Motivation and analyst context
Scattered Spider is represented as a financially motivated intrusion cluster with emphasis on identity abuse, social engineering risk, and enterprise access monitoring.
Sectors and regions in this local profile
Mapped behavior for defensive monitoring
Valid account abuse should be monitored with identity risk signals, first-seen devices, and unusual MFA activity.
MFA fatigue patterns are represented defensively. Review unusual MFA prompts, help desk events, and conditional access changes.
Remote service use should be compared against normal administrator behavior and approved access windows.
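The valid-account and MFA signals in this list can be correlated in one triage pass over identity events. The following is an added example, not part of the original profile; the event tuple layout, event type names, and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (time, user, event type, device). The event type
# names are assumptions, not the schema of any particular identity provider.
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "signin", "laptop-a1"),
    ("2024-05-01T09:00:00", "bob", "signin", "laptop-b1"),
    ("2024-05-02T02:10:00", "bob", "mfa_denied", None),
    ("2024-05-02T02:11:00", "bob", "mfa_denied", None),
    ("2024-05-02T02:12:00", "bob", "mfa_denied", None),
    ("2024-05-02T02:13:00", "bob", "mfa_denied", None),
    ("2024-05-02T02:40:00", "bob", "helpdesk_mfa_reset", None),
    ("2024-05-02T02:55:00", "bob", "signin", "unknown-77"),
    ("2024-05-03T10:00:00", "alice", "helpdesk_mfa_reset", None),
    ("2024-05-03T10:20:00", "alice", "signin", "laptop-a1"),
]

def triage(events, burst=4, burst_window=timedelta(minutes=10),
           reset_window=timedelta(hours=24)):
    """Return (user, finding, timestamp) tuples for analyst review."""
    seen = defaultdict(set)        # user -> devices already observed
    denials = defaultdict(deque)   # user -> recent denied-prompt times
    last_reset = {}                # user -> time of last help desk MFA reset
    findings = []
    for ts, user, kind, device in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "mfa_denied":
            q = denials[user]
            q.append(t)
            while t - q[0] > burst_window:   # keep only prompts in the window
                q.popleft()
            if len(q) == burst:              # fire when the count reaches the threshold
                findings.append((user, "mfa_prompt_burst", ts))
        elif kind == "helpdesk_mfa_reset":
            last_reset[user] = t
        elif kind == "signin":
            if device not in seen[user] and seen[user]:  # skip the baseline device
                reset = last_reset.get(user)
                recent = reset is not None and t - reset <= reset_window
                label = "first_seen_device_after_mfa_reset" if recent else "first_seen_device"
                findings.append((user, label, ts))
            seen[user].add(device)
    return findings
```

A first-seen device that follows a help desk MFA reset is labelled separately so it can be prioritised over a routine device change; a reset followed by a sign-in from a known device produces no finding.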
Families and tooling names for defensive awareness
Represents legitimate tools that require monitoring when used outside approved context.
Grouped label for defensive awareness, without implementation or operational detail.
Safe, defanged, or documentation-range indicators
| Type | Value | Confidence | Note | Action |
|---|---|---|---|---|
| Domain | identity-support[.]example | Medium | Defanged example domain for identity-themed mock reporting. | |
| Email | security-review@example.invalid | Low | Reserved example email address for safe display. | |
| IP | 203.0.113.120 | Low | Documentation-range IP address used as mock infrastructure. | |
Recent campaign activity from local mock data
Mock campaign note covering unusual help desk changes, MFA reset events, and first-seen device access.
Analyst scenario focused on remote access anomalies and privileged SaaS sessions.
Safe SOC analyst guidance for monitoring and triage