An employee received a vishing call using a fabricated "IT ticket" pretext and was directed to a phishing site impersonating Okta. Security controls blocked the page before any credentials were entered. Detailed analysis of the domain uncovered a favicon, redirect behaviour, and a DOM that led us to over 100 related domains spanning four distinct naming conventions, tied to a phishing kit likely shared across multiple "Com"-affiliated criminal groups. The strongest, most consistent evidence points to Scattered Spider (UNC3944), or a closely affiliated actor using Scattered Spider-consistent infrastructure and tradecraft.
This post summarises findings from a full technical investigation. We'll be publishing a follow-up analyst blog covering our detailed methodology covering threat-actor comparison tables, pivot rule construction, and sector/timeline analysis.
A Call From 'IT'
An employee received an unsolicited call to their personal cell phone from a number displaying a New York-area caller ID, later confirmed to be a legitimate, in-service Verizon landline, almost certainly spoofed rather than attacker-owned.
The caller claimed there was an internal support ticket that needed to be reviewed and closed. When the employee checked the internal ticketing system, no such ticket existed. Instead of treating that as a red flag, the caller pushed forward: the ticket, they said, could only be accessed through an external site. When the employee tried to redirect the call to the official service desk, the caller refused, insisting they'd been specifically routed to this employee directly.
Finally, the caller offered an "alternate way" to access the ticket. When the employee attempted it, the destination site was blocked by existing security controls before any credentials were entered.
What Was Behind the Block
We never fully resolved the malicious page itself. Our own controls blocked it before it could load, and our subsequent attempts to analyse the domain directly were met with anti-sandbox logic. What we could confirm directly from the incident domain was narrower, but still useful: an Okta-branded favicon, and a redirect to google.com whenever the site was accessed by anything that looked automated or non-human.
Additional subsequent information arose from pivoting on this known behaviour - taking those two traits and using them to find and examine other domains built on the same underlying infrastructure, which we could observe in more detail.
Analysis and pivoting uncovered a larger cluster of infrastructure allowing for deeper analysis of the underlying kit. On related domains sharing the same fingerprints, we found:
- A fake Okta and Microsoft login portal, gated behind a convincing but fraudulent Cloudflare CAPTCHA; a real, attacker-owned Cloudflare Turnstile widget wrapped in custom HTML built to visually mimic Cloudflare's own challenge page.

Figure 1. Fake Okta CAPTCHA on credential harvesting page
- A templated, multi-tenant phishing kit. A client-side JSON config dynamically re-brands the page per target organisation — logo, colours, and app name all swap based on which company is being impersonated, while the underlying panel internally refers to itself as an "Okta Dashboard" regardless of which identity provider it's spoofing. We confirmed the same kit also impersonates Microsoft Entra ID on other domains. We can't say for certain whether this is a commercial Phishing-as-a-Service product being sold or rented, or tooling that's simply being shared or reused informally across affiliated operators. However, the templating itself and its reuse across naming conventions tied to different documented threat actors is well evidenced.
- The same google.com anti-analysis redirect we'd already seen on our own incident domain, confirmed again on unrelated domains. This is evidence this is a deliberate, built-in evasion feature of the kit itself, not a one-off configuration.

Figure 2. malicious domain with google.com redirect· The DOM is padded with decoy login forms — hidden, non-functional, deliberately noisy — likely intended to confuse automated phishing-detection tooling that scrapes pages for credential-harvesting form patterns.
None of these individual characteristics were new to us on their own, but the specific combination — favicon, redirect behaviour, CSS naming, decoy forms, and Next.js build architecture — gave us a fingerprint precise enough to hunt with and uncover a larger cluster of domains matching patterns across historical activity linked to multiple COM-affiliated groups.
Analysis Reveals Additional Infrastructure
Using that fingerprint, we ran additional pivots across public datasets. Together, we surfaced over 100 domains tied to the similar activity and the same kit - a much larger footprint than the single incident we started with.
