In recent weeks, Microsoft has observed Octo Tempest, also known as Scattered Spider, targeting the airlines sector, following earlier activity targeting retail, food services, hospitality organizations, and insurance between April and July 2025. This aligns with Octo Tempest's typical pattern of focusing on one industry for several weeks or months before moving on to new targets. Microsoft Security products continue to update security coverage as these shifts occur.
To help protect and inform customers, this blog highlights the security coverage across the Microsoft Defender and Microsoft Sentinel security ecosystem and provides security posture hardening recommendations to protect against threat actors like Octo Tempest.
Overview of Octo Tempest
Octo Tempest, also known in the industry as Scattered Spider, Muddled Libra, UNC3944, or 0ktapus, is a financially motivated cybercriminal group that has been observed targeting organizations using diverse methods in their end-to-end attacks. Their approach consists of:
Gaining initial access through social engineering, impersonating a user and contacting service desk support by phone calls, emails, and messages.
Short Message Service (SMS)-based phishing using adversary-in-the-middle (AiTM) domains that mimic legitimate organizations.
Using tools such as ngrok, Chisel, and AADInternals.
Targeting hybrid identity infrastructure and exfiltrating data to support extortion or ransomware operations.
Recent activity shows Octo Tempest has deployed DragonForce ransomware with a particular focus on VMware ESX hypervisor environments. In contrast to earlier patterns where Octo Tempest used cloud identity privileges to gain on-premises access, recent intrusions have targeted both on-premises accounts and infrastructure at the initial stage before transitioning to cloud access.
Octo Tempest detection coverage
Microsoft Defender has a range of detections covering Octo Tempest related activity and more. These detections span all areas of the security portfolio, including endpoints, identities, software as a service (SaaS) apps, email and collaboration tools, and cloud workloads, to provide comprehensive security coverage. Shown below is a list of known Octo Tempest tactics, techniques, and procedures (TTPs) observed in recent attack chains, mapped to detection coverage.
Product abbreviations: MDE = Microsoft Defender for Endpoint, MDI = Microsoft Defender for Identity, MDC = Microsoft Defender for Cloud, MDA = Microsoft Defender for Cloud Apps.

Tactic: Initial Access
Technique: Initiating password reset on target's credentials
Coverage (non-exhaustive): Unusual user password reset in your virtual machine (MDC)

Tactic: Discovery
Technique: Continuing environmental reconnaissance
Coverage (non-exhaustive):
Suspicious credential dump from NTDS.dit (MDE)
Account enumeration reconnaissance (MDI)
Network-mapping reconnaissance (DNS) (MDI)
User and IP address reconnaissance (SMB) (MDI)
User and Group membership reconnaissance (SAMR) (MDI)
Active Directory attributes reconnaissance (LDAP) (MDI)

Tactic: Credential Access, Lateral Movement
Technique: Identifying Tier-0 assets
Coverage (non-exhaustive):
Mimikatz credential theft tool (MDE)
ADExplorer collecting Active Directory information (MDE)
Security principal reconnaissance (LDAP) (MDI)
Suspicious Azure role assignment detected (MDC)
Suspicious elevate access operation (MDC)
Suspicious domain added to Microsoft Entra ID (MDA)
Suspicious domain trust modification following risky sign-in (MDA)
Technique: Collecting additional credentials
Coverage (non-exhaustive):
Suspected DCSync attack (replication of directory services) (MDI)
Suspected AD FS DKM key read (MDI)
Technique: Accessing enterprise environments with VPN and deploying VMs with tools to maintain access in compromised environments
Coverage (non-exhaustive):
'Ngrok' hacktool was prevented (MDE)
'Chisel' hacktool was prevented (MDE)
Possible malicious use of proxy or tunneling tool (MDE)
Possible Octo Tempest-related device registered (MDA)

Tactic: Defense Evasion, Persistence
Technique: Leveraging EDR and management tooling
Coverage (non-exhaustive): Tampering activity typical to ransomware attacks (MDE)

Tactic: Persistence, Execution
Technique: Installing a trusted backdoor
Coverage (non-exhaustive): ADFS persistent backdoor (MDE)

Tactic: Actions on Objectives
Technique: Staging and exfiltrating stolen data
Coverage (non-exhaustive):
Possible exfiltration of archived data (MDE)
Data exfiltration over SMB (MDI)
Technique: Deploying ransomware
Coverage (non-exhaustive):
'DragonForce' ransomware was prevented (MDE)
Possible hands-on-keyboard pre-ransom activity (MDE)

Note: This list is not exhaustive. A full list of available detections can be found in the Microsoft Defender portal.
Disrupting Octo Tempest attacks
Disrupt in-progress attacks with automatic attack disruption:
Attack disruption is Microsoft Defender's built-in self-defense capability that consumes multi-domain signals, the latest threat intelligence, and AI-powered machine learning models to automatically predict and disrupt an attacker's next move by containing the compromised asset (user, device). This technology uses several signals and behaviors, including all the detections listed above, suspicious Microsoft Entra ID sign-in attempts, and possible Octo Tempest-related sign-in activity, and correlates them across the Microsoft Defender workloads into a high-fidelity incident.
Based on previous learnings from common Octo Tempest techniques, attack disruption automatically disables the user account used by Octo Tempest and revokes all existing active sessions of the compromised user.
While attack disruption can contain the attack by cutting off the attacker, it is critical for security operations center (SOC) teams to conduct incident response activities and post-incident analysis to help ensure the threat is fully contained and remediated.
Investigate and hunt for Octo Tempest related activity:
Octo Tempest is known for aggressive social engineering tactics, often targeting individuals with specific permissions to gain legitimate access and move laterally through networks. To help organizations identify this activity, customers can use Microsoft Defender's advanced hunting capability to proactively investigate and respond to threats across their environment. Analysts can query across both first- and third-party data sources powered by Microsoft Defender XDR and Microsoft Sentinel. In addition to these tables, analysts can also use exposure insights from Microsoft Security Exposure Management.
Using advanced hunting and the Exposure Graph, defenders can proactively assess and hunt for the threat actor's related activity, identify which users are most likely to be targeted, and understand what the effect of a compromise would be, strengthening defenses before an attack occurs.
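As an added example (not code from the original post or from Microsoft), the script below runs an advanced hunting query through the Microsoft Graph security API and summarizes, per Defender workload, which accounts and devices appear as evidence on the alerts named in the coverage list above. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in identity holds the ThreatHunting.Read.All permission; the 30-day window is an arbitrary choice.

```powershell
# Added example: summarize Octo Tempest-related alerts via Graph advanced hunting.
# Requires Microsoft.Graph SDK and the ThreatHunting.Read.All permission.
Connect-MgGraph -Scopes "ThreatHunting.Read.All" -NoWelcome

# Alert titles taken from this post's coverage list; extend as needed.
$titles = @(
    "Suspected DCSync attack (replication of directory services)",
    "Suspected AD FS DKM key read",
    "'Ngrok' hacktool was prevented",
    "'Chisel' hacktool was prevented",
    "Possible malicious use of proxy or tunneling tool",
    "Mimikatz credential theft tool",
    "Tampering activity typical to ransomware attacks",
    "Possible Octo Tempest-related device registered",
    "Possible exfiltration of archived data",
    "Data exfiltration over SMB"
)
# Render the titles as a KQL list of double-quoted string literals.
$kqlList = ($titles | ForEach-Object { '"' + ($_ -replace '"', '\"') + '"' }) -join ", "

$kql = @"
AlertInfo
| where Timestamp > ago(30d)
| where Title in~ ($kqlList)
| join kind=inner (
    AlertEvidence
    | project AlertId, AccountUpn, DeviceName
  ) on AlertId
| summarize Alerts   = dcount(AlertId),
            Accounts = make_set_if(AccountUpn, isnotempty(AccountUpn)),
            Devices  = make_set_if(DeviceName, isnotempty(DeviceName))
          by ServiceSource
| order by Alerts desc
"@

$response = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
    -Body @{ Query = $kql }

# Each row in .results is a hashtable keyed by the projected column names.
foreach ($row in $response.results) {
    "{0}: {1} alert(s); accounts={2}; devices={3}" -f $row.ServiceSource, $row.Alerts,
        ($row.Accounts -join ","), ($row.Devices -join ",")
}
```

The accounts and devices returned are the starting point for the incident response and post-incident analysis the section above calls for, since attack disruption contains the asset but does not investigate for you.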
Proactive protection against Octo Tempest
Microsoft Security Exposure Management, available in the Microsoft Defender portal, equips security teams with capabilities such as critical asset protection, threat actor initiatives, and attack path analysis that enable them to proactively reduce exposure and mitigate the impact of Octo Tempest's hybrid attack tactics.
Ensure critical assets stay protected
Customers should ensure critical assets are classified as critical in the Microsoft Defender portal so that relevant attack paths and initiative recommendations are generated. Microsoft Defender automatically identifies critical devices in your environment, but teams should also create custom rules and expand critical asset identifiers to enhance protection.
Take action to minimize impact with initiatives
Exposure Management's initiatives feature provides goal-driven programs that unify key insights to help teams harden defenses and act fast on real threats. To address the most pressing risks related to Octo Tempest, we recommend organizations start with the initiatives below:
Octo Tempest Threat Initiative: Octo Tempest is known for tactics like extracting credentials from the Local Security Authority Subsystem Service (LSASS) using tools like Mimikatz and signing in from attacker-controlled IPs, both of which can be mitigated by controls like attack surface reduction (ASR) rules and sign-in policies. This initiative brings these mitigations together into a focused program, mapping real-world attacker behaviors to actionable controls that help reduce exposure and disrupt attack paths before they escalate.
Ransomware Initiative: A broader initiative focused on reducing exposure to extortion-driven attacks by hardening the identity, endpoint, and infrastructure layers. It provides recommendations tailored to your organization.
Investigate on-premises and hybrid attack paths
Security teams can use attack path analysis to trace cross-domain threats, like those used by Octo Tempest, who have exploited the critical Entra Connect server to pivot into cloud workloads, escalate privileges, and expand their reach. Teams can use the 'Chokepoint' view in the attack path dashboard to highlight entities appearing in multiple paths, making it easy to filter for helpdesk-linked accounts, a known Octo Tempest target, and prioritize their remediation.
Given Octo Tempest's hybrid attack strategy, a representative attack path may look like this:
Recommendations
In today's threat landscape, proactive security is essential. By following security best practices, you reduce the attack surface and limit the potential impact of adversaries like Octo Tempest. Microsoft recommends implementing the following to help strengthen your overall posture and stay ahead of threats:
Identity protection recommendations
Endpoint protection recommendations
Enable Microsoft Defender Antivirus cloud-delivered protection for Linux.
Turn on Microsoft Defender Antivirus real-time protection for Linux.
Enable Microsoft Defender for Endpoint EDR in block mode to block post-breach malicious behavior on the device through behavior blocking and containment capabilities.
Turn on tamper protection, which prevents Microsoft Defender for Endpoint (your security settings) from being changed.
Block credential stealing from the Windows local security authority subsystem: attack surface reduction (ASR) rules are the most effective method for blocking the most common attack techniques used in cyberattacks and malicious software.
Turn on Microsoft Defender Credential Guard to isolate secrets so that only privileged system software can access them.
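As an added example (not code from the original post or from Microsoft), the script below audits a Windows endpoint against the Windows items in the list above: tamper protection, EDR block mode, the LSASS credential-theft ASR rule, and Credential Guard. It uses the documented GUID of the ASR rule "Block credential stealing from the Windows local security authority subsystem" and assumes an elevated session on a device with the Defender and Device Guard modules present; the Linux items are configured with mdatp and are not covered here.

```powershell
# Added example: report which endpoint recommendations are not yet in place on this device.
# Documented GUID of the ASR rule "Block credential stealing from the Windows local
# security authority subsystem (lsass.exe)".
$LsassAsrRule = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"

function Get-AsrRuleState {
    param([string]$RuleId)
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $RuleId) {
            return $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return 0   # rule not configured at all
}

$status = Get-MpComputerStatus
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

$findings = [ordered]@{
    # Tamper protection is switched on from the Defender portal or Intune, not on the device.
    "Tamper protection on"           = [bool]$status.IsTamperProtected
    # "EDR Block Mode" is reported when Defender AV is passive and EDR in block mode is on;
    # "Normal" means Defender AV is the primary AV and blocks on its own.
    "EDR block mode or active AV"    = $status.AMRunningMode -in @("Normal", "EDR Block Mode")
    # Only action 1 (Block) stops LSASS credential theft; Audit and Warn merely report it.
    "ASR LSASS rule set to Block"    = (Get-AsrRuleState -RuleId $LsassAsrRule) -eq 1
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    "Credential Guard running"       = $dg.SecurityServicesRunning -contains 1
}

$findings.GetEnumerator() | ForEach-Object {
    "{0,-30} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "REMEDIATE" })
}

# The ASR rule is the one item that can be fixed locally; Add-MpPreference appends to the
# existing rule list instead of overwriting it.
if ((Get-AsrRuleState -RuleId $LsassAsrRule) -ne 1) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}
```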
Cloud protection recommendations
Key Vaults should have purge protection enabled to prevent immediate, irreversible deletion of vaults and secrets.
To reduce the risk of overly permissive inbound rules on virtual machines' management ports, enable just-in-time (JIT) network access control.
Microsoft Defender for Cloud recommends encrypting data with customer-managed keys (CMK) to support strict compliance or regulatory requirements. To reduce risk and improve control, enable CMK to manage your own encryption keys through Microsoft Azure Key Vault.
Enable logs in Azure Key Vault and retain them for up to a year. This lets you recreate activity trails for investigation when a security incident occurs or your network is compromised.
Microsoft Azure Backup should be enabled for virtual machines to protect the data on your Microsoft Azure virtual machines and to create recovery points that are stored in geo-redundant recovery vaults.
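As an added example (not code from the original post or from Microsoft), the function below audits every Key Vault in the current Azure subscription for the two Key Vault items above, purge protection and diagnostic logging, and can optionally turn purge protection on. It assumes the Az.Accounts, Az.KeyVault and Az.Monitor modules and an existing Connect-AzAccount session with read (and, for remediation, write) access to the vaults.

```powershell
# Added example: audit Key Vaults for purge protection and diagnostic logging.
# Assumes Az.KeyVault and Az.Monitor are installed and Connect-AzAccount has run.
function Get-KeyVaultPosture {
    param([switch]$Remediate)
    foreach ($kv in Get-AzKeyVault) {
        # The list call returns summary objects; fetch the full vault to read its properties.
        $vault = Get-AzKeyVault -VaultName $kv.VaultName -ResourceGroupName $kv.ResourceGroupName
        $diag  = Get-AzDiagnosticSetting -ResourceId $vault.ResourceId -ErrorAction SilentlyContinue
        $result = [pscustomobject]@{
            Vault           = $vault.VaultName
            SoftDelete      = [bool]$vault.EnableSoftDelete
            PurgeProtection = [bool]$vault.EnablePurgeProtection
            DiagnosticsSet  = ($diag | Measure-Object).Count -gt 0
        }
        # Purge protection cannot be disabled once enabled, so only change it when asked to.
        if ($Remediate -and -not $result.PurgeProtection) {
            Update-AzKeyVault -VaultName $vault.VaultName `
                              -ResourceGroupName $vault.ResourceGroupName `
                              -EnablePurgeProtection | Out-Null
            $result.PurgeProtection = $true
        }
        $result
    }
}

# Show only vaults that still miss one of the two recommendations.
Get-KeyVaultPosture |
    Where-Object { -not ($_.PurgeProtection -and $_.DiagnosticsSet) } |
    Format-Table -AutoSize
```

DiagnosticsSet only confirms that a diagnostic setting exists; the destination and its retention period, up to a year as recommended above, still have to be checked in that setting.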
Explore security solutions
To learn more about Microsoft Security solutions, visit our website. Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters.
Also, follow us on Microsoft Security LinkedIn and @MSFTSecurity on X for the latest news and updates on cybersecurity.