Scattered Spider exploits Slack and Microsoft Teams in latest Ransomware campaign

 

The FBI and UK’s NCSC have issued a joint advisory warning that the ransomware group Scattered Spider is now exploiting popular collaboration tools like Slack and Microsoft Teams to gain unauthorised access to enterprise networks.

 

The group, also known as UNC3944 or 0ktapus, is deploying advanced social engineering techniques by impersonating employees to trick internal users and IT support into handing over credentials or resetting passwords. 

 

Instead of relying on phishing emails, the attackers now hijack or create new accounts on workplace platforms to initiate chats that appear legitimate. Once inside, they request password resets, escalate privileges, or deliver malicious payloads, often using tactics like push-bombing (MFA fatigue) and SIM-swapping.

 

This shift toward business communication compromise reflects a growing trend in threat actor tactics, leveraging trusted internal tools to bypass traditional email security measures.

 

The attackers have been linked to high-profile breaches across telecoms, retail, healthcare, and airlines, using the DragonForce ransomware variant, along with data theft and extortion.

 

Security researchers say the success of these attacks lies in the misplaced trust users place in internal communication channels. 

 

Authorities further note that identity providers such as Okta, and cloud platforms like Snowflake, are increasingly being targeted to expand access and hinder incident response.

 

Organisations are urged to monitor internal platforms, enforce strict identity verification, and educate users about the growing threat of social engineering within trusted tools.