Scattered Spider turns one help-desk reset into domain compromise. Scheduled access reviews are the hygiene that limits what any single account can reach.
Draft outline · Governance / lifecycle lensThe updated CISA advisory on Scattered Spider (AA23-320A, July 2025) details help-desk social engineering, MFA-reset abuse and the access sprawl that lets a single reset become domain-wide compromise; the 2025 M&S and Co-op attacks were the public face of it. Access reviews are the unglamorous governance control that shrinks what a compromised account can touch.
Government advisory on the group's help-desk and identity TTPs and mitigations.
Independent reporting on the M&S and Co-op incidents that made this tangible.
A governance and lifecycle piece rather than a threat piece. It shows identity hardening is ongoing hygiene we operate, and it grounds an unglamorous control in a headline event to make the reader care.