Could a simple call to the helpdesk enable threat actors to bypass your security controls? Here’s how your team can close a growing security gap.
15 Oct 2025
5 min. read

Supply chain risk is surging among global businesses. Verizon claims that third-party involvement in data breaches doubled over the past year to 30%. Yet usually this kind of risk is framed in terms of problems with open source components (Log4Shell), proprietary software (MOVEit) and bricks and mortar suppliers (Synnovis). What happens when your own IT outsourcer is the source of a major breach?
Unfortunately, some big-name brands are starting to find out, as sophisticated threat actors target their outsourced helpdesks with vishing attacks. The answer lies with layered defenses, due diligence and good old-fashioned cybersecurity training.
Why helpdesks are a target
Outsourced IT service desks (or helpdesks) are an increasingly popular option for many businesses. On paper, they offer the kind of CapEx/OpEx savings, specialized expertise, operational efficiency and scale that SMBs in particular struggle to match internally. Yet operatives are also able to reset passwords, enroll new devices, elevate user privileges and even disable multi-factor authentication (MFA) for users. That’s basically a list of most, if not all the things a threat actor needs to gain unauthorized access to network resources and move laterally. They just need a way of convincing the helpdesk staffer that they’re a legitimate employee.
There are other reasons why third-party helpdesks are coming under growing threat actor scrutiny:
- They may be staffed by IT or cybersecurity pros on the first rung of the career ladder. As such, employees may not have the experience to spot sophisticated social engineering attempts.
- Adversaries can exploit the fact that helpdesks are there to provide a service to their client’s employees, and that staff may therefore be over-eager to fulfill password reset requests, for example.
- Helpdesk staff are often swamped with requests – a result of the growing complexity of IT environments, home working and corporate pressure. This can also be exploited by seasoned vishers.
- Adversaries may employ tactics that even experienced service desk staff may not be able to spot, such as using AI to impersonate senior company leaders who ‘urgently need their help’.

The service desk under fire
Social engineering attacks on the helpdesk are nothing new. Back in 2019, threat actors managed to hijack then-Twitter CEO Jack Dorsey’s account after convincing a customer service desk staffer at his mobile carrier to transfer his number to a new SIM card. At the time, these SIM swap attacks enabled interception of the one-time passcode texts that were a popular way for services to authenticate their users.
More recent examples include:
- In 2022, the LAPSUS$ group successfully compromised several big-name organizations including Samsung, Okta and Microsoft after targeting help desk staff. According to Microsoft, they researched specific employees in order to answer common recovery prompts such as “first street you lived on” or “mother’s maiden name”.
- Threat actors from the Scattered Spider collective have recently been blamed for “weaponizing human vulnerability” with vishing attacks on helpdesk employees. It’s unclear which organizations were compromised, although the group managed to breach MGM Resorts in this way. That 2023 attack is said to have cost the firm at least $100 million.
- Bleach manufacturer Clorox is suing its helpdesk provider Cognizant after a staffer allegedly complied with a password reset request without even asking the person on the other end of the phone to verify their identity. The compromise is reported to have cost the firm $380 million.

Some lessons learned
So successful have been these attacks that it’s claimed professional Russian cybercrime groups are actively recruiting native English speakers to do their dirty work. Adverts seen on criminal forums show they are looking for fluent speakers with minimal accents capable of ‘working’ during Western business hours. This should be a red flag for any security leader at an organization that outsources their helpdesk.
So what can we learn from these incidents? Due diligence on any new service provider should be a given, of course. This should include checks for best practice certifications like ISO 27001, and reviews of internal security and hiring policies. More broadly, CISOs should seek to ensure that their provider has in place:
- Strict user authentication processes for anyone calling into the helpdesk with sensitive requests like password resets. This could include a policy whereby the caller is forced to hang up and the helpdesk operative calls them back on a pre-registered and authenticated phone number, or sending an authentication code via email/text in order to proceed.
- Least privilege policies which will limit the opportunity for lateral movement to sensitive resources, even if the adversary does manage to effect a password reset or similar. And separation of duties for helpdesk staff, so that high-risk actions must be approved by more than one team member.
- Comprehensive logging and real-time monitoring of all helpdesk activity, with a view to stopping vishing attempts in their tracks.
- Continuous agent training based around real-world simulation exercises, which are regularly updated to include new threat actor TTPs, including the use of synthetic voices.
- Regular assessments of security policies to ensure they take account of developments in the threat landscape, internal threat intelligence updates, helpdesk records and changes in infrastructure.
- Technical controls such as detection of caller ID spoofing and deepfake audio (which has been used by the ShinyHunters group). All helpdesk tools should also be protected by MFA to further mitigate risk.
- A culture that encourages reporting of incidents and security awareness in general. That means agents will be more likely to flag vishing attempts that fail, and thus build resilience and lessons for the future.

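The controls above are easier to reason about when you can see them applied to an audit trail. The following is an added example, not code from the original article or from any ESET product: a small rule-based review of a constructed helpdesk audit log that checks three of the listed controls at once: that sensitive requests (the reset/enroll/elevate/MFA-disable actions described earlier) were preceded by an accepted identity verification, that MFA disables and privilege elevations carried two approvers, and that no single user received a takeover-style chain of sensitive actions in a short window. The log format, field names, action names, verification labels and all sample lines are assumptions made for the example.

```python
"""
Added example (not from the original article or ESET's tooling): rule-based
review of a constructed helpdesk audit log. Checks the verification,
separation-of-duties and monitoring controls the article recommends.
Log format, field names and sample lines are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines (assumed format):
# timestamp|ticket|agent|target_user|action|verification|approvers
SAMPLE_LOG = """\
2025-10-15T09:02:11|T1001|agent07|j.doe|password_reset|callback|agent07
2025-10-15T09:15:40|T1002|agent12|m.lee|password_reset|none|agent12
2025-10-15T09:16:05|T1003|agent12|m.lee|mfa_disable|none|agent12
2025-10-15T09:20:30|T1004|agent12|m.lee|device_enroll|none|agent12
2025-10-15T10:05:00|T1005|agent03|r.khan|mfa_disable|otp_email|agent03,agent09
2025-10-15T11:30:00|T1006|agent03|a.ng|privilege_elevate|callback|agent03
2025-10-15T14:00:00|T1007|agent07|a.ng|mfa_disable|callback|agent07
"""

# Actions the article describes a helpdesk as able to perform on a user.
SENSITIVE = {"password_reset", "mfa_disable", "device_enroll", "privilege_elevate"}
# Actions that, under a separation-of-duties policy, need a second approver.
DUAL_APPROVAL = {"mfa_disable", "privilege_elevate"}
# Verification methods the policy accepts before a sensitive request proceeds.
ACCEPTED_VERIFICATION = {"callback", "otp_email", "otp_sms"}
# Window in which several distinct sensitive actions on one user look like a takeover.
CHAIN_WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse pipe-delimited audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ticket, agent, user, action, verification, approvers = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ticket": ticket, "agent": agent, "user": user,
            "action": action, "verification": verification,
            "approvers": [a for a in approvers.split(",") if a],
        })
    return events


def check_verification(events):
    """Sensitive actions performed without an accepted caller verification."""
    return [f"{e['ticket']}: {e['action']} for {e['user']} without accepted "
            f"verification ({e['verification']})"
            for e in events
            if e["action"] in SENSITIVE and e["verification"] not in ACCEPTED_VERIFICATION]


def check_separation_of_duties(events):
    """High-risk actions approved by fewer than two distinct agents."""
    return [f"{e['ticket']}: {e['action']} for {e['user']} approved by only "
            f"{len(set(e['approvers']))} agent(s)"
            for e in events
            if e["action"] in DUAL_APPROVAL and len(set(e["approvers"])) < 2]


def check_action_chains(events, window=CHAIN_WINDOW):
    """Users who received two or more distinct sensitive actions within `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in SENSITIVE:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            chain = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            actions = sorted({x["action"] for x in chain})
            if len(actions) >= 2:
                alerts.append((user, actions))
                break  # one alert per user is enough to trigger a review
    return alerts


def review(text):
    """Run every check over a log and return the findings grouped by rule."""
    events = parse_log(text)
    return {
        "unverified": check_verification(events),
        "single_approver": check_separation_of_duties(events),
        "action_chains": check_action_chains(events),
    }


if __name__ == "__main__":
    for rule, findings in review(SAMPLE_LOG).items():
        print(f"[{rule}] {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

Run against the constructed log, the review flags the three unverified tickets for m.lee, the three high-risk actions that carried a single approver, and m.lee as the one user hit by a reset, MFA disable and device enrollment inside the 30-minute window. In a real deployment the same rules would sit on a SIEM or ticketing-system webhook so that the chain alert fires while the attacker is still on the line, rather than in a post-incident review.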
Bolster defenses with MDR
Vishing is fundamentally a human-shaped challenge. But the best way of tackling it is by combining human expertise with technical excellence and process improvements, in the form of MFA, least privilege, detection and response tooling, and more.
For MSPs that offer helpdesk services, managed detection and response (MDR) from providers like ESET can help to take the pressure off by working as an extension of the outsourcer’s in-house security team. In this way, they can focus on providing the best possible helpdesk service, with the peace of mind that an expert team is monitoring signals 24/7 with advanced AI, in order to catch anything suspicious.