🟡 Medium | Source: The Hacker News
US prosecutors have used a persistent Windows device ID to link an alleged Scattered Spider member to a cyberattack on a luxury jewellery retailer in May 2025. Microsoft records tied the device ID to both the attacker’s persistence account during the intrusion and to personal online accounts belonging to 19-year-old suspect Peter Stokes. The case highlights how hardware and software identifiers retained by cloud and identity providers can become powerful forensic artefacts in cybercrime investigations.
Security Architect’s Take: Review your organisation’s logging strategy to ensure Windows device IDs, Entra ID (Azure AD) device registration records, and associated sign-in logs are retained and correlated — these artefacts can be pivotal for both threat hunting and incident response. Also ensure conditional access policies flag or block unregistered or anomalous devices attempting to maintain persistence via legitimate identity providers.
Original advisory: Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker