Helpdesk Cyberattacks: Is Your Support System Your Biggest Security Weakness?

Recent Cyber Attacks Targeting Helpdesks

The security of helpdesk systems has recently been thrust into the spotlight after several major UK firms found themselves targeted by the DragonForce ransomware. In these incidents, initial access was achieved through social engineering tactics directed at helpdesk staff, likely orchestrated by the cybercriminal group Scattered Spider, operating between the United States and the United Kingdom.

  • Marks & Spencer (April-May 2025): Hackers manipulated M&S’s IT helpdesk to reset employee passwords, granting them access to the company’s systems. They managed to exfiltrate personal customer data. This breach led to the suspension of online orders and in-store pickup services for over three weeks.
  • Co-Op Group (May 2025): Following a nearly identical approach, cybercriminals persuaded helpdesk agents to provide system-level access. As a result, contact details of customers and credentials of staff were stolen, causing disruptions and stock shortages across all 2,300 stores.
  • Harrods (May 2025): The renowned luxury retailer became the third British company in just two weeks to face a cyberattack. Harrods detected and thwarted unauthorized access attempts—also believed to be linked to Scattered Spider—before any data was compromised.
  • MGM Resorts (September 2023): In 2023, Scattered Spider conducted a vishing attack on MGM Resorts’ helpdesk. They tricked agents into disabling two-factor authentication (2FA) for a senior executive, which subsequently triggered a ransomware campaign. This attack crippled networks, slot machines, ATMs, and digital key systems across Las Vegas casinos.

Why Do Hackers Target Helpdesks?

In essence, manipulating an individual is often faster and easier than executing a purely technical attack. Helpdesk teams are trained to resolve issues swiftly and get users back online as quickly as possible. Cybercriminals exploit this by impersonating distressed executives or trusted service providers, leveraging social norms like helpfulness, respect for authority, or avoiding conflict. They employ empathy, urgency, and trust as tools to push helpdesk staff into rushing their responses or bypassing standard procedures. Once they secure initial access, they extend their control or deploy ransomware, escalating the breach quickly.

How Do Social Engineering Attacks Unfold?

  • Reconnaissance: Some hackers target helpdesks indiscriminately, while others meticulously research public sources—LinkedIn profiles, press releases, organizational charts, social media—to gain advantage. This preparatory phase helps craft convincing stories.
  • Developing the Pretext: Using credible details such as office locations or recent corporate projects, attackers construct plausible scenarios—such as a lost password or MFA authentication issue—to justify their requests.
  • The Call: Attackers then make their move, often during high-traffic periods for maximum impact. Members of the Scattered Spider group, for instance, speak fluent English, which often catches companies in the UK and US off guard. Some even incorporate AI tools to mimic authentic voices (vishing), impersonating trusted employees to enhance credibility.
  • Creating Urgency and Gaining Trust: At this stage, the attacker pressures the helpdesk agent. They might cite the name of a key client, an executive, or reference an ongoing project to build trust. They then invoke a false sense of urgency—claiming immediate access is critical to business operations—to prompt quick action.
  • Bypassing Multi-Factor Authentication (MFA): When asked to verify their identity via MFA, the attacker claims the confirmation was not received, perhaps suggesting the device is lost or malfunctioning. They then request an MFA reset, citing a supposed “manager approval” or urgent internal procedure. Helpdesk staff, worried about delaying critical work, often comply.
  • Resetting Credentials and Token Replacement: Following protocol, the helpdesk agent disables the current MFA device and sets up a temporary one. The attacker immediately receives alerts, validates them in real time, and confirms successful login.
  • Initial Access Point: Equipped with valid credentials and an active session, the attacker now has entry into the organization’s environment, setting the stage for further intrusion.
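The last three steps leave a recognizable trace: a helpdesk-initiated MFA reset followed within minutes by a sign-in from an origin the account has never used. The following is an added example, not part of the original article, of correlating those two events; the event field names, the 30-minute window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; the field names are assumptions, not a product schema.
EVENTS = [
    {"ts": "2025-05-01T09:00:00", "type": "signin", "user": "alice", "ip": "198.51.100.7", "device": "laptop-a1"},
    {"ts": "2025-05-01T10:00:00", "type": "signin", "user": "bob", "ip": "198.51.100.9", "device": "laptop-b1"},
    {"ts": "2025-05-01T14:02:00", "type": "mfa_reset", "user": "alice", "actor": "helpdesk-17"},
    {"ts": "2025-05-01T14:05:00", "type": "mfa_enroll", "user": "alice"},
    {"ts": "2025-05-01T14:06:30", "type": "signin", "user": "alice", "ip": "203.0.113.50", "device": "unknown-zz"},
    {"ts": "2025-05-01T15:00:00", "type": "mfa_reset", "user": "bob", "actor": "helpdesk-04"},
    {"ts": "2025-05-01T15:20:00", "type": "signin", "user": "bob", "ip": "198.51.100.9", "device": "laptop-b1"},
]

def find_suspicious_resets(events, window=timedelta(minutes=30)):
    """Flag sign-ins from an unseen IP/device shortly after a helpdesk MFA reset."""
    known = {}    # user -> set of (ip, device) pairs seen on earlier sign-ins
    pending = {}  # user -> (time of reset, helpdesk agent who performed it)
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "mfa_reset":
            pending[user] = (ts, ev["actor"])
        elif ev["type"] == "signin":
            origin = (ev["ip"], ev["device"])
            reset = pending.get(user)
            fresh = reset is not None and ts - reset[0] <= window
            if fresh and origin not in known.get(user, set()):
                alerts.append({
                    "user": user,
                    "reset_by": reset[1],
                    "ip": ev["ip"],
                    "minutes_after_reset": (ts - reset[0]).total_seconds() / 60,
                })
                del pending[user]  # one alert per reset; the origin stays untrusted
            else:
                known.setdefault(user, set()).add(origin)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(alert)
```

In the sample data only the reset for alice is flagged; bob's reset is followed by a sign-in from the laptop and address he already used, so it passes.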

Enhance Verification to Prevent Breaches, or Risk Intrusions

Training sessions and simulated phishing tests help teams stay alert and recognize anomalies in procedures. Implementing the principle of least privilege—restricting default permissions, requiring managerial approval for high-risk actions, isolating helpdesk systems from sensitive databases, and maintaining logs of all steps—further tightens security. However, to truly support helpdesk personnel in every interaction, providing reliable tools for identity verification is essential.
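As an added example (not from the original article and not the code of any product it mentions), the controls above can be enforced by the helpdesk tooling rather than left to the agent's judgment on a call. The set of high-risk actions, the factor names and the manager lookup below are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional

HIGH_RISK = {"mfa_reset", "password_reset", "privilege_grant"}  # assumed list

@dataclass
class Request:
    action: str
    target_user: str
    agent: str
    verified_factors: frozenset     # checks the helpdesk tool completed itself
    approver: Optional[str] = None  # set by the approval system, never taken from the call

def authorize(req, managers, audit_log):
    """Return (decision, reasons) and append one audit record per request."""
    reasons = []
    if req.action in HIGH_RISK:
        # What the caller says ("my manager approved it") is not evidence.
        if not req.verified_factors:
            reasons.append("no identity verification completed")
        if req.approver is None:
            reasons.append("manager approval missing")
        elif req.approver in (req.agent, req.target_user):
            reasons.append("approver must be a third party")
        elif req.approver != managers.get(req.target_user):
            reasons.append("approver is not the user's manager")
    decision = "deny" if reasons else "allow"
    audit_log.append(json.dumps({"agent": req.agent, "action": req.action,
                                 "target": req.target_user, "decision": decision,
                                 "reasons": reasons}))
    return decision, reasons

# Constructed data: alice reports to carol.
MANAGERS = {"alice": "carol"}

if __name__ == "__main__":
    log = []
    # The caller claims a lost device and a manager's approval; nothing was verified.
    claimed = Request("mfa_reset", "alice", "helpdesk-17", frozenset())
    print(authorize(claimed, MANAGERS, log))
    # Identity verified by the tool and approval recorded by the user's manager.
    proper = Request("mfa_reset", "alice", "helpdesk-17",
                     frozenset({"hardware_key"}), approver="carol")
    print(authorize(proper, MANAGERS, log))
    print("\n".join(log))
```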

Without strict identity checks, your helpdesk can become an easy entry point for hackers exploiting human trust. Introducing verification layers creates a barrier capable of thwarting even sophisticated social engineering scenarios. Specops Secure Service Desk integrates multi-factor authentication, real-time risk assessment, and customizable control processes—empowering your team to confidently validate identities and block social engineering at the outset.

By applying these verification measures during password resets, permission escalations, or remote sessions, organizations can significantly decrease their human attack surface. Interested in how Secure Service Desk can seamlessly integrate into your environment? Schedule a live demonstration today.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.