Scattered Spider Broadens Targets With New Ransomware and Hybrid Tactics
The cybercrime group known as Scattered Spider has begun targeting airlines and hospitality firms using new tools and tactics, according to Microsoft’s latest threat intelligence update.
Active since at least 2022 and also tracked as Octo Tempest, the group is known for impersonating employees to trick help desks into resetting passwords. But recent attacks show the threat actor expanding its playbook with SMS-based phishing, adversary-in-the-middle techniques, and deployment of DragonForce ransomware.
“Recent activity shows Octo Tempest has deployed DragonForce ransomware with a particular focus on VMware ESX hypervisor environments,” Microsoft said in a blog post. The group has also shifted its strategy from exploiting cloud credentials first to breaching on-premises environments before moving to cloud infrastructure.
Scattered Spider has already been linked to high-profile incidents involving major U.S. and U.K. retailers, but Microsoft researchers say the group is now actively hitting insurers, airlines, and food service companies. Their hybrid approach combines social engineering with the use of tools like ngrok and AADInternals to maintain long-term access.
Microsoft said the group often contacts support desks “through phone calls, emails, and messages,” and that phishing messages are crafted to bypass standard detection by mimicking legitimate organizations.
Microsoft Defender now includes coverage for these updated tactics, with detections across endpoints, cloud workloads, and identity platforms. The company has also rolled out automatic attack disruption features that can “disable the user account used by Octo Tempest and revoke all existing active sessions.”
Security teams are encouraged to harden defenses using Microsoft’s Exposure Management tools. “The Octo Tempest Threat Initiative brings these mitigations together into a focused program,” the company said, adding that the initiative maps real-world attacker behaviors to proactive defenses.
Microsoft has also urged organizations to turn on phishing-resistant multifactor authentication, limit excessive cloud permissions, and block credential theft using tamper protection and Defender Credential Guard.
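As an added check (not from the article or from Microsoft's post), the following PowerShell audits two of the endpoint controls recommended above, Defender tamper protection and Credential Guard, on a single Windows host. It assumes Microsoft Defender Antivirus is installed and uses the documented Win32_DeviceGuard status codes (1 = Credential Guard in SecurityServicesRunning).

```powershell
# Added example: audit Defender tamper protection and Credential Guard state.
# Assumes Windows 10/11 or Windows Server with Microsoft Defender Antivirus,
# run from an elevated PowerShell session.

function Get-CredentialTheftHardeningStatus {
    # Defender status; IsTamperProtected reports whether tamper protection is on.
    $mp = Get-MpComputerStatus

    # The DeviceGuard WMI class exposes VBS and Credential Guard state.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        TamperProtection          = [bool]$mp.IsTamperProtected
        RealTimeProtection        = [bool]$mp.RealTimeProtectionEnabled
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
    }
}

$status = Get-CredentialTheftHardeningStatus
$status | Format-List

# Report gaps that leave cached credentials exposed even after a password reset.
$gaps = @()
if (-not $status.TamperProtection)       { $gaps += 'Defender tamper protection is off' }
if (-not $status.CredentialGuardRunning) { $gaps += 'Credential Guard is not running' }

if ($gaps.Count -gt 0) {
    Write-Warning ("Hardening gaps on {0}: {1}" -f $status.ComputerName, ($gaps -join '; '))
} else {
    Write-Host "Credential-theft protections are active on $($status.ComputerName)"
}
```

Running this across a fleet (for example via a remoting session or your endpoint management tool) gives a quick inventory of hosts where the two controls Microsoft names are not yet in force.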
The group, also known as Muddled Libra and UNC3944, remains a top concern due to its rapid adaptation and ability to pivot across industries.