
Scattered Spider Returns: AI-Powered Vishing and Azure AD Hijacking Now Target Saudi Financial Institutions

Scattered Spider has pivoted from retail and tech to financial institutions, deploying AI-powered voice phishing and Azure AD federation backdoors to bypass MFA. Saudi banks under SAMA supervision face immediate exposure — here is what your security team must do now.

FyntraLink Team

Scattered Spider — the loosely affiliated English-speaking collective that crippled MGM Resorts in 72 hours and extracted $115 million from 47 companies — has resurfaced after a brief "retirement" and made a deliberate pivot: Saudi Arabia's SAMA-regulated financial sector is now squarely in its crosshairs. New attack campaigns documented by ReliaQuest and CrowdStrike in April 2026 reveal a significantly upgraded playbook that weaponises AI-generated voice calls, Azure AD federation backdoors, and Salesforce credential harvesting to defeat controls that most financial institutions believe are robust.

From Casinos to Core Banking: Why Financial Services Became the Primary Target

Scattered Spider (also tracked as UNC3944, Octo Tempest, and Storm-0875) spent 2022–2024 dismantling telecom providers, insurers, and hospitality companies. The arrest of several of its members in late 2024 was widely reported as the end of the threat. That assessment was wrong. By Q1 2026, researchers at ReliaQuest documented a fresh wave of intrusions targeting financial services firms, with attackers registering a coordinated set of ticket-themed phishing domains and Salesforce credential-harvesting pages mimicking tier-1 banking portals. The calculus for targeting banks is straightforward: higher wire-transfer authority, richer data for follow-on fraud, and third-party payment processor relationships that amplify reach far beyond the initial victim.

The New Technical Playbook: Three Layers That Bypass Conventional Controls

What makes the 2026 iteration of Scattered Spider genuinely dangerous is its systematic disassembly of identity controls that security teams have spent years building. The group now operates across three coordinated layers. First, AI-powered vishing: using platforms such as Bland AI and Vapi, attackers automate high-volume, real-time-responsive phone calls that impersonate IT helpdesk staff. The AI adapts dynamically to the victim's answers, successfully passing knowledge-based authentication checks by weaponising leaked PII — including national ID numbers, dates of birth, and employee IDs purchased from Initial Access Brokers (IABs). Second, Azure AD / Entra ID federation backdoor: once an executive's password is reset via Self-Service Password Reset (SSPR), attackers inject a rogue federated identity provider into the tenant. This creates a persistent backdoor authentication path that is invisible to most SIEM rules because it appears as a legitimate federation event rather than a brute-force login. Third, Okta and Salesforce phishing overlays: lookalike domains built on commodity phishing kits with pixel-perfect Okta theming capture session tokens, defeating TOTP-based MFA entirely. Exfiltration then follows VPN tunnels routed through Mullvad to frustrate geo-based detection.

The Impact on Saudi Financial Institutions Under SAMA Supervision

Saudi banks, insurance companies, and payment processors operating under SAMA's Cyber Security Framework (SAMA CSCC) face a specific gap that Scattered Spider exploits with precision. SAMA CSCC Control 3.3.5 mandates robust identity and access management, yet most implementations focus on technical MFA enforcement without hardening the human-facing helpdesk layer — exactly where Scattered Spider enters. SAMA CSCC Control 3.3.6 on privileged access management is equally relevant: Azure AD federation backdoors grant attacker-controlled identities privileges equivalent to a global administrator, bypassing PAM tooling entirely. The NCA ECC framework (specifically ECC-1-5-2 on access control and ECC-1-5-4 on user authentication) carries the same exposure. Critically, PDPL obligations mean that a successful intrusion resulting in customer PII exfiltration triggers mandatory notification to the Saudi Data and AI Authority (SDAIA) within 72 hours — an operational burden that compounds the technical breach.

What Saudi CISOs and Compliance Officers Must Do Now

  1. Audit SSPR and Helpdesk Verification Procedures: Eliminate knowledge-based authentication for password resets immediately. Replace with hardware token confirmation or out-of-band manager approval for any privileged account. Scattered Spider's AI callers can answer any KBA question if they have access to a leaked HR database.
  2. Enumerate and Restrict Federated Identity Providers in Azure AD/Entra ID: Run Get-MgDomainFederationConfiguration and audit every registered federation trust. Any unexpected or unrecognised identity provider should be treated as a compromise indicator. Enable Conditional Access policies that block authentication from unmanaged identity providers.
  3. Deploy Phishing-Resistant MFA Across All Tier-1 Systems: Migrate critical banking applications from TOTP to FIDO2 hardware keys or passkeys. Session-token theft nullifies app-based OTP — only hardware-bound credentials provide meaningful resistance.
  4. Monitor for Ticket-Themed Lookalike Domains: Scattered Spider registers phishing infrastructure 24–72 hours before a campaign. Integrate automated domain monitoring (e.g., via dnstwist or commercial threat intelligence feeds) into your SOC runbooks and configure alerting for newly registered domains mimicking your brand, Okta portals, or Salesforce login pages.
  5. Red-Team Your Helpdesk with AI Vishing Simulations: Commission a vishing assessment that uses AI voice tooling against your actual helpdesk staff under realistic conditions. Most financial institutions discover a 30–60% success rate on first attempt — a figure that will appear in a SAMA examination report if not self-identified first.
  6. Review Third-Party Access to Azure AD: Scattered Spider frequently enters through managed service providers (MSPs) and IT outsourcers with delegated access. Enumerate all service principals with Directory.ReadWrite.All or Application.ReadWrite.All permissions and apply least-privilege immediately.
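The following script is an added example, not Fyntralink's code or anything from Microsoft, that implements steps 2 and 6 above in one pass with the Microsoft Graph PowerShell SDK, and adds the audit-log check that the federation backdoor described earlier calls for: because the backdoor shows up as a federation configuration event rather than a failed login, the directory audit log is where it is visible. It assumes the Microsoft.Graph modules are installed, that the account running it holds the read scopes requested, and that `$ExpectedIssuers` is replaced with your own legitimate IdP issuer URI (the value shown is a placeholder); the activity names are the display names Entra ID uses in the directory audit log.

```powershell
# Added example (not Fyntralink's or Microsoft's code): Entra ID identity-hygiene audit
# covering federation trusts, recent federation changes, and over-privileged service principals.
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Applications, Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'Domain.Read.All', 'Application.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

# --- 1. Federation trusts: every federated domain must map to a known IdP issuer -------------
# Placeholder: list the issuer URI(s) of the identity provider(s) you actually operate.
$ExpectedIssuers = @('http://adfs.example-bank.invalid/adfs/services/trust')

Write-Host "== Federated domains and their identity providers =="
$federated = Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' }
foreach ($domain in $federated) {
    foreach ($cfg in (Get-MgDomainFederationConfiguration -DomainId $domain.Id)) {
        $known = $ExpectedIssuers -contains $cfg.IssuerUri
        [pscustomobject]@{
            Domain        = $domain.Id
            IssuerUri     = $cfg.IssuerUri
            PassiveSignIn = $cfg.PassiveSignInUri
            Status        = if ($known) { 'expected' } else { 'UNEXPECTED - treat as compromise indicator' }
        }
    }
}

# --- 2. Federation changes in the directory audit log (last 30 days) --------------------------
# A rogue IdP is injected through exactly these operations, so any hit outside a change window
# deserves a ticket. The date is sent as a server-side OData filter; activity names are matched locally.
Write-Host "== Federation / domain changes in the last 30 days =="
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$federationActivities = @(
    'Set federation settings on domain',
    'Set domain authentication',
    'Add unverified domain',
    'Verify domain'
)
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
    Where-Object { $federationActivities -contains $_.ActivityDisplayName } |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = 'Actor';  e = { if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName } else { $_.InitiatedBy.App.DisplayName } } },
        @{ n = 'Target'; e = { ($_.TargetResources | ForEach-Object { $_.DisplayName }) -join ', ' } }

# --- 3. Service principals holding tenant-wide write permissions on Microsoft Graph -----------
# 00000003-0000-0000-c000-000000000000 is the well-known application ID of Microsoft Graph.
Write-Host "== Service principals with Directory.ReadWrite.All / Application.ReadWrite.All =="
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$dangerousRoles = $graphSp.AppRoles |
    Where-Object { $_.Value -in @('Directory.ReadWrite.All', 'Application.ReadWrite.All') }
$roleNames = @{}
foreach ($r in $dangerousRoles) { $roleNames[$r.Id] = $r.Value }

# App-role assignments on the Graph service principal list every client that was granted one of its roles.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $roleNames.ContainsKey($_.AppRoleId) } |
    Select-Object @{ n = 'Principal';  e = { $_.PrincipalDisplayName } },
                  @{ n = 'PrincipalId'; e = { $_.PrincipalId } },
                  @{ n = 'Permission'; e = { $roleNames[$_.AppRoleId] } },
                  CreatedDateTime |
    Sort-Object Permission, Principal
```

Run it from a workstation with the Graph SDK installed and read-only scopes; nothing in it writes to the tenant. Section 3 covers application (app-role) permissions only, which is where MSP and outsourcer service principals usually sit; delegated grants live in OAuth2 permission grants and are a separate check. Any row in section 1 marked UNEXPECTED, or any section 2 event that does not line up with a change record, should be handled as an incident rather than a hygiene finding.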

Conclusion

Scattered Spider's 2026 comeback is not a technical evolution — it is an operational maturation. The group has industrialised social engineering by embedding AI, automated its lateral movement via cloud identity abuse, and deliberately targeted financial institutions where the blast radius of a successful compromise is measured in billions, not millions. The SAMA CSCC and NCA ECC frameworks provide a clear compliance map, but mapping is not hardening. The organisations that survive Scattered Spider are those that have made helpdesk security, Azure AD hygiene, and phishing-resistant MFA operational priorities — not checkbox items on a compliance spreadsheet.

Is your organisation prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a targeted identity security review that covers Azure AD federation risks and helpdesk social engineering resilience.