In just two weeks, three of the UK’s best-known retailers Marks & Spencer, Co-op and Harrods have each confirmed serious cyber incidents. The UK’s National Cyber Security Centre (NCSC) has called these events a “wake-up call,” warning that every organisation should examine its readiness to detect, respond to and recover from an attack.
These aren’t isolated IT issues. They are targeted, coordinated campaigns disrupting core business operations, from payments and logistics to customer data and digital identities.
What Happened? A Quick Recap
- Marks & Spencer suffered a ransomware breach that disrupted contactless payments, Click & Collect services and online ordering. The attackers deployed DragonForce ransomware, compromising the company’s virtual server infrastructure.
- Co-op initially described its incident as a contained intrusion. However, it has been confirmed that the theft of customer data and internal messages suggests a deeper compromise. Attackers reportedly infiltrated Microsoft Teams, impersonating executives to deliver extortion messages directly to staff.
- Harrods detected an attempted breach and took pre-emptive action by restricting internet access across its estate. No data breach has been confirmed, but the investigation is ongoing.
All three incidents are linked to a group known as Scattered Spider (also referred to as Octo Tempest by Microsoft - source)—cybercriminals who specialise in identity-based compromise, helpdesk impersonation and social engineering.
Why It Matters: The New Ransomware Playbook
This new generation of attackers doesn’t break down doors—they log in through the front. They:
- Steal credentials using phishing and SIM swapping
- Hijack cloud identities and reset passwords via social engineering
- Infiltrate tools like Microsoft Teams to exploit trust and demand ransoms
These tactics are supercharged through Ransomware-as-a-Service (RaaS) platforms like DragonForce, which makes it easier for even low-skill actors to launch high-impact attacks.
As the NCSC warns, this threat model is not just more effective—it’s more widespread, less predictable and increasingly business-critical.
What Business Leaders Need To Learn. Now.
To help executive teams act decisively, Dominic List, CEO of CyberOne, offers 5 critical lessons drawn from frontline response work across the retail and mid-market sectors.
1. Your Supply Chain Is Now Part of Your Security Perimeter
Many breaches begin not within your systems but through third-party vendors—from IT service providers and cloud platforms to logistics partners. If they’re compromised, your business could be next.
Action Points:
- Audit supplier access regularly and revoke dormant accounts.
- Ensure critical vendors meet basic security standards (Cyber Essentials, ISO 27001)
- Introduce tiered access and segmentation for partner systems
2. Retail Infrastructure Must Be Isolated and Monitored
EPOS platforms, inventory systems and payment processing tools are business-critical, but they are often unpatched, outdated or poorly segmented, making them ideal entry points that also means they are high value targets for attackers making them hard to get to.
Action Points:
- Segment retail and back-office systems on the network (your guest WiFi shouldn't touch your POS system)
- Apply software patches and firmware updates as a priority
- Flag anomalies such as off-hours access or foreign IPs
-
Use Microsoft Sentinel and Defender XDR for real-time protection threat intelligence
3. 24x7 Threat Detection Isn’t Optional. It’s Essential.
Ransomware actors don’t stick to business hours. You always need visibility across your environment to detect and respond before damage is done.
Action Points:
- Deploy Managed Extended Detection and Response (MXDR) to monitor and contain threats continuously.
- Use Microsoft Sentinel and Defender XDR for real-time threat intelligence
- MXDR is also a cost-effective alternative to building an in-house SOC—especially for mid-sized organisations
- Automate threat response playbooks for rapid containment
4. If You’ve Never Simulated a Breach. You’re Not Ready.
Plans on paper don’t prevent breaches. The only way to determine if your teams are ready is to conduct a live breach or a realistic tabletop cyber incident exercise (CIE).
Action Points:
- Run ransomware simulations that involve executives, IT, legal and communications
- Include real-world scenarios: cloud compromise, Teams infiltration and vendor breach
- Ensure you have an Incident Response contract in place with an NCSC-accredited provider experienced in both response and recovery
5. Your People Are the First and Final Line of Defence
The most sophisticated attacks still rely on human error. Attackers exploit familiarity and urgency to bypass controls, whether it’s a phishing link, fake IT request, or Teams message.
Action Points:
- Train staff to recognise social engineering tactics
- Reinforce “pause and verify” protocols for access requests and password resets.
- Run simulated phishing campaigns and incident reporting drills.
6. Most Attacks Start with a Login, Not a Break-In
Today’s attackers aren’t forcing their way in—they’re logging in. Groups like Scattered Spider rely on phishing, MFA fatigue and impersonating support teams to get legitimate access to company accounts. Once inside, they move quickly across systems, often unnoticed until damage is done.
Action Points:
- Make Multi-Factor Authentication (MFA) mandatory for all systems, especially admin accounts and remote access.
- Use tools like Microsoft Entra ID Protection to flag suspicious logins
- Tighten password reset procedures—helpdesk staff should always verify identity, especially for high-privilege users
- Invest in Identity as a Service for 24x7 continuous threat monitor and management.
What You Need to Know About These Threats
Scattered Spider (Octo Tempest)
The English-speaking cybercriminals linked to the breaches are also attributed to high-profile breaches at MGM Resorts, Caesars Entertainment, Reddit and several UK retailers.
Known for their expertise in social engineering, helpdesk impersonation and account takeover, Scattered Spider operates more like a method than a fixed group, making it especially hard for them to track and stop.
DragonForce
The Ransomware-as-a-Service used by Scattered Spider provides encryption tools, extortion sites and affiliate support. DragonForce was behind both the M&S and Co-op attacks.
What is Ransomware-as-a-Service (RaaS)?
A cybercrime model where tools are rented out to “affiliates” who conduct attacks. The service provider takes a cut of any ransom paid. It’s scalable, profitable and increasingly common.
Spotting Microsoft Teams Extortion Attempts
In the Co-op breach, attackers infiltrated Teams to extort staff directly. They impersonated executives and shared stolen data.
Tips for Employees:
- Always verify new meeting attendees, especially unknown internal accounts
- Turn on cameras during sensitive discussions
- Avoid posting customer data or passwords in the chat
- If unsure, check with IT or security before engaging further
Final Thought: Resilience Is the Only Way Forward
This wave of attacks isn’t about files, it’s about business continuity. And while retailers are on the front line now, the tactics used apply to any organisation.
If you're unsure whether your business could withstand a modern identity-driven ransomware attack, this is the time to act. Not react.
Need to Strengthen Your Cyber Resilience?
CyberOne supports retail and mid-market leaders with 24x7 threat detection, identity protection and NCSC-accredited Cyber Incident Response.
If you’re facing specific challenges—or simply want to understand what practical steps you can take, we’re offering a complimentary 30-minute cyber consultation with one of our security specialists.