On July 9, 2025, the UK’s National Crime Agency (NCA) arrested four individuals, aged 17 to 20, in connection with coordinated cyberattacks targeting UK retailers M&S, Co-op, and Harrods. The attacks are attributed to the threat actor group known as Scattered Spider and involved advanced social engineering techniques, phishing emails, and infostealer malware.
Customer data including names, addresses, and payment information was compromised. The attackers used tailored phishing campaigns to trick employees into launching malware payloads, leading to credential theft and unauthorized access across internal systems.
Date of Incident: July 9, 2025
Threat Actor: Scattered Spider (alleged)
Attack Type: Social Engineering, Phishing, Malware Deployment
Explanation
The campaign began with phishing emails impersonating legitimate brands or partners. These emails contained malicious attachments such as disguised executables (e.g., invoice.pdf.exe), which, when opened, installed infostealer malware like Lumma or RedLine.
Once executed, the malware harvested login credentials and customer data from the infected endpoints. Attackers moved laterally through the network, exfiltrating data to remote servers. Despite employee awareness training at most impacted organizations, the social engineering tactics were convincing enough to bypass standard human defenses.
Impact
Data Breach: Personally Identifiable Information (PII) such as names, addresses, and payment data was stolen.
Financial Loss: Organizations faced potential fraud claims, notification costs, and customer compensation.
Reputation Damage: Trust in affected retail brands was compromised.
Regulatory Scrutiny: Possible investigations and fines under GDPR and UK data protection laws.
MITRE ATT&CK Mapping
Tactic: Initial Access (TA0001): T1566 – Phishing (emails carrying malicious attachments)
Tactic: Execution (TA0002): T1204 – User Execution (malware launched via user interaction)
Tactic: Collection (TA0009): T1005 – Data from Local System (gathered stored credentials and files)
Tactic: Exfiltration (TA0010): T1041 – Exfiltration Over C2 Channel (sent data to external servers)
IOCs
Domains: malicious-login[.]com (example phishing domain)
IP Addresses: 185.199.108.133 (example command-and-control server)
File Hashes: Not publicly disclosed
File Names: invoice.pdf.exe
Log Artifacts
Jul 09 2025 08:12:45 [Email-Gateway] Inbound email from [email protected]
Jul 09 2025 08:13:10 [Endpoint] File execution: C:\Users\employee\invoice.pdf.
Jul 09 2025 08:14:22 [Firewall] Outbound connection to 185.199.108.133
Remediation
Vendor Patch Guidance: Ensure all endpoint protection tools are updated to detect known infostealers like Lumma and RedLine.
Temporary Mitigations: Block all known phishing domains and implement tighter email gateway filters to flag impersonation attempts.
Known Workarounds: Reinforce phishing training campaigns and deploy attachment sandboxing at email ingress points.
Threat Hunting Recommendations
Log Correlation: Review email gateway logs for unusual sender domains and endpoints for execution of unauthorized files.
YARA Rule:
rule Phishing_Malware {
    meta:
        description = "Detects phishing-delivered malware"
        author = "FireCompass Threat Research"
    strings:
        $s1 = "invoice.pdf.exe" ascii
    condition:
        // 0x5A4D is the "MZ" magic of a Windows PE header: the rule only fires on
        // executables that embed the double-extension lure name
        uint16(0) == 0x5A4D and $s1
}
Anomalous Traffic: Monitor for outbound connections to unknown IP addresses shortly after email interactions.
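The log-correlation and anomalous-traffic recommendations above can be turned into a single hunting check: flag a double-extension file executed shortly after an inbound email and followed by an outbound connection to an IP that is not on an allow-list. The following is an added example written for this article, not FireCompass tooling; the log lines are constructed to match the shape of the Log Artifacts section, and the sender address, window length and allow-list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the article's Log Artifacts section,
# not real telemetry from the incident. The last line is benign noise.
SAMPLE_LOGS = [
    "Jul 09 2025 08:12:45 [Email-Gateway] Inbound email from billing@malicious-login.com",
    "Jul 09 2025 08:13:10 [Endpoint] File execution: C:\\Users\\employee\\invoice.pdf.exe",
    "Jul 09 2025 08:14:22 [Firewall] Outbound connection to 185.199.108.133",
    "Jul 09 2025 09:30:00 [Endpoint] File execution: C:\\Program Files\\Office\\WINWORD.EXE",
]

LINE_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \[([^\]]+)\] (.*)$")
# Document-looking name with an executable final extension, e.g. invoice.pdf.exe
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|com|bat|js)$", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Return (timestamp, source, message) or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    return ts, m.group(2), m.group(3)


def correlate(lines, known_good_ips=frozenset(), window=timedelta(minutes=10)):
    """Return (executed_path, destination_ip) pairs for the three-stage chain:
    inbound email -> double-extension execution -> outbound connection to an
    IP outside the allow-list, each stage within `window` of the previous."""
    events = [e for e in map(parse_line, lines) if e]
    email_times = [ts for ts, src, msg in events
                   if src == "Email-Gateway" and msg.startswith("Inbound email")]
    hits = []
    for ts, src, msg in events:
        if src != "Endpoint" or not msg.startswith("File execution: "):
            continue
        path = msg[len("File execution: "):]
        if not DOUBLE_EXT_RE.search(path):
            continue
        # Stage 1: execution shortly after an inbound email
        if not any(timedelta() <= ts - et <= window for et in email_times):
            continue
        # Stage 2: outbound connection to a non-allow-listed IP shortly after execution
        for ts2, src2, msg2 in events:
            if src2 != "Firewall" or not (timedelta() <= ts2 - ts <= window):
                continue
            m = IP_RE.search(msg2)
            if m and m.group(1) not in known_good_ips:
                hits.append((path, m.group(1)))
    return hits
```

Feeding the same three lines with the C2 address on the allow-list returns nothing, which is the expected false-positive control when tuning the window and allow-list against your own traffic.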
Takeaway for CISOs
Social engineering remains one of the most effective and difficult-to-detect attack vectors. Even trained employees can fall victim to convincing phishing emails. CISOs must adopt a layered defense that includes robust email filtering, behavioral endpoint detection, proactive phishing simulations, and rapid incident response protocols.
FireCompass Can Identify Weaknesses In Email Defenses & Social Engineering Resistance.