Following the FBI’s recent warning on social media about Scattered Spider’s use of social engineering and keyword-driven deception, Doppel conducted a focused review of domain detections using known attacker patterns and keyword indicators linked to the group and similar threat actors. By analyzing the keyword trends noted by the FBI and reported in media outlets, Doppel has identified a network of parked domains and subdomains that align with the tactics, techniques, and procedures (TTPs) employed by Scattered Spider.
Our investigation focused on critical infrastructure clients, with the highest volume of keyword-specific domain detections among the aviation and oil-and-gas sectors. Doppel discovered that several parked domains and subdomains matched the detailed patterns associated with Scattered Spider's operations. These findings underscore the group's strategic use of domain infrastructure to facilitate its cyberattacks.
Background
Scattered Spider is known for its sophisticated social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access to internal company networks. Their methods frequently involve bypassing multi-factor authentication (MFA), for example by convincing help desk services to add unauthorized MFA devices to compromised accounts. The group's activities have expanded to target various sectors, including aviation, insurance, and now, critical infrastructure.
This blog analyzes the most targeted domain keywords detected by Doppel over the past three months and provides a defense-in-depth perspective for defenders to proactively neutralize these threats.
Between March 30, 2025 and June 30, 2025, Doppel observed a sustained uptick in malicious domain activity mimicking enterprise infrastructure and authentication services, aligning closely with techniques attributed to the threat actor Scattered Spider. Known for sophisticated social engineering, SIM swapping, and phishing campaigns targeting identity and access management (IAM) systems, Scattered Spider has increasingly exploited lookalike domains to impersonate corporate portals and MFA services.
Doppel Vision’s telemetry highlights domain spoofing activity across several key themes associated with internal access, support services, and IAM platforms. Below are the most frequently detected and actioned domain keywords across all industries.
These patterns reflect an evolving threat landscape where impersonating remote access portals (vpn, connect) and IAM providers (okta, sso) is central to the attacker’s social engineering strategy — a hallmark of Scattered Spider’s operations.
Scattered Spider has demonstrated persistent interest in targeting industries with large distributed workforces and reliance on federated identity systems. According to recent FBI alerts, their playbook includes:
Doppel’s detection data reveals overlapping domain activity consistent with these tactics — especially across ‘support’, ‘vpn’, ‘okta’, and ‘helpdesk’ keywords.
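As an added example (not Doppel's code and not the Doppel Vision product), the following Python script shows how a defender can run the same keyword-driven triage over their own feed of newly observed hostnames, for instance from certificate transparency logs or passive DNS. The keyword list is the set named in this post (vpn, connect, okta, sso, support, helpdesk); the brand token "acme", the legitimate domain "acme.com" and the sample feed are constructed for the example. It flags hostnames that combine a brand token with an access or IAM keyword as high severity, handles fused spellings such as "acmesso", and avoids false positives where a keyword is merely a substring of an ordinary word (e.g. "sso" inside "lessons").

```python
"""Keyword-driven lookalike-domain triage for a newly-observed-domain feed.

Added example, not Doppel's code. Assumes the defender already has a feed of
newly registered or newly observed hostnames plus a short list of brand
tokens and legitimate domains. All sample values below are constructed.
"""
import re
from collections import Counter

# Access/IAM keywords this post reports as the most frequently abused.
ACCESS_KEYWORDS = ("vpn", "connect", "okta", "sso", "support", "helpdesk")

SEVERITY = {"high": 3, "medium": 2, "low": 1}

# Constructed configuration for a hypothetical organisation "Acme".
BRAND_TOKENS = ("acme",)
LEGIT_DOMAINS = ("acme.com",)

# Constructed sample feed: mixed case, trailing dot and unrelated names included.
SAMPLE_FEED = [
    "acme.com", "vpn.acme.com", "ACME-Helpdesk.COM.", "acme-vpn-login.com",
    "acmesso.net", "okta-acme.support", "acme-vpn.support",
    "helpdesk-connect.com", "acmeco-hr.com", "lessons-online.org", "example.org",
]


def _normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading CT-style wildcard."""
    host = host.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host


def _is_legitimate(host: str, legit_domains) -> bool:
    """True for the organisation's own apex domains and their subdomains."""
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def _keywords_in(host: str, brand_tokens) -> set:
    """Keywords matched as whole labels/tokens, or fused to a brand token."""
    tokens = [t for t in re.split(r"[-.]", host) if t]
    found = {t for t in tokens if t in ACCESS_KEYWORDS}
    # Fused spellings like "acmesso": remove the brand from the token and
    # accept only if what remains is exactly a keyword (so "lessons" never hits).
    for t in tokens:
        for b in brand_tokens:
            if b in t and t.replace(b, "") in ACCESS_KEYWORDS:
                found.add(t.replace(b, ""))
    return found


def classify_domain(host: str, brand_tokens, legit_domains):
    """Return a finding dict, or None when the host is legitimate or uninteresting."""
    host = _normalize(host)
    if _is_legitimate(host, legit_domains):
        return None
    compact = host.replace("-", "").replace(".", "")
    brand_hit = any(b in compact for b in brand_tokens)
    keywords = _keywords_in(host, brand_tokens)
    if brand_hit and keywords:
        severity = "high"      # brand + access/IAM keyword: classic portal lookalike
    elif brand_hit:
        severity = "medium"    # brand only: watch for later content changes
    elif keywords:
        severity = "low"       # generic IAM/support bait with no brand tie
    else:
        return None
    return {"host": host, "severity": severity,
            "brand": brand_hit, "keywords": sorted(keywords)}


def triage(hosts, brand_tokens, legit_domains):
    """Classify a whole feed and order findings by severity, then name."""
    findings = [f for f in (classify_domain(h, brand_tokens, legit_domains)
                            for h in hosts) if f]
    findings.sort(key=lambda f: (-SEVERITY[f["severity"]], f["host"]))
    return findings


def keyword_counts(findings) -> Counter:
    """Per-keyword hit counts, the same view as a 'most detected keywords' table."""
    counts = Counter()
    for f in findings:
        counts.update(f["keywords"])
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_FEED, BRAND_TOKENS, LEGIT_DOMAINS)
    for f in results:
        print(f"{f['severity']:<6} {f['host']:<24} keywords={f['keywords']}")
    print("keyword counts:", dict(keyword_counts(results)))
```

The output is a ranked list rather than a verdict: high-severity hits are candidates for takedown requests and for blocking at the proxy and mail gateway, medium hits go on a watch list for content changes, and the keyword counts give the same per-keyword trend view described above for the defender's own brand.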
Although Doppel's findings align with known Scattered Spider campaigns, domain impersonation is a tactic shared across multiple threat actors. Monitoring these trends enables organizations to defend not just against specific groups, but against the broader techniques they exploit.
Defenders must think in terms of:
Based on current trends and industry threat intelligence:
Doppel’s domain monitoring and takedown infrastructure provides multiple layers of proactive defense:
Doppel will continue to monitor domain abuse trends and share any further insights.
With AI-powered social engineering attacks on the rise, it’s increasingly important for businesses to protect themselves against a potential breach. Learn more about how Doppel is securing brands, executives and consumers against social engineering threats here.