in the query above, the search is first restricted to Microsoft Entra ID audit events and then to the update-application and update-service-principal actions. The case statement handles the two supported data connectors, whose parsers place the target resources at different depths: Vendor.targetResources for the Microsoft Graph API connector (azuread-ecs) and Vendor.properties.targetResources for the Entra ID connector (entraid-ecs). In each branch the nested targetResources and modifiedProperties arrays are split into one event per element so that a modified property named FederatedIdentityCredentials can be matched directly. Because the same property changes during legitimate workload identity federation setup (for example, a CI/CD pipeline being granted a federated credential), triage should compare the issuer and subject of the added credential against the issuers the organization expects.
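The following is an added example (not CrowdStrike's code and not CQL) that re-implements the rule's check in Python over constructed Entra ID audit events in both of the shapes the case statement handles, and additionally diffs the old and new property values to surface the credential that was added, which is the detail an analyst pivots on. The key names, the initiator and target values, and the issuer URLs are assumptions made for the example, not the exact parser output.

```python
"""Added example, not CrowdStrike's code: the check made by the
"Microsoft - Entra ID - Modification of Federated Identity Credentials for
Service Principals or Applications" rule template, re-implemented in Python
over constructed Entra ID audit events in both shapes the rule's case
statement handles. Key names are assumptions, not the exact parser output."""
import json

WATCHED_ACTIONS = {"update-application", "update-service-principal"}
WATCHED_PROPERTY = "FederatedIdentityCredentials"


def _target_resources(event):
    """Locate targetResources at either depth: top level (the Graph API
    connector branch of the rule) or under 'properties' (the Entra ID
    connector branch)."""
    if "targetResources" in event:
        return event["targetResources"] or []
    return (event.get("properties") or {}).get("targetResources") or []


def _decode(value):
    """modifiedProperties old/new values are JSON-encoded strings in the
    audit log; return the decoded list, or [] when absent or not JSON."""
    if not value:
        return []
    try:
        return json.loads(value)
    except ValueError:
        return []


def find_federated_credential_changes(events):
    """Return one finding per modified FederatedIdentityCredentials property
    on an update-application / update-service-principal event, including the
    credentials that were added (in newValue but not oldValue) so triage can
    compare their issuer and subject against the ones the tenant expects."""
    findings = []
    for e in events:
        if e.get("action") not in WATCHED_ACTIONS:
            continue
        for target in _target_resources(e):                        # split(targetResources)
            for prop in target.get("modifiedProperties") or []:    # split(modifiedProperties)
                if prop.get("displayName") != WATCHED_PROPERTY:
                    continue
                old = _decode(prop.get("oldValue"))
                new = _decode(prop.get("newValue"))
                findings.append({
                    "action": e["action"],
                    "initiated_by": e.get("initiatedBy"),
                    "target": target.get("displayName"),
                    "target_type": target.get("type"),
                    "added": [c for c in new if c not in old],
                    "removed": [c for c in old if c not in new],
                })
    return findings


def _fic(name, issuer, subject):
    """Constructed federated identity credential entry."""
    return {"name": name, "issuer": issuer, "subject": subject,
            "audiences": ["api://AzureADTokenExchange"]}


GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
ROGUE_ISSUER = "https://idp.attacker.example"   # constructed, attacker-controlled

# Constructed sample events: one match per connector shape, plus two non-matches.
SAMPLE_EVENTS = [
    {   # Graph API connector shape: targetResources at the top level
        "action": "update-application", "initiatedBy": "helpdesk-admin@example.test",
        "targetResources": [{
            "type": "Application", "displayName": "billing-sync",
            "modifiedProperties": [{
                "displayName": WATCHED_PROPERTY,
                "oldValue": "[]",
                "newValue": json.dumps([_fic("ext", ROGUE_ISSUER, "sub-1")]),
            }],
        }],
    },
    {   # Entra ID connector shape: targetResources nested under properties
        "action": "update-service-principal", "initiatedBy": "svc-deploy@example.test",
        "properties": {"targetResources": [{
            "type": "ServicePrincipal", "displayName": "ci-runner",
            "modifiedProperties": [{
                "displayName": WATCHED_PROPERTY,
                "oldValue": json.dumps([_fic("gh", GITHUB_ISSUER, "repo:org/app:ref:refs/heads/main")]),
                "newValue": json.dumps([_fic("gh", GITHUB_ISSUER, "repo:org/app:ref:refs/heads/main"),
                                        _fic("backup", ROGUE_ISSUER, "sub-2")]),
            }],
        }]},
    },
    {   # Same action, different property (a key rotation): not a match
        "action": "update-application", "initiatedBy": "svc-deploy@example.test",
        "targetResources": [{"type": "Application", "displayName": "billing-sync",
            "modifiedProperties": [{"displayName": "KeyDescription",
                                    "oldValue": "[]", "newValue": "[\"rotated\"]"}]}],
    },
    {   # Watched property on an action the rule does not monitor: not a match
        "action": "add-application", "initiatedBy": "svc-deploy@example.test",
        "targetResources": [{"type": "Application", "displayName": "new-app",
            "modifiedProperties": [{"displayName": WATCHED_PROPERTY,
                                    "oldValue": None, "newValue": "[]"}]}],
    },
]

if __name__ == "__main__":
    for finding in find_federated_credential_changes(SAMPLE_EVENTS):
        print(finding)
```

In the second sample event the existing GitHub credential is untouched and only the "backup" credential pointing at the rogue issuer is reported as added; that diff is what distinguishes an attacker appending a credential to an already-federated service principal from routine maintenance of the existing one.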

Privilege Escalation in Cloud Environments

Adversaries such as SCATTERED SPIDER consistently pursue the Global Administrator role in Azure/Entra ID environments. Global Administrator is the highest-privileged role in Microsoft's identity platform, and holding it lets an adversary modify authentication requirements, disable security features such as MFA, and create persistent backdoor accounts across the entire tenant. Because the role also controls the mechanisms that would otherwise detect and remediate them, assignments of Global Administrator and other privileged roles, and especially assignments made outside of Privileged Identity Management (PIM), should be treated as high-priority events by organizations operating in Azure environments.

The following rule templates may be leveraged to identify this attack vector, as well as similar attacks:

  • Microsoft - Entra ID - Global Administrator Role Assigned
  • Microsoft - Entra ID - Privileged Role Assigned to User Account outside of PIM
  • Microsoft - Entra ID - Privileged Role Assigned to User Account in PIM as Active Assignment
  • Microsoft - Entra ID - Privileged Role Assigned to User Account in PIM as Eligible Assignment

Adversary Impact and Data Exfiltration 

SCATTERED SPIDER operators deploy ransomware as their primary means of impact. While CrowdStrike Falcon® Insight XDR endpoint protection secures endpoints against these threats, unmonitored VMware infrastructure (for example, hypervisor hosts on which no endpoint sensor runs) creates significant visibility gaps that attackers routinely exploit.

Falcon Next-Gen SIEM extends detection capabilities into VMware environments, identifying malicious activities before full compromise occurs. Technical implementation details are available in the VMware integration documentation in Falcon Next-Gen SIEM.

SCATTERED SPIDER often pairs ransomware with data exfiltration techniques. Falcon Next-Gen SIEM implements several detection rules targeting these exfiltration methods:

  • CrowdStrike - Endpoint - Exfiltration to File Sharing Services during Interactive RDP Session
  • CrowdStrike - Endpoint - DNS Request For Online File Sharing Site From Unusual Image File Name
  • Generic - Web - HTTP Request to Paste Site 
  • Microsoft - M365 OneDrive & SharePoint - Excessive Data Download Activity

Figure 3 shows the “Microsoft - M365 OneDrive & SharePoint - Excessive Data Download Activity” rule firing within Falcon Next-Gen SIEM.

Figure 3. Detection generated for Falcon Next-Gen SIEM data exfiltration rule

Conclusion

SCATTERED SPIDER exemplifies the modern identity-centric adversary: fast, persistent, and evasive. Following a consistent but evolving set of TTPs, they have historically been successful in their endeavors. Falcon Next-Gen SIEM empowers defenders with correlated visibility, out-of-the-box detection, and the customization needed to outpace these adversaries. As attacks evolve, so must your detection, and the Falcon platform delivers the coverage needed to stay ahead.

Appendix

Customers wishing to better understand the available out-of-the-box rule templates within the Falcon Next-Gen SIEM product can use the provided dashboard, which gives a comprehensive view of this content.

A detection coverage dashboard may also be used to better understand what product coverage is provided that aligns with SCATTERED SPIDER and other prominent adversaries. 

The following list includes every rule referenced in this blog post, along with additional out-of-the-box rule templates that align with the SCATTERED SPIDER TTPs discussed above:

  • AWS - CloudTrail - Backup and Image Deletion Activities
  • AWS - CloudTrail - EC2 Detached Volume Attached to Another Instance
  • AWS - CloudTrail - Multiple Failed MFA Attempts for User
  • AWS - CloudTrail - Password Recovery Requested for Root User
  • CrowdStrike - Endpoint - DNS Request For Online File Sharing Site From Unusual Image File Name
  • CrowdStrike - Endpoint - Exfiltration to File Sharing Services during Interactive RDP Session
  • Fortinet - NGFW - Identity Provider Added
  • Fortinet - NGFW - Identity Provider Removed
  • Generic - URL Accessed From Malicious Email
  • Generic - Web - HTTP Request to Paste Site 
  • Google - Cloud Audit - IAM Organization Admin Role Added to a Principal
  • Google - Cloud Audit - Potential Secret Manager Exfiltration
  • Google - Workspace - BitLocker Drive Encryption Setting Disabled
  • Google - Workspace - Domain Added to Trusted Domains
  • Google - Workspace - Drive Ownership Transferred to Another User
  • Google - Workspace - External User Added to Group
  • Google - Workspace - Gmail Route Created or Modified
  • Google - Workspace - Marketplace Restrictions Modified to Allow Any App
  • Google - Workspace - Super Admin Role Assigned to User
  • Microsoft - Azure - New Owner Role Assignment
  • Microsoft - Azure - Privileged Role Observed Performing Actions via Single Factor Authentication
  • Microsoft - Azure - Self-Assignment of Owner Role
  • Microsoft - Azure - Virtual Machine Run Command Executed by User
  • Microsoft - Defender for Office 365 - Email With Malicious URL
  • Microsoft - Defender for Office 365 - Phishing Email Delivered
  • Microsoft - Entra ID - Application With Newly Modified Credentials Adding Roles to Identities
  • Microsoft - Entra ID - Application/Service Principal Credentials Updated by User
  • Microsoft - Entra ID - Cross Tenant Partner Given Inbound Access
  • Microsoft - Entra ID - External Organization Connected to Directory
  • Microsoft - Entra ID - Global Administrator Role Assigned
  • Microsoft - Entra ID - MFA Fraud Reported by End User
  • Microsoft - Entra ID - Modification of Federated Identity Credentials for Service Principals or Applications
  • Microsoft - Entra ID - Potential Adversary-in-the-Middle Login Sequence
  • Microsoft - Entra ID - Privileged Role Assigned to User Account in PIM as Active Assignment
  • Microsoft - Entra ID - Privileged Role Assigned to User Account in PIM as Eligible Assignment
  • Microsoft - Entra ID - Privileged Role Assigned to User Account outside of PIM
  • Microsoft - M365 Exchange Online - Persistence via Identity Provider
  • Microsoft - M365 OneDrive & SharePoint - Excessive Data Download Activity
  • Mimecast - Email Security - Phishing Email Delivered
  • Okta - SSO - IDP Provider Modification
  • Okta - SSO - Multiple Push Requests Denied
  • Okta - SSO - Potential Successful MFA Fatigue via Push Notifications
  • Okta - SSO - Reset All Factors
  • Okta - SSO - Sign-In Events via Third-Party IdP
  • Okta - SSO - User Password Reset or Unlock Attempts with Suspicious Indicators
  • Proofpoint - TAP - Phishing Email Delivered
  • Proofpoint - TAP - Phishing Email Link Clicked