Cybercriminal group Scattered Spider, tracked by Microsoft as Octo Tempest, has once again evolved its attack playbook, targeting airline companies after months of disrupting other major sectors.

According to a recent update by the Microsoft Defender Security Research Team, Scattered Spider has pivoted its focus to the airline industry after previously hitting retail, food services, hospitality, and insurance sectors between April and July 2025.

“In recent weeks, Microsoft has observed Octo Tempest, also known as Scattered Spider, impacting the airlines sector,” Microsoft’s team stated in a company blog post. “This aligns with Octo Tempest’s typical patterns of concentrating on one industry for several weeks or months before moving on to new targets.”

Scattered Spider is well-known for its aggressive social engineering tactics, often posing as legitimate users to deceive service desk staff into handing over access credentials. Microsoft reports the group is now beginning attacks at a deeper level, targeting on-premises infrastructure first before moving into the cloud, which is a reversal from their previous cloud-first strategy.

“Recent activities have involved impacting both on-premises accounts and infrastructure at the initial stage of an intrusion before transitioning to cloud access,” Microsoft’s team wrote.

The cybercriminals also continue to use SMS phishing — also known as mishing — and adversary-in-the-middle (AiTM) tactics, and have recently been observed deploying DragonForce ransomware, particularly targeting VMware ESX hypervisor environments.

Microsoft’s response: More defense, more disruption

To keep pace, Microsoft has beefed up protections across its Defender and Sentinel platforms.

The company’s built-in attack disruption system now uses AI, machine learning, and signal correlation across cloud and endpoint data to detect suspicious behavior and automatically disable compromised accounts.

“Based on previous learnings from popular Octo Tempest techniques, attack disruption will automatically disable the user account used by Octo Tempest and revoke all existing active sessions by the compromised user,” Microsoft explained.
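As an added illustration (not Microsoft's code or its actual detection logic), the following Python sketch shows the shape of the signal correlation and automatic response described above: constructed on-premises and cloud identity events for one user, a rule that only fires when a helpdesk-initiated reset, an on-prem logon from an unseen host, and a new cloud MFA method all appear within an hour, and a simulated disable-and-revoke action. The event fields, hostnames and session ids are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one user's on-premises and cloud
# identity events in the order the text describes, plus an unrelated user for contrast.
EVENTS = [
    {"ts": "2025-07-01T09:00:00", "source": "helpdesk",  "user": "j.doe",   "action": "password_reset_by_agent"},
    {"ts": "2025-07-01T09:04:00", "source": "onprem_ad", "user": "j.doe",   "action": "logon", "host": "WS-NEW-17"},
    {"ts": "2025-07-01T09:20:00", "source": "cloud_idp", "user": "j.doe",   "action": "mfa_method_added"},
    {"ts": "2025-07-01T09:25:00", "source": "cloud_idp", "user": "j.doe",   "action": "signin", "session": "s-1001"},
    {"ts": "2025-07-01T10:00:00", "source": "cloud_idp", "user": "a.smith", "action": "signin", "session": "s-2002"},
]
KNOWN_HOSTS = {"j.doe": {"WS-0042"}, "a.smith": {"WS-0099"}}  # constructed per-user baseline

def correlate(events, known_hosts, window=timedelta(hours=1)):
    """Return {user: [indicator, ...]} for users whose helpdesk-initiated reset is followed,
    within `window`, by an on-prem logon from an unseen host and a new cloud MFA method."""
    findings = {}
    for r in (e for e in events if e["action"] == "password_reset_by_agent"):
        user, t0 = r["user"], datetime.fromisoformat(r["ts"])
        later = [e for e in events if e["user"] == user
                 and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
        indicators = ["helpdesk_reset"]
        if any(e["source"] == "onprem_ad" and e["action"] == "logon"
               and e.get("host") not in known_hosts.get(user, set()) for e in later):
            indicators.append("onprem_logon_unseen_host")
        if any(e["source"] == "cloud_idp" and e["action"] == "mfa_method_added" for e in later):
            indicators.append("cloud_mfa_added")
        if len(indicators) == 3:  # require the whole chain, not a single noisy signal
            findings[user] = indicators
    return findings

def disrupt(user, events):
    """Simulated containment: disable the account and revoke its active cloud sessions.
    A real implementation would call the identity provider; this only returns the decision."""
    sessions = sorted(e["session"] for e in events
                      if e["user"] == user and e["action"] == "signin")
    return {"user": user, "account_enabled": False, "revoked_sessions": sessions}

def run(events=EVENTS, known_hosts=KNOWN_HOSTS):
    """Correlate, then act on every user whose full chain was observed."""
    return [disrupt(u, events) for u in correlate(events, known_hosts)]

if __name__ == "__main__":
    for decision in run():
        print(decision)
```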

Microsoft emphasizes that, while automated tools can help block attacks in progress, human-led incident response remains essential for complete containment and recovery. The company is urging SOC teams to conduct thorough investigations into any attempted intrusion.

“In today’s threat landscape, proactive security is essential,” the Microsoft team emphasized, calling for stronger defenses across identity, endpoint, and cloud systems.

