Scattered Spider, the collective cyber-threat group suspected in the hacks of multiple retail brands in the United Kingdom, Europe and the U.S., is now targeting managed service providers and IT vendors as part of a sophisticated campaign to infiltrate customers of those companies, according to a report released on Friday by ReliaQuest.
The threat group has used social engineering techniques to trick workers into providing access to these organizations, so the attackers can obtain credentials and bypass multifactor authentication.
“Scattered Spider is known to use social engineering techniques to impersonate top executives or other high-ranking employees,” said Brandon Tirado, director of threat research at ReliaQuest. “They contact help desk staff with urgent and convincing requests, such as resetting passwords, granting privileged access or provisioning new MFA devices.”
The analysis shows 81% of Scattered Spider domains impersonated technology vendors. Some 70% of Scattered Spider targets were in the technology, finance and retail sectors.
ReliaQuest analyzed more than 600 domains linked to Scattered Spider through indicator-of-compromise evidence shared by cyber forensic researchers between the first quarter of 2022 and 2025.
The researchers identified domain registrations based on previously known threat activity patterns. Domains and subdomains contained specific keywords, including “Okta,” “helpdesk,” “vpn” and “sso.”
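The keyword pattern described above can be turned into a triage check over newly observed hostnames. The sketch below is an added example, not ReliaQuest's tooling or code from the report; the allowlist, the sample hostnames and the function names are constructed assumptions, and only the four keywords come from the article.

```python
# Keywords named in the article; everything else here is constructed.
KEYWORDS = ("okta", "helpdesk", "vpn", "sso")

# Domains the organisation legitimately uses (hypothetical allowlist).
ALLOWLIST = {"okta.com", "example-corp.test"}

# Constructed sample hostnames, e.g. from DNS or proxy logs.
SAMPLE = [
    "associates-law.test",
    "login.okta.com",
    "sso-example-corp.test",
    "example-corp.helpdesk-vpn.test",
]


def registrable(host):
    """Naive last-two-labels domain. A production check should use the
    Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def score_host(host):
    """Map each keyword found in the hostname to 'token' (a whole
    hyphen-separated token) or 'substring' (embedded in a longer word,
    which is more likely to be a false positive)."""
    host = host.strip().lower().rstrip(".")
    if not host or registrable(host) in ALLOWLIST:
        return {}
    hits = {}
    for label in host.split(".")[:-1]:  # the TLD itself is not scanned
        tokens = label.split("-")
        for kw in KEYWORDS:
            if kw in tokens:
                hits[kw] = "token"
            elif kw in label:
                hits.setdefault(kw, "substring")
    return hits


def triage(hosts):
    """Return (host, hits) pairs for flagged hosts, with hosts that have
    at least one whole-token match listed first."""
    flagged = [(h, score_host(h)) for h in hosts]
    flagged = [(h, s) for h, s in flagged if s]
    return sorted(flagged, key=lambda p: "token" not in p[1].values())
```

Substring-only hits such as "sso" inside "associates" are kept but ranked last, so an analyst reviews the whole-token matches first.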
As previously reported, Scattered Spider worked with DragonForce to target an MSP by exploiting SimpleHelp vulnerabilities. Researchers at Sophos disclosed the attack in late May.
In addition, Tata Consultancy has been investigating whether hackers used the third-party IT vendor as a gateway in the attack against Marks & Spencer, according to a report by the Financial Times.
A spokesperson for Tata was not immediately available.