On July 9, 2025, the UK’s National Crime Agency (NCA) arrested four individuals, aged 17 to 20, in connection with coordinated cyberattacks targeting UK retailers M&S, Co-op, and Harrods. The attacks are attributed to the threat actor group known as Scattered Spider and involved advanced social engineering techniques, phishing emails, and infostealer malware.

Customer data including names, addresses, and payment information was compromised. The attackers used tailored phishing campaigns to trick employees into launching malware payloads, leading to credential theft and unauthorized access across internal systems.

Date of Incident: July 9, 2025
Threat Actor: Scattered Spider (alleged)
Attack Type: Social Engineering, Phishing, Malware Deployment

Explanation

The campaign began with phishing emails impersonating legitimate brands or partners. These emails contained malicious attachments such as disguised executables (e.g., invoice.pdf.exe), which, when opened, installed infostealer malware like Lumma or RedLine.

Once executed, the malware harvested login credentials and customer data from the infected endpoints. Attackers moved laterally through the network, exfiltrating data to remote servers. Despite employee awareness training at most impacted organizations, the social engineering tactics were convincing enough to bypass standard human defenses.

Impact

Data Breach: Personally Identifiable Information (PII) such as names, addresses, and payment data was stolen.

Financial Loss: Organizations faced potential fraud claims, notification costs, and customer compensation.

Reputation Damage: Trust in affected retail brands was compromised.

Regulatory Scrutiny: Possible investigations and fines under GDPR and UK data protection laws.

MITRE ATT&CK Mapping

Tactic: Initial Access (TA0001): T1566 – Phishing (emails carrying malicious attachments)

Tactic: Execution (TA0002): T1204 – User Execution (malware launched via user interaction)

Tactic: Collection (TA0009): T1005 – Data from Local System (gathered stored credentials and files)

Tactic: Exfiltration (TA0010): T1041 – Exfiltration Over C2 Channel (sent data to external servers)

IOCs

Domains: malicious-login[.]com (example phishing domain)

IP Addresses: 185.199.108.133 (example command-and-control server)

File Hashes: Not publicly disclosed

File Names: invoice.pdf.exe

Log Artifacts

Jul 09 2025 08:12:45 [Email-Gateway] Inbound email from [email protected]
Jul 09 2025 08:13:10 [Endpoint] File execution: C:\Users\employee\invoice.pdf.exe
Jul 09 2025 08:14:22 [Firewall] Outbound connection to 185.199.108.133

Remediation

Vendor Patch Guidance: Ensure all endpoint protection tools are updated to detect known infostealers like Lumma and RedLine.

Temporary Mitigations: Block all known phishing domains and implement tighter email gateway filters to flag impersonation attempts.

Known Workarounds: Reinforce phishing training campaigns and deploy attachment sandboxing at email ingress points.

Threat Hunting Recommendations

Log Correlation: Review email gateway logs for unusual sender domains and endpoints for execution of unauthorized files.

YARA Rule:

bash

rule Phishing_Malware {

meta:

description = "Detects phishing-delivered malware"

author = "FireCompass Threat Research"

strings:

$s1 = "invoice.pdf.exe" ascii

condition:

uint16(0) == 0x5A4D and $s1

}

Anomalous Traffic: Monitor for outbound connections to unknown IP addresses shortly after email interactions.

Takeaway for CISOs

Social engineering remains one of the most effective and difficult-to-detect attack vectors. Even trained employees can fall victim to convincing phishing emails. CISOs must adopt a layered defense that includes robust email filtering, behavioral endpoint detection, proactive phishing simulations, and rapid incident response protocols.