Microsoft’s unified Defender for Identity sensor is GA: What DFIR teams should change today

4n6 Beat
6 min read

Microsoft announced general availability of a unified Microsoft Defender for Identity sensor that correlates identity and endpoint telemetry across on‑premises Active Directory, Microsoft Entra ID, and even third‑party identity providers (e.g., Okta), improving incident correlation and enabling automatic attack disruption with richer identity context. The post also signals migration guidance for existing customers in the coming months. Microsoft Security Blog, 2025‑10‑23.

Why this matters to DFIR: identity evidence that used to be scattered (AD security events, Entra sign‑ins, endpoint logons) is now designed to land in one incident and one hunting surface (Defender XDR), with containment actions (for example, disabling the compromised user) tied directly to identity context. That reduces dwell time and speeds attribution and scoping. Microsoft Security Blog.
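As an added example (editorial, not code from Microsoft's post), this is what "one hunting surface" buys a responder in practice: a Defender XDR advanced hunting query that pulls a single account's logon trail from the identity-side table (IdentityLogonEvents, fed by the identity sensor) and the endpoint-side table (DeviceLogonEvents, fed by Defender for Endpoint) into one timeline. Table and column names are the standard advanced hunting schema; the account name and lookback window are constructed placeholders, and which identity providers show up in IdentityLogonEvents depends on what the sensor in your tenant ingests.

```kusto
// Added example, not from the Microsoft post: one account's logon trail across
// the identity and endpoint tables exposed by Defender XDR advanced hunting.
// Assumptions: standard advanced hunting schema; "jdoe" is a constructed
// sAMAccountName placeholder; 7d is an arbitrary lookback window.
let target_account = "jdoe";
let lookback = 7d;
// Identity side: AD / Entra (and, per the GA post, federated IdP) logons
let identity_side =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where AccountName =~ target_account
    | project Timestamp,
              Source = "Identity",
              Action = ActionType,
              LogonType,
              Protocol,
              Host = DeviceName,
              RemoteIP = IPAddress,
              Application,
              Failure = FailureReason;
// Endpoint side: interactive / network / RDP logons recorded on the device itself
let endpoint_side =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where AccountName =~ target_account
    | project Timestamp,
              Source = "Endpoint",
              Action = ActionType,
              LogonType,
              Protocol,
              Host = DeviceName,
              RemoteIP,
              Application = "",
              Failure = FailureReason;
// Single timeline: the identity event and the endpoint event for the same
// logon land next to each other, so a host seen only on one side stands out.
union identity_side, endpoint_side
| sort by Timestamp asc
```

For scoping rather than timeline review, replace the final sort with a summarize by Host and RemoteIP (count(), min(Timestamp), max(Timestamp), make_set(Source)) to get, per host, whether both telemetry sides saw the account and when it first appeared there.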

Bling Libra’s EaaS pivot and the SLSH playbook shift: what DFIR teams should do now

4n6 Beat
7 min read

Unit 42’s October 20, 2025 brief documents three notable shifts tied to Scattered LAPSUS$ Hunters (SLSH): a formal push toward extortion‑as‑a‑service (EaaS), renewed insider recruitment, and chatter about a new ransomware brand, “SHINYSP1D3R.” Their guidance: build playbooks that handle data‑theft extortion the way many of us handle encryption‑driven ransomware today, with verification of the claimed theft, negotiation posture, and reputation impact all covered (Unit 42, Oct 20, 2025). (unit42.paloaltonetworks.com)

What changed in early October 2025

Context: Unit 42’s earlier Oct 10 brief connects “Scattered LAPSUS$ Hunters” to a coalition of Bling Libra (ShinyHunters), Muddled Libra (Scattered Spider/UNC3944), and LAPSUS$—sometimes dubbed a “Trinity” within a broader e‑crime social milieu known as “The Com” (Unit 42, Oct 10). (unit42.paloaltonetworks.com)