Scattered Spider-Style Crew Hijacks DNS MX Records to Breach Enterprises in Minutes
A threat actor group with tactics similar to Scattered Spider is hijacking DNS MX records to redirect enterprise email traffic to attacker-controlled servers, enabling credential theft and network compromise within minutes.

A threat actor group employing tactics reminiscent of the notorious Scattered Spider collective is actively hijacking DNS MX (Mail Exchange) records to redirect enterprise email traffic to attacker-controlled servers, according to an exclusive report on the Risky Business podcast. The technique allows attackers to compromise targeted organizations within minutes, bypassing traditional phishing or malware delivery methods.
The attack works by compromising DNS management interfaces—often through stolen credentials or by exploiting weak authentication on the domain registrar or DNS hosting provider—and changing the MX records that determine where incoming email is routed. Once the MX records point to the attackers' servers, all email sent to the domain is forwarded to the attackers, who can then harvest credentials, intercept sensitive communications, and use the access to pivot deeper into the victim's network.
This approach is particularly dangerous because it requires no user interaction, no malicious attachments, and no exploitation of email client vulnerabilities. The attackers can effectively become a man-in-the-middle for all inbound email, enabling them to reset passwords, intercept multi-factor authentication tokens, and gain footholds in cloud applications and internal systems. The Risky Business report notes that the group can achieve full enterprise compromise within minutes of changing the MX records.
The tactics align with the operational patterns of Scattered Spider, a financially motivated threat group known for sophisticated social engineering, SIM swapping, and leveraging legitimate tools for post-exploitation. While Scattered Spider has historically targeted telecommunications and technology companies, this new campaign appears to broaden the scope to any organization with poorly secured DNS management.
Organizations are advised to audit their DNS registrar and hosting accounts for unauthorized changes, enable multi-factor authentication on all DNS management portals, and monitor for unexpected MX record modifications. DNS change monitoring and alerting should be considered a critical security control. The attack underscores the importance of treating DNS infrastructure as a high-value target, given its potential to enable rapid, widespread compromise.
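The MX change monitoring recommended above, as an added example that is not code from the article or from the Risky Business report: a small Python check that parses the records a resolver returns (the `priority host.` lines that `dig +short MX <domain>` prints), diffs them against a stored baseline, and raises an alert when records disappear, when new records appear, or when an added host sits outside an allowlist of trusted mail-provider domains. The domains, the baseline and the observed answer below are constructed sample values, not indicators from the report; in practice the observed text would come from a scheduled lookup against several public resolvers plus the authoritative servers, since a hijack at the registrar changes what everyone sees.

```python
"""Baseline-vs-observed MX record diff for DNS change monitoring.

Added example; every domain here is a constructed sample value."""

from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class MxRecord:
    priority: int
    host: str  # normalised: lower-case, no trailing dot


def parse_mx_lines(text: str) -> set[MxRecord]:
    """Parse 'priority host.' lines, the shape `dig +short MX` prints."""
    records: set[MxRecord] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"unexpected MX line: {line!r}")
        records.add(MxRecord(int(parts[0]), parts[1].rstrip(".").lower()))
    return records


def _trusted(host: str, trusted_suffixes: set[str]) -> bool:
    """True if host equals a trusted provider domain or sits beneath one."""
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def diff_mx(baseline: set[MxRecord], observed: set[MxRecord],
            trusted_suffixes: set[str]) -> dict:
    """Compare observed MX records with the baseline and decide whether to alert.

    A priority change shows up as one removed plus one added record, which is
    the right outcome: a new lowest-priority record is what redirects mail.
    """
    added = sorted(observed - baseline)
    removed = sorted(baseline - observed)
    reasons = []
    if not observed:
        # An empty answer is either a resolver failure or a deleted MX set;
        # both deserve a human look rather than a silent "no change".
        reasons.append("no MX records observed")
    if removed:
        reasons.append(f"{len(removed)} baseline record(s) missing")
    untrusted = [r.host for r in added if not _trusted(r.host, trusted_suffixes)]
    trusted_added = [r.host for r in added if _trusted(r.host, trusted_suffixes)]
    if untrusted:
        reasons.append("MX host(s) outside trusted mail providers: "
                       + ", ".join(untrusted))
    if trusted_added:
        reasons.append("new record(s) within trusted providers: "
                       + ", ".join(trusted_added))
    return {
        "alert": bool(added or removed or not observed),
        "added": added,
        "removed": removed,
        "untrusted_hosts": untrusted,
        "reasons": reasons,
    }


# Constructed sample data: the stored baseline for a domain, and a later
# observation in which the MX set now points at a host outside the trusted
# provider, the kind of change the article says should trigger an alert.
BASELINE_TEXT = """10 mx1.example.com.
20 mx2.example.com.
"""
OBSERVED_TEXT = """10 mail.collector.invalid.
"""
TRUSTED = {"example.com"}  # hypothetical allowlist of the org's mail providers


def run_check() -> dict:
    """Run the diff over the constructed sample and return the report."""
    return diff_mx(parse_mx_lines(BASELINE_TEXT),
                   parse_mx_lines(OBSERVED_TEXT), TRUSTED)


if __name__ == "__main__":
    report = run_check()
    print("ALERT" if report["alert"] else "ok", report["reasons"])
```

The baseline should be written once from a known-good state and changed only through the same change-control path as the DNS records themselves; if the monitor simply re-baselines on every run, a hijack becomes the new normal after one cycle.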
The Risky Business episode also covers other major stories, including a 6.3 Tbps DDoS attack against KrebsOnSecurity, law enforcement takedowns of Lumma Stealer and Qakbot, and the guilty plea of an Iranian hacker behind the 2019 Baltimore ransomware attack. However, the MX record hijacking technique stands out as a novel and highly effective vector that security teams must address urgently.