Hardened Identity Management · Deep dive 03

Access sprawl is the thing that gets reset against you

Scattered Spider turns one help-desk reset into domain compromise. Scheduled access reviews are the hygiene that limits what any single account can reach.

Draft outline · Governance / lifecycle lens
The anchor

The updated CISA advisory on Scattered Spider (AA23-320A, July 2025) details help-desk social engineering, MFA-reset abuse and the access sprawl that lets a single reset become domain-wide compromise; the 2025 M&S and Co-op attacks were the public face of it. Access reviews are the unglamorous governance control that shrinks what a compromised account can touch.

Sources we build on
Primary
CISA advisory AA23-320A on Scattered Spider (updated July 2025)

Government advisory on the group's help-desk and identity TTPs and mitigations.

Journalism
TechCrunch / WIRED on the 2025 retail attacks

Independent reporting on the M&S and Co-op incidents that made this tangible.

Article outline
  1. The reset that ends badly. How one social-engineered reset cascades.
  2. Why sprawl is the enabler. Over-broad, stale and orphaned access.
  3. Access reviews in Entra. Scheduling recertification for privileged roles and groups.
  4. Joiner-mover-leaver. The lifecycle hygiene that stops sprawl accumulating.
  5. Evidence for the assessor. Reviews as auditable governance.
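To make sections 2 to 4 concrete, here is an added example (not from this draft, and not Entra's own access-review tooling) that triages a constructed account export the way a scheduled recertification would: it flags stale enabled accounts, idle privileged roles, orphaned accounts whose manager no longer resolves, leavers still enabled, and mover drift where group membership no longer matches the user's department. The field names, thresholds, department-to-group mapping and sample users are all assumptions; a real Entra or HR export would be mapped onto them.

```python
"""Offline access-review triage over a constructed account export.

Added example, not from the article or from Microsoft Entra. The rules
encode the sprawl categories the outline names (over-broad, stale and
orphaned access, joiner-mover-leaver drift) so a reviewer can see what a
scheduled recertification should surface. Field names, thresholds and
sample rows are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set

# Assumed set of roles treated as privileged for the tighter idle threshold.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Helpdesk Administrator"}
STALE_DAYS = 90          # assumed recertification threshold for any enabled account
PRIV_IDLE_DAYS = 30      # assumed tighter threshold for privileged role holders
REVIEW_DATE = date(2025, 8, 1)   # fixed "today" so the example is deterministic

# Assumed mapping of group-name prefix to the department that should hold it.
GROUP_OWNER_DEPT = {"Finance": "Finance", "IT": "IT"}


@dataclass
class Account:
    upn: str
    enabled: bool
    last_sign_in: Optional[date]
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    manager: Optional[str] = None     # UPN of the manager of record
    department: str = ""
    employment: str = "active"        # "active" or "left" (from HR feed)


# Constructed sample export; every user is fictional.
SAMPLE = [
    Account("alice@example.test", True, date(2025, 7, 30), {"Global Administrator"},
            {"Finance-Readers"}, "carol@example.test", "Finance"),
    Account("bob@example.test", True, date(2025, 3, 1), set(),
            {"Finance-Readers"}, "carol@example.test", "Finance"),
    Account("carol@example.test", True, date(2025, 7, 29), set(), set(), None, "Finance"),
    Account("dave@example.test", True, date(2025, 6, 15), {"Helpdesk Administrator"},
            {"IT-Helpdesk"}, "erin@example.test", "IT"),
    # Manager "zed" is not in the export: the account is orphaned.
    Account("erin@example.test", True, date(2025, 7, 28), set(),
            {"IT-Admins"}, "zed@example.test", "IT"),
    # Mover who then left: still enabled and still in groups of two other departments.
    Account("frank@example.test", True, date(2025, 7, 20), set(),
            {"IT-Admins", "Finance-Approvers"}, "erin@example.test", "Marketing", "left"),
]


def days_idle(acct, today=REVIEW_DATE):
    """Days since last interactive sign-in, or None if the account never signed in."""
    return None if acct.last_sign_in is None else (today - acct.last_sign_in).days


def review(accounts, today=REVIEW_DATE):
    """Return (upn, finding) tuples that a reviewer must approve or revoke."""
    known = {a.upn for a in accounts}
    findings = []
    for a in accounts:
        idle = days_idle(a, today)
        # Leaver hygiene: HR says gone, directory says enabled.
        if a.employment == "left" and a.enabled:
            findings.append((a.upn, "leaver still enabled"))
        # Stale access: enabled but unused beyond the recertification window.
        if a.enabled and (idle is None or idle > STALE_DAYS):
            findings.append((a.upn, "stale account"))
        # Privileged roles get a tighter idle window than ordinary accounts.
        for role in sorted(a.roles & PRIVILEGED_ROLES):
            if idle is None or idle > PRIV_IDLE_DAYS:
                findings.append((a.upn, f"idle privileged role: {role}"))
        # Orphaned: the manager who would attest to this access no longer exists.
        if a.manager is not None and a.manager not in known:
            findings.append((a.upn, "orphaned: manager not in directory"))
        # Mover drift: membership in groups owned by a department the user is not in.
        for g in sorted(a.groups):
            owner = GROUP_OWNER_DEPT.get(g.split("-")[0])
            if owner and owner != a.department:
                findings.append((a.upn, f"group outside department: {g}"))
    return findings


if __name__ == "__main__":
    for upn, finding in review(SAMPLE):
        print(f"{upn:22} {finding}")
```

Run against the sample, the script surfaces six decisions: Bob's stale account, Dave's idle help-desk role, Erin's unresolvable manager, and three findings on Frank (still enabled after leaving, plus two groups from departments he no longer belongs to). Each is exactly the kind of standing access a social-engineered reset would inherit, which is the point of recertifying on a schedule rather than waiting for an incident.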
How it aligns to what we do

A governance and lifecycle piece rather than a threat piece. It shows identity hardening is ongoing hygiene we operate, and it grounds an unglamorous control in a headline event to make the reader care.

Points to hit
Control it ratifies
ISM / E8: Restrict administrative privileges; ISM access-control and personnel-lifecycle guidelines. Reviews limit the reach of any single compromised or reset account.