Lessons From Scattered Spider: Defending Against Modern Attacks With Behavioural AI

Attacks rarely come through the front door anymore, and today’s actors use normal-sounding communications from legitimate suppliers as entry points. Behavioural AI can spot wider anomalies that legacy defences miss.
June 24, 2025

A UK-based retailer was recently impacted by a ransomware attack linked to Scattered Spider, a well-known cybercriminal group. The incident disrupted contactless payments and took down the retailer’s online shopping capabilities.

Scattered Spider is a label for a loosely organised group of threat actors who are adept at using sophisticated social engineering attacks to gain access to large organisations’ networks. They’re willing to go after any and every company that presents an opportunity.

In this case, the entry point wasn’t within the retailer’s environment. Instead, attackers slipped in through the supply chain, exploiting systems most organisations rely on but seldom control. It’s a clear reminder that attacks can come from anywhere, and every external connection is a potential risk.

Supply Chain Attacks Are a Growing Blind Spot

Most Chief Information Security Officers (CISOs) focus on defending their own infrastructure and internal environments. But in reality, organisations exist within a web of interconnected relationships. In this complex digital environment, your security is only as strong as the weakest link in your supply chain. Every vendor, partner, and third party that touches your business adds another layer of risk.

Yet many organisations don’t even have a complete picture of who those third parties are. Ask the finance team for a definitive list, and you’ll likely get a shrug. The web of relationships is simply too complex and constantly evolving. This lack of visibility is exactly what makes supply chains such a tempting target for attackers like Scattered Spider. If you don’t know who you’re doing business with, how can you detect invoice fraud, vendor email compromise, or impersonation attacks?

Even with supply-chain visibility, today’s attackers rarely leave obvious traces. The most sophisticated threats don’t come with malware attachments or known indicators of compromise. Instead, they slip in quietly, using context, language, and behaviour that looks legitimate.

To address these challenges, Abnormal AI offers a suite of tools to give CISOs a much clearer view of their own supply chain. Abnormal VendorBase™ maps out every organisation you interact with, so you can assess their credibility and security controls before they connect to your business.

It then continuously monitors those relationships, using behavioural AI to understand normal communication patterns and identify abnormalities. So when an email arrives from a known partner, you can be confident it’s genuine and not from an attacker exploiting a vendor account. VendorBase also shares vendor risk info across its network, so if a vendor is compromised anywhere, you’ll be warned and their emails flagged.

Mean Time to Respond Matters

Another thing about Scattered Spider (and other modern threat actors): they’re not in a rush. These attackers often spend days or weeks inside an environment before making their move, quietly profiling your systems, collecting credentials, hunting for session tokens, and learning how people communicate.

If you cannot detect and contain this activity quickly, you're leaving your organisation exposed. The longer attackers move unseen, the more likely they are to find something valuable. A single, convincing password reset email—seemingly from a senior leader—can be enough to trick someone into granting access. Yet many security teams either miss these early signals entirely or are so inundated with false positives that real threats slip through unnoticed.

Part of the challenge is that secure email gateways (SEGs) have not changed much in 20 years. Most still rely on static rules, spam filters, and malware detection to spot the ‘known bad’. These tools are no match for attackers who study your environment and use contextually intelligent, trusted-looking messages to slip past defences. Today, you must assume someone will get inside your environment, attacks will land in inboxes, and people will interact with them. The goal is no longer just prevention—it’s rapid detection and response.

Abnormal flips the traditional model. Instead of trying to spot every possible threat, our behavioural AI learns what is normal for your business by building a list of the ‘known-good’ users, partners, and patterns you can trust. When something falls outside that baseline, even if it is subtle or new, it stands out. That is how you catch zero-day attacks and other threats that legacy tools miss.
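To make the ‘known-good’ baseline idea concrete, here is a small added example that is not Abnormal’s code and is not taken from the page: it builds a per-vendor profile from past messages (sender domain, Reply-To domain, display name, sending hour) and then scores new messages by how far they deviate from that profile, which is the same shape of check the VendorBase section above describes for a compromised vendor account. The vendor, addresses, subjects and the `PAYMENT_CHANGE_TERMS` phrase list are all constructed for the illustration.

```python
"""Toy behavioural baseline for a single vendor relationship (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable


@dataclass(frozen=True)
class Email:
    sender: str          # From: address
    reply_to: str        # Reply-To: address; equals sender when the header is absent
    display_name: str    # Friendly name shown in the mail client
    hour_utc: int        # Hour of day the message was sent, 0-23
    subject: str


@dataclass
class VendorBaseline:
    """Counts of what this vendor's mail normally looks like."""
    sender_domains: Counter = field(default_factory=Counter)
    reply_to_domains: Counter = field(default_factory=Counter)
    display_names: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    messages: int = 0


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def build_baseline(history: Iterable[Email]) -> VendorBaseline:
    """Learn 'normal' from historical, trusted mail rather than from a threat list."""
    b = VendorBaseline()
    for e in history:
        b.sender_domains[domain_of(e.sender)] += 1
        b.reply_to_domains[domain_of(e.reply_to)] += 1
        b.display_names[e.display_name] += 1
        b.hours[e.hour_utc] += 1
        b.messages += 1
    return b


# Hypothetical phrases that accompany payment-redirection requests; not a real product list.
PAYMENT_CHANGE_TERMS = ("bank details", "new account", "remittance", "wire", "urgent payment")


def score_message(email: Email, baseline: VendorBaseline) -> list[str]:
    """Return every way the message departs from the learned baseline."""
    findings = []
    s_dom, r_dom = domain_of(email.sender), domain_of(email.reply_to)
    if s_dom not in baseline.sender_domains:
        if email.display_name in baseline.display_names:
            findings.append("known display name from never-seen sender domain")
        else:
            findings.append("never-seen sender domain")
    # A compromised real account keeps its sender domain but redirects replies elsewhere.
    if r_dom != s_dom and r_dom not in baseline.reply_to_domains:
        findings.append("reply-to redirected to never-seen domain")
    # Only judge timing once there is enough history to mean something.
    if baseline.messages >= 5 and baseline.hours[email.hour_utc] == 0:
        findings.append("sent at an hour this vendor has never used")
    if any(term in email.subject.lower() for term in PAYMENT_CHANGE_TERMS):
        findings.append("payment-change language")
    return findings


def verdict(findings: list[str]) -> str:
    """Map the deviation count to an action: clean inbox rather than a warning banner."""
    if not findings:
        return "deliver"
    return "quarantine" if len(findings) >= 2 else "review"


# Constructed history: six routine invoices from one vendor contact, sent mid-morning.
HISTORY = [
    Email("j.lee@acme-supplies.example", "j.lee@acme-supplies.example",
          "Jordan Lee", hour, f"Invoice {n}")
    for n, hour in enumerate((9, 10, 9, 11, 10, 9), start=1001)
]
BASELINE = build_baseline(HISTORY)

# Constructed test messages.
LEGIT = Email("j.lee@acme-supplies.example", "j.lee@acme-supplies.example",
              "Jordan Lee", 10, "Invoice 1007")
COMPROMISED_ACCOUNT = Email("j.lee@acme-supplies.example", "jordan.lee.acme@freemail.example",
                            "Jordan Lee", 3, "URGENT: updated bank details for invoice 1007")
LOOKALIKE_DOMAIN = Email("j.lee@acme-suppiles.example", "j.lee@acme-suppiles.example",
                         "Jordan Lee", 10, "Invoice 1007 resend")

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("compromised", COMPROMISED_ACCOUNT),
                       ("lookalike", LOOKALIKE_DOMAIN)):
        f = score_message(msg, BASELINE)
        print(f"{label:12} {verdict(f):10} {f}")
```

The point of the example is the direction of the logic: nothing here matches a signature or a blocklist. A genuine message from the usual address at the usual hour produces no findings, while a message from the vendor’s real, compromised account is still caught because its Reply-To, timing and request type all fall outside what that relationship has ever looked like.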

Abnormal is an AI-native platform, and part of the toolkit ensures analysts are not drowning in alerts or wasting time on false positives. AI Security Mailbox, for example, provides 24/7 triage, bulk-remediating low-risk threats and false alarms, and alerting analysts to the few signals that matter—the spear in a haystack full of needles. That sharper focus is why organisations see their response times drop dramatically when using behavioural AI for email security.

Humans Are Still Your Biggest Risk

But even with smarter, faster detection, people remain your most unpredictable variable. Human error continues to play a role in the majority of breaches, and without the right support, even well-meaning employees can fall for sophisticated scams.

I recently read an article arguing that businesses should stop using email because securing it is impossible, in part because people keep clicking on malicious links. And who can blame them when phishing attacks are so convincing? It sounds reasonable until you stop to question whether the real problem is that our training hasn’t kept up with the evolving threats.

CISOs report that around 50% of security incidents stem from avoidable user errors. This staggering number suggests something fundamental is wrong with how we prepare people to spot phishing attacks. We’re asking users to identify sophisticated campaigns, but we’re giving them outdated, generic lessons that don’t reflect real inboxes.

Imagine if, instead of check-box phishing training every six months, users learned from actual threats. If a finance team member receives a payment scam or a developer is hit with a GitHub phishing email, that real attack is defanged, and the user is immediately coached on what happened and how to spot it next time. Peers also get the same lesson, raising awareness across the team.

That’s the thinking behind Abnormal’s new AI Phishing Coach. It builds on the proven benefits of gamified learning, but goes further by turning real attacks into phishing simulations that help people get better at spotting scams. AI Security Mailbox works alongside the phishing coach. It instantly responds to every employee-reported email with a clear explanation of whether it was safe or malicious. Employees can even ask follow-up questions, making security guidance fast, personal, and always available.

Email Security Should Drive Real Business Value

Cybersecurity is often seen as just another cost or compliance checkbox, not a strategic asset. But as attacks grow in scale and sophistication, boards and executives are asking tougher questions—not just whether controls exist, but how well they work and what bottom-line benefits they deliver for the business.

Take risky emails, for example. Legacy tools often apply a warning banner to messages they’re unsure about, effectively shifting the burden of decision-making onto end users. This approach assumes users will make the right call—but in reality, users don’t have a strong track record of recognizing sophisticated threats. In practice, this creates confusion and often increases risk, rather than reducing it.

Abnormal’s approach is fundamentally different. We keep inboxes clean by using advanced AI detection to automatically block or quarantine threats before they reach users. While banners may still be required in industries where regulations mandate email delivery, our position is clear: banners should be used sparingly and intentionally, not as a fallback. In general, we believe giving users the choice to interact with potentially malicious emails is not a good solution. Preventing exposure in the first place is far more effective.

Banners are just one tool. Abnormal has also unified email quarantine controls, so admins can manage both Microsoft and Abnormal quarantines from a single portal. It sounds simple, but it saves real time and overhead.

The biggest shift, though, is in reporting and analytics. Instead of canned reports that miss what leaders care about, Abnormal’s AI Data Analyst lets security teams generate insights on demand, from the organisation’s top attack types to who is being targeted, how users interact with threats, and how performance compares to peers. These are the metrics that matter to the business and show the real value of strong email security.

Smart CISOs Don’t Wait—They Anticipate

If Scattered Spider has taught us anything, it’s that CISOs can’t just react to the latest or nearest threat. They have to think ahead and see the bigger picture, and that involves moving away from a patchwork of disparate point products and toward tools that work together. I see this every day with customers who run Abnormal alongside CrowdStrike: when your tools are integrated and interoperable, you close more gaps, cut down on complexity, and give your team the context they need to focus on what matters.

One customer’s experience says it all. They used to have 12 analysts handling phishing reports. After switching to AI-driven automation, nearly all those analysts moved on to higher-value projects. The company saved money, but more importantly, they kept their best talent engaged and focused on work that actually matters, instead of burning out on repetitive tasks.

How To Defend From Every Direction

The shift toward platformisation is urgent now that attackers are using generative AI to research and plan attacks. What took an attacker 40 hours can now be accomplished in 30 seconds.

Too many CISOs are fighting today’s attacks with yesterday’s tools. They’re distracted by links and attachments while the real threats are blending in with normal communication. The solution isn’t more tools, more alerts, or automation. It’s understanding behaviour deeply enough to know when something’s off inside your environment, then acting quickly to neutralise the threat before it can do damage. When attackers can exploit any partner, vendor, or supplier, only integrated, AI-powered security can defend your business from every direction.

Interested in learning more about how Abnormal AI can protect your organisation? Schedule a demo today!