What stood out wasn't just the volume. It was the pattern. The domains split cleanly into four distinct naming conventions, running concurrently on what appears to be shared infrastructure:
Convention | Example | Best Match |
helpdesk-<company>.com / sso-<company>.com / tickets-<company>.com | helpdesk-uber.com, | Scattered Spider |
it.<company>.support | it.labcorp.support | BlackFile/UNC6671 lineage |
<name>.passkey*.com | bessemer.addmypasskey.com | Pink (CL-CRI-1147) |
<brand>-okta.com (older cluster) | asana-okta.com, databricks-okta.com | Scattered Spider (earlier campaign phase) |
Figure 3. table highlighting different domain naming conventions and best threat actor matches
This is strong evidence that the underlying kit isn't exclusive to one operator. Instead it shows it's being run in parallel by multiple financially motivated groups loosely affiliated under the "Com" cyber criminal ecosystem, each stamping it with their own naming habits.
The passkey* cluster is worth calling out specifically. It isn't just a loosely similar naming style: it's a close match to domains previously and independently attributed to Pink (CL-CRI-1147), a separate active extortion group, in prior public reporting (assignpasskey.com, passkeyadd.com, passkeydeploy.com). That's the clearest single piece of evidence in this entire investigation that the kit isn't exclusive to one group: a second, independently documented actor's own naming convention shows up running on what looks like the same underlying infrastructure as the domain that targeted our customer.
Our incident's own domain sat squarely in the largest, most recent and actively growing of these clusters.
Who is responsible?
We evaluated four candidate groups against the full body of evidence: BlackFile (UNC6671), now retired but relevant for lineage; Pink (CL-CRI-1147), an active BlackFile successor; Helix, another active, adjacent cluster; and Scattered Spider (UNC3944), the long-running, well-documented Com-affiliated actor.
Two independent lines of evidence converged on the same answer:
Infrastructure
The incident domain's registrar (NameSilo), naming convention, and Cloudflare-fronted hosting all align with Scattered Spider's documented patterns. Critically, it uses the combination of registrars (NameSilo, Dynadot, NICENIC) seen across the wider pivoted domain set, all of which independently appear in reporting on Scattered Spider and its documented collaboration with ShinyHunters.
Targeting pattern
The sector spread across the pivoted domains with a particular focus in finance, technology, and retail, all of which closely matches Scattered Spider's own documented targeting profile (roughly 70% concentrated in those three sectors). Registration dates cluster most heavily in the two weeks immediately preceding this incident, meaning we caught this campaign mid-acceleration, not at its tail end.
Figure 4. Pie chart demonstrating the targeting distribution linked to the activity
Across every technical and behavioural comparison, we ran, Scattered Spider was the only candidate with zero direct contradictions. Pink and BlackFile's lineage both show up clearly, but in their own naming conventions and pretexts - not this one.
Our assessment: this incident is most likely attributable to Scattered Spider (UNC3944), or a Com-affiliated actor operating shared or rented phishing-kit infrastructure with Scattered Spider–consistent domain naming, registrar selection, and targeting pattern.
That last caveat matters. Given the demonstrated evidence of one kit running under four naming conventions simultaneously, this is best understood as infrastructure and tradecraft attribution — not a courtroom-grade claim that one specific group's operators made this specific call.
What Scattered Spider Typically Does Next
We did not observe any successful compromise in this incident — access was blocked before any credential was entered. But based on Scattered Spider's well-documented playbook, organizations facing similar activity should watch for:
· Rapid registration of a new MFA method on any compromised account, often within minutes of a successful login
· Use of legitimate remote-access tools (TeamViewer, AnyDesk, ScreenConnect) rather than custom malware, to blend into normal IT activity
· Enumeration and lateral movement inside Microsoft 365/Azure or Okta-federated environments
· In more advanced intrusions, direct targeting of virtualization infrastructure (VMware vCenter/ESXi) as a precursor to fast, targeted ransomware deployment
· Data staged from cloud storage and collaboration platforms (SharePoint, OneDrive, Teams) ahead of an extortion demand, sometimes delivered through the victim's own compromised communication channels
Recommendations
· Verify the targeted account. Even where access was blocked, review sign-in logs, MFA/device registration events, and active session tokens for the relevant window to rule out partial capture.
· Hunt for the kit fingerprint across your own environment. The favicon hash, redirect behaviour, and DOM signature described above can be applied against email security and web proxy logs to check for delivery to other employees.
· Block and monitor the full indicator list (below) at the email gateway, DNS resolver, and web proxy — not just the domain involved in this specific incident.
