Buy different
Business internet
Direct Internet for
SMEEnterpriseReal EstatePublic SectorChannel
Connectivity products
Direct InternetDiverse Direct InternetManaged FailoverDDoS ProtectionCloud ConnectRapid Install
Resources
Content & case studiesEventsFAQs
Contact
Get in touch
Back to blogs
Insights

Marks & Spencer cyberattack: Scattered Spider

August 12, 2025

|

8

min read

Follow me on Linkedin as

Highlights

Marks & Spencer suffered a major cyberattack by Scattered Spider, involving credential theft, data exportation, and ransomware. This breach breakdown outlines what happened and what could have helped prevent the attack.

Breach breakdown

In April 2025, Marks & Spencer (M&S) was hit by a serious cyberattack, and not by amateurs. The group behind it, known as Scattered Spider (also known as UNC3944 or Octo Tempest) has a track record. They’ve already taken on major U.S. giants like Caesars Entertainment and MGM Resorts.

Our 40Fi DFND team has done a deep dive into what happened and, more importantly, how businesses like yours can stay protected.

Figure 1: M&S store front

Want practical, jargon-free cybersecurity advice tailored for your business?
Join our free workshop with the City of London Police. Register now.

How they got in

Scattered Spider used smart, targeted phishing emails and impersonated IT staff to trick people into handing over their credentials. They even used a tactic called "MFA fatigue", which consisted of spamming employees with repeated login requests until one was mistakenly approved.

Threat intelligence researcher, Lontz reported on suspected Scattered Spider infrastructure (see figure 2), involving fake domains designed to mimic legitimate login pages of well-known websites. A spoofed company login page could have been created to get access to M&S employee login details.

Figure 2: Lontz malicious domain post via X

What happened after they got in

Initial access to M&S systems is believed to have been as early as February. Once in, the attackers used stolen administrative credentials to deploy legitimate remote administration tools (RATs). This gave them ongoing control over key systems (including employee devices), helping them stay hidden while moving through the network.

Here's what they did:
  • Installed remote desktop access tools like AnyDesk and TeamViewer - the same kind real IT teams would use
  • Moved around through different M&S’s internal systems to grab as much data as possible
  • Targeted critical assets like password databases and user credentials

Finally, they created secret access points, hidden accounts, and scheduled tasks to make sure they could stay inside the company's network without getting noticed.

The attack

On April 24, Scattered Spider launched the DragonForce ransomware attack on M&S’ VMware ESXi servers, encrypting virtual machines that powered key systems for e-commerce, payment processing, and logistics (see figure 3).

Figure 3: DragonForce ransom note and negotiation software

As a result, M&S had no choice but to shut down key systems entirely (including online orders and contactless payments), and call in top cybersecurity experts from CrowdStrike, Microsoft, and Fenix24 to contain the damage and start the recovery process (see figure 4).

Figure 4: M&S online website having paused online orders

What this means for you

While M&S is a major player, the tactics used in this breach aren’t just for corporations, they work just as well against small businesses. Groups like Scattered Spider rely on common tools and stolen identities to gain trust and slip past normal security. The key lesson? Always verify the people and systems you rely on, whether they’re inside your team or external partners.

What you can do to improve cybersecurity for your business

5 quick wins to protect your business
  1. Train your team – teach employees to spot dodgy emails, spoofed links, and sketchy login pages.
  2. Use strong passwords – create long, complex passwords that include a mix of uppercase and lowercase letters, numbers, and special characters. Never reuse passwords across different accounts.
  3. Enable multi-factor authentication (MFA) – this adds an extra layer of security beyond just a password.
  4. Stay vigilent – do not open email attachments or click on links unless you are certain of their legitimacy. If you have any doubts, report the email to your security team immediately.
  5. Report suspicious activity fast – if you receive unexpected MFA prompts, suspicious login alerts, or calls requesting your credentials, report them to your security team as soon as possible.

Additional information

Get in touch.

Tell us about yourself so we can serve you best.

Got a question?

No items found.

More articles

Two UK telecoms professionals working with fibre cables.
Thought leadership
August 11, 2025
Business broadband vs leased line: the key differences (plus comparison table)
Read More

Business broadband vs leased line: the key differences?

Expert conclusion: The label ‘business broadband’ doesn’t really mean anything – the term covers a wide range of services, each with very different experiences. Get into the details, and save yourself a lot of frustration and disappointment.

Broadband vs leased line explained

  • Broadband: A standard, shared internet connection typically designed for home use, but sometimes used in small offices. Speeds can vary, especially during busy times, and upload speeds are often much lower than downloads – which can limit performance for modern business applications.
  • Leased line: A private, dedicated connection between your premises and your provider. Symmetrical speeds, guaranteed performance, and no sharing with neighbours - specifically designed to meet the demands of modern business connectivity.

What is business broadband?

