The M&S Breach: A Wake-Up Call for Teams Still Chasing Malware
The M&S breach exposed major gaps in defenses that rely only on malware detection. This post explores how attackers bypass traditional protections and why teams must adopt broader detection strategies. It’s a must-read wake-up call for anyone still focused solely on malware.

When news broke that Marks & Spencer had fallen victim to a ransomware breach linked to DragonForce and the Scattered Spider group, it set off alarm bells across the cybersecurity community. But for those of us who've been watching this pattern unfold, it wasn't a surprise; it was a reminder that most enterprises are still overlooking a glaring hole in their security stacks.
According to Bleeping Computer, the attackers tricked the M&S IT helpdesk into resetting credentials, a classic case of social engineering. They then used SimpleHelp, a legitimate remote monitoring and management (RMM) tool, to deploy ransomware on VMware ESXi hosts. SimpleHelp is one of many legitimate tools increasingly abused in recent attacks. It's also listed on lolrmm.io, an open-source tracker of RMMs abused in the wild.
This is the type of pattern defenders need to anticipate and prevent, before ransomware starts.
Instead of reacting to an ever-growing list of malware variants, it’s time to flip the model: stop the predictable abuse of legitimate tools like TeamViewer, AnyDesk, and SimpleHelp that threat actors consistently weaponize after gaining initial access.
What Makes This Attack So Concerning?
This breach wasn’t the result of a zero-day exploit or advanced evasion technique. It was simple:
- Human manipulation of the helpdesk.
- Abuse of trusted software tools already allowed in most environments.
This tactic is known as a Living-off-the-Land (LOTL) attack. It doesn't rely on malware; it uses the software companies already trust. No custom malware, no zero-days, no clever evasion techniques: just stolen credentials and tools the company already trusted. Attackers aren't bringing anything new; they're using what you've already got, because you won't see it as a threat until it's too late.
If your stack doesn’t specifically account for LOTL threats, you’re vulnerable, even if you have top-tier EDR, antivirus, or SIEM solutions in place.
The RMM Blind Spot
Recently, we’ve seen a rise in the weaponization of:
- SimpleHelp
- TeamViewer
- AnyDesk
- ScreenConnect
- RemotePC
These tools are designed for support, but in the wrong hands, they’re digital crowbars. If your current stack doesn’t control or monitor their use tightly, your endpoints are exposed.
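As an added illustration (not code from the original post or from the MagicSword team), here is a minimal allowlist check that flags RMM executions a host's role does not sanction, run over a few constructed process-creation events. The binary-name patterns, the host roles and the sample events are assumptions made for this example.

```python
import re

# RMM tools named in the post; the image-name patterns are assumptions for
# this example and should be confirmed against your own software inventory.
RMM_PATTERNS = {
    "TeamViewer": re.compile(r"teamviewer", re.I),
    "AnyDesk": re.compile(r"anydesk", re.I),
    "SimpleHelp": re.compile(r"simplehelp", re.I),
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "RemotePC": re.compile(r"remotepc", re.I),
}

# Per-role allowlist: one policy for workstations, servers and hypervisors
# avoids the gaps that appear when each system type is policed differently.
# Unknown roles get an empty allowlist, so anything unclassified is flagged.
APPROVED = {
    "workstation": {"TeamViewer"},
    "server": set(),
    "esxi": set(),
}

def identify_rmm(image):
    """Return the RMM tool whose pattern matches the image path, else None."""
    for tool, pattern in RMM_PATTERNS.items():
        if pattern.search(image):
            return tool
    return None

def check_events(events):
    """Return (host, role, user, tool, image) for each unsanctioned RMM run."""
    alerts = []
    for ev in events:
        tool = identify_rmm(ev["image"])
        if tool and tool not in APPROVED.get(ev["role"], set()):
            alerts.append((ev["host"], ev["role"], ev["user"], tool, ev["image"]))
    return alerts

# Constructed process-creation events (Sysmon-style fields, simplified).
SAMPLE_EVENTS = [
    {"host": "WS01", "role": "workstation", "user": "alice",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"host": "WS02", "role": "workstation", "user": "bob",
     "image": r"C:\Users\bob\Downloads\AnyDesk.exe"},
    {"host": "SRV01", "role": "server", "user": "svc-backup",
     "image": r"C:\ProgramData\SimpleHelp\Remote Access.exe"},
    {"host": "SRV01", "role": "server", "user": "svc-backup",
     "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for host, role, user, tool, image in check_events(SAMPLE_EVENTS):
        print(f"[{role}] {host}: {tool} launched by {user} -> {image}")
```

The sanctioned TeamViewer launch on WS01 passes, while the unapproved AnyDesk download on a workstation and the SimpleHelp agent on a server are both raised.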
The Marks & Spencer breach is not an isolated event; it's a symptom of a broader blind spot in modern cybersecurity. If your organization is still relying on traditional defenses and assuming trusted software is safe by default, you're overdue for a strategy shift.
We believe the future of endpoint security lies in controlling what’s already on your machine, not just chasing what’s new.
Helping the Broader Cybersecurity Community
Check out portal.magicsword.io/#projects for other projects from our team, including loldrivers.io, used by major cybersecurity vendors to detect abused drivers, a common method attackers use to disable security agents and EDRs. It’s part of our mission to empower defenders and outpace attackers at the infrastructure level.
Is your organization’s application security leaving you exposed?
Here’s a quick assessment to see if application control could strengthen your defenses:
- Unauthorized remote access tools: Are unknown or unapproved RMM tools like TeamViewer, AnyDesk, or SimpleHelp able to run on your systems without detection or blocking?
- Uncontrolled application execution: Can users or attackers run unauthorized executables, scripts, or portable applications that bypass your security controls?
- Living-off-the-land attacks: Are legitimate system tools and applications being misused for malicious purposes without proper monitoring or restrictions?
- Endpoint application visibility: Do you have complete visibility and control over what applications are running across all your endpoints, including workstations and servers?
- Policy enforcement gaps: Are there inconsistent application policies between different system types (endpoints vs. servers vs. virtual infrastructure) that create security blind spots?

Written by
Michael Haag
Threat Researcher
In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to digital threats; I anticipate them, ensuring that the digital realm remains sovereign.