In April 2025, British retail giant Marks & Spencer (M&S) was hit by a devastating ransomware attack that disrupted operations, paused online orders, and caused widespread financial damage. Nearly £700 million was wiped from its market valuation, and customers experienced delays, store issues, and service outages.
The group behind this attack? A sophisticated hacking gang known as Scattered Spider — infamous for using social engineering and Active Directory exploitation to gain full control over corporate networks.
So what exactly went wrong — and how can your organization avoid becoming the next headline?
What Happened in the Marks & Spencer Hack?
- Initial Access: Attackers used social engineering and phishing to obtain valid credentials, then defeated MFA with MFA fatigue (push bombing: repeated sign-in prompts until a worn-down user approves one they never initiated).
- Privilege Escalation and Credential Theft: Having reached a highly privileged account, they copied the NTDS.dit file, the Active Directory database that stores the password hashes of every domain account. Copying it requires Domain Admin-equivalent or backup rights on a domain controller, so its loss means the attacker already held the keys to the domain.
- Lateral Movement: The group cracked those hashes offline where weak passwords allowed it; NTLM hashes can also be replayed directly with pass-the-hash, with no cracking at all. With working credentials in hand they moved laterally across the network and onto the virtualization layer.
- Ransomware Deployed: They deployed DragonForce ransomware against VMware ESXi hosts, encrypting the virtual machines those hosts ran and taking down the services behind them in one stroke.

7 Key Steps to Prevent a Cyber Attack Like This
Here’s how you can strengthen your cyber defenses and reduce the risk of a similar incident:
1. Implement Phishing-Resistant Multi-Factor Authentication (MFA)
- Turn on number matching in Microsoft Authenticator (Microsoft now enforces it by default) and disable SMS and voice methods for privileged accounts. Number matching stops blind push approvals, but a real-time phishing proxy still defeats it; treat it as the baseline, not as phishing-resistant MFA.
- Require genuinely phishing-resistant methods for administrator accounts: FIDO2 security keys (for example YubiKeys), Windows Hello for Business, or certificate-based authentication, enforced through a Conditional Access authentication strength.
- Block legacy authentication protocols (basic authentication for IMAP, POP and SMTP, Exchange ActiveSync) because they cannot present an MFA challenge at all.
Why it matters: Scattered Spider often uses MFA fatigue attacks — don’t let users be your weakest link.
2. Harden Active Directory and Protect NTDS.dit
- Enable LSA Protection (RunAsPPL) and, on supported hardware, Credential Guard so credential-theft tools cannot read secrets out of LSASS.
- Rotate privileged passwords regularly, including the krbtgt account (twice, after any suspected NTDS.dit theft), and audit membership of Domain Admins, Enterprise Admins, Schema Admins and the built-in Administrators group.
- Use a tiered administration model so Domain Admin credentials are never typed on workstations or ordinary servers, where they can be harvested.
- Block inbound SMB between workstations with the host firewall and disable SMBv1; workstations have no business accepting SMB sessions from other workstations.
Why it matters: Access to NTDS.dit is a game over scenario — it yields every domain account’s password hash, including krbtgt’s, which lets an attacker forge Kerberos tickets for as long as that key stays unchanged.
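The checks above, as an added PowerShell example written for this article (it is not code from the original page or from InfraSOS). It assumes it is run elevated on a domain-joined admin workstation with the RSAT ActiveDirectory module installed; the approved member lists are hypothetical placeholders to replace with your own.

```powershell
#Requires -Modules ActiveDirectory
# Added example for step 2 (not from the original article or InfraSOS).
# Assumptions: elevated session, RSAT installed, Domain Admin rights for the group queries.
# The $Approved baseline below is a placeholder; replace it with the accounts you have approved.

# 1. LSA Protection (RunAsPPL) runs LSASS as a protected process, so Mimikatz-style tools
#    cannot open it to read credentials. The change only takes effect after a reboot.
function Enable-LsaProtection {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $current = (Get-ItemProperty -Path $key -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    if ($current -ne 1) {
        Set-ItemProperty -Path $key -Name RunAsPPL -Value 1 -Type DWord
        Write-Warning 'RunAsPPL set to 1; reboot required before LSA Protection is active.'
    }
}

# 2. Compare privileged group membership with an approved baseline. -Recursive expands nested
#    groups, so an account hidden two groups deep is still reported.
function Test-PrivilegedGroupMembership {
    param(
        [hashtable]$Approved = @{            # hypothetical baseline
            'Domain Admins'     = @('adm-alice', 'adm-bob')
            'Enterprise Admins' = @()
            'Schema Admins'     = @()
            'Administrators'    = @('adm-alice')
        }
    )
    foreach ($group in $Approved.Keys) {
        $members = Get-ADGroupMember -Identity $group -Recursive |
                   Select-Object -ExpandProperty SamAccountName
        foreach ($m in ($members | Where-Object { $_ -notin $Approved[$group] })) {
            [pscustomobject]@{ Group = $group; UnexpectedMember = $m }
        }
    }
}

# 3. Domain Admin accounts whose password has not been rotated inside the window.
function Get-StalePrivilegedPasswords {
    param([int]$MaxAgeDays = 90)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet
}

# 4. Block inbound SMB on a workstation. This removes the TCP/445 path that PsExec-, WMI- and
#    SMB-based lateral movement rely on between workstations; file servers keep their own rules.
function Block-InboundSmb {
    $name = 'Block inbound SMB (workstation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

Enable-LsaProtection
Test-PrivilegedGroupMembership | Format-Table -AutoSize
Get-StalePrivilegedPasswords   | Format-Table -AutoSize
Block-InboundSmb
```

Deploy the registry and firewall parts through Group Policy rather than by hand once they are proven on a pilot group, and run the membership and password-age checks on a schedule so a newly added Domain Admin is noticed the same day. If NTDS.dit is ever confirmed stolen, reset every account it contained and rotate krbtgt twice (with a replication interval between the resets) so that already-forged Kerberos tickets stop validating.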
3. Segment and Secure Virtual Infrastructure
- Put ESXi management interfaces on an isolated management network and restrict them with host firewall rules to vCenter and admin jump hosts only.
- Disable the SSH service and the ESXi Shell, enable lockdown mode, and close every management port that is not in use.
- Forward ESXi and vCenter logs to a SIEM such as Microsoft Sentinel and alert on configuration changes, new SSH sessions, and failed or unusual logins.
- Encrypt backups and test disaster recovery regularly.
Why it matters: The attackers encrypted VMs across the estate from the hypervisor, beneath the guest operating systems where EDR lives. Isolating hypervisors limits the blast radius.
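The hypervisor hardening from the bullets above, as an added PowerCLI example written for this article (not code from the original page or from InfraSOS). It assumes a reachable vCenter (the address `vcenter.example.com` and the management subnet `10.10.0.0/24` are placeholders), an account with host configuration rights, and that the ESXi built-in firewall ruleset IDs `vSphereClient` and `vpxHeartbeats` exist on your version; confirm them with `esxcli network firewall ruleset list` before running.

```powershell
#Requires -Modules VMware.PowerCLI
# Added example for step 3 (not from the original article or InfraSOS).
# Placeholders: vCenter address, management subnet. Verify ruleset IDs on your ESXi version.

Connect-VIServer -Server 'vcenter.example.com' | Out-Null

$mgmtNetwork = '10.10.0.0/24'   # placeholder: subnet where vCenter and admin jump hosts live

foreach ($esx in Get-VMHost) {
    # 1. Stop SSH (TSM-SSH) and the ESXi Shell (TSM) and set their startup policy to Off
    #    so they stay off across reboots.
    Get-VMHostService -VMHost $esx | Where-Object { $_.Key -in 'TSM', 'TSM-SSH' } | ForEach-Object {
        if ($_.Running) { Stop-VMHostService -HostService $_ -Confirm:$false | Out-Null }
        Set-VMHostService -HostService $_ -Policy Off | Out-Null
    }

    # 2. Close the SSH firewall exception outright, and restrict the management rulesets that
    #    must stay open from "all IPs" to the management subnet only.
    Get-VMHostFirewallException -VMHost $esx -Name 'SSH Server' |
        Set-VMHostFirewallException -Enabled $false | Out-Null

    $esxcli = Get-EsxCli -VMHost $esx -V2
    foreach ($ruleset in 'vSphereClient', 'vpxHeartbeats') {   # assumed built-in ruleset IDs
        $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = $ruleset; allowedall = $false }) | Out-Null
        try {
            $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = $ruleset; ipaddress = $mgmtNetwork }) | Out-Null
        } catch {
            # The address is already on the allow list; nothing to change.
        }
    }

    # 3. Normal lockdown mode: direct management of the host is limited to vCenter and the DCUI
    #    exception users, so a stolen local root password is useless over the network.
    if ($esx.ExtensionData.Config.LockdownMode -eq 'lockdownDisabled') {
        $esx.ExtensionData.EnterLockdownMode()
    }
}
```

Run this against one host first and keep a console (DCUI or out-of-band) session open while you do: if the allowed-IP list omits the network vCenter itself uses, or lockdown mode is enabled on a host that is not managed by vCenter, you lock yourself out of the host. The argument names `Get-EsxCli -V2` expects for any command can be listed with `.CreateArgs()` on that command object.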
4. Monitor for Lateral Movement and Threat Indicators
- Deploy Microsoft Defender for Identity to detect:
  - Pass-the-hash and pass-the-ticket attacks.
  - Kerberos ticket theft and forgery (Golden and Silver Tickets).
  - DCSync replication requests from non-domain-controller accounts and other suspicious privilege escalations.
- Centralize logs in Sentinel, Splunk or CrowdStrike Falcon LogScale and write custom detection rules for the indicators above, including process creations that touch NTDS.dit or create volume shadow copies.
Why it matters: Attackers don’t stop at the first machine. Early detection prevents full domain compromise.
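A local sweep for the indicators listed above, as an added PowerShell example written for this article (it is not code from the original page or from InfraSOS, and it is no substitute for a SIEM rule; it shows what the rule has to look for). It assumes it runs elevated on a domain controller, that process-creation auditing with command-line logging is enabled (otherwise event 4688 carries no CommandLine field) and that Directory Service Access auditing is on (otherwise event 4662 is never written). The regular expressions and the 24-hour window are choices made for this example.

```powershell
# Added example for step 4 (not from the original article or InfraSOS).
# Assumptions: elevated on a DC; 4688 command-line logging and DS Access auditing enabled.

# Pull one named field out of an event's EventData by name rather than by positional index,
# which differs between Windows versions.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-CredentialTheftIndicators {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    # 1. NTDS.dit extraction and credential-dump tooling seen in process creation (4688).
    $dumpPatterns = 'ntdsutil.*\bifm\b', 'ntdsutil.*ac\s+i\s+ntds', 'vssadmin.*create\s+shadow',
                    'diskshadow', 'ntds\.dit', 'sekurlsa', 'lsadump'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cmd = Get-EventField $_ 'CommandLine'
            if ($cmd -and ($dumpPatterns | Where-Object { $cmd -match $_ })) {
                [pscustomobject]@{ Time = $_.TimeCreated; Indicator = 'NTDS/credential dump command'
                                   Subject = (Get-EventField $_ 'SubjectUserName'); Detail = $cmd }
            }
        }

    # 2. Pass-the-hash on the source host: a 4624 with logon type 9 (NewCredentials) from the
    #    "seclogo" logon process is what Mimikatz sekurlsa::pth leaves behind.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ((Get-EventField $_ 'LogonType') -eq '9' -and (Get-EventField $_ 'LogonProcessName') -match 'seclogo') {
                [pscustomobject]@{ Time = $_.TimeCreated; Indicator = 'Possible pass-the-hash (seclogo, logon type 9)'
                                   Subject = (Get-EventField $_ 'SubjectUserName'); Detail = (Get-EventField $_ 'TargetUserName') }
            }
        }

    # 3. DCSync: a 4662 carrying the DS-Replication-Get-Changes-All control access right
    #    requested by anything that is not a domain controller (DC machine accounts end in $).
    $replGetChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-EventField $_ 'Properties'
            $who   = Get-EventField $_ 'SubjectUserName'
            if ($props -match $replGetChangesAll -and $who -notmatch '\$$') {
                [pscustomobject]@{ Time = $_.TimeCreated; Indicator = 'DCSync replication request'
                                   Subject = $who; Detail = $props }
            }
        }
}

Find-CredentialTheftIndicators | Sort-Object Time | Format-Table -AutoSize
```

Expect some legitimate hits and allow-list them explicitly instead of loosening the patterns: backup software creates shadow copies, and directory synchronization accounts such as Microsoft Entra Connect's perform DCSync-style replication by design. Anything else matching rule 3 deserves a same-day investigation, because replicating the directory is functionally the same as stealing NTDS.dit.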
5. Secure Remote Access and Reduce Attack Surface
- Enforce Conditional Access:
  - Only compliant, managed devices.
  - Only corporate IP ranges for administrative portals.
  - Geo-restrictions (allow only the countries you operate in). Treat this as a filter for opportunistic noise rather than a control: Scattered Spider and similar crews routinely sign in through commercial VPNs and residential proxies located in the victim’s own country.
- Patch edge devices and remote-access gateways promptly (VPN appliances from Fortinet, Citrix, SonicWall and others, and any exposed RDP), since their known vulnerabilities are routinely exploited soon after disclosure.
- Close unused ports and protocols, and never expose management interfaces (RDP, WinRM, ESXi, out-of-band controllers such as iDRAC or iLO) to the internet.
Why it matters: Remote access is often the first door attackers knock on.
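The Conditional Access policies called for in step 1 (block legacy authentication, phishing-resistant MFA for administrators) and step 5 (compliant devices, corporate ranges, operating countries), created through Microsoft Graph PowerShell as an added example written for this article (not code from the original page or from InfraSOS). It assumes the Microsoft Graph PowerShell SDK, an account that can grant `Policy.ReadWrite.ConditionalAccess`, and three placeholders you must replace: the break-glass account object ID, the corporate egress range (`203.0.113.0/24` is a documentation range) and the country list. The Global Administrator role template ID and the "Phishing-resistant MFA" authentication-strength ID are Microsoft's built-in values; every policy is created in report-only mode.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns
# Added example for steps 1 and 5 (not from the original article or InfraSOS).
# Placeholders: $breakGlass, the corporate CIDR, the country list. Policies start in report-only.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' | Out-Null

$breakGlass  = @('00000000-0000-0000-0000-000000000000')   # placeholder: emergency-access account(s)
$globalAdmin = '62e90394-69f5-4237-9190-012177145e10'       # built-in Global Administrator role template
$phishResist = '00000000-0000-0000-0000-000000000004'       # built-in "Phishing-resistant MFA" strength
$reportOnly  = 'enabledForReportingButNotEnforced'

# Named locations used by the geo/IP policy.
$corpNet = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate egress'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' })
}
$operatingCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Operating countries'
    countriesAndRegions               = @('GB', 'IE')        # placeholder list
    includeUnknownCountriesAndRegions = $false               # unknown geolocation falls outside the allow list
}

$policies = @(
    # Step 1: legacy protocols cannot present MFA, so they are blocked for everyone.
    @{
        displayName   = 'CA01 Block legacy authentication'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    # Step 1: administrators must meet the phishing-resistant strength (FIDO2 key, Windows Hello
    # for Business, certificate); number matching or SMS does not satisfy it.
    @{
        displayName   = 'CA02 Phishing-resistant MFA for administrators'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeRoles = @($globalAdmin); excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'AND'; authenticationStrength = @{ id = $phishResist } }
    },
    # Step 5: block sign-ins that come from neither the corporate egress nor an operating country.
    @{
        displayName   = 'CA03 Block sign-in outside corporate network and operating countries'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
            locations      = @{ includeLocations = @('All'); excludeLocations = @($corpNet.Id, $operatingCountries.Id) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    # Step 5: everything else requires a device that Intune reports as compliant.
    @{
        displayName   = 'CA04 Require compliant device'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    }
)

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}
```

Leave the policies in report-only for a week or two, review the report-only results in the Entra sign-in logs, and only then change `state` to `enabled`. Extend `includeRoles` in CA02 to every privileged role you use, not just Global Administrator, and never remove the break-glass exclusion: a mis-scoped block policy without it locks the whole tenant out, including the administrators who would fix it.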
6. Backup Everything — Then Test Restores
- Maintain offline, immutable backups of:
  - Active Directory (system state of at least two domain controllers, stored where a Domain Admin cannot delete it).
  - VMs, backed up at the hypervisor level rather than only from inside the guests.
  - Customer databases.
- Regularly test full restore scenarios, including an Active Directory forest recovery into an isolated network, and validate RTO/RPO targets against those timings.
Why it matters: Backups are your last line of defense — but only if they work when you need them.
7. Train Your Users, Especially Admins
- Run quarterly phishing simulations.
- Educate on MFA fatigue and credential hygiene.
- Provide “red flag” checklists for high-risk teams (IT, HR, Finance) and above all the help desk, which Scattered Spider targets with phone calls impersonating employees to get passwords and MFA devices reset.
Why it matters: Most breaches start with a simple click or a convincing phone call; a user who knows what a push-bombing attempt or a reset request looks like is part of the detection layer.
Bonus Tip: Measure and Improve Security Posture Continuously
- Use Microsoft Secure Score and Compliance Manager.
- Run regular audits with InfraSOS, Prowler Cloud Security Assessment, or Defender for Cloud.
- Perform CIS/NIST assessments quarterly to stay ahead of compliance requirements.

Conclusion: Learn from M&S Hack - Don’t Be the Next Target
The Marks & Spencer hack is a wake-up call. It shows how even well-resourced enterprises can be breached through human error and legacy vulnerabilities.
But the tools to defend against these threats already exist — they just need to be implemented correctly and consistently.
Protect your business. Train your people. Harden your infrastructure.
And always prepare for the worst while building for the best.
Need help with Microsoft 365 or Active Directory security audits? Try InfraSOS