Emerging Threats

Social Engineering Attacks Target Service Desks

Customer service representative on phone call at retail service desk.

"Compromising a service desk is often easier than compromising the technology it protects." That blunt assessment, repeated in the reporting on a string of 2025 incidents, is the central fact organizations must reckon with.

Scattered Spider’s 2025 UK attacks and related incidents

The 2025 attacks against UK retailers Marks & Spencer (M&S), Co-op, and Harrods, carried out by the hacking collective Scattered Spider, put service-desk social engineering in the headlines. In M&S’s case, Chairman Archie Norman confirmed that attackers impersonated an employee and convinced a third-party service desk agent to reset credentials, providing access to internal systems. The M&S incident was followed by other examples: Carnival Corporation disclosed a cybersecurity incident in which an attacker used social engineering to deceive an employee and gain access to a limited portion of the company's IT environment, and the FBI warned of activity linked to Silent Ransom Group, whose members reportedly posed as IT support personnel and persuaded employees to join remote access sessions using legitimate administration tools.

Reconnaissance to ransomware: the five-stage playbook

The source lays out a clear, repeatable sequence attackers use against service desks:

  • Reconnaissance and setup: Targets are chosen for having decentralized or outsourced IT support—retailers, casinos, airlines were cited—and attackers gather names, roles, and ticketing-system details from LinkedIn, org charts, or data leaks. VoIP-based caller-ID spoofing is used to mimic internal phone numbers; sometimes SIM-swapped phones or spoofed messaging/email accounts are employed.
  • Impersonation and social engineering: Attackers call or message the service desk posing as an employee or contractor with urgent needs. Typical pretexts include being locked out before a critical meeting, losing a phone and needing an MFA reset for payroll/email, or claiming an incident requires admin credentials. The callers deliberately sound rushed, use internal slang, or even mention local events to build rapport.
  • Credential reset and MFA bypass: The immediate goal is a password reset, MFA removal or re-registration, or creation of a privileged account. Tactics include spoofing caller ID, using breached HR information to pass verification, calling back as another persona, escalating to a manager, or using SIM swaps to intercept MFA codes.
  • Access and lateral movement: Once authenticated, attackers log in as the impersonated user, seek privilege escalation through misconfigurations or internal tools (examples named include Okta, Citrix, Azure AD), and establish persistence.
  • Ransomware or data theft: Outcomes vary by victim—deploy ransomware (the source cites use of affiliates such as DragonForce in the M&S attack), exfiltrate data for extortion (noted in past Caesars/MGM attacks), or remain stealthy for additional campaigns.

Why help desks remain a high‑leverage target

The reporting highlights four practical reasons service-desk attacks continue to pay off. First, human vulnerability: help-desk staff are trained to assist and may be susceptible to urgent, fluent impersonators. Second, help desks often wield powerful functions—password resets, account provisioning, and MFA changes—that hand attackers legitimate credentials. Third, social engineering bypasses technical defenses: it avoids breaking through firewalls or exploiting unpatched software and instead exploits trust. Fourth, speed and stealth: a convincing call or chat can yield access in minutes and may not trigger alerts when attackers mimic internal processes.

That dynamic is reflected in broader breach statistics cited: Verizon’s Data Breach Investigations Report found stolen credentials are involved in 44.7% of breaches—evidence that attackers prize routes that produce legitimate credentials.

Practical defenses and Specops’ proposed mitigation

The source lists a set of measures organizations can adopt to harden service desks:

  • Require strict identity verification for all password resets, including out‑of‑band confirmation such as a known second contact method.
  • Enforce MFA that cannot be easily reset or transferred without in‑person verification or manager approval.
  • Train service-desk staff to recognize urgent or emotional social-engineering tactics and spoofed internal numbers.
  • Monitor for unusual service-desk activity—repeated resets or MFA removals for high‑privilege accounts—and limit help-desk privileges so agents cannot reset admin or IT user access without escalation.
  • Review outsourced service-desk arrangements regularly and log all credential changes, with alerts for high‑risk users.
  • Conduct phishing and phone/chat-focused social-engineering simulations and tabletop or red-team exercises.
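Two of the controls above are mechanical enough to show in code: the verification and escalation gate an agent's tooling should enforce before it performs a reset or MFA change, and the monitoring rule that flags repeated resets or MFA removals against high-privilege accounts. The following Python is an added example written for this page; it is not code from the article, from Specops, or from any vendor product. The account names, the privileged-account list, the agent tiers and the audit log lines are all constructed for the demonstration, and the log format (ISO timestamp, agent, action, target) is an assumption.

```python
"""Added example: a policy gate for service-desk credential-change requests
and a detector for repeated changes against high-privilege accounts.
All names, roles and log lines below are constructed for the demo."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed directory data: accounts the help desk must not touch
# without escalation (admin, service and executive accounts).
PRIVILEGED_ACCOUNTS = {"it.admin", "svc.backup", "cfo.jdoe"}
# Actions that hand a caller working credentials if granted wrongly.
SENSITIVE_ACTIONS = {"password_reset", "mfa_remove", "mfa_reregister"}


@dataclass
class ResetRequest:
    target: str             # account the caller wants changed
    action: str             # one of SENSITIVE_ACTIONS
    agent_tier: int         # 1 = front-line desk, 2 = escalation desk
    oob_verified: bool      # confirmed via a known second contact method
    manager_approved: bool  # approval recorded on the ticket


def evaluate_request(req: ResetRequest) -> tuple[bool, str]:
    """Apply the verification/escalation controls. Returns (allowed, reason)."""
    if req.action not in SENSITIVE_ACTIONS:
        return False, f"unknown action {req.action!r}"
    # Out-of-band confirmation is required for every credential change,
    # regardless of how convincing or urgent the caller is.
    if not req.oob_verified:
        return False, "out-of-band verification required before any credential change"
    # MFA removal/re-registration is never a single-agent decision.
    if req.action in ("mfa_remove", "mfa_reregister") and not req.manager_approved:
        return False, "MFA changes require manager approval"
    if req.target in PRIVILEGED_ACCOUNTS:
        # Front-line agents cannot act on privileged accounts at all.
        if req.agent_tier < 2:
            return False, "privileged account: escalate to tier 2"
        if not req.manager_approved:
            return False, "privileged account: manager approval required"
    return True, "allowed"


# Constructed audit log: timestamp, agent, action, target account.
SAMPLE_LOG = """\
2025-05-01T09:00:12Z agent17 password_reset it.admin
2025-05-01T09:05:40Z agent17 mfa_remove it.admin
2025-05-01T09:40:03Z agent03 password_reset m.jones
2025-05-01T10:12:55Z agent22 password_reset it.admin
2025-05-02T14:00:00Z agent03 password_reset svc.backup
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the assumed four-field log format into (ts, agent, action, target)."""
    events = []
    for line in text.splitlines():
        ts, agent, action, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), agent, action, target))
    return events


def flag_repeated_changes(events, window=timedelta(hours=24), threshold=2):
    """Return (target, count, agents) for privileged accounts that saw
    `threshold` or more sensitive changes inside any `window`-long span."""
    by_target = defaultdict(list)
    for ts, agent, action, target in events:
        if target in PRIVILEGED_ACCOUNTS and action in SENSITIVE_ACTIONS:
            by_target[target].append((ts, agent, action))
    alerts = []
    for target, evs in by_target.items():
        evs.sort()
        best: list = []
        # Slide a window starting at each event; keep the densest run.
        for i, (start, _, _) in enumerate(evs):
            run = [e for e in evs[i:] if e[0] - start <= window]
            if len(run) > len(best):
                best = run
        if len(best) >= threshold:
            alerts.append((target, len(best), sorted({a for _, a, _ in best})))
    return alerts


if __name__ == "__main__":
    print(evaluate_request(ResetRequest("it.admin", "password_reset", 1, True, True)))
    for alert in flag_repeated_changes(parse_log(SAMPLE_LOG)):
        print("ALERT: repeated credential changes", alert)
```

In the constructed log, `it.admin` receives a reset, an MFA removal and a second reset by a different agent within about an hour, which the detector reports as one alert naming both agents; the single change to `svc.backup` stays below the threshold. The gate and the detector are deliberately separate: the gate stops a single bad decision, the detector catches the case the article describes where an attacker calls back as another persona or reaches a different agent.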

The report also describes a vendor solution: Specops Secure Service Desk, which the piece says "can help mitigate social engineering attacks by adding identity verification to password reset and account unlock requests," using MFA, directory attributes, or custom challenge questions and providing audit trails and granular controls. That description appears in the source as part of a sponsored section.

What this means for technologists, regulators, and procurement leaders

Technologists and security teams will watch verification workflows and help-desk privileges closely and are urged to monitor for repeated resets and MFA removals for high‑privilege accounts. Regulators and compliance officers must consider whether current rules adequately constrain outsourced service-desk practices, verification standards, and escalation requirements. Procurement leaders should require documented verification procedures, escalation paths, and evidence of red-team testing from third-party service-desk providers.

The record in these incidents is straightforward: attackers find it easier to exploit people than to defeat hardened systems. The immediate test for organizations is operational: tighten verification, limit help-desk powers, and test whether those changes actually stop the rapid impersonation techniques that Scattered Spider and others exploited. Will firms accept the friction those controls introduce at the front line? That remains the practical question left by the cases described.