Most of the time, it’s just the same product as the ISP (Internet Service Provider) sells to their residential customers, but more expensive and probably bundled with a low-level cyber security product.

It has a dedicated web page, with stock photos of people doing business. And it comes with some comforting words to tell you that they know how hard business is. Excruciating.

Your traffic isn’t prioritised. Your connection isn’t dedicated. And if you have an ‘account manager’, they’re probably responsible for literally thousands of customers like you.

If you pay more, you might get a commitment to investigate faults within a given time – usually within a day.

When you’re looking for business broadband, bear these things in mind. Look at the details to see if you’re simply being sold a standard home broadband package disguised as a business solution.

What does great internet connectivity for business look like?

It’s very easy to call something business broadband. But it’s a very different thing to provide internet connectivity that’s genuinely fast and reliable enough for London business in 2025.

One of the fundamental features of an internet product for business is a dedicated connection.

‘Broadband’ or ‘FTTP’ (that’s Fibre to the Premise) means that the service you’re paying for is shared between you and typically 30 of your neighbours – whether they’re houses or other businesses.

So when you have a broadband or FTTP connection, don’t expect to get the Gbps speeds you’ve paid for at busy times (which is most of the working day). It’s cheap, and it connects. But it’s not a product that you can rely on to keep your business running.

At the busiest times, you'll have to hope that it’ll give you what you need. That might mean putting up with a poor-quality video call, a painful wait downloading a PowerPoint, or an eternity for every employee to log in to Teams at 9am.

Internet connectivity that you and your business can rely on is going to be dedicated to you, and that means taking a leased line (also knows as DIA, or direct internet access).

What is the difference between business broadband and business leased line or ‘dedicated’ internet (DIA)?

One word: reliability.

That’s the key difference between the experience of these two technologies: how much you can rely on your connection, and how that impacts your business. We see it in every customer interaction as they move from broadband to direct internet – the shackles are off.

While business broadband infrastructure is shared with the businesses and houses around you, leased line (or direct internet) infrastructure is dedicated to you – it isn’t shared with anyone.

It’s your connection, and every bit of the bandwidth you’re paying for is yours. It’s guaranteed. Always giving you the internet speed and capacity you need, no matter how busy things get.

The whole Manchester office coming down for a team day? No problem. Sending a broadcast-quality video file to a client on a deadline? Easy. Worrying about signing up to a new cloud-based software for project management? Don’t. Putting the CEO on a video call that has to be perfect? Do it.  

A 10Gbps leased line ensures you always have the speed you need. It’s a service you and your business can rely on.

What are the key features of business leased line and business broadband?

Leased line:

• Dedicated to one customer – a dedicated, private cable between your office and your provider's data centre

• Symmetrical – you get the same upload speed as download speed

• Highly reliable

Broadband:

• Shared circuit by up to 32 users

• Usually asymmetrical – upload typically much slower than download

• Prone to performance issues, particularly during the working day

The technology explained

We’ve covered the difference in experience, but what’s the technology difference?

A ‘leased line’ is a dedicated fibre connection between your office space and your provider’s spot in a data centre (often called a Point of Presence, or PoP). This is where your connection reaches the internet or cloud.

Your proximity to the provider’s data centre is important for latency – which is the speed at which things happen online. It’s not to be confused with upload and download speed, which is how long content takes to get to/from you. It’s more like how quickly the order you give is obeyed.

Two more important features of a leased line network are how many data centres your provider connects to, and how many diverse routes they have between you and those centres.

More than one data centre, and numerous routes equals resilience. And resilience is vital in business internet connections. If one route gets blocked, your data has alternative routes so there's no disruption.

Leased lines use fibre, but they’re not like residential broadband as the fibre line isn’t shared. You’ll often read about leased lines being called Ethernet, but the main terms to look out for are Leased line or Direct Internet Access (DIA).

A broadband connection is typically PON-based – that’s passive optical network, and relates to the way in which ‘splitters’ are used to connect multiple customers to the same fibre. It’s a revolutionary technology when it comes to delivering fibre to multiple homes, where super low cost is the main driver. But for business, it’s ‘best effort’, at best.

It’s cheap to deliver, and so it’s relatively cheap to buy. But it comes with the reality that you cannot rely on it. If the other homes or businesses on your fibre are using the network, then you’ll suffer.

What are the benefits of a leased line?

A dedicated connection means guaranteed bandwidth

With a leased line, you get every bit you pay for, unlike a shared ‘broadband’ connection, where you can pay for 1Gbps but it’s highly unlikely you’ll ever see that speed.

A connection you can rely on

Always the speed you’ve paid for and infrastructure that’s backed up by an SLA (Service Level Agreement) – and automatic compensation if you choose a really good ISP. And the ability to order a back-up line, to increase the resilience of your service.

Lower latency

The more direct architecture and quicker route to a data centre (where your connection hits the internet) means a leased line will almost always offer lower latency than a broadband connection.