· Scrutinize personal-device contact. This attack specifically avoided the corporate phone system. Consider whether "IT support" calls to personal devices should trigger mandatory callback verification through a known internal number.
· Treat a missing ticket as an escalation trigger, not a workaround prompt. The pretext here relied on the employee not treating "the ticket doesn't exist" as suspicious enough to end the call.
· Watch for lookalike domains against your own brand. Given the naming conventions identified here (helpdesk-, sso-, tickets-<yourcompany>), a standing detection rule for new registrations matching this pattern is a low-cost, high-value addition.
Indicators of Compromise
Full List of Targeted Organisationshelpdesk- / sso- / tickets- Convention
Possible Org | Sector | Domain(s) |
Regeneron | Pharma/Biotech | helpdesk-regeneron[.]com |
BMC Software | Technology | helpdesk-bmc[.]com |
Alliant | Insurance/Finance | helpdesk-alliant[.]com |
Tenet Healthcare | Healthcare | helpdesk-tenet[.]com |
CoverMyMeds | Healthcare | helpdesk-cmm[.]com |
Express Scripts (Cigna) | Healthcare/PBM | sso-express-scripts[.]com, helpdesk-express-scripts[.]com |
| ||
Chime | Fintech | sso-chime[.]com |
Abbott | Healthcare/MedTech | helpdesk-abbott[.]com, tickets-abbott[.]com |
Enova International | Fintech | helpdesk-enova[.]com, sso-enova[.]com |
FMC Corporation | Chemicals/Industrial | helpdesk-fmc[.]com |
JetBlue | Aviation | helpdesk-jetblue[.]com |
Insulet | MedTech | helpdesk-insulet[.]com |
ServiceNow | Technology/SaaS | helpdesk-servicenow[.]com |
Ralph Lauren | Retail/Luxury | helpdesk-ralphlauren[.]com |
Choice Hotels | Hospitality | helpdesk-choicehotels[.]com |
Western Union | Fintech | helpdesk-westernunion[.]com |
Function Health | Healthcare | helpdesk-functionhealth[.]com |
Zillow | Real Estate/Tech | helpdesk-zillow[.]com |
CNA Financial | Insurance | helpdesk-cna[.]com |
Vanguard | Finance | tickets-vanguard[.]com, helpdesk-vanguard[.]com |
Nike | Retail | helpdesk-nike[.]com |
Compass | Real Estate | helpdesk-compass[.]com |
RingCentral | Technology/UC | helpdesk-ringcentral[.]com |
Affirm | Fintech | helpdesk-affirm[.]com |
BlackRock | Finance | helpdesk-blackrock[.]com |
KKR & Co. | Finance/PE | helpdesk-kkr[.]com |
Uber | Technology/Transport | helpdesk-uber[.]com |
Empower Retirement | Finance | helpdesk-empower[.]com |
JLL | Real Estate | helpdesk-jll[.]com |
1Password | Technology/Identity | helpdesk-1password[.]com |
Sun Life Financial | Finance/Insurance | helpdesk-sunlife[.]com |
Phreesia | Healthcare Tech | helpdesk-phreesia[.]com |
athenahealth | Healthcare Tech | helpdesk-athenahealth[.]com |
Nordstrom | Retail | tickets-nordstrom[.]com |
it.<company>.support / .help Convention
Possible Org | Sector | Domain |
Collective Health | Healthcare | it[.]collectivehealth[.]support |
Spring Health | Healthcare | it[.]springhealth[.]support |
Lifepoint Health | Healthcare | it[.]lifepointhealth[.]support |
Cigna | Healthcare | it[.]cigna[.]support |
AssuredPartners | Insurance | it[.]assuredpartners[.]support |
OneAmerica | Insurance | it[.]oneamerica[.]support |
Magellan Health | Healthcare | it[.]magellanhealth[.]support |
Air Methods | Aviation | it[.]airmethods[.]help |
LHC Group | Healthcare | it[.]lhcgroup[.]support |
Guardant Health | Healthcare | it[.]guardanthealth[.]support |
Franklin Templeton | Finance | it[.]franklintempleton[.]support |
