In recent weeks, Microsoft has observed Octo Tempest, also known as Scattered Spider, impacting the airlines sector, following earlier activity impacting retail, food services, hospitality organizations, and insurance between April and July 2025. This aligns with Octo Tempest's typical pattern of targeting one industry for several weeks or months before moving on to new targets. Microsoft Security products continue to update security coverage as these shifts occur.
To help protect and inform customers, this blog highlights the security coverage across the Microsoft Defender and Microsoft Sentinel security ecosystem and provides security posture hardening recommendations to protect against threat actors like Octo Tempest.
Overview of Octo Tempest
Octo Tempest, also known in the industry as Scattered Spider, Muddled Libra, UNC3944, or 0ktapus, is a financially motivated cybercriminal group that has been observed impacting organizations using varying techniques in their end-to-end attacks. Their approach includes:
- Gaining initial access through social engineering attacks, impersonating a user and contacting service desk support via phone calls, emails, and messages.
- Short Message Service (SMS)-based phishing using adversary-in-the-middle (AiTM) domains that mimic legitimate organizations.
- Using tools such as ngrok, Chisel, and AADInternals.
- Impacting hybrid identity infrastructures and exfiltrating data to support extortion or ransomware operations.
Recent activity shows Octo Tempest has deployed DragonForce ransomware with a specific focus on VMware ESX hypervisor environments. In contrast to earlier patterns, where Octo Tempest used cloud identity privileges to gain on-premises access, recent activity has involved impacting both on-premises accounts and infrastructure at the initial stage of an intrusion before transitioning to cloud access.
Octo Tempest detection coverage
Microsoft Defender has a range of detections for Octo Tempest-related activity and more. These detections span all areas of the security portfolio, including endpoints, identities, software as a service (SaaS) apps, email and collaboration tools, cloud workloads, and more, to provide comprehensive security coverage. Shown below is a list of known Octo Tempest tactics, techniques, and procedures (TTPs) observed in recent attack chains, mapped to detection coverage.

| Tactic | Technique | Microsoft Security Coverage (non-exhaustive) |
| --- | --- | --- |
| Initial Access | Initiating password reset on target's credentials | Unusual user password reset in your virtual machine (MDC) |
| Discovery | Continuing environmental reconnaissance | Suspicious credential dump from NTDS.dit (MDE); Account enumeration reconnaissance (MDI); Network-mapping reconnaissance (DNS) (MDI); User and IP address reconnaissance (SMB) (MDI); User and Group membership reconnaissance (SAMR) (MDI); Active Directory attributes reconnaissance (LDAP) (MDI) |
| Credential Access, Lateral Movement | Identifying Tier-0 assets | Mimikatz credential theft tool (MDE); ADExplorer collecting Active Directory information (MDE); Security principal reconnaissance (LDAP) (MDI); Suspicious Azure role assignment detected (MDC); Suspicious elevate access operation (MDC); Suspicious domain added to Microsoft Entra ID (MDA); Suspicious domain trust modification following risky sign-in (MDA) |
| | Gathering additional credentials | Suspected DCSync attack (replication of directory services) (MDI); Suspected AD FS DKM key read (MDI) |
| | Accessing enterprise environments with VPN and deploying VMs with tools to maintain access in compromised environments | 'Ngrok' hacktool was prevented (MDE); 'Chisel' hacktool was prevented (MDE); Possibly malicious use of proxy or tunneling tool (MDE); Possible Octo Tempest-related device registered (MDA) |
| Defense Evasion, Persistence | Leveraging EDR and management tooling | Tampering activity typical to ransomware attacks (MDE) |
| Persistence, Execution | Installing a trusted backdoor | ADFS persistent backdoor (MDE) |
| Actions on Objectives | Staging and exfiltrating stolen data | Possible exfiltration of archived data (MDE); Data exfiltration over SMB (MDI) |
| | Deploying ransomware | 'DragonForce' ransomware was prevented (MDE); Possible hands-on-keyboard pre-ransom activity (MDE) |

Abbreviations: MDE = Microsoft Defender for Endpoint; MDI = Microsoft Defender for Identity; MDA = Microsoft Defender for Cloud Apps; MDC = Microsoft Defender for Cloud.
Disrupting Octo Tempest attacks
Disrupt in-progress attacks with automatic attack disruption:
Attack disruption is Microsoft Defender's unique, built-in self-defense capability that consumes multi-domain signals, the latest threat intelligence, and AI-powered machine learning models to automatically predict and disrupt an attacker's next move by containing the compromised asset (user, device). This technology uses several possible indicators and behaviors, including all of the detections listed above, possible Microsoft Entra ID sign-in attempts, and possible Octo Tempest-related sign-in activity, and correlates them across the Microsoft Defender workloads into a high-fidelity incident.
Based on earlier learnings from common Octo Tempest techniques, attack disruption automatically disables the user account used by Octo Tempest and revokes all existing active sessions of the compromised user.
While attack disruption can contain the attack by cutting off the attacker, it is essential for security operations center (SOC) teams to conduct incident response activities and post-incident analysis to help ensure the threat is fully contained and remediated.
Investigate and hunt for Octo Tempest-related activity:
Octo Tempest is notorious for aggressive social engineering tactics, often impacting individuals with specific permissions to gain legitimate access and move laterally through networks. To help organizations identify this activity, customers can use Microsoft Defender's advanced hunting capability to proactively investigate and respond to threats across their environment. Analysts can query across both first- and third-party data sources powered by Microsoft Defender XDR and Microsoft Sentinel. In addition to these tables, analysts can also use exposure insights from Microsoft Security Exposure Management.
Using advanced hunting and the Exposure Graph, defenders can proactively assess and hunt for the threat actor's related activity, identify which users are most likely to be targeted, and determine what the impact of a compromise would be, strengthening defenses before an attack occurs.
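As an added example (not part of the original post), the following advanced hunting query takes the alert titles from the coverage table above and ranks the accounts and devices that appear under more than one alert category, the multi-stage pattern that attack disruption correlates into an incident. It assumes the standard Defender XDR AlertInfo and AlertEvidence columns and that your tenant's alert titles contain the listed substrings; adjust them if your portal names differ.

```kql
// Added example, not from the original post: rank the principals that appear
// under more than one alert category among the Octo Tempest-related detections
// listed in the coverage table above. Assumes the Defender XDR AlertInfo and
// AlertEvidence schema and that portal alert titles contain these substrings.
let lookback = 30d;
let octoTitles = dynamic([
    "Unusual user password reset in your virtual machine",
    "Suspicious credential dump from NTDS.dit",
    "Mimikatz credential theft tool",
    "ADExplorer collecting Active Directory information",
    "Suspicious Azure role assignment detected",
    "Suspicious elevate access operation",
    "Suspicious domain added to Microsoft Entra ID",
    "Suspicious domain trust modification following risky sign-in",
    "Suspected DCSync attack",
    "Suspected AD FS DKM key read",
    "Ngrok", "Chisel",
    "Possibly malicious use of proxy or tunneling tool",
    "Possible Octo Tempest-related device registered",
    "Tampering activity typical to ransomware attacks",
    "ADFS persistent backdoor",
    "Possible exfiltration of archived data",
    "Data exfiltration over SMB",
    "DragonForce",
    "Possible hands-on-keyboard pre-ransom activity"
]);
AlertInfo
| where Timestamp > ago(lookback)
| where Title has_any (octoTitles)
| project AlertId, Timestamp, Title, Category, ServiceSource
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType in ("User", "Machine")
    // Prefer the UPN, then DOMAIN\name for on-premises accounts, then the device.
    | extend Principal = case(isnotempty(AccountUpn), AccountUpn,
                              isnotempty(AccountName), strcat(AccountDomain, @"\", AccountName),
                              DeviceName)
    | where isnotempty(Principal)
    | project AlertId, EntityType, Principal
  ) on AlertId
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Stages = dcount(Category), Categories = make_set(Category),
            Alerts = make_set(Title), Sources = make_set(ServiceSource)
            by Principal, EntityType
// Two or more categories against one principal (e.g. Discovery then CredentialAccess) is the pattern to triage first.
| where Stages >= 2
| order by Stages desc, LastSeen desc
```

Principals returned with only one category are not dropped from the data, only from this view; lower the `Stages` threshold to 1 to see every principal the listed detections touched.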
Proactive protection against Octo Tempest
Microsoft Security Exposure Management, available in the Microsoft Defender portal, equips security teams with capabilities such as critical asset protection, threat actor initiatives, and attack path analysis that enable them to proactively reduce exposure and mitigate the impact of Octo Tempest's hybrid attack tactics.
Ensure critical assets stay protected
Customers should ensure critical assets are labeled as critical in the Microsoft Defender portal to generate relevant attack paths and recommendations in initiatives. Microsoft Defender automatically identifies critical devices in your environment, but teams should also create custom rules and expand critical asset identifiers to enhance protection.
Take action to minimize impact with initiatives
Exposure Management's initiatives feature provides goal-driven programs that unify key insights to help teams harden defenses and act fast on real threats. To address the most pressing risks related to Octo Tempest, we recommend organizations start with the initiatives below:
- Octo Tempest Threat Initiative: Octo Tempest is known for tactics like extracting credentials from the Local Security Authority Subsystem Service (LSASS) using tools like Mimikatz and signing in from attacker-controlled IPs, both of which can be mitigated through controls like attack surface reduction (ASR) rules and sign-in policies. This initiative brings these mitigations together into a focused program, mapping real-world attacker behaviors to actionable controls that help reduce exposure and disrupt attack paths before they escalate.
- Ransomware Initiative: A broader initiative focused on reducing exposure to extortion-driven attacks by hardening the identity, endpoint, and infrastructure layers. It provides recommendations tailored to your organization.
![A screenshot of the Actor Profile: Octo Tempest [Preview] dashboard.](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2025/07/Actor-Profile.webp)
Investigate on-premises and hybrid attack paths
Security teams can use attack path analysis to trace cross-domain threats, like those used by Octo Tempest, who have exploited the critical Entra Connect server to pivot into cloud workloads, escalate privileges, and expand their reach. Teams can use the 'Chokepoint' view in the attack path dashboard to highlight entities appearing in multiple paths, making it easy to filter for helpdesk-linked accounts, a known Octo Tempest target, and prioritize their remediation.
Given Octo Tempest's hybrid attack strategy, a representative attack path may look like this:

Recommendations
In today's threat landscape, proactive security is essential. By following security best practices, you reduce the attack surface and limit the potential impact of adversaries like Octo Tempest. Microsoft recommends implementing the following to help strengthen your overall posture and stay ahead of threats:
Identity security recommendations
Endpoint security recommendations
- Enable Microsoft Defender Antivirus cloud-delivered protection for Linux.
- Turn on Microsoft Defender Antivirus real-time protection for Linux.
- Enable Microsoft Defender for Endpoint EDR in block mode to block post-breach malicious behavior on the device through behavior blocking and containment capabilities.
- Turn on tamper protection, which prevents Microsoft Defender for Endpoint (your security settings) from being changed.
- Block credential stealing from the Windows local security authority subsystem: attack surface reduction (ASR) rules are the most effective method for blocking the most common attack techniques used in cyberattacks and malicious software.
- Turn on Microsoft Defender Credential Guard to isolate secrets so that only privileged system software can access them.
Cloud security recommendations
- Key Vaults should have purge protection enabled to prevent immediate, irreversible deletion of vaults and secrets.
- To reduce the risk of overly permissive inbound rules on virtual machines' management ports, enable just-in-time (JIT) network access control.
- Microsoft Defender for Cloud recommends encrypting data with customer-managed keys (CMK) to support strict compliance or regulatory requirements. To reduce risk and improve control, enable CMK to manage your own encryption keys through Microsoft Azure Key Vault.
- Enable logs in Azure Key Vault and retain them for up to a year. This lets you recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
- Microsoft Azure Backup should be enabled for virtual machines to protect the data on your Microsoft Azure virtual machines and to create recovery points that are stored in geo-redundant recovery vaults.
Explore security solutions
To learn more about Microsoft Security solutions, visit our website. Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters.
Also, follow us on Microsoft Security LinkedIn and @MSFTSecurity on X for the latest news and updates on cybersecurity.