Hackers exploit internal messaging platforms and social engineering to breach corporate defenses.
Security agencies have issued an advisory about a hacking group that is infiltrating Microsoft Teams and Slack to gather intelligence and launch phishing attacks on employees. The FBI and other cybersecurity agencies have warned that the Scattered Spider hacking group is leveraging ransomware and social engineering techniques to target victims.
According to the joint advisory, the attack technique used by the Scattered Spider group centers on highly targeted social engineering. They often impersonate IT support staff to deceive employees into revealing login credentials or installing remote access tools.
Once they gain initial access, they exploit weaknesses in multi-factor authentication (MFA) using methods like push bombing (sending repeated MFA prompts until the user accepts one) or SIM swapping to intercept one-time passwords. These tactics allow them to bypass security controls and move laterally within enterprise networks.
After gaining deeper access, the attackers deploy remote management tools and sometimes ransomware to encrypt systems or exfiltrate sensitive data. Their operations are stealthy and well coordinated, and often involve real-time interaction with victims to manipulate them into granting access.
Scattered Spider has expanded its tactics by infiltrating internal communication platforms like Microsoft Teams and Slack. They exploit the trust employees place in internal messages to launch convincing phishing attempts or impersonate colleagues. This allows them to quietly gather intelligence, escalate privileges, or manipulate users into taking harmful actions.
CISA has provided a set of recommendations to help organizations defend against the tactics used by the Scattered Spider group. The agency urges organizations to implement phishing-resistant MFA, such as hardware security keys or biometrics. Organizations are also advised to enforce strong password policies and limit the use of remote access tools, which attackers often exploit to gain control of systems.
Furthermore, the advisory emphasizes the importance of user awareness within organizations. Employees should be trained to recognize social engineering tactics, such as impersonation of IT staff or suspicious MFA prompts. Help desk procedures should include strict identity verification before resetting credentials or MFA tokens.
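The push-bombing pattern described above (a burst of denied or ignored MFA prompts followed by an approval) is something a security team can look for in its own MFA logs. The following is an added illustration, not code from the advisory or from any vendor; the log format, field names and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (assumed format): timestamp, user, method, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice push DENIED
2024-05-01T09:00:20Z alice push DENIED
2024-05-01T09:00:41Z alice push TIMEOUT
2024-05-01T09:01:02Z alice push DENIED
2024-05-01T09:01:30Z alice push APPROVED
2024-05-01T09:05:00Z bob push APPROVED
2024-05-01T11:00:00Z carol push DENIED
2024-05-01T13:00:00Z carol push APPROVED
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, user, method, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, result))
    return events


def detect_push_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """Flag each approval preceded by at least `threshold` non-approved prompts
    for the same user inside `window`: the MFA-fatigue shape the advisory warns about.
    A single stray denial hours earlier (carol) is not enough to trigger a finding."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort()
        for i, (ts, _, _, result) in enumerate(evs):
            if result != "APPROVED":
                continue
            prior = [e for e in evs[:i] if ts - e[0] <= window and e[3] != "APPROVED"]
            if len(prior) >= threshold:
                findings.append({"user": user, "approved_at": ts, "prior_prompts": len(prior)})
    return findings


if __name__ == "__main__":
    for f in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(f"possible push bombing: {f['user']} approved at {f['approved_at']} "
              f"after {f['prior_prompts']} rejected/expired prompts")
```

A hit like this is a cue to contact the user out of band and review the session that the approval created; the threshold and window should be tuned to the organization's own prompt volume.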
CISA also recommends maintaining offline, encrypted backups and regularly testing recovery processes to ensure resilience in the event of a ransomware attack. These layered defenses are important for reducing the risk of compromise and minimizing the impact of potential intrusions.