Cybersecurity brief: Scattered Spider, AI, and evolving cyber threats

Cybersecurity
 |  
Jul 2026
 |  
RH-ISAC
Save to favorites
Your item is now saved. It can take a few minutes to sync into your saved list.

Key Takeaways

  • Cybersecurity is the rare domain where direct competitors are explicitly encouraged to collaborate. CISA in the US, ENISA in the EU, the NCSC in the UK and Interpol all promote ISAC-style sharing structures; the parallel drawn by RH-ISAC is aviation safety, a category where no operator competes on how safe its aircraft are. RH-ISAC already holds more than two dozen recordings of Scattered Spider help-desk calls, with phone numbers, IP addresses and scripts, because member companies submitted them.
  • 76% of security budgets are flat or barely growing. The binding constraint on CISOs is no longer money but the speed at which the business is demanding AI. Roughly 3/4 of CISOs expect flat or marginal budget growth, headcount is tilting toward reducing contractors, and the first-ranked constraint is the velocity of AI capabilities being shipped without the security checks that should accompany them. AI also appears for the first time as a defensive solution (fraud detection, threat detection, vulnerability management).
  • The attack surface is human, not technical: Scattered Spider walks through the help desk. The operating script is consistent enough that RH-ISAC now plays the recordings as training material: an operator calls the
    internal IT help desk impersonating a locked-out employee, supplies a callback number when challenged, and the help desk worker completes the reset. Secondary techniques include MFA fatigue and fake internal login pages that exploit the habit of Googling the login URL rather than using a bookmark. The operative skill is conversational, not technical.
  • The mitigation posture : harden the help desk, kill SMS-based MFA, train staff to read the red flags. No remote password or MFA reset without strong verification — companies now require physical presence in a store with a manager who verifies identity in person. Authenticator-app MFA replaces six-digit SMS or email codes, because SIM swapping makes phone-number-based MFA structurally weak. Frontline staff, helpdesk
    agents and store managers are trained to treat unusual signals, a “security sixth sense” across the organisation rather than concentrated in the security function.
  • The economic logic shifted to pure data extortion, with third-parties as the dominant entry point. Corporate backup discipline has improved enough that encrypting systems is no longer a sufficient lever; the
    current pattern increasingly skips the system lock and goes directly to data theft and threat of publication. The Canvas campaign extracted approximately 275 million student records from nearly 9,000 educational institutions through a single vendor — and when victims did not pay, the threat actors began impersonating journalists to pressure leadership.
  • AI is changing the unit economics for the attacker. Voice mimicry, higher-quality phishing emails and visual impersonation are becoming cheaper to produce; the same techniques that make legitimate marketing more effective make criminal impersonation more effective. Air France's partnership with Starlink for in-flight connectivity is now generating cabin-crew training scenarios for cases such as a passenger blackmailed midflight by an AI-generated relative claiming abduction, with fake video sent to the device.

Cybersecurity brief: Scattered Spider, AI, and evolving cyber threats presentation