Upload that matches download

Most broadband, FTTP and cable services advertise the download speed but keep quiet on upload – that’s because upload is significantly slower in these services, often as little as a tenth of the speed. Leased lines have ‘symmetrical’ download and upload.

Enhanced security

Security can never be taken for granted, so check on the Infosec and compliance qualifications of your provider – typically, those selling residential-grade services won’t invest in this area, but serious business providers recognise the huge benefit to their customers.

A feature comparison

What you get Business Broadband Leased Line
Dedicated connection ❌ Shared ✅ Yes, 1:1
Symmetrical speeds (upload equals download) ❌ No ✅ Yes
Fix-time guarantee ❌ Often just a promise to investigate ✅ Fix-time SLA + compensation
Security level ❌ Basic/add-ons ✅ Business-grade options
Scalability ❌ Limited ✅ Easily scalable
Performance during peak hours ❌ Often poor ✅ Unaffected
Cloud and video performance ❌ Risk of lag / buffering ✅ Reliable
Monthly cost ✅ Lower ❌ Higher
Ideal for... Solo users/very small teams Teams that rely on fast connectivity, global collaboration and cloud tools
Company news
July 21, 2025
Vorboss expands managed service and cybersecurity offerings, closes three strategic acquisitions
Read More

London, 17 July 2025

Vorboss, London’s leading fibre network built exclusively for business, today announced the expansion of its managed services portfolio, reinforcing its position as the trusted single provider for the city’s enterprise connectivity needs. This strategic move reflects the growing demand for comprehensive, resilient services from a single, expert partner – particularly in light of the increasing complexity of cybersecurity threats and IT infrastructure.

  • London businesses can now consolidate connectivity, managed services, and cybersecurity, backed by the fastest fibre network built exclusively for businesses
  • Completed acquisitions of 40fi (cybersecurity) and Optimity (managed services), and strategic investment in Layer8 (network management for commercial real estate)
  • 80+ new specialists join Vorboss, expanding total workforce to nearly 400

As part of this strategy, Vorboss has closed three acquisitions designed to broaden its capabilities beyond its core strength in managed network infrastructure. Among these are 40fi, a respected cybersecurity business, and Optimity, a leading provider of managed IT services. Together, these acquisitions bring an additional 80 experienced professionals into the Vorboss team, significantly enhancing the company’s ability to deliver end-to-end solutions for London’s most demanding businesses. Vorboss is excited to welcome the hundreds of customers that Optimity and 40fi serve across the UK today, and look forward to continuing the high levels of customer service and technical expertise currently provided.

This expansion addresses a clear and urgent need from Vorboss customers: the ability to consolidate connectivity, IT, and security under one accountable provider. By integrating cybersecurity expertise and managed IT services capabilities into its offering, Vorboss is now uniquely positioned to provide a comprehensive suite of services – spanning secure network infrastructure, endpoint management, threat mitigation, and strategic IT and cybersecurity consultancy.  

Tim Creswick, CEO of Vorboss:

“Vorboss has a long history in managed services, but for the last 6 years, our focus has been on delivering the best enterprise fibre network London has ever seen. That has been a huge project, commanding millions of hours of labour from our team, and we are now connecting thousands of business customers to that network – all at 10Gbps and above. I’m excited that we’re now able to return to some of our managed services roots, with the timely addition of cybersecurity services. These are things that our customers and partners ask us about all the time. As operators of extensive, high-capacity infrastructure, we have a huge amount of real expertise in-house already, so customers know that they’re getting advice from real practitioners, not just consultants.

The addition of the Optimity and 40fi teams gives us some immediate scale to address those customer needs, with the same vertically integrated, high quality approach that they’ve come to love from us”.  

In addition, Vorboss has also invested in Layer8, a first-of-a-kind software platform enabling building operators to automate, manage, and monetise their networks. Designed for commercial real estate environments, Layer8 gives building managers, managed service providers (MSPs), and non-technical users simple, secure control over on-site network infrastructure.

Vorboss Limited is registered in England and Wales at: 10 Exchange Square, London, United Kingdom, EC2A 2BR Company number: 05678571

©2025 Vorboss, All rights reserved

Cookies PolicyPrivacy PolicyVorboss Trust Centre
About
Buy differentCareersAcademyNewsLocations
Customers
BusinessEnterpriseCommercial Real Estate
Partners
Products
10G100GOur Products
Contact us
Call us:
+44 (0) 20 3582 8500
Email us:
hello@vorboss.com

10 Exchange Square, London,
EC2A 2BR

Complaints Policy

Certification no. C2023-03244


ISO 9001:2015
Quality Management System
Certification no. C2023-02886


ISO 45001:2018
Health and Safety Management System
Certification no. C2023-03242


ISO/IEC 27001:2022
Information Security Management System
Certification nos. 23012EMS001, 23012BCM001

ISO 14001:2015, ISO 22301:2019
Business Continuity Management System