Highlights
Marks & Spencer suffered a major cyberattack by Scattered Spider, involving credential theft, data exfiltration, and ransomware. This breach breakdown outlines what happened and what could have helped prevent the attack.
Breach breakdown
In April 2025, Marks & Spencer (M&S) was hit by a serious cyberattack, and not by amateurs. The group behind it, known as Scattered Spider (also tracked as UNC3944 or Octo Tempest), has a track record: it has already taken on major U.S. giants such as Caesars Entertainment and MGM Resorts.
Our team has done a deep dive into what happened and, more importantly, how businesses like yours can stay protected.
How they got in
Scattered Spider used targeted phishing emails and impersonated IT staff to trick people into handing over their credentials. They also used a tactic called "MFA fatigue": bombarding employees with repeated MFA push prompts until one was approved by mistake.
Threat intelligence researcher Lontz reported on suspected Scattered Spider infrastructure (see figure 2), involving fake domains designed to mimic the legitimate login pages of well-known websites. A spoofed company login page could have been used to capture M&S employee login details.
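The MFA fatigue pattern described above leaves a recognisable trace in identity-provider logs: a burst of push prompts for one account, most of them denied or timed out, followed by an approval. The following detector is an added example (not code from the original article or from any of the parties it names); the log format and the sample lines are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
"""Flag MFA-fatigue bursts in authentication push logs.

Added example, not part of the original article. The key=value log format
and the sample lines below are constructed; real identity providers use
their own schemas, so adapt parse_line() accordingly.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice receives a storm of prompts and finally approves
# one (the fatigue pattern); bob shows ordinary, widely spaced activity.
SAMPLE_LOG = """\
2025-02-10T08:00:05Z user=alice event=mfa_push result=denied ip=203.0.113.7
2025-02-10T08:00:41Z user=alice event=mfa_push result=timeout ip=203.0.113.7
2025-02-10T08:01:12Z user=alice event=mfa_push result=denied ip=203.0.113.7
2025-02-10T08:01:50Z user=alice event=mfa_push result=timeout ip=203.0.113.7
2025-02-10T08:02:30Z user=alice event=mfa_push result=approved ip=203.0.113.7
2025-02-10T08:05:00Z user=bob event=mfa_push result=approved ip=198.51.100.4
2025-02-10T09:30:00Z user=bob event=mfa_push result=denied ip=198.51.100.4
2025-02-10T09:31:00Z user=bob event=mfa_push result=approved ip=198.51.100.4
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def _assess_burst(user, burst, min_prompts):
    """Raise one alert for a burst that is long enough to look like fatigue."""
    if len(burst) < min_prompts:
        return []
    failed = sum(1 for r in burst if r["result"] != "approved")
    return [{
        "user": user,
        "start": burst[0]["ts"].isoformat(),
        "prompts": len(burst),
        "failed": failed,
        # An approval at the end of a storm of refusals is the highest-risk case.
        "ended_approved": burst[-1]["result"] == "approved",
    }]


def detect_mfa_fatigue(log_text, max_gap=timedelta(minutes=5), min_prompts=4):
    """Group each user's push prompts into bursts (consecutive prompts no more
    than max_gap apart) and alert on bursts of at least min_prompts."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            events[rec["user"]].append(rec)

    alerts = []
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        burst = [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            if cur["ts"] - prev["ts"] <= max_gap:
                burst.append(cur)
            else:
                alerts.extend(_assess_burst(user, burst, min_prompts))
                burst = [cur]
        alerts.extend(_assess_burst(user, burst, min_prompts))
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

Bursts are grouped by inter-prompt gap rather than by a fixed clock window so that a slow trickle of prompts spread over an hour is not mistaken for a storm; an alert whose `ended_approved` flag is set is the one worth paging on, since it means the attacker likely now holds a valid session. Number-matching or hardware-key MFA removes the pattern entirely, because there is no prompt to approve by mistake.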
[Figure 2: suspected Scattered Spider phishing infrastructure mimicking legitimate login pages]
What happened after they got in
Initial access to M&S systems is believed to date back to as early as February. Once in, the attackers used stolen administrative credentials to deploy legitimate remote administration tools (RATs). This gave them ongoing control over key systems (including employee devices) and helped them stay hidden while moving through the network.
Here's what they did:
- Installed remote desktop access tools such as AnyDesk and TeamViewer, the same kind of tools real IT teams use
- Moved laterally through M&S's internal systems to grab as much data as possible
- Targeted critical assets such as password databases and user credentials
Finally, they created backdoors, hidden accounts, and scheduled tasks to make sure they could stay inside the company's network without being noticed.
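Each of the persistence mechanisms listed above (a remote-access tool that IT never sanctioned, a new scheduled task, a new privileged account) shows up as a difference between a host's current state and a known-good baseline. The audit below is an added example, not code from the original article; the snapshot and baseline dictionaries are constructed, their shape is an assumption, and a real deployment would populate them from the EDR or configuration-management inventory.

```python
"""Diff a host snapshot against a known-good baseline to surface the
persistence footholds described above. Added example, not from the
original article; data structures are constructed for illustration.
"""

# Remote-access products named in the article; extend with whatever your
# environment does not sanction. Compared case-insensitively.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer"}

# Constructed known-good baseline captured when the host was built.
BASELINE = {
    "software": {"office suite", "web browser", "edr agent", "teamviewer"},
    "scheduled_tasks": {
        "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
        "\\Backup\\NightlyBackup",
    },
    "local_admins": {"Administrator", "it-support"},
}

# Constructed current snapshot of the same host after a compromise.
SNAPSHOT = {
    "software": {"office suite", "web browser", "edr agent", "teamviewer", "AnyDesk"},
    "scheduled_tasks": {
        "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
        "\\Backup\\NightlyBackup",
        "\\Updater\\SystemHealthCheck",  # constructed: not in baseline
    },
    "local_admins": {"Administrator", "it-support", "svc_backup$"},
}


def audit_host(snapshot, baseline, approved_remote_tools=frozenset()):
    """Return findings grouped by category.

    Remote-access tools are judged against the approved list rather than the
    baseline, because a baseline captured after the intrusion would
    silently bless the attacker's tool.
    """
    present_remote = {s for s in snapshot["software"] if s.lower() in REMOTE_ACCESS_TOOLS}
    approved = {t.lower() for t in approved_remote_tools}
    return {
        "unapproved_remote_tools": {s for s in present_remote if s.lower() not in approved},
        "new_scheduled_tasks": snapshot["scheduled_tasks"] - baseline["scheduled_tasks"],
        "new_local_admins": snapshot["local_admins"] - baseline["local_admins"],
    }


def findings_to_lines(findings):
    """Flatten findings into sortable one-line records for a ticket or SIEM."""
    lines = []
    for category, items in findings.items():
        for item in sorted(items):
            lines.append(f"{category}: {item}")
    return sorted(lines)


if __name__ == "__main__":
    result = audit_host(SNAPSHOT, BASELINE, approved_remote_tools={"teamviewer"})
    for line in findings_to_lines(result):
        print(line)
```

Here TeamViewer is on the approved list, so only the unsanctioned AnyDesk install is flagged, together with the unexplained scheduled task and the extra local administrator. The useful habit is to run this diff on a schedule and to re-baseline only after a human has reviewed and accepted each difference, so the baseline never quietly absorbs an attacker's changes.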
The attack
On April 24, Scattered Spider deployed DragonForce ransomware on M&S's VMware ESXi servers, encrypting the virtual machines that powered key systems for e-commerce, payment processing, and logistics (see figure 3).
[Figure 3: DragonForce ransomware deployed on M&S's VMware ESXi servers]
As a result, M&S had no choice but to shut down key systems entirely (including online orders and contactless payments), and call in top cybersecurity experts from CrowdStrike, Microsoft, and Fenix24 to contain the damage and start the recovery process (see figure 4).
[Figure 4: M&S containment and recovery with CrowdStrike, Microsoft, and Fenix24]
What this means for you
While M&S is a major player, the tactics used in this breach aren't reserved for large corporations; they work just as well against small businesses. Groups like Scattered Spider rely on common tools and stolen identities to gain trust and slip past normal security. The key lesson? Always verify the people and systems you rely on, whether they're inside your team or external partners.
What you can do to improve cybersecurity for your business
5 quick wins to protect your business
- Train your team – teach employees to spot dodgy emails, spoofed links, and sketchy login pages.
- Use strong passwords – create long, complex passwords that include a mix of uppercase and lowercase letters, numbers, and special characters. Never reuse passwords across different accounts.
- Enable multi-factor authentication (MFA) – this adds an extra layer of security beyond just a password.
- Stay vigilant – do not open email attachments or click on links unless you are certain of their legitimacy. If you have any doubts, report the email to your security team immediately.
- Report suspicious activity fast – if you receive unexpected MFA prompts, suspicious login alerts, or calls requesting your credentials, report them to your security team as soon as possible.