    Human Risk Roundup: Scattered Spider targets insurance firms

    Cybercriminals exploit help desk workflows to breach sensitive systems in sector-specific attacks 

    by Joan Goodchild

    Key Points

    • Scattered Spider targets the insurance sector with advanced social engineering tactics. 
    • Russian state-backed group UNC6293 impersonates the U.S. State Department to infiltrate email accounts. 
    • The DHS warns of increased cyber operations by Iranian threat actors amid global tensions. 
    • Astaroth Infostealer campaign continues its wave of phishing attacks, focusing heavily on Latin America. 

    In this edition of the Human Risk Roundup, Scattered Spider, a cybercriminal group known for its sector-specific focus, has zeroed in on insurance companies in its latest wave of attacks. And Google threat researchers warn that a sophisticated phishing campaign is targeting academics and critics of Russia by posing as the U.S. Department of State. 

    Scattered Spider spins its web around the insurance sector 

    The threat group responsible for a recent series of attacks on UK retailers is now setting its sights on insurance firms. Scattered Spider, also known as UNC3944, is known for its advanced social engineering tactics and also for targeting one sector at a time. Three insurers were hit with attacks in a five-day period this month.  

    What happened 

    "Google Threat Intelligence Group is now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry," chief GTIG analyst John Hultquist said in an email to multiple media outlets. The group uses social engineering schemes to exploit help desks and call centers. Threat actors impersonate employees and use psychological maneuvers to deceive IT teams into bypassing multi-factor authentication (MFA) and other access controls.  

    Why it matters 

    The entrance of Scattered Spider into the insurance sector not only poses direct risks to insurers' operations but can also expose policyholder records and sensitive information. These attacks take advantage of the sector's reliance on help desks and large employee footprints. Given the group’s reported affiliation with ransomware actors and its recent partnerships in the cybercriminal landscape, this shift in focus could result in severe data breaches and extortion events for an industry heavily reliant on trust. 

    Practical tips for security leaders in the insurance industry 

    Enhance awareness of social engineering tactics: Ensure help desk employees and frontline staff are trained to recognize impersonation attempts and respond appropriately to suspicious interactions. 

    Encourage employee validation processes: Implement clear protocols for verifying employee identities before granting access to sensitive systems or resetting account credentials. 

    Monitor email-related behaviors closely: Regularly review email activity for signs of compromise, such as unusual forwarding rules, unexpected password reset requests, or access from unfamiliar locations. 

    Read more in The Hacker News. 

    Russian cyber attackers impersonate U.S. State Department 

    A sophisticated phishing campaign by Russian state-sponsored group UNC6293 has taken aim at influential individuals, like academics and critics of Russia, by posing as the U.S. Department of State. The campaign highlights the rising threat of targeted social engineering attacks that exploit trust to bypass even advanced security controls. 

    What happened 

    From April to June 2025, UNC6293 carried out two coordinated phishing campaigns aimed at gaining long-term access to victims’ email accounts. The attackers sent well-crafted emails using spoofed U.S. State Department addresses to appear credible. Once victims responded, the hackers guided them to create Application Specific Passwords (ASPs), 16-character codes designed for third-party app access to Google accounts. 

    The attackers used these ASPs to log into victims’ email accounts via mail clients and gained long-term access to their accounts. Two approaches were identified: one used a State Department-themed lure, and the other adopted Ukrainian and Microsoft branding to increase its appeal. Both campaigns relied on residential proxies and other infrastructure to hide their activities and maintain access. 

    Why it matters 

    UNC6293’s tactics show how targeted human manipulation can help attackers sidestep strong security measures like multi-factor authentication (MFA). By gaining insider-level email access, these actors can monitor sensitive communications, steal data, and position themselves for further exploitation. This campaign is a stark reminder that phishing isn’t just a spray-and-pray tactic anymore; it’s a calculated strategy that preys on trust and human vulnerabilities. 

    Practical tips for security leaders 

    Strengthen protections against phishing emails: Implement systems that proactively detect and block suspicious emails, including those with spoofed sender addresses or links designed to steal credentials. 

    Flag and verify external communications: Use measures to alert employees to potential risks in emails from unverified external sources, helping them scrutinize unusual communication attempts. 

    Monitor and audit account activity: Regularly check login behavior and account access patterns for anomalies such as login from unknown locations or unauthorized devices. 

    Elevate user awareness: Provide ongoing education to employees about emerging phishing tactics, empowering them to identify and report tailored scams that target human vulnerabilities. 
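    The two account-takeover patterns described in this roundup (a help-desk MFA reset followed by a new forwarding rule, and an app-specific password created and then used for a mail-client login from an unfamiliar country) can be caught by correlating audit events. The following is an added example, not code from Mimecast or the original post; the log format, event names and sample entries are all constructed for illustration.

```python
# Added example (not from the Mimecast post). Correlates constructed audit
# events to flag the two human-driven takeover patterns the roundup describes.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).
# Fields: timestamp user event detail country
SAMPLE_EVENTS = """
2025-05-02T09:00:00 alice ASP_CREATED name=Thunderbird US
2025-05-02T09:04:10 alice IMAP_LOGIN client=Thunderbird RO
2025-05-02T13:15:00 bob HELPDESK_MFA_RESET ticket=T-1234 US
2025-05-02T13:20:30 bob FORWARD_RULE_ADDED to=ext-mailbox GB
2025-05-03T08:00:00 carol IMAP_LOGIN client=Outlook US
"""

WINDOW = timedelta(hours=1)  # how close the two events must be to correlate

def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, event, detail, country = line.split(" ", 4)
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail, "country": country})
    return events

def find_suspicious(events, known_countries):
    """Return alert strings for two patterns within WINDOW per user:
    1) ASP_CREATED then IMAP_LOGIN from a country not in the user's known set
       (the UNC6293 app-password pattern);
    2) HELPDESK_MFA_RESET then FORWARD_RULE_ADDED
       (the Scattered Spider help-desk pattern)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, trigger in enumerate(evs):
            for follow in evs[i + 1:]:
                if follow["time"] - trigger["time"] > WINDOW:
                    break  # events are time-sorted, nothing later can match
                if (trigger["event"] == "ASP_CREATED" and follow["event"] == "IMAP_LOGIN"
                        and follow["country"] not in known_countries.get(user, set())):
                    alerts.append(f"{user}: app password created, then mail-client login from {follow['country']}")
                if trigger["event"] == "HELPDESK_MFA_RESET" and follow["event"] == "FORWARD_RULE_ADDED":
                    alerts.append(f"{user}: MFA reset via help desk, then forwarding rule added ({follow['detail']})")
    return alerts

if __name__ == "__main__":
    baseline = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}  # constructed
    for alert in find_suspicious(parse(SAMPLE_EVENTS), baseline):
        print(alert)
```

The baseline of known countries per user would normally come from historical sign-in data; here it is a constructed dictionary.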

    What to watch: DHS warns of cyberattacks from Iran 

    The Department of Homeland Security (DHS) is warning about the potential for increased malicious cyber activity from Iran following U.S. military strikes on Iranian nuclear facilities. The bulletin cautions that Iranian operatives and supportive hacktivists are likely to conduct low-level cyberattacks against U.S. networks in retaliation. 

    In addition to cyber threats, the DHS highlighted a heightened risk to the safety of U.S. government officials and critics of the Iranian regime. Iranian-linked hackers have a history of targeting poorly secured critical infrastructure, including water utilities and technology companies. 

    Read more about this developing news in Cybersecurity Dive. 

    Mimecast Threat Intelligence: New wave of Astaroth Infostealer campaign 

    Samantha Clarke and the Mimecast Threat Research team have uncovered a new wave of the Astaroth Infostealer campaign, a sophisticated malware operation targeting Latin America, particularly Brazil and Mexico. The malware, active since 2017, employs fileless attack techniques to evade detection and uses phishing emails to initiate infections. Victims are lured into clicking malicious links that download obfuscated JavaScript, allowing the malware to steal sensitive information such as banking credentials. 

    Astaroth's operations are characterized by geofencing and tailored social engineering tactics, making it particularly effective in its targeted regions. With a staggering daily distribution of up to 100,000 phishing emails, the campaign poses a significant threat. Organizations are urged to enhance their email security measures and user awareness to combat this evolving threat.  

    For more Astaroth Infostealer information, visit our Threat Intelligence Hub. 