Energy Transfer | Energy | it[.]energytransfer[.]support |
RWJBarnabas Health | Healthcare | it[.]rwjbh[.]support |
Sinai Health | Healthcare | it[.]sinaihealth[.]support |
Baptist Health | Healthcare | it[.]baptisthealth[.]support |
agilon health | Healthcare | it[.]agilonhealth[.]support |
Light & Wonder | Gaming | it[.]lightnwonder[.]support |
Labcorp | Healthcare | it[.]labcorp[.]support |
Camping World | Retail | it[.]campingworld[.]support |
Bayada Home Health | Healthcare | it[.]bayada[.]support |
Pacific Life | Insurance | it[.]pacificlife[.]support |
Guardian Life | Insurance | it[.]guardianlife[.]support |
PSEG | Energy | it[.]pseg[.]support |
Prime Therapeutics | Healthcare/PBM | it[.]primetherapeutics[.]support |
bet365 | Gaming | it[.]bet365group[.]support |
Fanatics | Retail | it[.]fanaticsinc[.]support |
Instacart | Tech/Retail | it[.]instacart[.]management |
GOAT Group | Retail | it[.]goatgroup[.]support |
DriveTime | Automotive | it[.]drivetime[.]support |
Novant Health | Healthcare | it[.]novanthealth[.]support |
CME Group | Finance | it[.]cmegroup[.]support |
Flock Safety | Technology | it[.]flocksafety[.]support |
Caesars Entertainment | Gaming/Hospitality | it[.]caesars[.]support |
Brookdale Senior Living | Healthcare | it[.]brookdale[.]support |
Cardinal Health (B2E) | Healthcare | it[.]cardinalb2e[.]support |
Station Casinos | Gaming | it[.]stationcasinos[.]support |
Sun Country Airlines | Aviation | it[.]suncountry[.]support |
Welltower | Healthcare REIT | it[.]welltower[.]support |
Upstart | Fintech | it[.]upstart[.]support |
Acxiom | Data/Marketing | it[.]acxiom[.]support |
passkey* Convention
Possible Org | Sector | Domain |
Toast | Restaurant Tech/POS | toast[.]passkeyregister[.]com |
DNOW Inc. | Industrial Distribution | dnow[.]passkeyhelpdesk[.]com |
Marvell Technology | Semiconductors | marvell[.]registerpasskey[.]com |
Palomar Holdings | Insurance | plmr[.]registerpasskey[.]com |
Intuitive Surgical | MedTech | intuitive[.]registerpasskey[.]com |
ICANN (likely test/decoy target) | N/A | icann[.]registerpasskey[.]com |
Bessemer Venture Partners | Finance/VC | bessemer[.]addmypasskey[.]com |
HEICO Corp | Aerospace/Industrial | heico[.]passkeyuser[.]com |
Dechert LLP | Legal | dechert[.]passkeyuser[.]com |
(ambiguous — "abc") | Unknown | abc[.]passkeycreate[.]com |
RaceTrac | Retail/Convenience | racetrac[.]passkeysupport[.]com |
Workday | Technology/SaaS | workday[.]addoktapasskey[.]com |
Circle | Fintech | circle[.]addoktapasskey[.]com |
Legacy <brand>-okta.com Typosquat Convention
Possible Org | Sector | Domain |
Databricks | Technology | databricks-okta[.]com |
(generic/unclear) | N/A | home-okta[.]com, www[.]home-okta[.]com |
Asana | Technology/SaaS | asana-okta[.]com |
SmartBear | Technology | okta-smartbear[.]com, smartbear-okta[.]com |
Dialpad | Technology/UC | okta-dialpad[.]com |
Avoxi | Technology/Telecom | avoxi-okta[.]com |
(generic) | N/A | secure[.]oktauth[.]com |
AWAC (Argo Group brand) | Insurance | aw-okta[.]awac-portal[.]com |
mParticle (typosquat domain) | Technology | okta[.]mparticie[.]com |
Intercom (typosquat domain) | Technology | okta[.]lntercom[.]io |
Galaxy Digital (typosquat domain) | Fintech/Crypto | okta[.]galaxydigltal[.]io |
Ardelyx (typosquat domain) | Pharma/Biotech | ardelyx-okta[.]arclelyx[.]com |
Jumio | Identity Verification | login-jumio[.]com |