The company help desk is also a threat vector
Your help desk is meant to solve problems—not create them. Yet, as attackers have become more skilled in social engineering, they’ve increasingly turned the help desk into a powerful entry point for cyberattacks.
Unless you’re talking about malicious insiders or employee mistakes, it is counterintuitive to think of the help desk as a threat vector. After all, it is the tech support team we’re talking about. These employees are IT professionals who are trained in company policies and have at least a basic knowledge of cybersecurity. Not all employees get the proper onboarding, but your IT team would at least know better than to let a threat actor have a password or elevated privileges.
And if a threat actor is trying to sneak into a company network, wouldn’t he want to avoid the IT team? They are the people most likely to catch him. Isn’t that the whole point of attack chains that use stealth and evasion and living off the land (LotL) techniques?
It seems that way, but let's take a closer look:
- Help desks have access to valuable resources. These technicians can reset passwords, reset or disable multifactor authentication (MFA), change user privileges, view user and system details, and more. The help desk is a treasure chest for a threat actor, so they’ll keep developing and trying novel exploits.
- Help desks are often the starting point for IT and cybersecurity professionals. There may be experts on staff, but this is where a lot of networking and security graduates will enter the industry. They might not have enough experience, company and network knowledge, or self-confidence to recognize and properly respond to suspicious activity. For some of them, the help desk is their first experience in a fast-paced environment with an imperfect network.
- Help desks are often understaffed and overburdened. The demand for security professionals continues to grow, especially now that threat actors have weaponized artificial intelligence (AI) in their attacks. The industry is already shorthanded, which means one person may do the work of 1.5–2 full-time employees. This can be exhausting, especially if the help desk is also handling a lot of false-positive alerts.
With that in mind, the help desk seems like an obvious vector. In the hands of a skilled threat actor, the help desk can deliver the company’s most valuable assets.
Help desk attacks
To illustrate how these attacks work, we will look at four tactics and incidents, starting with the Twitter SIM swaps in 2019. Threat actors used social engineering to trick mobile carrier help desks into performing SIM swaps from the victims to the attackers. 'SIM swap' just means the mobile carrier transferred the phone number from the victims’ SIM cards to SIM cards in phones owned by the attackers. This gave the attackers access to multifactor authentication codes and other information needed to take control of Twitter accounts and cryptocurrency wallets.
This is a common attack on high-profile people like celebrities and influencers, especially those who use cryptocurrency. Brian Krebs has more on these attacks and the aftermath.
The LAPSUS$ group made headlines throughout 2021-2022 with its successful internal help desk impersonation attacks against major organizations including Microsoft, Nvidia, Samsung, and Okta. The group prepared for the attacks by scouring public sources, social media and data breaches made available through the dark web. LAPSUS$ members then contacted company help desks and posed as employees who needed urgent assistance with credentials or devices. These scams often used vishing (voice phishing) or direct messages to bolster their credibility.
LAPSUS$ also used help desk impersonation to support other scams. A common technique was to spam employees with repeated multifactor authentication (MFA) requests and follow up with a call to encourage the employee to approve the authentication. LAPSUS$ also engaged in smishing (SMS phishing), spear-phishing and SIM swapping to intercept communications and authentication codes. The group also pursued insider recruitment, offering compensation for privileged access or escalation. These combined tactics enabled them to breach sensitive environments and launch ransomware and other attacks. Many times, the group’s success could be attributed to studying the target and harassing staffers until they finally made a mistake.
In 2022 the 0ktapus threat group used both smishing and vishing to compromise Twilio, a cloud communications provider. This was a sophisticated and multistage social engineering attack. Here’s the timeline:
- June 29, 2022: 0ktapus threat actors impersonate the IT team in vishing attacks on Twilio employees. A caller convinces an employee to provide working credentials, which leads to approximately 12 hours of unauthorized access to customer contact data.
- Mid-July 2022: Attackers launch a smishing campaign that bombs current and former Twilio employees with fake alerts and malicious password reset links. Some of these attacks are successful and threat actors gain access to the Twilio network and customer data.
- August 4-9, 2022: Twilio becomes aware of the network intrusion and data breach and begins a response, though 0ktapus threat actors maintain access for two more days following detection. As part of the response, Twilio works with carriers and hosting providers to shut down the smishing and credential theft infrastructure.
- August–October 2022: Twilio investigates alongside forensic partners and updates its earlier incident report.
"Our investigation also led us to conclude that the same malicious actors likely were responsible for a brief security incident that occurred on June 29, 2022. In the June incident, a Twilio employee was socially engineered through voice phishing (or ‘vishing’) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers." ~ Twilio Incident Report, August 7, 2022
The Scattered Spider threat group used vishing attacks to infiltrate MGM Resorts in September 2023. Here, callers used LinkedIn to identify an MGM employee and then impersonated that individual in a call to the company’s help desk. The caller claimed to be locked out of the system and asked for help in restoring access. Unfortunately, this worked, and the attackers gained privileged access to the company’s Okta and Azure AD environments. This gave Scattered Spider unfettered access to MGM’s identity and access management systems. They could manage user accounts, disable security controls, and grant themselves access to anything integrated with the compromised platforms.
Once initial access was achieved by Scattered Spider, the ALPHV ransomware group launched its attack on the company. As of late 2023, the attack cost MGM an estimated $100 million in lost revenue, consulting and legal fees, and other expenses related to recovery, security upgrades and compliance issues.
Why these attacks work
We’ve seen that threat actors are willing to pick up the phone and impersonate either a help desk staffer or an employee who needs help desk assistance. These threat actors are “callers” who specialize in vishing and other social engineering techniques. They are skilled in impersonation and improvisational conversation, and they have often prepared for a call by writing a script or collecting details on the target. They are often young English speakers based in England and the United States, and many have been affiliated with a group known as “The Com.” This is a loosely organized community of teenagers and young adults who begin participating in these activities for notoriety, and then continue a ‘career’ in cybercrime for the money. Groups like Scattered Spider (UNC3944), LAPSUS$, 0ktapus, Star Fraud, Octo Tempest, and Scatter Swine have all emerged from The Com. Full transparency here, some of those names are aliases for a single group, and some of these groups share members. Since these threat actors came up through The Com, they learned to work in loosely organized groups that use many of the same techniques. This can make attack attribution challenging, but law enforcement has had considerable success against these Western-based threat actors.
- Feds Charge Five Men in ‘Scattered Spider’ Roundup
- UK Arrests Four in ‘Scattered Spider’ Ransom Group
- FBI Exposes The Com’s Criminal Activities and Involvement of Minors
The help desk isn’t just vulnerable because these threat actors are good at what they do. There just aren’t enough companies with controls in place to protect the employees from these attacks. Whether the attacker is impersonating the help desk or impersonating a non-help desk employee, the attack can be stopped with proper security controls.
Defending your company from help desk attacks
Like any other type of cybersecurity, there are multiple layers of defense that can be deployed. Here are some of the most accessible best practices:
Strict user verification procedures: Require multi-factor authentication and detailed verification before processing sensitive requests (such as password resets or access changes). Enforce policies that prohibit disclosure or reset of credentials without multi-step identity validation. You can use callback protocols, internal phonebooks, internal ticket links, and identity challenge questions.
Access controls and segmentation: Limit help desk access to sensitive systems and data based on the principle of least privilege. Segregate duties so that no single staff member can unilaterally approve and initiate high-risk actions. Use out-of-band confirmation like a second phone call to a verified number before performing an account recovery or privilege escalation.
Audit trails and monitoring: Log all help desk activities, especially those involving sensitive changes or credential access, and proactively monitor for patterns that may indicate abuse, such as repeated password resets or fast-moving access escalations.
Regularly review and update security policies: Conduct regularly scheduled assessments of help desk procedures against the latest industry threats and update protocols as needed. Use threat intelligence on emerging tactics alongside data from help desk logs and other internal sources to inform new policies.
Ongoing security training: Regularly train employees to recognize phishing, vishing, and social engineering tactics, and raise awareness of deepfake attacks. Use simulated attack scenarios to build familiarity and resilience. Empower staff to report suspected social engineering attempts or anomalous requests immediately, with clear escalation and response protocols for unusual activity.
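The monitoring practice above calls for watching help desk logs for repeated password resets and fast-moving access escalations. The following is an added example (not code from the original post or from any vendor) that runs two such detections over a small constructed audit log; the log format, field names and time windows are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed help desk audit log: timestamp, technician, action, target account.
SAMPLE_LOG = """\
2024-03-04T09:02:11 tech01 PASSWORD_RESET jdoe
2024-03-04T09:15:40 tech02 PASSWORD_RESET jdoe
2024-03-04T09:41:03 tech01 PASSWORD_RESET jdoe
2024-03-04T10:05:00 tech03 MFA_RESET asmith
2024-03-04T10:09:30 tech03 PRIVILEGE_GRANT asmith
2024-03-04T14:20:00 tech02 PASSWORD_RESET bwong
"""

def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, tech, action, account), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, tech, action, account = line.split()
        events.append((datetime.fromisoformat(ts), tech, action, account))
    return sorted(events, key=lambda e: e[0])

def repeated_resets(events, threshold=3, window=timedelta(hours=1)):
    """Flag accounts that receive `threshold` or more password resets within `window`."""
    per_account = defaultdict(list)
    for ts, _, action, account in events:
        if action == "PASSWORD_RESET":
            per_account[account].append(ts)
    flagged = set()
    for account, times in per_account.items():
        for i in range(len(times) - threshold + 1):      # sliding window over sorted times
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(account)
                break
    return flagged

def fast_escalations(events, window=timedelta(minutes=15)):
    """Flag accounts where an MFA reset is followed by a privilege grant within `window`."""
    last_mfa_reset = {}
    flagged = set()
    for ts, _, action, account in events:
        if action == "MFA_RESET":
            last_mfa_reset[account] = ts
        elif action == "PRIVILEGE_GRANT" and account in last_mfa_reset:
            if ts - last_mfa_reset[account] <= window:
                flagged.add(account)
    return flagged

def analyze(text):
    """Run both detections and return the flagged accounts for each pattern."""
    events = parse_log(text)
    return {"repeated_resets": repeated_resets(events), "fast_escalations": fast_escalations(events)}
```

On the sample log, jdoe is flagged for three resets inside an hour and asmith for an MFA reset followed by a privilege grant minutes later; bwong's single reset is not flagged.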
You should also consider using phishing-resistant MFA, like FIDO2 keys or app-based authentication. This will limit the effectiveness of SIM swaps and social engineering attacks.
Even the smallest IT teams can put some of these controls in place. If you only have one IT staffer, you can still use verification protocols and require an extra layer of approval for high-risk requests. A simple ticket system can create audit trails, and a regular review of security policies and procedures should already be in place. It isn’t easy to establish and enforce good help desk security, but it is becoming more important.