{"description": "Enterprise techniques used by Scattered Spider, ATT&CK group G1015 (v2.0)", "name": "Scattered Spider (G1015)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) leverages legitimate domain accounts to gain access to the target environment.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.003", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed Azure AD to identify email addresses.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1087.004", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed Azure AD to download bulk lists of group members and to identify privileged users, along with the email addresses and AD attributes.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1098", "showSubtechniques": true}, {"techniqueID": "T1098.001", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used aws_consoler  to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1098.003", "comment": "During 
[C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used IAM manipulation to gain persistence and to assume or elevate privileges.(Citation: Crowdstrike TELCO BPO Campaign December 2022)\n\n[Scattered Spider](https://attack.mitre.org/groups/G1015) has also assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure.(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1098.005", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) registered devices for MFA to maintain persistence through victims' VPN.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1217", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) retrieves browser histories via infostealer malware such as Raccoon Stealer.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1580", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) enumerates cloud environments to identify server and backup management infrastructure, resource access, databases and storage containers.(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1538", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) abused AWS Systems Manager Inventory to identify targets on the compromised network prior to lateral movement.(Citation: CISA 
Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1136", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) creates new user identities within the compromised organization.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1486", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used BlackCat ransomware to encrypt files on VMware ESXi servers.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1530", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) enumerates data stored in cloud resources for collection and exfiltration purposes.(Citation: CISA Scattered Spider Advisory November 2023)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1213", "showSubtechniques": true}, {"techniqueID": "T1213.002", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1213.003", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) enumerates data stored within victim code repositories, such as internal GitHub repositories.(Citation: CISA 
Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.005", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) threat actors search the victim\u2019s Slack and Microsoft Teams for conversations about the intrusion and incident response.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) stages data in a centralized database prior to exfiltration.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1006", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has created volume shadow copies of virtual domain controller disks to extract the `NTDS.dit` file.(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1484", "showSubtechniques": true}, {"techniqueID": "T1484.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) adds a federated identity provider to the victim\u2019s SSO tenant and activates automatic account linking.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1114", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) searched the victim\u2019s Microsoft Exchange for emails about the intrusion and incident response.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1567", "showSubtechniques": true}, {"techniqueID": "T1567.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has exfiltrated victim data to the MEGA file sharing site.(Citation: 
CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1190", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1068", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).(Citation: CrowdStrike Scattered Spider BYOVD January 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1133", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged legitimate remote management tools to maintain persistent access.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used Citrix and VPNs to persist in compromised environments.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) enumerates a target organization for files and directories of interest, including source code.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1657", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has deployed ransomware on compromised hosts for financial gain.(Citation: CISA Scattered 
Spider Advisory November 2023)(Citation: Trellix Scattered Spider MO August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1589", "showSubtechniques": true}, {"techniqueID": "T1589.001", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) sent phishing messages via SMS to steal credentials.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.008", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) creates inbound rules on the compromised email accounts of security personnel to automatically delete emails from vendor security products.(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1656", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) impersonated legitimate IT personnel in phone calls and text messages either to direct victims to a credential harvesting site or to get victims to run commercial remote monitoring and management (RMM) tools.(Citation: Crowdstrike TELCO BPO Campaign December 2022)\n\n[Scattered Spider](https://attack.mitre.org/groups/G1015) utilized social engineering to compel IT help desk personnel to reset passwords and MFA tokens.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, 
{"techniqueID": "T1105", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) downloaded tools using victim organization systems.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1556", "showSubtechniques": true}, {"techniqueID": "T1556.006", "comment": "After compromising user accounts, [Scattered Spider](https://attack.mitre.org/groups/G1015) registers their own MFA tokens.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.009", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has added additional trusted locations to Azure AD conditional access policies.(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1578", "showSubtechniques": true}, {"techniqueID": "T1578.002", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used access to the victim's Azure tenant to create Azure VMs.(Citation: Crowdstrike TELCO BPO Campaign December 2022)\n\n[Scattered Spider](https://attack.mitre.org/groups/G1015) has also created Amazon EC2 instances within the victim's environment.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1621", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used multifactor authentication (MFA) fatigue by sending 
repeated MFA authentication requests to targets.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) attempted to gain access by continuously sending MFA messages to the victim until they accept the MFA push challenge.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used RustScan to scan for open ports on targeted ESXi appliances.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) obtained and used multiple tools including the LINpeas privilege escalation utility, aws_consoler, rsocx reverse proxy, Level RMM tool, and RustScan port scanner.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.003", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has extracted the `NTDS.dit` file by creating volume shadow copies of virtual domain controller disks.(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.006", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) performed domain replication.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.003", "comment": 
"During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed Azure AD to download bulk lists of group members and their Active Directory attributes.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.004", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1598", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used a combination of credential phishing and social engineering to capture one-time-password (OTP) codes.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598.001", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) sent Telegram messages impersonating IT personnel to harvest credentials.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1598.004", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used phone calls to instruct victims to navigate to credential-harvesting websites.(Citation: Crowdstrike TELCO BPO Campaign December 2022)\n\n[Scattered Spider](https://attack.mitre.org/groups/G1015) has also called employees at target organizations and compelled them to navigate to fake login portals using 
adversary-in-the-middle toolkits.(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1572", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used SSH tunneling in targeted environments.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1219", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) directed victims to run remote monitoring and management (RMM) tools.(Citation: Crowdstrike TELCO BPO Campaign December 2022)\n\nIn addition to directing victims to run remote software, Scattered Spider members themselves also deploy RMM software including AnyDesk, LogMeIn, and ConnectWise Control to establish persistence on the compromised network.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: Trellix Scattered Spider MO August 2023)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, 
{"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.007", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.(Citation: Crowdstrike TELCO BPO Campaign December 2022)\n\nScattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) can enumerate remote systems, such as VMware vCenter infrastructure.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1539", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) retrieves browser cookies via Raccoon Stealer.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) searches for credential 
storage documentation on a compromised host.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) enumerates and exfiltrates code-signing certificates from a compromised host.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has impersonated organization IT and helpdesk staff to instruct victims to execute commercial remote access tools to gain initial access.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) leveraged compromised credentials from victim users to authenticate to Azure tenants.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) downloaded tools from sites including file.io, GitHub, and paste.ee.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used Windows Management Instrumentation (WMI) to move laterally via [Impacket](https://attack.mitre.org/software/S0357).(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", 
"#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Scattered Spider", "color": "#66b1ff"}, {"label": "used by a campaign attributed to Scattered Spider", "color": "#ff6666"}, {"label": "used by Scattered Spider and used by a campaign attributed to Scattered Spider", "color": "#ff66f4"}]}