C0027: C0027
C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]
Analyst context for executives and security teams
C0027 matters because it combines financially motivated targeting of telecommunications and BPO environments with social engineering, SIM swapping, cloud/account abuse, and attempts to use victim access toward mobile carrier networks. For leaders, the key lesson is that identity operations, help desk processes, cloud administration, and remote access controls can become business-critical attack surfaces—not just technical controls.
Executive priority
Prioritize this as an identity and operational resilience scenario, especially for organizations with telecom, BPO, outsourced support, CRM, or carrier-adjacent access. Executives should ask whether MFA enrollment, SIM-swap-related workflows, privileged cloud role changes, remote access, and third-party access paths produce auditable evidence fast enough for incident response and compliance review. Budget and control decisions should focus on reducing social-engineering success, limiting valid-account blast radius, and proving visibility across cloud, identity provider, Windows domain, remote service, and collaboration platforms.
Technical view
ATT&CK provides no campaign-level detection text or platforms for C0027, so defenders should scope validation from the listed relationships. The campaign is attributed to Scattered Spider and uses techniques spanning initial access, persistence, privilege escalation, credential access, discovery, lateral movement, collection, command and control, and defense impairment. SOC and IR teams should validate coverage for voice-based social engineering, cloud account use, MFA/device registration changes, cloud role and credential additions, external remote service logons, public-facing application exposure, DCSync-style domain replication abuse, WMI execution, cloud and email account enumeration, SharePoint/cloud storage access, remote desktop software, proxy/tunneling behavior, web service C2, ingress tool transfer, network service discovery, and cloud instance creation.
Likely telemetry
- Identity provider sign-in logs, conditional access decisions, MFA events, and device registration records
- Help desk, account recovery, SIM-swap, and privileged support workflow records where applicable
- Cloud audit logs for role assignment, credential/key addition, service principal/application changes, cloud account and group enumeration, and instance creation
- VPN, Citrix, remote access gateway, and other external remote service authentication logs
- Windows domain controller security logs and directory replication activity relevant to DCSync detection
Detection direction
- Because official detection guidance is not provided, start with control-evidence validation: confirm the organization can reconstruct identity changes, remote access, cloud admin actions, and privileged directory activity across the full incident timeline.
- Correlate suspicious valid-account activity with new MFA/device registration, added cloud credentials, added cloud roles, unusual cloud group/account enumeration, and access to collaboration or cloud storage repositories.
- Tune detections for DCSync and Impacket-like activity around domain controllers, while accounting for legitimate backup, identity synchronization, and administrative replication activity.
- Monitor WMI execution, remote desktop software, ingress tool transfer, and network service discovery together rather than as isolated events; each may be legitimate alone but material in sequence after unusual identity activity.
- Review remote service access for impossible travel, new devices, atypical source networks, abnormal session duration, and access by accounts tied to support or administrative functions.
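The correlation the detection direction above describes can be expressed as a short sequence rule over identity-provider and cloud-audit events: a valid-account sign-in from a device the account has not used before, followed within a short window by an MFA device registration and then a cloud role assignment or credential addition. The script below is an added example for this page, not ATT&CK, CrowdStrike or Glexia code; its event kinds, detail keys and every sample record are constructed rather than taken from any vendor schema.

```python
"""Correlate identity and cloud-audit events into per-account attack chains.

Added example for this page; it is not ATT&CK, CrowdStrike or Glexia code.
It implements the correlation the detection direction above calls for: a
valid-account sign-in from a device the account has not used before that is
followed, within a short window, by a new MFA device registration and then a
cloud role assignment or credential addition. The event schema (kind names and
detail keys) and every sample record are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (ISO timestamp, account, event kind, details).
SAMPLE_EVENTS = [
    # Routine activity from a known device: must not be flagged.
    ("2022-11-14T09:02:00", "alice", "signin", {"src": "10.20.0.5", "device": "known"}),
    ("2022-11-14T09:40:00", "alice", "cloud_role_assigned", {"role": "Reader"}),
    # Full chain within the window: new device -> MFA registration -> admin role.
    ("2022-11-14T21:40:00", "bob", "signin", {"src": "203.0.113.7", "device": "new"}),
    ("2022-11-14T21:46:00", "bob", "mfa_device_registered", {"method": "authenticator"}),
    ("2022-11-14T22:01:00", "bob", "cloud_role_assigned", {"role": "Global Administrator"}),
    ("2022-11-14T22:03:00", "bob", "cloud_group_enum", {"scope": "all"}),
    # Registration that happens before any new-device sign-in: not a chain.
    ("2022-11-15T08:00:00", "carol", "mfa_device_registered", {"method": "sms"}),
    ("2022-11-15T10:30:00", "carol", "signin", {"src": "10.20.0.9", "device": "known"}),
    # Same steps as bob, but spread well beyond the two-hour window.
    ("2022-11-15T06:00:00", "erin", "signin", {"src": "198.51.100.4", "device": "new"}),
    ("2022-11-15T09:30:00", "erin", "mfa_device_registered", {"method": "authenticator"}),
    ("2022-11-15T09:45:00", "erin", "cloud_credential_added", {"app": "sync-svc"}),
]

# Privilege-changing cloud audit events that complete a chain.
PRIVILEGE_EVENTS = {"cloud_role_assigned", "cloud_credential_added"}
WINDOW = timedelta(hours=2)


def find_identity_chains(events, window=WINDOW):
    """Return one finding per account whose new-device sign-in is followed within
    `window` by an MFA device registration and then a privilege change."""
    by_user = defaultdict(list)
    for ts, user, kind, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), kind, detail))

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, kind, detail) in enumerate(evs):
            if kind != "signin" or detail.get("device") != "new":
                continue
            registered_at = None
            for t1, k1, d1 in evs[i + 1:]:
                if t1 - t0 > window:
                    break  # later events fall outside the correlation window
                if k1 == "mfa_device_registered" and registered_at is None:
                    registered_at = t1
                elif k1 in PRIVILEGE_EVENTS and registered_at is not None:
                    findings.append({
                        "user": user,
                        "signin_at": t0,
                        "signin_src": detail.get("src"),
                        "mfa_registered_at": registered_at,
                        "privilege_event": k1,
                        "privilege_at": t1,
                        "privilege_detail": d1,
                    })
                    break  # one finding per anchoring sign-in
    return findings


if __name__ == "__main__":
    for f in find_identity_chains(SAMPLE_EVENTS):
        print(f"{f['user']}: new-device sign-in from {f['signin_src']} at {f['signin_at']:%H:%M}, "
              f"MFA device registered {f['mfa_registered_at']:%H:%M}, "
              f"{f['privilege_event']} {f['privilege_detail']} at {f['privilege_at']:%H:%M}")
```

With the constructed records only `bob` produces a finding; `erin` performs the same three steps but outside the two-hour window, which is the tuning knob a SOC would adjust against its own help-desk and enrollment patterns. The anchoring event is deliberately the new-device sign-in rather than the MFA registration alone, because registrations without a preceding unfamiliar sign-in are routine during onboarding.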
Mitigation priorities
- Harden identity verification and help desk/account recovery workflows, especially MFA reset, device enrollment, privileged support, and SIM-swap-related processes where relevant.
- Enforce least privilege for cloud and directory roles; regularly review who can add credentials, assign roles, register devices, or perform directory replication-sensitive actions.
- Require strong MFA and monitor for new device registration or MFA factor changes; restrict self-service enrollment and recovery paths for privileged or high-risk users.
- Reduce external remote service exposure through access policy, segmentation, strong authentication, logging, and regular review of inactive or overprivileged accounts.
- Prioritize vulnerability management for Internet-facing applications and remote access services because T1190 and T1133 are in the campaign relationship set.
Analyst notes and limits
This take is based on the official ATT&CK C0027 campaign description, the cited CrowdStrike reference entry, and ATT&CK relationships showing attribution to Scattered Spider and use of Impacket plus listed techniques. The strongest defensive interpretation is identity-centric: the supplied relationships emphasize valid cloud accounts, cloud role/credential changes, device registration, remote services, discovery, collection from cloud/SaaS repositories, and Windows domain credential-access behavior.
ATT&CK does not provide official detection text, campaign-level platforms, or campaign-level tactics for C0027 in the supplied fields. The telemetry and control guidance are therefore derived from the official relationships and must be validated against the local environment, actual cloud/SaaS stack, telecom/BPO exposure, logging retention, and support-process design. This summary does not assert current activity, customer exposure, or guaranteed detection coverage.
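The DCSync tuning point in the detection direction list and the Windows domain credential-access behaviour summarised above both come down to the same filter: Windows Security event 4662 records that request directory replication rights, minus the accounts that are expected to replicate. The following added example (not ATT&CK, CrowdStrike or Glexia code) applies that filter to constructed 4662 records. The three extended-right GUIDs are the documented Active Directory values; the domain controller account names, the synchronisation-account prefix and the sample records are constructed, and the exemption lists are assumptions that a deployment must replace with its own inventory.

```python
"""Flag Windows 4662 directory-access events that request replication rights,
exempting accounts that legitimately replicate the directory.

Added example for the DCSync tuning point in the detection direction list and
the Windows domain credential-access behaviour noted in the analyst notes; it
is not ATT&CK, CrowdStrike or Glexia code. The extended-right GUIDs are the
documented Active Directory values. The 4662 records, the domain controller
account names and the sync-account prefix are constructed, and the exemption
lists are assumptions to be replaced with a maintained inventory.
"""
import re

# Active Directory extended rights carried by DCSync-style replication requests.
# Get-Changes-All is the one that returns secret attributes, so its presence
# from an unexpected account is the strongest signal.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

# Constructed exemptions (assumption): domain controller computer accounts and
# the naming prefix of a directory-synchronisation service account.
EXEMPT_ACCOUNTS = {"DC01$", "DC02$"}
EXEMPT_PATTERNS = (re.compile(r"^MSOL_[0-9a-f]{8}$", re.I),)

# Properties field as 4662 renders it: access mask marker, then one GUID per
# line for each right or attribute requested.
_REPLICATION_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                      "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                      "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")

# Constructed 4662 records carrying only the fields the detection needs.
SAMPLE_4662 = [
    # Domain controller replicating from a peer: legitimate.
    {"SubjectUserName": "DC02$", "SubjectDomainName": "CORP", "Properties": _REPLICATION_PROPS},
    # Directory synchronisation service account: legitimate if inventoried.
    {"SubjectUserName": "MSOL_5f1c9a2b", "SubjectDomainName": "CORP", "Properties": _REPLICATION_PROPS},
    # Ordinary user account requesting replication rights: flag it.
    {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "Properties": _REPLICATION_PROPS},
    # Backup account reading a computer object: no replication rights requested.
    {"SubjectUserName": "svc_backup", "SubjectDomainName": "CORP",
     "Properties": "%%7688\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def is_exempt(account, exempt_accounts=EXEMPT_ACCOUNTS, exempt_patterns=EXEMPT_PATTERNS):
    """True when the account is an inventoried replication source."""
    return account in exempt_accounts or any(p.match(account) for p in exempt_patterns)


def detect_dcsync(events, exempt_accounts=EXEMPT_ACCOUNTS, exempt_patterns=EXEMPT_PATTERNS):
    """Return a finding for every 4662 event that requests a replication right
    from an account outside the exemption lists."""
    findings = []
    for ev in events:
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        if not rights:
            continue  # object access without replication rights is not DCSync
        account = ev["SubjectUserName"]
        if is_exempt(account, exempt_accounts, exempt_patterns):
            continue
        findings.append({
            "account": f"{ev.get('SubjectDomainName', '')}\\{account}",
            "rights": rights,
            "secrets_exposed": "DS-Replication-Get-Changes-All" in rights,
        })
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_4662):
        print(f"{f['account']} requested {', '.join(f['rights'])}"
              f"{' (secret attributes)' if f['secrets_exposed'] else ''}")
```

Two operational caveats follow from the code. Event 4662 is only written when directory service access auditing is enabled and the domain object's SACL audits these rights, so the first validation step is confirming the events exist at all. And the exemption lists are the whole tuning problem: an exempted account that is itself compromised disappears from this filter, so exemptions should be narrow, inventoried and reviewed, which is the same least-privilege review the mitigation priorities above recommend for directory replication-sensitive actions.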
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1684.001 | Impersonation Sub-technique | During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages, either to direct victims to a credential-harvesting site or to get victims to run commercial remote monitoring and management (RMM) tools. [1] |
| Enterprise | T1572 | Protocol Tunneling | During C0027, Scattered Spider used SSH tunneling in targeted environments. [1] |
| Enterprise | T1190 | Exploit Public-Facing Application | During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access. [1] |
| Enterprise | T1087.004 | Cloud Account Sub-technique | During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with their email addresses and AD attributes. [1] |
| Enterprise | T1102 | Web Service | During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee. [1] |
| Enterprise | T1069.003 | Cloud Groups Sub-technique | During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes. [1] |
| Enterprise | T1598.004 | Spearphishing Voice Sub-technique | During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites. [1] |
| Enterprise | T1003.006 | DCSync Sub-technique | During C0027, Scattered Spider performed domain replication. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | During C0027, Scattered Spider downloaded tools using victim organization systems. [1] |
| Enterprise | T1098.003 | Additional Cloud Roles Sub-technique | During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges. [1] |
| Enterprise | T1578.002 | Create Cloud Instance Sub-technique | During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs. [1] |
| Enterprise | T1046 | Network Service Discovery | During C0027, Scattered Spider used RustScan to scan for open ports on targeted ESXi appliances. [1] |
| Enterprise | T1021.007 | Cloud Services Sub-technique | During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems. [1] |
| Enterprise | T1213.002 | SharePoint Sub-technique | During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides. [1] |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | During C0027, Scattered Spider leveraged compromised credentials from victim users to authenticate to Azure tenants. [1] |
| Enterprise | T1087.003 | Email Account Sub-technique | During C0027, Scattered Spider accessed Azure AD to identify email addresses. [1] |
| Enterprise | T1598.001 | Spearphishing Service Sub-technique | During C0027, Scattered Spider sent Telegram messages impersonating IT personnel to harvest credentials. [1] |
| Enterprise | T1621 | Multi-Factor Authentication Request Generation | During C0027, Scattered Spider attempted to gain access by continuously sending MFA messages to the victim until they accepted the MFA push challenge. [1] |
| Enterprise | T1098.005 | Device Registration Sub-technique | During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN. [1] |
| Enterprise | T1219.002 | Remote Desktop Software Sub-technique | During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket. [1] |
| Enterprise | T1098.001 | Additional Cloud Credentials Sub-technique | During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and to enable pivoting from the AWS CLI to console sessions without MFA. [1] |
| Enterprise | T1133 | External Remote Services | During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments. [1] |
| Enterprise | T1530 | Data from Cloud Storage | During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides. [1] |
| Enterprise | T1588.002 | Tool Sub-technique | During C0027, Scattered Spider obtained and used multiple tools including the LinPEAS privilege escalation utility, aws_consoler, the rsocx reverse proxy, the Level RMM tool, and the RustScan port scanner. [1] |
| Enterprise | T1589.001 | Credentials Sub-technique | During C0027, Scattered Spider sent phishing messages via SMS to steal credentials. [1] |
| Enterprise | T1090 | Proxy | During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance. [1] |
| Enterprise | T1566.004 | Spearphishing Voice Sub-technique | During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system. [1] |
Groups, software, and campaigns
G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [1] [2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [3] [4] [5] Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [6]
S0357: Impacket
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 243ae979ca72… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Crowdstrike TELCO BPO Campaign December 2022. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
[2] mitre-attack: C0027.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.