
Service desks turn into doors for social engineering thieves

Attacks linked to Scattered Spider and Silent Ransom Group have shown how attackers keep bypassing technical defenses by persuading service desk teams to reset credentials and move access through trusted channels—an approach that remains alarmingly effective d

For service desk staff, the call is supposed to be routine: someone can’t log in, an urgent deadline is approaching, and the job is to fix it fast.

In 2025, that routine became the route into major systems. Scattered Spider used social engineering to impersonate an employee and convince a third-party service desk agent to reset credentials, letting attackers reach internal systems at Marks & Spencer (M&S). Chairman Archie Norman confirmed the details.

That same pattern—someone trusted, someone pushing for speed—also showed up when Carnival Corporation disclosed a cybersecurity incident in which an attacker used social engineering to deceive an employee and gain access to a limited portion of the company’s IT environment.

Around the same time, the FBI warned organizations about activity linked to threat actor Silent Ransom Group. The warning described members reportedly posing as IT support personnel and persuading employees to join remote access sessions using legitimate administration tools.

The cases were high-profile, but the tactic isn’t rare. Even with stronger regulation, increased awareness, and a number of high-profile arrests, attackers keep showing up at the same kind of front line. The lesson is blunt: compromising a service desk is often easier than compromising the technology it protects.

So why do attackers target service desks?

They don’t need to fight firewalls or exploit unpatched software when they can convince people. Help desk staff are primarily trained to help, even when they’ve received some training about social-engineering attacks. That combination can leave them vulnerable to impersonation attempts—particularly when attackers sound fluent, urgent, and knowledgeable.

There’s also the leverage. Service desk agents typically have the ability to reset passwords, provision accounts, or disable multi-factor authentication. In practice, that means a social engineering call can create a direct path to legitimate access.

Speed matters, too. A well-crafted call or chat can yield access in minutes, often without triggering security alerts—especially when attackers mimic internal processes or spoof internal numbers.

Put together, it becomes the most efficient route for attackers like Scattered Spider to escalate privileges and blend in as an insider.

A service desk attack usually starts with reconnaissance. Attackers identify large companies with decentralized or outsourced IT support—retailers, casinos, airlines, and similar environments. They gather information using LinkedIn, company org charts, or data leaks to learn employee names, roles, and ticketing systems such as ServiceNow.

Then comes the setup. Attackers use tools to spoof internal phone numbers. VoIP services can mimic internal numbers, and some operations involve SIM-swapped phones or Slack/email spoofing.

Once they’re on the line, the impersonation becomes the main event. The approach is simple: call or chat the service desk pretending to be a real employee or contractor needing urgent help.


Common pretexts pull at real work pressures—“I’m locked out of my account before a critical meeting.” “My phone was lost; I need my MFA reset to access payroll/email.” “We’re having an incident and I need admin credentials to help resolve it.”

The delivery is designed to keep the agent moving. The tone is friendly, rushed, or slightly stressed to pressure the support agent. Attackers may use internal slang or specific references, such as asking the agent to “go into Okta and push through a reset like you did last week for Mike in Ops.” Some even mention topical local events, or comment on the weather, to build rapport and reduce suspicion.

The next step is where the damage turns concrete. The goal is to trick the help desk into resetting the password on a real user’s account, removing or re-registering multi-factor authentication, or creating a new account with privileged access.

If verification fails, attackers may call again as someone else or escalate the request—asking, for example, “Can I speak to your manager?” They can also use SIM-swapped phones to intercept MFA codes or request that the codes be sent to a new device.

With access in hand, the attacker can log in as the impersonated employee and then look for ways to elevate privileges—through group policy misconfigurations, ticketing systems, or internal tools including Okta, Citrix, and Azure AD. From there, attackers may deploy malware, exfiltrate data, or set up persistence such as backdoors and rogue accounts.

For some targets, ransomware comes next. The M&S attack is described as involving deployment of ransomware via an affiliate like DragonForce. For others, the focus can shift toward extortion—exfiltrating sensitive data, as in the Caesars/MGM attacks—while maintaining stealth, especially when targeting multiple organizations in the same sector.

The pattern becomes harder to ignore when you look at the numbers. Verizon’s Data Breach Investigations Report found stolen credentials are involved in 44.7% of breaches.


Defense has a simple shape, even if it’s difficult to implement under pressure. Organizations are urged to require strict identity verification for all password resets, including out-of-band confirmation using a known second contact method. MFA needs to be enforced in a way that can’t be easily reset or transferred without in-person verification or manager approval.

Service desk teams also need training that goes beyond general awareness—especially for urgent or emotional requests and spoofed internal numbers. Systems should monitor for unusual service desk activity, including repeated password resets or MFA removals for high-privilege accounts. Help desk privileges should be limited so agents cannot reset access for admin or IT users without escalation.

Outsourced service desk arrangements require regular review, with verification procedures, escalation paths, and approval workflows clearly documented and tested through tabletop or red team exercises. Role-based access control should be used, credential changes should be logged, and alerts should flag high-risk users.
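The monitoring and logging controls described in the two paragraphs above can be turned into concrete detection rules over a service desk audit trail. The following is an added example, not code from the article or from any product it mentions; the log format, field names, account names and the “callback” verification label are all assumed for illustration.

```python
"""Detection rules run over constructed service desk audit records.

Added example; the records and field names are assumed, not from any product.
Rules mirror the controls above: out-of-band verification for MFA changes,
escalation before touching privileged accounts, and alerting on repeated
credential changes for one account in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"adm-backup", "it-oncall"}           # assumed high-risk accounts
MFA_ACTIONS = {"mfa_remove", "mfa_reregister"}
SENSITIVE = MFA_ACTIONS | {"password_reset"}

# Constructed sample records: ISO timestamp, agent, action, target account,
# verification method the agent recorded, and escalation ticket if any.
AUDIT_LOG = [
    {"ts": "2025-06-01T09:02:00", "agent": "agent7", "action": "password_reset",
     "target": "jsmith", "verify": "callback", "ticket": None},
    {"ts": "2025-06-01T09:10:00", "agent": "agent7", "action": "mfa_remove",
     "target": "adm-backup", "verify": "caller_id", "ticket": None},
    {"ts": "2025-06-01T09:31:00", "agent": "agent3", "action": "password_reset",
     "target": "jsmith", "verify": "callback", "ticket": None},
    {"ts": "2025-06-01T09:45:00", "agent": "agent3", "action": "mfa_reregister",
     "target": "jsmith", "verify": "caller_id", "ticket": None},
    {"ts": "2025-06-01T10:05:00", "agent": "agent2", "action": "password_reset",
     "target": "it-oncall", "verify": "callback", "ticket": "ESC-1042"},
]

def flag_events(log, window=timedelta(hours=1), limit=2):
    """Return a list of alert strings for records that violate the rules."""
    alerts, recent = [], defaultdict(list)
    for rec in sorted(log, key=lambda r: r["ts"]):   # ISO timestamps sort as text
        if rec["action"] not in SENSITIVE:
            continue
        t = datetime.fromisoformat(rec["ts"])
        who = f'{rec["action"]} on {rec["target"]} by {rec["agent"]} at {rec["ts"]}'
        # Rule 1: caller ID is spoofable; MFA changes need an out-of-band callback
        if rec["action"] in MFA_ACTIONS and rec["verify"] != "callback":
            alerts.append(f"WEAK_VERIFY {who}")
        # Rule 2: privileged accounts may only be touched with an escalation ticket
        if rec["target"] in PRIVILEGED and not rec["ticket"]:
            alerts.append(f"UNESCALATED {who}")
        # Rule 3: repeated sensitive changes on one account inside the window
        recent[rec["target"]] = [x for x in recent[rec["target"]] if t - x <= window] + [t]
        if len(recent[rec["target"]]) >= limit:
            alerts.append(f"REPEATED {len(recent[rec['target']])} changes on {rec['target']} within {window}")
    return alerts

if __name__ == "__main__":
    for line in flag_events(AUDIT_LOG):
        print(line)
```

On the sample log the rules fire on the MFA removal for a privileged account done on caller ID alone, and on the burst of three credential changes against one ordinary account within an hour, while the ticketed reset for the on-call account passes cleanly.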

Even simulations play a role. Regular phishing and social engineering exercises—focused specifically on phone and chat-based attacks—can help harden the front line.

And the threat doesn’t just target the software layer. It targets trust.

Specops Secure Service Desk is marketed as a way to mitigate social engineering attacks by adding identity verification to password reset and account unlock requests. It describes caller verification using MFA, directory attributes, or custom challenge questions before any action is taken. The product also says it provides audit trails and granular controls over account recovery actions, aiming to reduce the risk of impersonation and unauthorized access.

The pitch, in the end, is about the same reality the cases made unavoidable: if attackers can reliably reach the service desk, they can often reach everything behind it.

