The Help Desk as an Attack Surface: Fixing MFA Reset Abuse Before the Next Breach
Help desk MFA reset abuse is a policy failure, not a people failure. Learn how privilege-tiered verification and telemetry integration close the gap.
2/10/2026
10 min read


Security In Practice | CyOps Consulting Team
One phone call. A convincing persona. Roughly 10 minutes. The result was domain administrator access to MGM Resorts' environment, with no malware, no exploit, and no technical sophistication required. The $100M+ documented impact followed from that single help desk interaction.
What happened next across Marks & Spencer in April 2025, where a ransomware attack attributed to a Scattered Spider copycat group caused confirmed operational disruption, and subsequently at Co-op, Harrods, and targets in US insurance and aviation sectors, was not a series of isolated incidents. It was a pattern: same technique, different targets, same outcome.
According to Unit 42's Global IR Report published in August 2025, social engineering was the leading initial access vector across IR cases from May 2024 to May 2025, accounting for 36% of incidents, making it the most consequential entry point the industry is currently failing to close.
Public reporting on these incidents has been extensive. Operational redesign has been limited.
This analysis focuses on three areas often treated as secondary in published guidance: verification protocol design, help desk telemetry integration, and simulation fidelity. Understanding why the attack continues to succeed requires examining the organizational architecture that enables it rather than focusing solely on the actors.
Where Current Thinking Breaks
When a help desk agent is successfully social engineered, organizations frequently respond with additional awareness training. This assumes that insufficient vigilance at the individual level is the primary failure point.
Incident reporting does not support that conclusion.
Across cases reflected in the July 2025 CISA advisory and Mandiant’s tracking of UNC3944, agents in many instances appear to have followed established procedures. The procedures allowed the reset. The primary gap was structural rather than behavioral. That distinction materially affects remediation strategy.
The underlying kill chain is sequential and discrete: exploitable help desk policy enables verification failure; verification failure enables account takeover; account takeover enables lateral movement. Training may influence behavior at the first stage, but it does not redesign policy, generate telemetry to detect anomalous reset patterns, or restrict what agents are authorized to approve. Concentrating remediation effort on training while leaving these controls unchanged creates a mismatch between intervention and exposure.
The mechanism that sustains this mismatch is largely operational. Increased verification friction generates complaints, particularly from senior stakeholders, and informal exception handling often fills the gap. These exceptions are frequently undocumented and unaudited. No authoritative body has published a privilege-tiered verification standard in an operationally deployable form for help desk environments. Existing guidance remains high level.
One of the most consistently exploited weaknesses is the executive exception. Agents are conditioned to defer to perceived seniority. Attackers construct credible personas supported by internal detail that activates this response, a tactic documented across Scattered Spider reporting. This dynamic reflects uniform verification procedures applied across accounts with significantly different privilege exposure.
Three structural failure modes sustain this pattern: gaps in verification protocol design, lack of help desk telemetry integration, and unrealistic simulation practices. Each requires a different corrective lever.
Three Failure Modes
Gap 1: Verification Protocols Are Risk-Flat
Most enterprise verification procedures treat help desk requests as equivalent risk events. An agent processing a password reset for a junior analyst often follows the same checklist used for an MFA deactivation request involving a domain administrator. The checklist typically relies on static knowledge factors such as employee ID, date of birth, or partial Social Security number. Incident response reporting indicates that this information is frequently accessible through breach databases and open-source reconnaissance before the call is placed.
The verification control is uniform; the privilege exposure it protects against is not. That mismatch is the first structural failure.
The reason it persists is partly operational and partly political. Differentiated verification, applying higher friction to higher-privilege requests, generates escalations, and agents learn quickly that pushing back on a caller presenting as a senior executive carries professional risk. The result, documented across post-incident analysis of cases tracked in the CISA Scattered Spider advisory and Mandiant's UNC3944 reporting, is an informal exception culture: undocumented, unaudited, and ungoverned.
Coverage that recommends video verification as a fix is directionally correct but operationally incomplete. Without specifying which account tiers require it, who can authorise non-compliance, and what fallback procedure governs a caller who claims they cannot comply, naming the control is not the same as designing it.
Gap 2: Help Desk Telemetry Is Not Integrated into Detection Workflows
Security operations teams routinely ingest endpoint telemetry, network logs, and identity events into SIEM platforms. Help desk systems such as ServiceNow, Zendesk, and Freshservice are frequently excluded from these ingestion pipelines. As a result, the event sequence that constitutes a completed attack is not evaluated holistically.
The sequence typically includes a password reset, followed by MFA deactivation, followed by new device enrollment from an unrecognised geography. Each action is operationally common. The combination, particularly when involving a privileged account, is not. Without correlation logic spanning help desk and identity systems, the sequence remains undetected.
Unit 42’s August 2025 Global IR Report documents a case in which an attacker progressed from an initial help desk interaction to domain administrator access in under forty minutes with no detection during that interval. Obsidian Security’s November 2025 analysis observed that dwell time increases by up to 80% when sessions are not revoked post-compromise, because neither the victim nor the SOC identifies the intrusion until natural session expiry.
This gap is often framed as a tooling gap. It is primarily a correlation logic gap. The underlying data exists in most environments; the detection rules do not. The threshold for flagging an anomalous reset-to-enrollment sequence should not be an arbitrary default. Practitioners should establish it by pulling IAM log data and determining what a normal interval looks like in their own environment. A baseline-derived threshold will produce actionable signal; a generic one will produce noise.
Gap 3: Help Desk Drills Do Not Reflect Realistic Attacker Behavior
Security awareness programmes commonly simulate phishing campaigns and occasionally conduct general vishing exercises against broad staff populations. Documented incident post-mortems provide little evidence that help desk agents were previously exposed to realistic simulations of the specific attacker approach used in these cases.
The documented technique includes multi-day reconnaissance using public sources, scripted dialogue incorporating internal process terminology, and a plausible personal scenario such as a lost device, active travel, or urgent operational disruption. The attacker frequently impersonates a senior executive or IT leader whose identity the agent has limited means to verify.
The training gap is not the absence of threat awareness. It is the absence of procedural conditioning under realistic pressure. Agents must be able to apply verification requirements consistently when interacting with a fluent and well-prepared caller who introduces urgency and authority cues.
A high-fidelity simulation should follow documented attacker methodology observed in Scattered Spider cases. Pre-call reconnaissance should be conducted using only publicly available information, including organisational structure from LinkedIn, recent executive activity from company communications, and internal tool references drawn from job postings. The simulation script should incorporate several accurate internal details to mirror real attacker preparation.
During the call, the scenario should include authority impersonation and time pressure. Presenting as a CFO, senior engineering leader, or IT executive introduces verification complexity. Introducing urgency such as an upcoming board meeting or an active outage tests whether process controls withstand operational stress.
The critical output of such a simulation is documentation of the specific control breakdown. A bypassed callback, an unlogged exception, or a privileged reset processed without required co-authorisation each correspond to a discrete policy weakness. Without controlled testing, these weaknesses may remain theoretical.
Simulations require more coordination and oversight than phishing campaigns. They involve scripting, role assignment, and careful scoping to avoid triggering actual incident response procedures. Simulation should not substitute for process redesign. Improving agent familiarity with threat patterns does not resolve structural weaknesses in verification policy. Both simulation and protocol redesign are necessary to reduce exposure.
Tactical and Programmatic Adjustments
Identifying the failure modes clarifies where intervention must occur.
Immediate Actions
The immediate priority is determining whether the exposure observed in documented Scattered Spider incidents exists within your environment.
Begin by auditing current MFA reset and password change procedures to identify whether verification requirements vary by account privilege level. If no differentiation exists, then domain administrator accounts and standard employee accounts are protected by identical controls. That condition aligns directly with the documented attack pattern.
Next, formally define the executive exception. Specify who is authorised to approve it, under what circumstances it applies, and what documentation is required. Removing discretionary exception handling from individual agents reduces the most consistently exploited weakness observed in incident reporting.
Finally, review at least one week of MFA reset and new device enrollment logs. Manually assess whether the sequence of password reset, MFA deactivation, and new device enrollment from an unrecognised geography has occurred, particularly for privileged accounts. Any such instance warrants validation. If the sequence has occurred without investigation, compromise may have gone undetected.
Near-Term Work This Quarter
The next step is translating audit findings into enforceable structural controls.
Develop a privilege-tiered verification framework with at least two defined levels. Standard accounts should require a knowledge factor combined with a callback to a registered number. Privileged accounts should require additional controls such as video verification, manager co-authorisation, and a defined hold period for high-risk resets. A mandatory hold period for privileged account resets removes the time window that enables rapid escalation.
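The two-tier framework described above, as policy-as-code, is an added example and not a procedure from the article or any help desk product; the ticket field names and the four-hour hold period are assumptions, and the one fixed rule is that no exception waives manager co-authorisation or the hold on a privileged account:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PRIVILEGED_HOLD = timedelta(hours=4)  # assumed hold period; set it per policy


@dataclass
class ResetRequest:
    """Evidence the agent records on the ticket. Constructed schema: the
    field names belong to this example, not to any vendor's API."""
    user: str
    privileged: bool
    requested_at: str                          # ISO-8601 UTC
    knowledge_factor_ok: bool = False
    callback_to_registered_number: bool = False
    video_verified: bool = False
    manager_coauth: Optional[str] = None       # co-authorising manager's id
    exception_approver: Optional[str] = None   # documented exception approver


def evaluate(req: ResetRequest):
    """Return (decision, earliest_execution_iso, reasons), with decision one of
    'approve', 'hold' or 'deny'. The agent has no discretionary path: a missing
    control is a deny unless a named approver recorded an exception, and an
    exception can never waive manager co-authorisation or the hold period."""
    missing = []
    if not req.knowledge_factor_ok:
        missing.append("knowledge factor")
    if not req.callback_to_registered_number:
        missing.append("callback to registered number")
    if req.privileged and not req.video_verified:
        missing.append("video verification")
    if req.privileged and not req.manager_coauth:
        missing.append("manager co-authorisation")

    reasons = []
    if missing:
        if not req.exception_approver:
            return "deny", None, ["missing: " + ", ".join(missing)]
        if "manager co-authorisation" in missing:
            return "deny", None, ["exception cannot waive manager co-authorisation"]
        # Waived controls are kept on the record so the exception is auditable.
        reasons.append(f"exception by {req.exception_approver} waives: " + ", ".join(missing))

    start = datetime.fromisoformat(req.requested_at)
    if req.privileged:
        # The hold removes the immediate-execution window the article describes.
        return "hold", (start + PRIVILEGED_HOLD).isoformat(), reasons + ["privileged: hold period applies"]
    return "approve", start.isoformat(), reasons
```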
In parallel, implement SIEM or SOAR detection logic designed to identify the reset-to-enrollment sequence for privileged accounts. Focus initial tuning on high-privilege users to reduce alert volume while establishing baseline behaviour. Detection thresholds for the interval between reset and enrollment should be derived from internal IAM data rather than default vendor configurations. Environment-specific baselining improves signal quality and reduces false positives.
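The reset-to-enrollment correlation described here and in Gap 2, with the window derived from a baseline rather than a vendor default, as an added example rather than the article's own or any SIEM's rule syntax; the events, known-country history and historical intervals are constructed, and a real deployment would read them from the help desk platform and the IdP:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 'source' records whether the
# event came from the help desk platform or the identity provider; timestamps
# are ISO-8601 UTC. j.doe is a privileged account, a.lee a standard one.
SAMPLE_EVENTS = [
    {"ts": "2025-06-03T09:02:00", "source": "helpdesk", "type": "password_reset",
     "user": "j.doe", "privileged": True, "country": None},
    {"ts": "2025-06-03T09:11:00", "source": "idp", "type": "mfa_deactivate",
     "user": "j.doe", "privileged": True, "country": "US"},
    {"ts": "2025-06-03T09:25:00", "source": "idp", "type": "device_enroll",
     "user": "j.doe", "privileged": True, "country": "RO"},
    # benign: standard user re-enrolls two days later from a known country
    {"ts": "2025-06-03T10:00:00", "source": "helpdesk", "type": "password_reset",
     "user": "a.lee", "privileged": False, "country": None},
    {"ts": "2025-06-05T10:30:00", "source": "idp", "type": "device_enroll",
     "user": "a.lee", "privileged": False, "country": "US"},
]
# Countries each user has authenticated from before (constructed).
KNOWN_COUNTRIES = {"j.doe": {"US"}, "a.lee": {"US"}}
# Constructed reset->enrollment intervals (minutes) from benign historical
# tickets; in practice these come from your own IAM and help desk logs.
BASELINE_INTERVALS_MIN = [1440, 2880, 95, 600, 4320, 180, 7200, 2400, 360, 1500]


def baseline_threshold(intervals_min, percentile=0.10):
    """Interval at a low percentile of benign reset->enrollment gaps; chains
    faster than this are rare in normal operations and worth a look."""
    ordered = sorted(intervals_min)
    idx = max(0, int(len(ordered) * percentile) - 1)
    return timedelta(minutes=ordered[idx])


def detect_reset_to_enroll(events, known_countries, threshold):
    """Flag users whose help desk password reset is followed, within
    `threshold`, by an MFA deactivation and then a device enrollment from a
    country absent from their history. One alert per completed chain."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["type"] != "password_reset" or reset["source"] != "helpdesk":
                continue
            t0 = datetime.fromisoformat(reset["ts"])
            mfa_off = False
            for e in evs[i + 1:]:
                elapsed = datetime.fromisoformat(e["ts"]) - t0
                if elapsed > threshold:
                    break  # outside the baseline-derived window for this reset
                if e["type"] == "mfa_deactivate":
                    mfa_off = True
                elif (e["type"] == "device_enroll" and mfa_off
                      and e["country"] not in known_countries.get(user, set())):
                    alerts.append({"user": user, "privileged": e["privileged"],
                                   "country": e["country"],
                                   "minutes": int(elapsed.total_seconds() // 60)})
                    break
    # Privileged accounts first, then the fastest chains, matching the triage order above.
    return sorted(alerts, key=lambda a: (not a["privileged"], a["minutes"]))
```

Run against the constructed data, only j.doe's 23-minute chain is returned; a.lee's two-day re-enrollment falls outside the 95-minute baseline window and has no MFA deactivation.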
Before the end of the quarter, conduct at least one realistic help desk vishing simulation aligned to documented attacker tactics. The objective is to identify process weaknesses rather than evaluate individual performance. If the simulation reveals a verification bypass, the protocol requires redesign. If it reveals hesitation or inconsistency under pressure, additional procedural reinforcement may be necessary.
Structural Work Six to Twelve Months
Longer-term effort should focus on institutionalising the controls introduced during the near-term phase.
Integrate help desk platform logs into the SIEM as a formal telemetry source. Correlation logic should account for account privilege tier so that high-risk sequences involving privileged accounts are prioritised. Without ingestion of help desk-originated events, detection rules will operate on incomplete data.
Establish a formal exception governance process that requires documented manager approval for all privileged MFA reset exceptions. Even a simple maintained log with a defined approval chain provides auditability and enables post-incident review. Informal exception handling does not.
Implement a recurring vishing simulation programme with scenarios updated to reflect current tactics described in CISA advisories, Unit 42 reporting, and FBI or similar agency alerts. Repetition reinforces procedural consistency and allows measurement of control effectiveness over time.
Two operational constraints should be addressed during planning. Privilege-tiered verification will increase handle time, and this impact should be measured and discussed with help desk leadership as a risk management decision. Detection tuning for help desk events requires initial analytical effort and should remain scoped to privileged accounts until baseline behaviour is well understood. Clear acknowledgement of these trade-offs improves programme sustainability.
MSP-Specific Downstream Risk
The controls described above apply to any organisation managing privileged access. The risk profile changes significantly when those privileges extend across multiple client environments.
In managed service provider environments, a help desk agent with cross-tenant privileged access represents a concentration of downstream exposure. A successful social engineering incident affecting that account may enable compromise across every client environment accessible through those credentials. The attack sequence described in the CISA Scattered Spider advisory aligns directly with this operational model. Unit 42’s August 2025 reporting identifies MSPs as an active expansion target for this technique.
For MSPs, privilege-tiered verification and integrated detection controls are not enhancements. They are foundational risk controls proportional to the scale of potential downstream impact.
Decision Framework and Forward Risk Signal
The first test for any privileged account reset procedure is straightforward: can the organisation demonstrate that it verified the identity of the authorised account holder before approving the reset? If the answer cannot be supported with evidence, the verification protocol is insufficient regardless of what policy documentation states.
Verification requirements should scale according to the potential impact of account compromise. The blast radius of a domain administrator account is materially different from that of a standard employee account. If both are subject to identical reset controls, the organisation has accepted disproportionate risk without explicit acknowledgement.
Incident reporting from Unit 42 and the CISA Scattered Spider advisory indicates that process redesign and detection integration reduce exposure more effectively than repeated awareness training cycles alone. Training may improve familiarity with threat patterns, but it does not remove the burden of high-risk decision making from individual agents. Structural controls, including tiered verification and enforced hold periods, reduce reliance on discretionary judgement in high-pressure scenarios.
The threat landscape is not static. Unit 42's August 2025 Global IR Report documents adoption of this social engineering technique by state-aligned actors including Iran's Agent Serpens. Mid-2025 threat intelligence reporting also attributes similar methodology to North Korea-linked groups, indicating expansion rather than decline. Targeting has broadened to include aviation, insurance, and managed service provider sectors.
Monitoring efforts should prioritise updates from CISA advisories, Unit 42 and Mandiant incident reporting, and FBI or similar agency alerts. The focus should remain on procedural evolution rather than actor attribution. Changes in verification bypass techniques or reset sequencing will have greater operational significance than the identity of the group employing them.
One potential development warrants observation but not immediate control redesign. Advances in AI-assisted voice spoofing may eventually reduce the reconnaissance effort required to construct credible executive impersonation. Current threat intelligence does not establish confirmed operational prevalence. Control design should remain grounded in documented technique rather than speculative capability.
The controls described in this article, including privilege-tiered verification, help desk telemetry integration, and realistic simulation, are achievable using existing enterprise tooling. The primary barrier is governance discipline and prioritisation. Organisations that treat help desk verification as a high-risk security control rather than a customer service workflow will reduce the likelihood of rapid privilege escalation through social engineering.
In Short
The vulnerability is in policy, not people.
Post-incident analysis of Scattered Spider cases, reflected in the CISA advisory updated July 2025 and Mandiant's reporting on UNC3944, shows that agents in documented breaches largely followed existing procedures. The procedures allowed the reset. Directing remediation spend toward additional awareness training while leaving verification policy unchanged addresses the wrong failure point.
The attack sequence is detectable, but the correlation logic is often absent.
Help desk platforms such as ServiceNow, Zendesk, and Freshservice are not consistently integrated into SOC detection workflows. The sequence of password reset, MFA deactivation, and new device enrollment from an unrecognized geography is individually routine but collectively anomalous. Unit 42's August 2025 Global Incident Response Report documents domain administrator access achieved in under forty minutes from a single call, with no detection during that window. The relevant data was present. The detection rules were not.
A mandatory hold period on privileged resets removes the attacker's speed advantage.
The forty-minute domain administrator compromise documented in 2025 IR reporting depended on immediate execution. A defined hold period on high-privilege MFA resets removes that window without requiring new tooling. Combined with privilege-tiered verification, including video confirmation and manager co-authorization for privileged accounts, this represents a high-leverage structural control within existing enterprise infrastructure.
The technique is spreading, and MSP environments amplify downstream risk.
2025 incident response reporting attributes adoption to state-aligned actors including Iran’s Agent Serpens and North Korea-linked groups. In a managed service provider environment, a single successful social engineering call can enable compromise across multiple client tenants, depending on account privilege. Exception culture in this context creates multi-client exposure rather than a contained governance issue.
© 2026 CyOps Consulting. All rights reserved.
