For awareness
Recent reporting highlights the continued effectiveness of social engineering as a primary access vector, particularly when directed at IT help desks and support teams. A cybercrime collective operating under the name Scattered Lapsus$ Hunters has been observed actively recruiting English‑speaking individuals to carry out scripted phone‑based impersonation attacks against organisations’ service desks. This suggests these groups are currently re-tooling in anticipation of another wave of attacks, which may align with a repeat of 2025's 'Easter Takedown' of a number of high-profile UK retail and manufacturing businesses.
Scattered Lapsus$ Hunters is closely associated with Scattered Spider and ShinyHunters – three English‑speaking cybercrime groups that have demonstrated repeated success by targeting people and process, rather than exploiting technical vulnerabilities. Their typical objective is to persuade support staff to reset credentials, modify MFA enrolments, or grant access to systems by impersonating legitimate users. During 2025, several major UK retail organisations were compromised through help desk and service provider impersonation, resulting in operational disruption, data loss, and long‑running recovery efforts that in some cases are still ongoing today.
Once initial access is achieved, the attack chain is familiar:
- Abuse of valid credentials to blend into normal activity
- Rapid privilege escalation and lateral movement
- Data exfiltration for leverage
- Ransomware deployment or extortion
The common thread across these incidents is that security controls were bypassed by exploiting trust, often under time pressure, rather than by defeating technical safeguards.
These incidents reinforce a critical point: help desks, support teams, and third‑party service providers are now a frontline security control.
Organisations should treat requests involving:
- Password resets
- MFA changes
- Device or account recovery
- Access to collaboration platforms
as high‑risk security events, requiring strong identity verification, clear escalation paths, and consistent enforcement – even when requests appear routine or urgent.
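One way to treat these requests as security events in monitoring, shown as an added example that is not Advania's code: the Python sketch below reviews help desk actions and flags any high-risk change made without a recorded identity check, and any account that receives two different high-risk changes in a short window. The event schema, field names, action labels, and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Action labels are hypothetical; map them to whatever your ticketing or audit source emits.
HIGH_RISK = {"password_reset", "mfa_change", "account_recovery"}

# Constructed sample events; schema and field names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2025-04-18T09:02:00", "user": "a.khan", "action": "password_reset",
     "actor": "helpdesk-07", "verified": True},
    {"time": "2025-04-18T09:11:00", "user": "a.khan", "action": "mfa_change",
     "actor": "helpdesk-07", "verified": True},
    {"time": "2025-04-18T10:40:00", "user": "j.ortiz", "action": "password_reset",
     "actor": "helpdesk-03", "verified": False},
    {"time": "2025-04-18T11:00:00", "user": "m.lee", "action": "password_reset",
     "actor": "helpdesk-03", "verified": True},
    {"time": "2025-04-18T15:30:00", "user": "m.lee", "action": "mfa_change",
     "actor": "helpdesk-02", "verified": True},
    {"time": "2025-04-18T15:35:00", "user": "m.lee", "action": "group_rename",
     "actor": "helpdesk-02", "verified": True},
]

def flag_helpdesk_events(events, window=timedelta(minutes=30)):
    """Return (reason, user, detail) alerts for help desk actions needing review."""
    alerts = []
    recent = {}  # user -> list of (timestamp, action) for high-risk events
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in HIGH_RISK:
            continue
        ts = datetime.fromisoformat(ev["time"])
        # A high-risk change with no recorded identity check is reviewed on its own.
        if not ev.get("verified", False):
            alerts.append(("unverified", ev["user"], ev["action"]))
        # Keep only this user's earlier events that are still inside the window.
        history = [(t, a) for t, a in recent.get(ev["user"], []) if ts - t <= window]
        # Two different high-risk changes on one account in quick succession
        # (for example a reset followed by an MFA change) warrant escalation.
        for _, prior in history:
            if prior != ev["action"]:
                alerts.append(("chained", ev["user"], f"{prior}->{ev['action']}"))
        history.append((ts, ev["action"]))
        recent[ev["user"]] = history
    return alerts

if __name__ == "__main__":
    for alert in flag_helpdesk_events(SAMPLE_EVENTS):
        print(alert)
```

The m.lee events are not flagged because the two changes are hours apart; tune the window to your own help desk workflow.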
What Advania is seeing
In recent weeks, Advania has observed an increase in impersonation and social engineering activity leveraging Microsoft Teams, including:
- External users posing as internal staff
- Compromised accounts initiating convincing internal‑looking conversations
- Attackers using Teams chat to build trust before pivoting to credential requests or follow‑on phishing
This reinforces the importance of reviewing Microsoft Teams guest access and external collaboration controls, including:
- Who can invite external users
- How external users are clearly identified
- Whether support or IT accounts are appropriately protected
As attackers continue to professionalise their social engineering operations, defensive maturity around identity, collaboration platforms, and human decision‑making will increasingly determine resilience.
Scattered LAPSUS$ Hunters: 2025's Most Dangerous Cybercrime Supergroup
Scattered Lapsus$ Hunters seeks women to defraud helpdesks • The Register
Deceptive IT Support Lure on Microsoft Teams Delivers Stealthy Backdoor - The Advania Community