{
	"id": "c4ca4582-6324-4149-bfa1-5c9a4a76699a",
	"created_at": "2026-04-06T00:10:31.638168Z",
	"updated_at": "2026-04-10T03:31:49.96666Z",
	"deleted_at": null,
	"sha1_hash": "acfc70d3f7d91a114269addfc121c5502d48c8c3",
	"title": "Protecting customers from Octo Tempest attacks across multiple industries | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 250623,
	"plain_text": "Protecting customers from Octo Tempest attacks across multiple\r\nindustries | Microsoft Security Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2025-07-16 · Archived: 2026-04-05 13:38:15 UTC\r\nIn recent weeks, Microsoft has observed Octo Tempest, also known as Scattered Spider, impacting the airlines\r\nsector, following previous activity impacting retail, food services, hospitality organizations, and insurance\r\nbetween April and July 2025. This aligns with Octo Tempest’s typical patterns of concentrating on one industry\r\nfor several weeks or months before moving on to new targets. Microsoft Security products continue to update\r\nprotection coverage as these shifts occur. \r\nTo help protect and inform customers, this blog highlights the protection coverage across the Microsoft Defender\r\nand Microsoft Sentinel security ecosystem and provides security posture hardening recommendations to protect\r\nagainst threat actors like Octo Tempest.\r\nOverview of Octo Tempest \r\nOcto Tempest, also known in the industry as Scattered Spider, Muddled Libra, UNC3944, or 0ktapus, is a\r\nfinancially motivated cybercriminal group that has been observed impacting organizations using varying methods\r\nin their end-to-end attacks. Their approach includes: \r\nGaining initial access using social engineering attacks and impersonating a user and contacting service\r\ndesk support through phone calls, emails, and messages.\r\nShort Message Service (SMS)-based phishing using adversary-in-the-middle (AiTM) domains that mimic\r\nlegitimate organizations.\r\nUsing tools such as ngrok, Chisel, and AADInternals.\r\nImpacting hybrid identity infrastructures and exfiltrating data to support extortion or ransomware\r\noperations.  \r\nRecent activity shows Octo Tempest has deployed DragonForce ransomware with a particular focus on VMWare\r\nESX hypervisor environments. 
In contrast to previous patterns, where Octo Tempest used cloud identity privileges to gain on-premises access, recent activity has involved compromising both on-premises accounts and infrastructure at the initial stage of an intrusion before transitioning to cloud access.\r\nOcto Tempest detection coverage\r\nMicrosoft Defender has a wide range of detections for Octo Tempest-related activity and more. These detections span all areas of the security portfolio, including endpoints, identities, software as a service (SaaS) apps, email and collaboration tools, cloud workloads, and more, to provide comprehensive protection coverage. Shown below is a list of known Octo Tempest tactics, techniques, and procedures (TTPs) observed in recent attack chains, mapped to detection coverage.\r\nhttps://www.microsoft.com/en-us/security/blog/2025/07/16/protecting-customers-from-octo-tempest-attacks-across-multiple-industries/\r\nPage 1 of 7\r\nProduct abbreviations used in the table: MDE = Microsoft Defender for Endpoint, MDI = Microsoft Defender for Identity, MDC = Microsoft Defender for Cloud, MDA = Microsoft Defender for Cloud Apps.\r\nTactic | Technique | Microsoft protection coverage (non-exhaustive)\r\nInitial Access | Initiating password reset on target’s credentials | Unusual user password reset in your virtual machine (MDC)\r\nDiscovery | Continuing environmental reconnaissance | Suspicious credential dump from NTDS.dit (MDE); Account enumeration reconnaissance (MDI); Network-mapping reconnaissance (DNS) (MDI); User and IP address reconnaissance (SMB) (MDI); User and Group membership reconnaissance (SAMR) (MDI); Active Directory attributes reconnaissance (LDAP) (MDI)\r\nCredential Access, Lateral Movement | Identifying Tier-0 assets | Mimikatz credential theft tool (MDE); ADExplorer collecting Active Directory information (MDE); Security principal reconnaissance (LDAP) (MDI); Suspicious Azure role assignment detected (MDC); Suspicious elevate access operation (MDC); Suspicious domain added to Microsoft Entra ID (MDA); Suspicious domain trust modification following risky sign-in (MDA)\r\nCredential Access, Lateral Movement | Collecting additional credentials | Suspected DCSync attack (replication of directory services) (MDI); Suspected AD FS DKM key read (MDI)\r\nCredential Access, Lateral Movement | Accessing enterprise environments over VPN and deploying VMs with tools to maintain access in compromised environments | ‘Ngrok’ hacktool was prevented (MDE); ‘Chisel’ hacktool was prevented (MDE); Possibly malicious use of proxy or tunneling tool (MDE); Possible Octo Tempest-related device registered (MDA)\r\nDefense Evasion, Persistence | Leveraging EDR and management tooling | Tampering activity typical to ransomware attacks (MDE)\r\nPersistence, Execution | Installing a trusted backdoor | ADFS persistent backdoor (MDE)\r\nActions on Objectives | Staging and exfiltrating stolen data | Possible exfiltration of archived data (MDE); Data exfiltration over SMB (MDI)\r\nActions on Objectives | Deploying ransomware | ‘DragonForce’ ransomware was prevented (MDE); Possible hands-on-keyboard pre-ransom activity (MDE)\r\nNote: The list is not exhaustive. A full list of available detections can be found in the Microsoft Defender portal.\r\nDisrupting Octo Tempest attacks\r\nDisrupt in-progress attacks with automatic attack disruption:\r\nAttack disruption is Microsoft Defender’s built-in self-defense capability that consumes multi-domain signals, the latest threat intelligence, and AI-powered machine learning models to automatically predict and disrupt an attacker’s next move by containing the compromised asset (user, device). 
This technology uses multiple potential indicators and behaviors, including all the detections listed above, possible Microsoft Entra ID sign-in attempts, and possible Octo Tempest-related sign-in activity, and correlates them across the Microsoft Defender workloads into a high-fidelity incident.\r\nBased on previous learnings from popular Octo Tempest techniques, attack disruption automatically disables the user account used by Octo Tempest and revokes all existing active sessions of the compromised user.\r\nWhile attack disruption can contain the attack by cutting off the attacker, it is critical for security operations center (SOC) teams to conduct incident response activities and post-incident analysis to help ensure the threat is fully contained and remediated.\r\nInvestigate and hunt for Octo Tempest-related activity:\r\nOcto Tempest is known for aggressive social engineering tactics, often targeting individuals with specific permissions to gain legitimate access and move laterally through networks. To help organizations identify this activity, customers can use Microsoft Defender’s advanced hunting capability to proactively investigate and respond to threats across their environment. Analysts can query across both first- and third-party data sources powered by Microsoft Defender XDR and Microsoft Sentinel. In addition to these tables, analysts can also use exposure insights from Microsoft Security Exposure Management.\r\nUsing advanced hunting and the Exposure Graph, defenders can proactively assess and hunt for the threat actor’s related activity, identify which users are most likely to be targeted and what the effect of a compromise would be, strengthening defenses before an attack occurs.
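\r\nThe following is an added example, not Microsoft’s code and not an advanced hunting KQL query, that turns the TTP table above and the hunting guidance into runnable correlation logic over constructed sample events: a service desk password reset, a new MFA method registered shortly afterwards, a sign-in from an IP never seen for that user before the reset, and execution of ngrok or Chisel. The event type names, field names, and the 2-hour and 24-hour windows are assumptions for this example; the MFA-registration step is an assumed follow-on to the reset, since the page names only the reset and the tunneling tools.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for this example; not Microsoft Defender data and
# not a Defender table schema. Line format: timestamp|event_type|key=value|...
SAMPLE_EVENTS = [
    '2025-07-01T09:02:00Z|signin|user=jdoe|ip=203.0.113.10|result=success',
    '2025-07-01T09:15:00Z|helpdesk_password_reset|user=jdoe|actor=sd-agent-07',
    '2025-07-01T09:31:00Z|mfa_method_added|user=jdoe|method=authenticator',
    '2025-07-01T09:40:00Z|signin|user=jdoe|ip=198.51.100.77|result=success',
    '2025-07-01T10:05:00Z|process|user=jdoe|device=ws-114|image=ngrok.exe',
    '2025-07-01T11:00:00Z|helpdesk_password_reset|user=asmith|actor=sd-agent-02',
    '2025-07-01T13:30:00Z|signin|user=asmith|ip=203.0.113.10|result=success',
    '2025-07-02T08:00:00Z|process|user=bwong|device=ws-201|image=chisel.exe',
]

# Tunneling tools the blog attributes to Octo Tempest (ngrok, Chisel).
TUNNEL_TOOLS = {'ngrok.exe', 'chisel.exe', 'ngrok', 'chisel'}
RESET_TO_MFA_WINDOW = timedelta(hours=2)      # assumed threshold, tune per tenant
RESET_TO_SIGNIN_WINDOW = timedelta(hours=24)  # assumed threshold, tune per tenant


def parse_event(line):
    '''Parse one pipe-delimited sample line into a dict with a datetime ts.'''
    ts, kind, *fields = line.strip().split('|')
    ev = {'ts': datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'), 'type': kind}
    for field in fields:
        key, value = field.split('=', 1)
        ev[key] = value
    return ev


def hunt_helpdesk_takeover(lines):
    '''Per user, advance a chain: helpdesk password reset (stage 1) -> new MFA
    method within RESET_TO_MFA_WINDOW (2) -> successful sign-in from an IP not
    in the user's pre-reset baseline within RESET_TO_SIGNIN_WINDOW (3) ->
    tunneling tool run under that user after the reset (4).
    Returns {user: chain} for users that reached stage 2 or higher.'''
    events = sorted((parse_event(line) for line in lines), key=lambda e: e['ts'])
    chains = {}
    for ev in events:
        user = ev.get('user')
        kind = ev['type']
        if kind == 'helpdesk_password_reset' and user not in chains:
            # Baseline is built only from sign-ins BEFORE the reset, so the
            # attacker's own post-reset sign-in cannot poison it.
            baseline = {e['ip'] for e in events if e['type'] == 'signin'
                        and e['user'] == user and e['ts'] < ev['ts']}
            chains[user] = {'stage': 1, 'reset_at': ev['ts'], 'baseline_ips': baseline,
                            'evidence': [ev['ts'].isoformat() + ' reset by ' + ev['actor']]}
            continue
        chain = chains.get(user)
        if chain is None:
            continue
        age = ev['ts'] - chain['reset_at']
        if chain['stage'] == 1 and kind == 'mfa_method_added' and age <= RESET_TO_MFA_WINDOW:
            chain['stage'] = 2
            chain['evidence'].append(ev['ts'].isoformat() + ' MFA method added: ' + ev['method'])
        elif (chain['stage'] == 2 and kind == 'signin' and ev.get('result') == 'success'
              and ev['ip'] not in chain['baseline_ips'] and age <= RESET_TO_SIGNIN_WINDOW):
            chain['stage'] = 3
            chain['evidence'].append(ev['ts'].isoformat() + ' sign-in from new IP ' + ev['ip'])
        elif chain['stage'] == 3 and kind == 'process' and ev.get('image', '').lower() in TUNNEL_TOOLS:
            chain['stage'] = 4
            chain['evidence'].append(ev['ts'].isoformat() + ' ' + ev['image'] + ' on ' + ev['device'])
    return {u: c for u, c in chains.items() if c['stage'] >= 2}


def hunt_tunnel_tools(lines):
    '''Stand-alone hit list for proxy/tunnel tooling, independent of chain state.'''
    events = sorted((parse_event(line) for line in lines), key=lambda e: e['ts'])
    return [(e['user'], e['device'], e['image']) for e in events
            if e['type'] == 'process' and e.get('image', '').lower() in TUNNEL_TOOLS]


if __name__ == '__main__':
    for user, chain in hunt_helpdesk_takeover(SAMPLE_EVENTS).items():
        print(user, 'stage', chain['stage'])
        for item in chain['evidence']:
            print('  ', item)
    print('tunnel tools:', hunt_tunnel_tools(SAMPLE_EVENTS))
```

On the sample data, jdoe reaches stage 4 while asmith (reset followed only by a sign-in from an already-known IP, no MFA change) is not reported; bwong’s chisel.exe still surfaces through the stand-alone tunnel-tool hunt, which is the right split because the tooling detection should not depend on the identity chain having fired. In a real tenant the sample list would be replaced by the corresponding advanced hunting tables (for example DeviceProcessEvents for the process events and the identity sign-in tables for the rest), and the windows tuned to the service desk’s normal reset-to-first-sign-in timing.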
\r\nProactive defense against Octo Tempest\r\nMicrosoft Security Exposure Management, available in the Microsoft Defender portal, equips security teams with capabilities such as critical asset protection, threat actor initiatives, and attack path analysis that enable them to proactively reduce exposure and mitigate the impact of Octo Tempest’s hybrid attack tactics.\r\nEnsure critical assets stay protected\r\nCustomers should ensure critical assets are classified as critical in the Microsoft Defender portal to generate relevant attack paths and recommendations in initiatives. Microsoft Defender automatically identifies critical devices in your environment, but teams should also create custom rules and expand critical asset identifiers to enhance protection.\r\nTake action to minimize impact with initiatives\r\nExposure Management’s initiatives feature provides goal-driven programs that unify key insights to help teams harden defenses and act fast on real threats. To address the most pressing risks related to Octo Tempest, we recommend organizations begin with the initiatives below:\r\nOcto Tempest Threat Initiative: Octo Tempest is known for tactics like extracting credentials from the Local Security Authority Subsystem Service (LSASS) using tools like Mimikatz and signing in from attacker-controlled IPs, both of which can be mitigated through controls like attack surface reduction (ASR) rules and sign-in policies. 
This initiative brings these mitigations together into a focused program, mapping real-world attacker behaviors to actionable controls that help reduce exposure and disrupt attack paths before they escalate.\r\nRansomware Initiative: A broader initiative focused on reducing exposure to extortion-driven attacks by hardening the identity, endpoint, and infrastructure layers. This will provide recommendations tailored for your organization.\r\nInvestigate on-premises and hybrid attack paths\r\nSecurity teams can use attack path analysis to trace cross-domain threats, such as Octo Tempest intrusions that exploited a critical Entra Connect server to pivot into cloud workloads, escalate privileges, and expand their reach. Teams can use the ‘Chokepoint’ view in the attack path dashboard to highlight entities appearing in multiple paths, making it easy to filter for helpdesk-linked accounts, a known Octo Tempest target, and prioritize their remediation.\r\nGiven Octo Tempest’s hybrid attack strategy, a representative attack path may look like this:\r\nRecommendations\r\nIn today’s threat landscape, proactive security is essential. By following security best practices, you reduce the attack surface and limit the potential impact of adversaries like Octo Tempest. 
Microsoft recommends implementing the following to help strengthen your overall posture and stay ahead of threats:\r\nIdentity security recommendations\r\nEnsure multifactor authentication is enabled for all users: Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. Note that phone- and SMS-based factors can be relayed by the AiTM phishing pages described above, so prefer phishing-resistant methods wherever the user population allows it.\r\nEnable Microsoft Entra ID Protection sign-in risk policies: Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multifactor authentication.\r\nEnsure phishing-resistant multifactor authentication strength is required for administrators.\r\nEnsure overprovisioned Microsoft Azure identities have only the permissions they need.\r\nEnable Microsoft Entra Privileged Identity Management, as well as other protective measures, to mitigate the risk of unnecessary or unauthorized access.\r\nEndpoint security recommendations\r\nEnable Microsoft Defender Antivirus cloud-delivered protection for Linux.\r\nTurn on Microsoft Defender Antivirus real-time protection for Linux.\r\nEnable Microsoft Defender for Endpoint EDR in block mode to block post-breach malicious behavior on the device through behavior blocking and containment capabilities.\r\nTurn on tamper protection to prevent Microsoft Defender for Endpoint security settings from being modified.\r\nBlock credential stealing from the Windows Local Security Authority Subsystem: Attack surface reduction (ASR) rules are the most effective method for blocking the most common attack techniques used in cyberattacks and malicious software.\r\nTurn on Microsoft Defender Credential Guard to isolate secrets so that only privileged system software can access them.\r\nCloud security recommendations\r\nKey Vaults should have purge protection enabled to prevent immediate, irreversible deletion of vaults and secrets.\r\nTo reduce the risk of overly permissive inbound rules on virtual machines’ management ports, enable just-in-time (JIT) network access control.\r\nMicrosoft Defender for Cloud recommends encrypting data with customer-managed keys (CMK) to support strict compliance or regulatory requirements. To reduce risk and increase control, enable CMK to manage your own encryption keys through Microsoft Azure Key Vault.\r\nEnable logs in Azure Key Vault and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\r\nMicrosoft Azure Backup should be enabled for virtual machines to protect the data on your Microsoft Azure virtual machines and to create recovery points that are stored in geo-redundant recovery vaults.\r\nExplore security solutions\r\nTo learn more about Microsoft Security solutions, visit our website. Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters.\r\nAlso, follow us on Microsoft Security LinkedIn and @MSFTSecurity on X for the latest news and updates on cybersecurity.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/07/16/protecting-customers-from-octo-tempest-attacks-across-multiple-industries/"
	],
	"report_names": [
		"protecting-customers-from-octo-tempest-attacks-across-multiple-industries"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434231,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/acfc70d3f7d91a114269addfc121c5502d48c8c3.pdf",
		"text": "https://archive.orkl.eu/acfc70d3f7d91a114269addfc121c5502d48c8c3.txt",
		"img": "https://archive.orkl.eu/acfc70d3f7d91a114269addfc121c5502d48c8c3.jpg"
	}
}