New Identity Battleground: Attackers Don’t Need to Break MFA, They Just Need a Help Desk

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Question: Why are enterprise help desks becoming one of the easiest entry points for attackers despite organizations investing heavily in identity security controls?


Aaron Painter, CEO at Nametag

Help desks sit at the intersection of people, process, and privilege. And targeting these entry points has become widely popular in the cybercriminal sphere since attacks like the Marks & Spencer (M&S) and Co-op attack, some of the recent bigger attacks of their kind.

Scattered Spider, the group behind the breach, has now built their whole playbook around IT help desk/workforce impersonation, crippling operations for days and costing victims hundreds of millions in damages and lost revenue.

On paper, this tactic seems elementary. Haven’t we mastered this yet? 

The answer is that attackers have expanded beyond trying to breach identity systems directly. In some cases, they still are. 

Vulnerabilities and misconfigurations will always create opportunities for opportunistic hackers. But groups like Scattered Spider have recognized something much easier to exploit. Instead of attacking the technology itself, they target the weak operational processes surrounding it.

The help desk and account recovery process are a prime example of this challenge, because the situations themselves are often urgent and messy: 

The reality is that if an attacker can convincingly impersonate a legitimate employee long enough to get through a recovery workflow, they do not need to defeat MFA at all. The organization will effectively disable it for them. 

And being “convincing” is no longer much of a barrier; while sophisticated social engineering campaigns once required significant research and effort, AI-generated voices, deepfake technology, and stolen personal information now allow attackers to impersonate employees with far less work.

At the same time, the enterprise help desk has become more operationally critical than ever before, and platforms like ServiceNow now sit at the center of enterprise workflows. 

I attended ServiceNow Knowledge a couple weeks ago, and that reality was evident in conversation after conversation. People kept coming up to our booth asking the same question:

“How do I know who is actually contacting my help desk?” Not as a theoretical concern, but as a response to real social engineering incidents and fraud takeovers making it through existing processes.

I applaud organizations like ServiceNow that are helping push this conversation forward because it is forcing enterprises to rethink identity verification inside these workflows. 

For years, identity trust within the help desk has largely been inherited from upstream identity providers. That model worked for a while, but it was just a band-aid on a bullet hole. 

Recovery workflows, escalations, and exception handling all create openings where human judgment becomes the security control. Attackers understand that, and they are exploiting it aggressively.

Ultimately, organizations are realizing that the help desk is no longer just a support function operating alongside security. It has become one of the most important identity decision points in the enterprise.

