Videos · Ben Baker · TAGS: Hunting / Incident detection & response / Security research / Threat intelligence
A LinkedIn Live roundtable discussion featuring Expel security experts exploring a novel cloud attack by the Atlas Lion threat group, a subset of Scattered Spider.
Date: April 30, 2025
Featuring:
- Ben Baker, Director of Content, Expel (Host)
- Aaron Walton, Senior Threat Intel Analyst, Expel
- Jenni Maynard, Senior Incident Response Analyst, Expel
- Ben Nahorney, Senior Technical Marketing Writer, Expel
Additional Resources
- Learn more about Expel’s threat hunting services.
- Read the detailed blog series on the Atlas Lion threat group attack (part 1 and part 2).
- For those interested in learning more about the culture of the Com, Aaron recommends the upcoming talk at SleuthCon on June 6 by researchers discussing who these actors are and how they behave.
Introduction
Ben Baker: Hello everyone and welcome to today’s LinkedIn Live roundtable. I hope you’ve enjoyed these roundtables over the past few months. We’ve been holding them about monthly, with previous sessions featuring our SOC team discussing our Annual Threat Report, a discussion on the Forrester Wave on MDR, and a Women in Cybersecurity panel. You can find all of those on our YouTube channel.
Today we’re diving into one of the most talked about threat groups in the wild, Scattered Spider, and particularly a crafty subset of the group known as the Atlas Lion threat group. We recently published a two-part blog series that covers Atlas Lion activity in detail.
For those unfamiliar with Expel, we’re a managed detection and response (MDR) provider. We integrate with security tools our customers already use—over 130 integrations with leading security tools—and bring that data into our proprietary platform called Expel Workbench™. Our analysts operate in it, and our customers can log in and see what our team sees in real time. Because we’re pulling telemetry from all these tools and environments, we’re able to identify trends across attacker behavior, which is exactly how this session came together.
Understanding Scattered Spider
Ben Baker: Aaron, give us a high-level view of Scattered Spider, its connection to the group called “the Com,” and any unique specialties or calling cards.
Aaron Walton: The name “Scattered Spider” refers to the decentralized nature of these actors. It’s used to refer to groups that are part of what they themselves call “the Community” or “the Com.” They’re often young people, typically males between 16 and 23 years old, interested in various types of cybercrime to gain street cred.
One thing they really specialize in is SIM swapping and targeting phones. If you’re not familiar with SIM swapping, they use techniques to trick phone providers into porting a SIM from a potential victim to the attacker’s device. This allows them to receive SMS messages and other content intended for the victim, primarily to bypass MFA.
This is characteristic of any group that’s part of the Com, including subgroups like Atlas Lion and Star Fraud. When people talk about Scattered Spider, it helps to specify which actors you’re talking about, as each subgroup has distinct tactics.
Threat Intelligence Context: Scattered Spider (also known as UNC3944, Starfraud, Scatter Swine, and Muddled Libra) is considered an expert in social engineering attacks according to the Cybersecurity & Infrastructure Security Agency (CISA). The group gained notoriety for major attacks against MGM Resorts and Caesars Entertainment in 2023, with the latter reportedly paying a $15 million ransom. According to Silent Push research, they continue to be active in 2025 using a variety of infrastructure including DigitalOcean, Vultr, and BitLaunch servers, as well as developing new phishing techniques.
Introducing the Atlas Lion threat group
Ben Baker: Ben, who is the Atlas Lion threat group, and what do we need to know about them?
Ben Nahorney: Atlas Lion is a group with affiliations to the Com, believed to be operating out of Morocco. Interestingly, the name comes from an extinct subspecies of lion last seen in Morocco in the 1960s, also known as the Barbary lion (similar to the MGM logo lion).
This group is known for targeting retailers to issue gift cards—that’s their primary MO. They try to steal gift cards and then figure out how to either redeem them or sell them to fund their organization. They’re also known for infiltrating organizations using compromised credentials, performing reconnaissance, and ultimately stealing cards.
Threat Intelligence Context: Microsoft tracks the Atlas Lion threat group as Storm-0539 and has reported in their Cyber Signals report that the group has been active since late 2021. According to The Record, Microsoft researchers have observed instances where the group steals up to $100,000 per day through gift card fraud at certain companies. Intel 471 research indicates they use various phishing kits with different themes, including Okta, Microsoft, Salesforce, and Gophish, across multiple domains.
Detecting identity-based attacks
Ben Baker: Jenni, these groups specialize in identity-based attacks. From a detection and response perspective, how challenging is it to defend against these identity tactics? What red flags or tells do you look for?
Jenni Maynard: From a detection and response perspective, we want to detect and identify threats both before initial access and after exploitation. My mental checklist includes looking for anomalous login properties—unusual login times, hosting/VPN infrastructure, or user agents. For these particular actors, we observed them trying to access applications the user wasn’t provisioned for.
Post-exploitation gives us even more detection opportunities: access to large volumes of SharePoint files, accessing specific files relating to endpoint management (which these groups are often interested in to pivot into the network environment). I have a mental list of indicators when examining activity to determine if an incident is occurring.
The Atlas Lion threat group attack
Ben Baker: Ben, can you walk us through this specific attack? How did they get credentials, and what did they do with them?
Ben Nahorney: This attack happened in several stages. It started with an SMS phishing campaign using a site that mimicked cloud-based services of the target, tricking people into entering credentials. When victims entered usernames, passwords, and MFA tokens, the phishing kit immediately used those credentials to log into the legitimate domain of the target organization.
Once inside, they stole session cookies to maintain persistence, but they took it further by rolling their own MFA devices within compromised accounts. This allowed them to maintain persistence over an extended period and log in from other devices.
The fascinating part was that the attackers created a virtual machine in their own Microsoft Azure Cloud tenant. They used stolen credentials to log into this VM, and because the target organization was also using Azure with Entra ID, that login automatically enrolled the VM into the target organization’s cloud tenant.
The silver lining was that the organization’s enrollment policy required Microsoft Defender to be installed on new devices. As soon as that endpoint protection was installed, it flagged several IOCs, which brought it to Expel’s attention.
After being detected, the attackers pivoted. They used other credentials to log into the corporate network and performed reconnaissance to learn about the environment—examining BYOD policies, device management approaches, and things that would help them get around the roadblock they encountered. True to their nature, they also looked up information about gift cards, issuance processes, refund policies, and fraud prevention measures.
Meanwhile, Expel was doing follow-up checks, identifying the Atlas Lion connection, examining IOCs, and ultimately evicting them from the environment.
Threat Intelligence Context: This attack aligns with known Atlas Lion tactics. According to The Record, this novel VM enrollment technique essentially allows the group to make their cybercrime infrastructure appear as legitimate parts of a company’s network. The Wiz Cloud Threat Landscape report notes that the Atlas Lion threat group (Storm-0539) is known for sophisticated phishing attacks, credential theft, SMS phishing (smishing), MFA enrollment abuse, and ultimately gift card fraud. According to CyberScoop, Microsoft researchers have observed that their “reconnaissance and ability to leverage cloud environments are similar to what Microsoft observes from nation-state-sponsored threat actors.”
Detection insights
Ben Baker: Jenni, as part of the team that helped stop this attack, what was your perspective? How did you realize this wasn’t a normal device enrollment?
Jenni Maynard: We traced the virtual machine activity back to a particular user registering this device. While investigating all the cloud identity activity for that user, certain things stood out indicating a targeted attack. We observed the attacker performing cloud enumeration in that user’s account—trying to access any cloud applications the user had access to and even attempting to access applications they didn’t have access to.
They were performing enumeration in SharePoint, reviewing emails, and more. We took those IOCs—like IP addresses, specific SharePoint queries, or MFA device registrations—and hunted for them throughout the environment, which helped us find additional compromised users.
When examining cloud timeline activity, we noticed the files the attacker was looking at were very focused on device management, registering devices, and lateral movement into the network environment. That indicated a greater motive beyond simple account compromise.
Ben Baker: When you see somebody pulling up articles about device enrollment and gift card policies, that seems like a red flag for someone with nefarious intent.
Jenni Maynard: It depends on context—it might be expected for a particular user based on their role. But if we’re investigating through the MITRE ATT&CK lifecycle, we look at whether the login session and IP address are normal for the user. In this case, we could rapidly determine this wasn’t the legitimate user.
Cloud sophistication
Ben Baker: Aaron, this seems like an inventive move in abusing cloud possibilities. How sophisticated is their understanding of cloud environments, and are creative attacks like this a sign of things to come?
Aaron Walton: Many individuals within the Com are quite adept with cloud infrastructure. This knowledge serves their objectives—whether they’re after specific data or access. When we see customers targeted by Scattered Spider proper or the Atlas Lion threat group, they immediately focus on cloud infrastructure.
Attackers typically have playbooks outlining what to look for once they gain access. Unlike many threat actors, the Com is more western-based, making them more familiar with business processes. This knowledge helps them navigate how to gain specific types of access.
The follow-up and persistence
Ben Baker: After being detected, the Atlas Lion threat group didn’t give up. Jenni, how did you connect what you saw to earlier activity?
Jenni Maynard: With widespread attack vectors like SMS phishing, your work doesn’t end after identifying a compromised account or device registration. We entered an active response phase where daily we examined IOCs and techniques, rescoping as needed and scrutinizing any vendor alerts for logins or other activity.
During this process, we identified other compromised accounts. Understanding the attacker’s access and motivation helped us continue scoping the incident. Even after disabling compromised accounts, we needed to determine what resources the attacker had accessed. We found many compromised accounts, and observed attempts at social engineering the help desk.
Ben Baker: One thing that stood out was the speed of the attacker—accessing 19 apps and 111 SharePoint pages in minutes. Is that speed a dead giveaway?
Jenni Maynard: It varies. As Aaron mentioned, these actors have playbooks, so once they gain initial access, they know exactly what they want to do—which SharePoint queries to run, which files to look for. More sophisticated, targeted attackers move quickly after gaining access, working through their playbook and setting up persistence mechanisms before they get detected and ejected from the environment.
Aaron Walton: This is common behavior. Attackers invest heavily in campaigns and have backup plans ready. Atlas Lion sets up dedicated infrastructure before launching SMS phishing, prepared to act immediately when they get credentials. They ensure multiple attack paths so if one method hits a barrier, they can try another. This approach maximizes their chances of success and ability to establish persistence.
We see this with different types of attackers. For instance, ransomware attackers often deploy multiple backdoors—using two or three commercial remote management tools while also setting up their own unique backdoor.
Social engineering tactics
Ben Baker: Ben, you and Jenni wrote about their clever ticket-raising tactic to get Confluence access. How can IT teams better protect against social engineering attempts in their own support systems?
Ben Nahorney: The attackers wanted information from Confluence, but the compromised user didn’t have access. So they simply logged an IT ticket in that user’s name—ingeniously simple but effective.
For IT teams, the key question is whether the user truly needs that access. If someone in marketing is requesting access to low-level system documentation, the answer is probably no. Another challenge is verifying identity. Instead of just communicating through the ticketing system, contact the user through another channel like instant messaging.
Aaron Walton: Within Expel, these types of requests always require manager approval, adding another layer of verification. The Com is known for trying to access messaging platforms like Slack or Teams, so it’s important to have controls and be mindful when something seems unusual.
Jenni Maynard: In this case, the attacker was particularly scrupulous. Rather than setting up inbox rules to delete emails, they were actively monitoring the account and individually deleting emails from the ServiceNow ticketing system as they arrived.
Practical takeaways
Ben Baker: What practical actions can security teams implement starting today to protect against attacks like this?
Aaron Walton: Requiring login from managed devices can stop these attacks. Even if SIM swapping occurs, the restriction of requiring a managed device provides crucial protection. While this might seem burdensome for some organizations, it’s essential for blocking attackers from gaining entry.
Ben Nahorney: The enrollment policies in place were what stopped the most interesting aspect of this attack. When the VM was automatically enrolled, Microsoft Defender was installed and caught the threat immediately. Their policies worked to catch the unusual aspects of this attack.
Aaron Walton: When organizations have unmanaged devices or devices without visibility, attackers essentially have free rein. Requiring devices to be managed with EDR agents makes a significant difference.
Jenni Maynard: For retail organizations specifically targeted by the Atlas Lion threat group, it may not be feasible to require managed device logins if you have store workers logging in from personal phones. In these cases, consider scenarios where attackers aim to move laterally into your network environment. We sometimes focus solely on data access in cloud incidents without considering network access. Plan for that situation and how you’ll address it.
Industry Recommendations: Security experts recommend several additional defenses against Atlas Lion and Scattered Spider. According to The Sec Master, organizations should implement phishing-resistant MFA (FIDO/WebAuthn or PKI-based), apply network segmentation to restrict lateral movement, and follow cloud security best practices. ChaosSearch emphasizes the importance of threat intelligence and comprehensive log analysis to detect indicators of compromise such as repeated failed login attempts, unusual file transfers, or unexpected privilege escalations. CISA and FBI guidance on Scattered Spider recommends implementing application controls, limiting the use of Remote Desktop Protocol, and carefully monitoring for social engineering attempts.
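The detection tells discussed in this session (sign-ins from hosting or VPN infrastructure, attempts against applications the user is not provisioned for, playbook-speed enumeration of many apps, and a new MFA method followed by a device join) combined into one triage routine over identity logs. This is an added example, not Expel’s or Microsoft’s code; the record schema, user names, thresholds and events are constructed for illustration and are far simpler than real Entra ID sign-in and audit logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified schema (not the real Entra ID log format).
# kind "signin": app touched plus network type; kind "audit": MFA / device changes.
EVENTS = [
    {"ts": "2025-04-01T03:01:00", "user": "jdoe", "kind": "signin", "app": "Outlook", "net": "hosting", "ok": True},
    {"ts": "2025-04-01T03:01:30", "user": "jdoe", "kind": "audit", "action": "mfa_method_added"},
    {"ts": "2025-04-01T03:02:00", "user": "jdoe", "kind": "signin", "app": "SharePoint", "net": "hosting", "ok": True},
    {"ts": "2025-04-01T03:02:20", "user": "jdoe", "kind": "signin", "app": "Confluence", "net": "hosting", "ok": False},
    {"ts": "2025-04-01T03:03:00", "user": "jdoe", "kind": "signin", "app": "Intune", "net": "hosting", "ok": True},
    {"ts": "2025-04-01T03:03:30", "user": "jdoe", "kind": "signin", "app": "ServiceNow", "net": "hosting", "ok": True},
    {"ts": "2025-04-01T03:20:00", "user": "jdoe", "kind": "audit", "action": "device_joined"},
    {"ts": "2025-04-01T09:00:00", "user": "asmith", "kind": "signin", "app": "Outlook", "net": "corp", "ok": True},
    {"ts": "2025-04-01T09:40:00", "user": "asmith", "kind": "signin", "app": "SharePoint", "net": "corp", "ok": True},
]
PROVISIONED = {"jdoe": {"Outlook", "SharePoint"}, "asmith": {"Outlook", "SharePoint"}}  # constructed entitlements

def _t(e): return datetime.fromisoformat(e["ts"])

def triage(events, provisioned, burst_n=4, burst_window=timedelta(minutes=5), join_window=timedelta(hours=1)):
    """Return {user: [finding, ...]} for users matching any item of the session's detection checklist."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_t):
        by_user[e["user"]].append(e)
    findings = defaultdict(list)
    for user, evs in by_user.items():
        signins = [e for e in evs if e["kind"] == "signin"]
        # 1. Sign-ins from hosting/VPN infrastructure rather than the user's usual network.
        if any(e["net"] in ("hosting", "vpn") for e in signins):
            findings[user].append("signin_from_hosting_or_vpn")
        # 2. Attempts against applications the user is not provisioned for (cloud enumeration).
        unprovisioned = sorted({e["app"] for e in signins} - provisioned.get(user, set()))
        if unprovisioned:
            findings[user].append(f"unprovisioned_apps:{','.join(unprovisioned)}")
        # 3. Burst: at least burst_n distinct apps touched inside burst_window (playbook-driven speed).
        for i, e in enumerate(signins):
            window = [x for x in signins[i:] if _t(x) - _t(e) <= burst_window]
            if len({x["app"] for x in window}) >= burst_n:
                findings[user].append("rapid_app_enumeration")
                break
        # 4. New MFA method followed by a device join: attacker-controlled device gaining persistence.
        mfa = [_t(e) for e in evs if e.get("action") == "mfa_method_added"]
        joins = [_t(e) for e in evs if e.get("action") == "device_joined"]
        if any(timedelta(0) <= j - m <= join_window for m in mfa for j in joins):
            findings[user].append("mfa_added_then_device_joined")
    return dict(findings)

if __name__ == "__main__":
    print(triage(EVENTS, PROVISIONED))
```

Any single finding is only a lead; as noted in the discussion, the context of the user’s role and normal session properties decides whether it becomes an incident.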
External Resources on Scattered Spider and the Atlas Lion threat group
- Microsoft Cyber Signals Report on Gift Card Fraud
- CISA Advisory on Scattered Spider
- Intel 471: Threat Actors Target Gift Card Issuing Systems
- Silent Push: Scattered Spider in 2025
- Wiz Cloud Threat Landscape: Atlas Lion Phishing Campaign
- CrowdStrike: Scattered Spider Threat Actor Profile
This transcript has been edited for clarity and readability.
For more information about Expel’s services and threat research, visit expel.com/blog or follow us on LinkedIn.