Into the Spider-verse: Qantas, Scattered Spider, and what Australian teams should learn


As both a Qantas Frequent Flyer and a cybersecurity professional based in Sydney, I felt the impact of the airline’s June 2025 breach personally. The breach was a result of attackers accessing a third-party customer service platform operated by an overseas call centre and exposed personal data of approximately 5.7 million customers, myself included. While the breach did not directly threaten imminent financial loss, it does significantly increase the risk of secondary attacks using the leaked personal data.

The breach showed no signs of ransomware or sophisticated payloads. Instead, it bore the hallmarks of Scattered Spider, a threat group that relies on social engineering, abuse of legitimate credentials, and lateral movement through protocols that evade traditional security controls.

This incident is yet another proof point that identity has become one of the top attack vectors, especially across the hybrid IT environments that dominate Australian enterprises and their supply chain. These environments blend cloud, on-prem, and vendor-operated systems, but lack unified identity control, making detection and response much harder.

In this blog, we’ll explain who Scattered Spider is and why Australia is a growing target, the methods they use and why they are so effective, and the tactical steps Australian security teams can take to prevent and respond to identity-based attacks.

Who is Scattered Spider, and why are they targeting Australia?

Scattered Spider (aka UNC3944, Scatter Swine, Octo Tempest, Starfraud, Muddled Libra) is a financially motivated cybercriminal group focused on identity as the main attack vector.

Active since at least 2022, and reportedly composed primarily of young, native English speakers from the US and the UK, the Scattered Spider group rarely uses malware or ransomware, and targets some of the most heavily defended sectors, such as financial services and gaming. Rather than on code, their toolkit relies on confidence tricks, protocol gaps, and our basic assumptions about trust.

Common techniques include:

– Phishing, smishing and vishing: Camouflaged emails, SMS messages or phone calls impersonating IT or help desk staff to trick employees into providing PII or credentials, or into performing MFA resets.

– Help desk impersonation: Posing as internal IT or help desk staff to direct employees to perform unsafe actions, such as running remote access tools or sharing MFA codes.

– MFA fatigue: Spamming users with push notifications until they click “approve”.

– SIM swapping: Hijacking phone numbers to receive MFA codes.

– Living off the land: Using PowerShell, PsExec and RDP, or commercial remote-access utilities (such as TeamViewer, Ngrok, ScreenConnect, Fleetdeck, etc.), tools already available inside every enterprise, to move laterally and evade detection.

– Compromising hypervisors: More recently, attacks have escalated beyond Active Directory compromise to directly targeting and manipulating VMware ESXi infrastructure, enabling attackers to bypass certain controls, such as endpoint protection, entirely.

While their initial focus was on US-based casinos, insurers, and retailers, 2024-2025 has seen them pivot sharply toward aviation, logistics, and infrastructure in Australia.

Why Australia?

1. Widespread hybrid and fragmented identity infrastructure

Australian enterprises commonly rely on a mix of on-prem Active Directory, cloud identity providers (e.g., Entra ID, Okta), SSO platforms, and PAM tools. While each secures a slice of the environment, they often operate in silos, leading to visibility gaps and incomplete control enforcement. This creates ideal conditions for identity-based attackers to slip through the cracks.

2. Complex and diverse identity and IT ecosystems

Australian enterprises are typically early adopters of technology and have gone through multiple waves of digital transformation and productivity-enhancing outsourcing. Over time, this has led to a highly interconnected ecosystem of third-party vendors, partners, and contractors, each requiring access to different parts of the enterprise. The result is a sprawling identity landscape with countless potential entry points to secure.

3. High-value customer data in a regulatory and reputational powder keg

Australian enterprises operate under increasingly demanding privacy and cybersecurity regulations, including the Notifiable Data Breaches scheme and evolving critical infrastructure mandates. At the same time, they store vast volumes of high-value personal data, such as financial, health, and identity records, which are lucrative targets for extortion, resale, or impersonation. These dual pressures make breaches more damaging and responses more urgent, amplifying the impact of identity-based attacks.

How to prevent identity threats before they start

1. Harden the help desk, but don’t over-rely on it

Problem: Scattered Spider often gains initial access through social engineering, targeting real human beings. This is especially effective in help desk environments, where staff are under pressure to resolve issues quickly and maintain high customer satisfaction. These attacks exploit human trust and judgment, making them difficult to consistently prevent.

Solution: Help desk procedures should be strengthened and reviewed regularly, but controls must extend beyond initial access. Attackers like Scattered Spider exploit legacy trust models that assume anything inside the perimeter is legitimate. Identity-layer segmentation, especially in Active Directory, is critical to slowing attackers and limiting the blast radius. Privileged identities should be blocked from accessing non-privileged environments (and vice versa), and third-party suppliers should only access what they need. A tiering model can further separate identities and systems by business criticality and risk.

2. Close MFA gaps in legacy protocols

Problem: Protocols like NTLM, LDAP, and SMB don’t natively support MFA, and attackers know it. These gaps are frequently exploited to bypass modern access controls.

Solution: Extend MFA enforcement to cover all Active Directory protocols, including legacy ones, to ensure attackers can’t sidestep protections. While eliminating these vulnerable protocols entirely isn’t always feasible, restricting their use to only the systems that absolutely require them is both practical and impactful.

3. Implement phishing-resistant authentication methods (e.g. passkeys and FIDO2)

Problem: SMS-based MFA and push fatigue are easily bypassed with social engineering or SIM-swapping.

Solution: Adopt phishing-resistant methods like FIDO2 hardware keys or platform passkeys for privileged users and critical systems. These provide cryptographic proof of possession and can’t be phished or replayed.

4. Detect and block lateral movement in real time

Problem: After initial access, attackers “live off the land” using RDP, PowerShell, and legitimate credentials, activity that goes undetected in most hybrid environments.

Solution: Continuously monitor authentication flows across on-prem and cloud identity infrastructure to identify unusual movement patterns between systems and trigger inline MFA or deny access before the attacker escalates privileges.

5. Protect non-human identities

Problem: These accounts are often numerous, highly privileged, invisible in day-to-day operations, and poorly secured, making them ideal attack vectors or targets for abuse.

Solution: Begin by establishing a comprehensive inventory of non-human identities, including service accounts, automation credentials, and machine identities. Continuously monitor their behaviour for unusual access patterns, restrict their use to only what’s necessary, and apply least privilege permissions. This must be done in a way that is automated, scalable, and grounded in operational context. Spreadsheets, manual reviews, and reliance on tribal knowledge simply do not scale in modern enterprise environments.

6. Contain fast without stopping business – before you know what’s compromised

Problem: In identity attacks like Scattered Spider, response delays let the attacker move laterally, disable logging, or escalate privileges, all using valid credentials.

Solution: Define and prepare containment policies in advance, so they can be activated instantly to block compromised accounts, trigger reauthentication, or isolate specific systems. These policies should be designed with resilience in mind, limiting attacker movement while minimising impact on business operations. Preparation also means productivity is not affected if a breach does occur. Using phishing-resistant MFA as the gatekeeper for access during containment improves cyber resilience: legitimate, authorised users can continue to be productive and deliver services, while attackers are prevented from achieving their objectives.

When the breach happens: Identity-first incident response

Even with the best defences, compromise can still happen. What matters most is what you do in the initial hours. For example, requiring MFA for high-risk actions helps contain threats without disrupting core business operations.

Here’s a streamlined response framework built for identity-based breaches:

Containment

  • Enforce deny or MFA policies instantly on all users
  • Identify compromised accounts based on MFA violations or unusual access
  • Isolate machines where affected accounts logged in

Recovery

  • Gradually replace deny with MFA to restore access
  • Reintroduce critical services in controlled phases
  • Maintain elevated monitoring of previously compromised accounts

Remediation

  • Trace how the attacker moved between systems using authentication logs, and identify the specific identity weaknesses (like misconfigurations or excessive privileges) that enabled that movement
  • Use those insights to strengthen long-term identity security posture
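As an added example that is not part of the original post, the detection and containment logic described in section 4 and in the Containment and Remediation steps above, applied to a small constructed sample of authentication events (accounts, hostnames and the legacy-protocol allowlist are all invented): legacy-protocol authentications from sources not allowed to use them get a require-MFA action, and an account fanning out to several distinct hosts within a short window gets a deny action plus the list of hosts it reached, to isolate.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events in the shape an AD/SIEM export
# might take: (timestamp, account, source host, target host, protocol).
EVENTS = [
    ("2025-06-30T09:00:00", "svc-backup", "BKP01", "FS01", "Kerberos"),
    ("2025-06-30T09:01:00", "jdoe", "WS-114", "FS01", "Kerberos"),
    ("2025-06-30T09:02:10", "jdoe", "WS-114", "WS-201", "NTLM"),
    ("2025-06-30T09:02:40", "jdoe", "WS-114", "WS-202", "NTLM"),
    ("2025-06-30T09:03:05", "jdoe", "WS-114", "SQL01", "NTLM"),
    ("2025-06-30T09:03:30", "jdoe", "WS-114", "DC01", "NTLM"),
    ("2025-06-30T09:05:00", "mchen", "WS-220", "FS01", "NTLM"),
    ("2025-06-30T09:10:00", "svc-backup", "BKP01", "FS02", "NTLM"),
]

LEGACY_PROTOCOLS = {"NTLM", "LDAP"}
# Hosts permitted to keep using legacy protocols (section 2: restrict their use
# to the systems that absolutely require them). Invented allowlist.
LEGACY_ALLOWED_SOURCES = {"BKP01"}

def legacy_violations(events):
    """Legacy-protocol authentications from sources outside the allowlist."""
    return [e for e in events
            if e[4] in LEGACY_PROTOCOLS and e[2] not in LEGACY_ALLOWED_SOURCES]

def fanout_accounts(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts that reached >= threshold distinct hosts within one window."""
    by_account = defaultdict(list)
    for ts, acct, _src, dst, _proto in events:
        by_account[acct].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for acct, hits in by_account.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window from each event
            targets = {dst for t, dst in hits[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                flagged[acct] = targets
                break
    return flagged

def containment_plan(events):
    """Map each suspicious account to an action and hosts to isolate."""
    plan = {}
    for _ts, acct, _src, _dst, _proto in legacy_violations(events):
        plan.setdefault(acct, {"action": "require_mfa", "isolate": set()})
    for acct, targets in fanout_accounts(events).items():
        plan[acct] = {"action": "deny", "isolate": targets}  # deny wins
    return plan
```

In practice the thresholds and allowlist come from a baseline of normal behaviour, and the resulting actions feed an inline MFA or deny policy rather than being applied by hand.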

Final thoughts: Australia can lead in identity resilience

The Qantas incident wasn’t a one-off. It was a warning flare that identity-based attacks, like those used by Scattered Spider, are here, active, and evolving.

As a local citizen caught in the blast radius, I believe we can meet this moment with urgency and confidence. Australia’s hybrid identity infrastructure and IT ecosystem are complex, but with the right plan, that complexity can be protected, monitored, and controlled.

Phishing-resistant MFA and well-defined access policies across all access points, including legacy protocols, access limited by least privilege and business criticality, and identity-first incident response can contain threats quickly while keeping business operations running.

Australia doesn’t have to wait for another breach to act. We can lead.

To learn more about how to build an incident response playbook against threat groups like Scattered Spider, I invite you to watch this webinar on-demand.
