Microsoft enhances its built-in attack disruption capabilities.
Microsoft has rolled out a series of enhancements to its security ecosystem to help its customers guard against the possibility of falling victim to Scattered Spider.
According to Computer Weekly, Scattered Spider ramped up the pace of its activity throughout 2025. In contrast to previous attack patterns, where the group exploited cloud identity privileges in order to attain on-premise access, it now appears to be hitting both on-premise accounts and infrastructure during the initial stage of its intrusions, prior to transitioning to cloud access.
To better assist its customers, Microsoft has updated the range of detections available within Defender, enhancing its built-in attack disruption capabilities – which draw on multi-domain signals, new threat intel, and AI-backed machine learning models to try to predict and disrupt a threat actor’s next move.
Microsoft said that, based on its learnings from previous Scattered Spider attacks, attack disruption will also disable the user account used by the gang and revoke all existing active sessions it has open.
Elsewhere within Defender, Microsoft has upped its advanced hunting capabilities to help organisations identify and ward off the gang’s more aggressive social engineering attacks on privileged individuals, even going so far as to identify who within the organisation is most likely to be targeted before an attack begins.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.