Particle.news

Salesforce Data-Extortion Campaign Shifts Focus to Financial Services

ReliaQuest data shows domain registrations spoofing financial firms have climbed 12% since July, driving the campaign’s phishing sites above 700 this year.

Overview

  • ReliaQuest identified a 12% increase in domains targeting banks and insurers since July, contributing to roughly 700 campaign-related phishing sites in 2025.
  • Several hundred phishing domains share naming conventions and registrar details with Scattered Spider, but definitive attribution to a single group remains inconclusive.
  • Attackers continue to exploit vishing, help-desk impersonation and malicious OAuth applications to harvest Salesforce credentials and exfiltrate customer data.
  • A user calling themselves “Sp1d3rhunters” on BreachForums has claimed ShinyHunters and Scattered Spider are identical, reinforcing evidence of intergroup overlap.
  • Security experts advise prioritizing phishing-resistant MFA, stringent OAuth app approvals and staff training to track evolving TTPs rather than relying on static IOCs.