Scattered Spider & MFA Bypass—Why Our Defenses Must Evolve

In today's episode of The Other Side of the Firewall, Shannon, Chris, and I unpack a sobering warning from the FBI about MFA bypass tactics by a group called Scattered Spider. As defenders and industry leaders, it’s time to reevaluate how we guard access—even beyond usernames and passwords.

Who is Scattered Spider and why they matter

Scattered Spider, active since around May 2022, operates with chilling precision, using social engineering to turn legitimate processes against their owners. They’ve hit high-profile targets like MGM and transportation companies by persuading help-desk staff to approve MFA device enrollment on compromised accounts. This is no script-kiddie operation; it is sophisticated social engineering carried out at scale.

MFA isn't invulnerable

While MFA, especially app-based MFA, is stronger than a password alone or SMS codes, it isn’t foolproof. Scattered Spider doesn’t break the cryptography; they bypass MFA by getting a device they control enrolled as an approved authenticator on the victim’s account. Encryption and one-time passcodes still do their job, but if attackers can convince support staff to enroll a device, the control is defeated.

Chris Abacon made it clear: “My first thoughts…account management, privilege access management, account reviews monthly, quarterly. That’s what can help prevent this type of thing.” Effective controls include:

  • Continual account auditing and review
  • Strict help-desk verification processes
  • Platform activity monitoring (Azure/AWS/GCP)
  • Privileged Access Management (PAM) with overconvergence
  • Automated alerts on device enrollment and admin rights changes
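As an added illustration of the last three controls (this is example code written for this summary, not tooling from the episode or from RAM Cyber), the Python script below runs over a constructed audit log. Every help-desk MFA reset, new authenticator enrollment, and admin-role grant produces an alert, and an enrollment or privilege change that follows a help-desk reset on the same account within 24 hours is escalated to high severity, since that is exactly the sequence the help-desk bypass produces. The log format, the field and event names, the role names, and the 24-hour window are assumptions for the example, not any vendor’s real schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form. Field names, event names
# and IP addresses are invented for this example (RFC 5737 documentation ranges).
SAMPLE_LOG = """
{"ts": "2025-06-01T09:00:00Z", "event": "login_success", "user": "jdoe", "actor": "jdoe", "src_ip": "203.0.113.10"}
{"ts": "2025-06-01T09:12:00Z", "event": "mfa_reset", "user": "jdoe", "actor": "helpdesk-bob", "src_ip": "198.51.100.5"}
{"ts": "2025-06-01T09:15:00Z", "event": "mfa_device_enrolled", "user": "jdoe", "actor": "jdoe", "src_ip": "192.0.2.77", "device": "Authenticator app (new phone)"}
{"ts": "2025-06-01T09:20:00Z", "event": "role_assigned", "user": "jdoe", "actor": "jdoe", "src_ip": "192.0.2.77", "role": "Global Administrator"}
{"ts": "2025-06-02T14:00:00Z", "event": "mfa_device_enrolled", "user": "asmith", "actor": "asmith", "src_ip": "203.0.113.22", "device": "Security key"}
"""

# Assumed tuning: an enrollment this soon after a help-desk reset is escalated.
RESET_WINDOW = timedelta(hours=24)
# Assumed list of roles that count as "admin rights" for alerting purposes.
ADMIN_ROLES = {"Global Administrator", "Privileged Role Administrator", "Owner"}


def parse_log(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, reset_window=RESET_WINDOW):
    """Return one alert per reset, enrollment or admin-role grant.

    An enrollment or admin grant that follows a help-desk MFA reset for the
    same user within `reset_window` is escalated to 'high'.
    """
    alerts = []
    last_reset = {}  # user -> (timestamp, help-desk actor) of most recent MFA reset

    def recently_reset(user, ts):
        reset = last_reset.get(user)
        return reset if reset and ts - reset[0] <= reset_window else None

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "mfa_reset":
            last_reset[user] = (ts, e["actor"])
            alerts.append({"severity": "medium", "user": user, "ts": ts,
                           "reason": f"MFA reset by help desk actor {e['actor']}"})
        elif e["event"] == "mfa_device_enrolled":
            reset = recently_reset(user, ts)
            if reset:
                minutes = int((ts - reset[0]).total_seconds() // 60)
                alerts.append({"severity": "high", "user": user, "ts": ts,
                               "reason": f"new authenticator '{e['device']}' enrolled "
                                         f"{minutes} min after help-desk reset by {reset[1]} "
                                         f"from {e['src_ip']}"})
            else:
                alerts.append({"severity": "low", "user": user, "ts": ts,
                               "reason": f"new authenticator '{e['device']}' enrolled (review)"})
        elif e["event"] == "role_assigned" and e.get("role") in ADMIN_ROLES:
            reset = recently_reset(user, ts)
            alerts.append({"severity": "high" if reset else "medium", "user": user, "ts": ts,
                           "reason": f"admin role '{e['role']}' granted"
                                     + (" shortly after help-desk MFA reset" if reset else "")})
    return alerts


def high_severity(alerts):
    """Convenience filter: the alerts that should be handled as incidents."""
    return [a for a in alerts if a["severity"] == "high"]


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"[{alert['severity'].upper():6}] {alert['ts'].isoformat()} {alert['user']}: {alert['reason']}")
```

On the constructed log this produces four alerts: a medium one for the help-desk reset of jdoe, two high ones for the new authenticator and the Global Administrator grant that follow it within minutes from a different IP, and a low one for asmith’s enrollment, which has no preceding reset and only needs routine review. The point is that the reset-then-enroll sequence, not the enrollment alone, is what deserves incident handling.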

The future: passkeys and passwordless

I emphasized during the episode: “Passwords are super weak… SMS is OK, authentication apps are better, and passkeys are the best of the best.” We need to fast-track adoption of passkeys, which are bound to a physical device and to the site that issued them, so there is no code for a middleman to intercept or for a help desk to be talked into resetting. Until then, combining strong MFA with tight operational controls is critical.

Why it matters to you

Scattered Spider is elusive: they are often dismissed as teenaged hackers, yet they operate as agile, effective threat actors. With millions in cryptocurrency at stake (an estimated $27M was seized from one leader’s wallet), their motive is clear: there’s money in cybercrime.


Key Takeaways for Professionals and Leaders

  • MFA isn’t a silver bullet—enforce robust admin processes
  • Implement passkeys alongside rigorous helpdesk policies
  • Use least privilege models and regular audits
  • Educate support staff on advanced social engineering
  • Treat account/device enrollment events like security incidents

We must continually evolve: as long as attackers innovate, defenders must keep pace.

Listen to the full conversation on theothersideofthefirewall.com or ram.cyber.io. 📚 And don’t forget—our book is available for pre-order now!


Thank you for reading, and stay tuned for more episodes of The Other Side of the Firewall podcast on Monday, Tuesday, Wednesday, and Friday, as well as the Ask A CISSP podcast every Thursday. Please like, share, and subscribe.

Stay safe, stay secure!


Preorder Now!

I’m excited to announce my new guide, The Other Side of the Firewall: The Real-Life Stories of Movers, Shakers, & Glass Ceiling Breakers in Cybersecurity, is available for preorder!

This guide took almost a year to write and is built on 4.5 years of research, thoughtful observations, and interviews with 27 incredible guests. Based on the podcast of the same name, it shares the powerful journeys of underrepresented professionals who broke into and reshaped the cybersecurity field.

If you're looking for real-world inspiration, practical insights, and proof that there's space for you in cyber—this book is for you.

📘 Preorder your copy now at a discounted price: theothersideofthefirewall.com


Ryan is a retired Air Force veteran who brings over 20 years of experience in network infrastructure, project management, and cybersecurity consulting to his current role as CEO of RAM Cyber Consulting & Assessments, LLC. RAM Cyber is a premier governance, risk, and compliance (GRC) consultancy dedicated to supporting the Defense Industrial Base (DIB), federal agencies, and corporate entities. We specialize in delivering expert guidance to ensure compliance, mitigate risks, and enhance cybersecurity postures.


Shannon, also a retired Air Force veteran, has more than two decades of expertise in network security and vulnerability management. He now serves as an Information System Security Officer (ISSO), where he continues to enhance national security protocols.


Chris is a Navy veteran with over 13 years in IT, information assurance, and risk management. His current role as a Senior Security Consultant focuses on vCISO and Cyber Assessments services enhancing data security and privacy for various organizations.


The Other Side of the Firewall podcast is a product of RAM Cyber Consulting & Assessments, LLC. RAM Cyber Consulting & Assessments, LLC is a premier governance, risk, and compliance (GRC) consultancy dedicated to supporting the Defense Industrial Base (DIB), federal agencies, and corporate entities. We specialize in delivering expert guidance to ensure compliance, mitigate risks, and enhance cybersecurity postures. RAM Cyber is pending SDVOSB, VOSB, and 8(a) certification by the SBA, underscoring our commitment to excellence and service.
