Scattered Spider’s Next Moves: Weaponising Operational Fragility Across Critical Industries

Many security teams assume Scattered Spider targeted aviation purely for the value of airline data. They are wrong. These attackers do not target industries as such. They target operational fragility.

The shift reveals a calculated strategy that most security professionals miss entirely. While organisations focus on traditional sector-based threat models, Scattered Spider weaponises business continuity risk.

The Operational Fragility

Scattered Spider has shown a consistent pattern: it targets sectors where downtime is expensive and where continuity planning and recovery are weak. Its playbook exploits urgency and complexity, favouring sectors with fragmented systems, heavy third-party dependencies, high customer service demands and intense pressure to resume operations quickly.

Their recent focus on the insurance industry underscores this strategy. Companies in the US, such as Aflac, Erie Insurance and Philadelphia Insurance Companies, have reported breaches linked to Scattered Spider’s tactics (Insurance Journal, 2025).

These attacks exploit identity processes rather than software flaws: the attackers impersonate employees, typically to a service desk, and talk their way into password resets or new MFA enrolments that give them legitimate-looking access.

Aviation fits perfectly. When ground operations stop, flights are grounded immediately. Revenue losses mount by the hour. Scattered Spider’s approach remains consistent.

In the WestJet breach, the attackers used a self-service password reset to take over an account, registered their own multi-factor authentication device on it and then reached the internal network through Citrix (Bleeping Computer, 2025). The technique is not specific to aviation; it works wherever the reset and enrolment flows are weaker than the login they protect.

Mandiant’s Chief Technology Officer has confirmed that Scattered Spider is actively targeting the aviation industry, indicating a deliberate shift in their focus (Computer Weekly, 2025).

Psychological Warfare in the Boardroom

These attackers understand both boardroom psychology and technical vulnerabilities.

During an active incident, they establish direct communication with crisis teams. They flaunt control over critical systems and threaten public disclosure or extended outages. They tailor ransom demands to daily operating costs. A grounded airline loses millions per day, as the sector experienced during the COVID-19 pandemic.

This psychological pressure is the primary weapon. Executive teams, under enormous pressure to restore service, often find that their incident response plans were not built for this level of disruption.

That gap between theoretical preparedness and operational reality is exactly what Scattered Spider exploits.

They craft professional communications with proofs of access, structured ransom notes and pseudo-customer support for decryption. This makes paying seem like a business decision the board can justify under pressure.

Microsoft Environments Under Attack

The technical attack surface often stems from identity verification processes that organisations leave exposed within their Microsoft environments.

While the underlying platform offers robust security controls, attackers frequently exploit gaps in how organisations configure and manage workflows such as password resets and MFA enrolment. For example, social engineering attacks can trick service desks into resetting credentials or enrolling new MFA devices without sufficient verification.

Strengthening this layer is an important aspect of Privileged Access Management (PAM). Organisations should explicitly harden verification procedures for critical accounts by implementing out-of-band confirmation with known contacts, enforcing manager approvals or establishing pre-validated escalation paths that are resistant to impersonation attempts.

Attackers can also exploit self-service password reset (SSPR) and MFA device enrolment in Azure AD (now Microsoft Entra ID) when these flows are not secured as carefully as the sign-in they sit behind.

If users can reset a password or enrol a new authentication method after weak verification, such as a code sent to a personal email address or by SMS, the reset flow itself becomes the target: an attacker who controls that channel, or who can talk the service desk into bypassing it, completes the reset and enrols their own MFA device without ever needing the user’s existing credentials.
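
The reset-then-enrol sequence described above leaves a distinctive trail in the Entra ID directory audit log. The following is an added example, not code from the original post, that correlates a password reset with a subsequent security-info registration on the same account and scores the result. The sample events are constructed to mirror the shape of Get-MgAuditLogDirectoryAudit output so the script runs offline; the activityDisplayName strings are the ones Entra ID uses for these actions at the time of writing, and the "known corporate IP" list is an assumption you would replace with your own egress addresses.

```powershell
# Added example, not code from the original post: flags a password reset followed within
# a short window by a new MFA method being registered on the same account.
# Constructed sample events mirror Get-MgAuditLogDirectoryAudit output. For live data:
#   Connect-MgGraph -Scopes "AuditLog.Read.All"
#   $events = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $sinceIso" -All
# Confirm the activityDisplayName strings against your own tenant before alerting on them.

$resetActivities    = @("Reset user password", "Reset password (by admin)", "Reset password (self-service)")
$registerActivities = @("User registered security info", "User registered all required security info")
$windowMinutes      = 60
$knownCorporateIps  = @("203.0.113.10")   # assumption: your office egress addresses (documentation range used here)

# Constructed sample data: a help-desk reset followed 12 minutes later by an MFA registration
# from an unfamiliar address, plus a benign self-registration from the office.
$events = @(
    [pscustomobject]@{
        ActivityDateTime    = [datetime]::Parse("2025-06-13T09:02:00Z").ToUniversalTime()
        ActivityDisplayName = "Reset user password"
        InitiatedBy         = @{ User = @{ UserPrincipalName = "helpdesk1@example.com"; IpAddress = "203.0.113.10" } }
        TargetResources     = @(@{ UserPrincipalName = "j.doe@example.com" })
    },
    [pscustomobject]@{
        ActivityDateTime    = [datetime]::Parse("2025-06-13T09:14:00Z").ToUniversalTime()
        ActivityDisplayName = "User registered security info"
        InitiatedBy         = @{ User = @{ UserPrincipalName = "j.doe@example.com"; IpAddress = "198.51.100.77" } }
        TargetResources     = @(@{ UserPrincipalName = "j.doe@example.com" })
    },
    [pscustomobject]@{
        ActivityDateTime    = [datetime]::Parse("2025-06-13T11:30:00Z").ToUniversalTime()
        ActivityDisplayName = "User registered security info"
        InitiatedBy         = @{ User = @{ UserPrincipalName = "a.smith@example.com"; IpAddress = "203.0.113.10" } }
        TargetResources     = @(@{ UserPrincipalName = "a.smith@example.com" })
    }
)

function Find-SuspiciousEnrolments {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 60,
        [string[]]$KnownIps = @()
    )
    $resets        = @($Events | Where-Object { $resetActivities -contains $_.ActivityDisplayName })
    $registrations = @($Events | Where-Object { $registerActivities -contains $_.ActivityDisplayName })

    foreach ($reg in $registrations) {
        $user  = $reg.TargetResources[0].UserPrincipalName
        $regIp = $reg.InitiatedBy.User.IpAddress

        # Most recent reset of the same account inside the look-back window.
        $priorReset = $resets |
            Where-Object { $_.TargetResources[0].UserPrincipalName -eq $user } |
            Where-Object { $_.ActivityDateTime -le $reg.ActivityDateTime -and
                           $_.ActivityDateTime -ge $reg.ActivityDateTime.AddMinutes(-$WindowMinutes) } |
            Sort-Object ActivityDateTime -Descending |
            Select-Object -First 1
        if (-not $priorReset) { continue }

        $resetBy = $priorReset.InitiatedBy.User.UserPrincipalName
        $delta   = $reg.ActivityDateTime - $priorReset.ActivityDateTime
        $reasons = @("MFA method registered $([int]$delta.TotalMinutes) min after a password reset")
        $score   = 1
        if ($resetBy -ne $user)            { $score++; $reasons += "reset performed by $resetBy, not the account owner" }
        if ($KnownIps -notcontains $regIp) { $score++; $reasons += "registration came from unrecognised address $regIp" }

        [pscustomobject]@{
            User           = $user
            ResetBy        = $resetBy
            RegistrationIp = $regIp
            Score          = $score       # 3 = reset by someone else AND enrolment from an unknown address
            Reasons        = $reasons -join "; "
        }
    }
}

Find-SuspiciousEnrolments -Events $events -WindowMinutes $windowMinutes -KnownIps $knownCorporateIps |
    Sort-Object Score -Descending | Format-Table -AutoSize
```

Run against the sample data, only j.doe@example.com is reported, with a score of 3: the reset was performed by a help-desk account and the new method was registered from an address outside the known list. A score of 1 (the user reset their own password and re-registered from a familiar address) is ordinary onboarding and is worth triaging only in bulk.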

Conditional Access policies and strong authentication methods can tighten these flows, but they must be scoped carefully and applied consistently: a single excluded group, an unprotected registration path or a policy left permanently in report-only mode is exactly the gap an attacker will find.

Building Operational Resilience

Defence requires moving beyond static compliance checks to realistic failure rehearsals. This does not mean hiring expensive consultants to run multi-day tabletop exercises. It means practising what you do when systems fail.

Pick a critical business process and ask:

  • What if it is encrypted right now?
  • Who do we call?
  • How do we work around it?
  • How do we talk to customers?

Even an hour of forcing real answers can reveal planning gaps that no policy document will.

Organisations with true muscle memory do not freeze:

  • They communicate immediately and honestly, rehearsing the phrase “We do not know yet” instead of sugarcoating it for the board.
  • They prioritise with clarity, knowing exactly which systems must come up first to keep the business operating.
  • They handle extortion demands with discipline. Instead of panicking, they calmly work the playbook.

The Identity Control Balance

Implementing stricter identity controls requires striking a balance between security and operational efficiency. It starts by treating identity controls as business enablers, not security mandates.

You cannot bolt on strict verification without considering user experience, or people will find workarounds.

Risk-based flexibility is crucial. Microsoft Conditional Access policies enable different friction levels for various scenarios.

  • Low-risk managed devices inside your network can have seamless sign-in with strong device compliance.
  • High-risk, off-network privileged changes require stronger verification.

This approach aligns security friction with actual risk rather than relying on blanket policies that frustrate everyone.
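
The tiering just described, together with the hardening of the registration path discussed under Microsoft Environments Under Attack, can be expressed as three Conditional Access policies. The following is an added example written for Microsoft Graph PowerShell; it is not code from the original post. It assumes the Microsoft.Graph SDK is installed, that the caller can consent to the listed scopes, that you have already marked your office networks as trusted named locations (which is what "AllTrusted" refers to), and that $breakGlassGroupId is replaced with the object ID of your emergency-access group. Every policy is created in report-only mode so its effect can be read from the sign-in logs before anything is enforced.

```powershell
# Added example, not code from the original post: three Conditional Access policies that
# (1) protect security-info registration, (2) let compliant managed devices sign in without
# an MFA prompt, and (3) require phishing-resistant MFA on a compliant device for privileged
# roles used off-network. All are created in report-only mode.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All" -NoWelcome

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your emergency-access group object ID

# Resolve privileged role template IDs by display name rather than hard-coding GUIDs.
$privilegedRoleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in @("Global Administrator", "Security Administrator",
                                        "Privileged Role Administrator", "Conditional Access Administrator") } |
    Select-Object -ExpandProperty Id)

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2, certificate-based auth, Windows Hello for Business).
$phishingResistantMfa = "00000000-0000-0000-0000-000000000004"

$policies = @(
    # 1. Registering or changing security info (the SSPR / MFA enrolment path) needs a compliant
    #    device or MFA. Accounts with no method yet should be onboarded with a Temporary Access
    #    Pass issued after out-of-band verification, not by relaxing this policy.
    @{
        displayName   = "CA-01 Security info registration: compliant device or MFA"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
            applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "mfa") }
    },
    # 2. Low-friction tier: a compliant managed device satisfies the policy silently; anything
    #    else must present MFA. Friction follows device posture, not a blanket prompt.
    @{
        displayName   = "CA-02 All apps: compliant device or MFA"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
            applications = @{ includeApplications = @("All") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "mfa") }
    },
    # 3. High-risk tier: privileged roles used from outside trusted locations need BOTH a
    #    compliant device AND phishing-resistant MFA. Push notifications and SMS do not qualify.
    @{
        displayName   = "CA-03 Privileged roles off-network: compliant device and phishing-resistant MFA"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users        = @{ includeRoles = $privilegedRoleIds; excludeGroups = @($breakGlassGroupId) }
            applications = @{ includeApplications = @("All") }
            locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        }
        grantControls = @{
            operator               = "AND"
            builtInControls        = @("compliantDevice")
            authenticationStrength = @{ id = $phishingResistantMfa }
        }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}  {1}  [{2}]" -f $created.Id, $created.DisplayName, $created.State
}
```

Leave the policies in report-only mode for at least one business cycle and review the "Report-only" column in the sign-in logs for users who would have been blocked; the usual surprises are shared service accounts with no device and administrators whose only registered method is a phone. Only then switch state to "enabled", and keep the break-glass group excluded so a misconfiguration cannot lock out the tenant.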

The Fundamental Shift Required

The aviation sector underscores this challenge. In a 2025 SITA survey, 55% of civil aviation cyber decision-makers reported a ransomware attack within the previous 12 months (SITA, 2025).

However, many organisations continue to rely on static, compliance-driven security postures. Groups like Scattered Spider evolve faster than such controls are updated, studying each target’s operations, suppliers and personnel to uncover gaps. If security is based only on checklists and rigid threat models, organisations are always fighting the last war.

Staying ahead requires a shift to continuous, threat-informed defence. This involves integrating threat intelligence into operational planning, rehearsing real-world failure scenarios and rigorously testing assumptions about resilience.

It also requires treating identity not just as a technical control but as an operational security boundary that adapts to changing business needs and attacker tactics. Risk-based flexibility is not optional anymore. It is foundational.

The Monday Morning Question

For CEOs ready to move from static compliance to dynamic risk management, there is one critical first step.

Convene your executive team, including security, IT, operations, legal and communications and ask one brutally honest question:

“If we were hit today and taken offline, what would break and how would we keep running?”

That conversation alone will reveal whether your current security posture is theoretical or operationally grounded. From there, you can prioritise practical investments: realistic failure rehearsals, hardened identity recovery and building the muscle memory to make disciplined decisions under pressure.

The organisations that survive will not be those with the most compliance checkboxes ticked. They will be the ones that adapt fastest when the adversary changes approach. Scattered Spider and similar groups are not just attacking your systems—they are attacking your ability to think clearly under pressure. The question is not whether you will be targeted. It is whether you will be ready to respond with discipline when operational fragility becomes a weapon against you.