GhostEye Research
From Dial Tone to Domain Admin

Help desk compromise usually starts well before the call. By the time an agent picks up, the attacker may already have validated identities, mapped the org, and rehearsed the verification path through the IVR.

April 6, 2026 · Mohammad Eshan · 10 min read

Table of Contents

  1. The Missing Stage in Help Desk Intrusions
  2. Phase 1: Build the Target List
  3. Phase 2: IVR Validates Everything
  4. Phase 3: The Help Desk Call
  5. Phase 4: Breakout
  6. The Groups Running This Playbook
  7. This Is a Market Now
  8. The Verification Model Is Broken

The groups behind MGM, Caesars, and Uber did not improvise their way through the help desk. They arrived with information your own phone systems helped confirm.

The Missing Stage in Help Desk Intrusions

Most incident reports on help desk social engineering start at the visible moment: an attacker called support, impersonated an employee, and got an MFA reset.

Defenders start the story at the help desk. The attacker started it earlier.

In our previous post on IVR enumeration, we showed how automated phone systems leak account validity, internal naming, and verification logic. This post follows the full chain from IVR recon to help desk compromise and breakout.

By the time the help desk picks up, the call is usually stage three.

Phase 1: Build the Target List

Before the attacker touches the phone system, they build a shortlist of real people.

LinkedIn usually gives them names, titles, departments, reporting lines, and office locations. Company directories and filings fill in structure. Breach data adds email formats, old passwords, and sometimes employee IDs or internal usernames.

That is enough to sound plausible. It is not enough to survive a real verification flow. The IVR closes that gap.

Phase 2: IVR Validates Everything

This is where a plausible pretext turns into a working one.

Armed with OSINT, the attacker dials into the target's IVR and starts probing. The phone system is not the objective. It is the place where guesses turn into confirmed facts.

Account confirmation. Employee IDs harvested from LinkedIn or breached databases get tested against the IVR. Differential responses, routing changes, and timing differences confirm which identifiers are real. The attacker leaves with a list of confirmed, active employee accounts.

Organizational mapping. The full phone tree gets navigated and documented. Every "press 1 for..." prompt reveals a department name, a service, or a team. Transfer paths show how the organization routes calls internally. Sub-menus expose business units, regional offices, and support tiers. The attacker ends up with an org chart that is often more current than anything on LinkedIn because it is generated live from the organization's own systems.

Terminology capture. As we detailed in the previous post, IVR prompts use the organization's own internal language: system names, department labels, and the phrasing of security questions. The attacker records those prompts and plays that language back during the help desk call. It is one of the strongest credibility signals in the pretext because it sounds native to the environment.

Authentication requirement mapping. The IVR's security questions and verification steps reveal exactly what information will be needed when speaking to a human. If the IVR asks for the last four of a social, the attacker knows the help desk will too. If it asks for a date of birth, that becomes the next piece of OSINT to gather. The caller no longer has to guess the verification path. The IVR lays it out in advance.

Account detail extraction. Where IVR authentication is weak or the attacker has enough validated information to pass it, the system yields account details such as balances, recent activity, status flags, or contact information on file. Every detail adds credibility to the eventual help desk call.

Most of this can be automated. By the time the help desk rings, most of the work is done. The human call is the last mile, not the first.
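The account confirmation step above rests on one thing: the IVR answers differently for a real employee ID than for a fake one. The following is an added illustration, not GhostEye's tooling or any real IVR's code. It models two IVR handlers as Python functions (a typical one that rejects unknown IDs with a distinct prompt and a fast path, and a hardened one that asks the same next question at the same latency budget regardless), then runs the same enumerator against both. The employee IDs, prompts and latencies are constructed; the jitter is a deterministic stand-in for real telephony noise.

```python
"""Differential-response enumeration against a mock IVR, and why a uniform
response defeats it.  Added example; not GhostEye code.  Employee IDs,
prompts and latencies are constructed."""
import hashlib
import statistics
from dataclasses import dataclass

# Constructed directory of active employee IDs the mock IVR knows about.
ACTIVE_IDS = {"E10442", "E10587", "E11003"}


@dataclass(frozen=True)
class IvrResponse:
    prompt: str
    latency_ms: float


def _jitter(employee_id: str, attempt: int) -> float:
    """Deterministic stand-in for network/telephony jitter in [-15, +15] ms."""
    h = hashlib.sha256(f"{employee_id}:{attempt}".encode()).digest()
    return (h[0] % 31) - 15.0


def leaky_ivr(employee_id: str, attempt: int = 0) -> IvrResponse:
    """Typical flow: unknown IDs are rejected immediately with a distinct
    prompt; known IDs go through a slower account lookup before the next
    question.  Both the wording and the timing leak validity."""
    if employee_id not in ACTIVE_IDS:
        return IvrResponse(
            "We could not find that employee ID. Please try again.",
            40.0 + _jitter(employee_id, attempt))
    return IvrResponse(
        "Thank you. Please enter the last four digits of your Social Security number.",
        310.0 + _jitter(employee_id, attempt))


def hardened_ivr(employee_id: str, attempt: int = 0) -> IvrResponse:
    """Same prompt and same latency budget whether or not the ID exists.
    Validity is only decided after the second factor, and the eventual
    failure message does not say which piece was wrong."""
    return IvrResponse(
        "Please enter the last four digits of your Social Security number.",
        350.0 + _jitter(employee_id, attempt))


def enumerate_ids(ivr, candidates, baseline_id="E00000", attempts=3,
                  latency_threshold_ms=100.0):
    """Classify candidate IDs by comparing each one's prompt and median
    latency against a baseline call made with an ID that cannot exist.
    Returns the set of candidates the IVR distinguished from the baseline."""
    base = [ivr(baseline_id, i) for i in range(attempts)]
    base_prompt = base[0].prompt
    base_latency = statistics.median(r.latency_ms for r in base)

    confirmed = set()
    for cand in candidates:
        calls = [ivr(cand, i) for i in range(attempts)]
        prompt_differs = any(r.prompt != base_prompt for r in calls)
        latency = statistics.median(r.latency_ms for r in calls)
        timing_differs = abs(latency - base_latency) > latency_threshold_ms
        if prompt_differs or timing_differs:
            confirmed.add(cand)
    return confirmed


if __name__ == "__main__":
    # Candidate list as an attacker would build it: IDs lifted from breach
    # data plus neighbours in the same numeric range.
    candidates = ["E10441", "E10442", "E10443", "E10587", "E11003", "E99999"]
    print("leaky IVR confirms:   ", sorted(enumerate_ids(leaky_ivr, candidates)))
    print("hardened IVR confirms:", sorted(enumerate_ids(hardened_ivr, candidates)))
```

Against the leaky handler the enumerator recovers exactly the three active IDs; against the hardened handler it recovers none, because the only oracle left is the combined ID-plus-second-factor check, which the attacker cannot pass with an ID alone. Repeating each probe and taking the median is what makes the timing side of this robust on a real line, where a single call's latency is dominated by carrier jitter.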

Phase 3: The Help Desk Call

By this point, the call is not improvisation. It is execution.

"Hi, this is [Validated Employee Name] in [Confirmed Department]. I was just in the phone system trying to get into [System Name], and now I am locked out. Can you help me get back in?"

The help desk agent pulls up the employee record. The name is real because the IVR already validated it. The caller references the correct department. They use internal system names captured from IVR prompts. They know the verification questions because the IVR asked the same ones. They may even reference account detail extracted during the recon phase.

Every verification check passes. Not because the agent was careless, but because the answers were harvested from the organization's own systems.

The request is straightforward: reset MFA to a new device, re-enroll an authenticator, or issue a temporary password. The agent follows procedure and complies because, from their perspective, every signal says this is a legitimate employee with a legitimate problem.

This is why training alone does not solve it. The agent did everything right by the process they were given. The process was built on an assumption that no longer holds.

Phase 4: Breakout

Once MFA is enrolled on an attacker-controlled device, the chain accelerates.

The attacker logs in with the compromised credentials and the fresh MFA token. The first job is usually to clear or watch security notifications. The next is persistence through additional device registration. Then comes lateral movement.

Mandiant's M-Trends 2026 reports breakout times as fast as 22 seconds from initial access to lateral movement. CrowdStrike's 2025 Global Threat Report put the average eCrime breakout time at 48 minutes for 2024, down from 62 minutes in 2023. Attackers are getting faster once access is granted. The window that matters most comes earlier, between IVR recon and the help desk call, and most organizations do not monitor it at all.
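That unmonitored window does leave a trace: the IVR platform's call detail records. As an added example (not GhostEye code; the CDR column names and every log line below are constructed), this script flags an enumeration burst from a single calling number and, more usefully, extracts the IDs the caller got an "ok" on before hanging up. Those are the accounts the attacker now holds as validated, and the list is what a help desk needs in front of it when a reset request for one of them arrives in the following days.

```python
"""Detect IVR employee-ID enumeration in call detail records and extract the
IDs the caller validated.  Added example, not GhostEye code; the CDR format
and the rows below are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDR export: one row per call that reached the employee-ID
# authentication menu.  `result` is the IVR's own outcome code for that step.
CDR = """\
ts,ani,dnis,menu,entered_id,result,duration_s
2026-04-01T09:02:11,+12125550100,+18005550199,emp_auth,E10442,ok,184
2026-04-01T09:05:43,+19175550123,+18005550199,emp_auth,E10100,not_found,12
2026-04-01T09:05:58,+19175550123,+18005550199,emp_auth,E10101,not_found,11
2026-04-01T09:06:14,+19175550123,+18005550199,emp_auth,E10102,not_found,12
2026-04-01T09:06:31,+19175550123,+18005550199,emp_auth,E10103,ok,9
2026-04-01T09:06:47,+19175550123,+18005550199,emp_auth,E10104,not_found,12
2026-04-01T09:07:03,+19175550123,+18005550199,emp_auth,E10105,not_found,11
2026-04-01T09:07:20,+19175550123,+18005550199,emp_auth,E10106,ok,10
2026-04-01T09:07:39,+19175550123,+18005550199,emp_auth,E10107,not_found,12
2026-04-01T10:15:02,+13105550177,+18005550199,emp_auth,E10587,fail_ssn,95
2026-04-01T10:21:40,+13105550177,+18005550199,emp_auth,E10587,ok,240
"""


def parse_cdr(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["duration_s"] = int(r["duration_s"])
        rows.append(r)
    return rows


def _id_number(emp_id):
    digits = "".join(ch for ch in emp_id if ch.isdigit())
    return int(digits) if digits else None


def longest_sequential_run(ids):
    """Length of the longest run of consecutive numeric IDs, e.g. E10100..E10107.
    Sequential walking is the signature of a scripted probe, not a person."""
    nums = sorted({n for n in map(_id_number, ids) if n is not None})
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(cdr_text, window=timedelta(minutes=10), min_attempts=5,
                       min_distinct=4, max_median_duration_s=30):
    """One alert per calling number (ANI) that, inside `window`, made at least
    `min_attempts` calls to the ID prompt with `min_distinct` different IDs and
    hung up quickly each time (median duration under `max_median_duration_s`).
    Thresholds are assumptions; tune them against the baseline of your own IVR."""
    rows = [r for r in parse_cdr(cdr_text) if r["menu"] == "emp_auth"]
    by_ani = defaultdict(list)
    for r in rows:
        by_ani[r["ani"]].append(r)

    alerts = []
    for ani, calls in by_ani.items():
        calls.sort(key=lambda r: r["ts"])
        for i in range(len(calls)):
            j = i
            while j + 1 < len(calls) and calls[j + 1]["ts"] - calls[i]["ts"] <= window:
                j += 1
            win = calls[i:j + 1]
            if len(win) < min_attempts:
                continue
            ids = [c["entered_id"] for c in win]
            if len(set(ids)) < min_distinct:
                continue
            durations = sorted(c["duration_s"] for c in win)
            if durations[len(durations) // 2] > max_median_duration_s:
                continue
            alerts.append({
                "ani": ani,
                "first_seen": win[0]["ts"].isoformat(),
                "attempts": len(win),
                "distinct_ids": len(set(ids)),
                "not_found_ratio": round(sum(c["result"] == "not_found" for c in win) / len(win), 2),
                "sequential_run": longest_sequential_run(ids),
                # IDs the IVR confirmed before the caller dropped: watchlist these
                # at the help desk for out-of-band verification on any reset.
                "validated_ids": [c["entered_id"] for c in win if c["result"] == "ok"],
            })
            break  # one alert per ANI is enough; the SOC will pull the rest
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(CDR):
        print(alert)
```

The two legitimate callers in the sample (one clean login, one employee who fumbled their SSN digits and retried six minutes later) produce no alert; the burst from +19175550123 does, with a sequential run of eight and two validated IDs. The validated-ID list is the output that closes the gap the post describes: it turns a telephony anomaly into a concrete watchlist the help desk process can act on.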

From the compromised account, the path varies by objective: data exfiltration, ransomware deployment, further credential harvesting, or persistent access for sale to other actors. The hard part is already done. A phone call created the opening.

The Groups Running This Playbook

Scattered Spider industrialized it

Tracked as UNC3944 by Mandiant and as Octo Tempest (formerly Storm-0875) by Microsoft, and the subject of a joint CISA/FBI advisory, Scattered Spider did not invent the help desk call. They turned it into a repeatable operating model: LinkedIn and breach data up front, phone-based social engineering, SIM swapping when needed, then legitimate remote access tools and ransomware partners after the reset lands.

MGM Resorts, September 2023. Employee information gathered from LinkedIn. Help desk called. Ten-minute conversation. MFA reset. Ransomware deployed across systems. Roughly $100 million in Q3 losses.

Caesars Entertainment, August 2023. Same playbook, run through an outsourced IT support vendor. Help desk impersonation led to credential resets. Database compromise exposed loyalty program members' SSNs and driver's license numbers. Estimated $15 million ransom paid.

Twilio, June-August 2022. Initial vishing incident compromised employee credentials. Followed by SMS phishing mimicking Twilio IT. 209 customer accounts and 93 Authy users compromised. The same group, also known as 0ktapus, hit more than 130 organizations in the same campaign.

Retool, August 2023. Attackers texted staff posing as IT with a payroll issue, then phoned one employee and talked them into handing over an MFA code. 27 customer accounts accessed; roughly $15 million in cryptocurrency stolen from affected customers.

LAPSUS$ proved the model

Before law enforcement disrupted their operations, LAPSUS$ refined the MFA fatigue technique: spam push notifications until the target is exhausted, then call while posing as IT to "help approve the right one." Uber fell to this in September 2022. Okta was compromised for five days in January 2022 through a support engineer's account at a third-party contractor.

This Is a Market Now

This stopped being a single-group signature. CrowdStrike's 2025 Global Threat Report described the same play spreading across the broader eCrime ecosystem in 2024. The important shift is not the name on the intrusion. It is that help desk compromise now travels as a reusable workflow.

SLH (Service Labor Help) is actively recruiting vishing operators at $500-$1,000 per call with pre-written scripts targeting IT help desks. Standardized scripts, operator recruitment, and per-call pricing turned the tradecraft into a service model.

ShinyHunters targets SaaS identity platforms such as Okta, Microsoft 365, and Google Workspace using real-time phishing kits combined with vishing to bypass MFA.

Initial access brokers sell help-desk-obtained credentials on criminal markets for $500-$3,000 per access. The attacker who makes the call may not be the attacker who deploys ransomware. The chain is segmented and specialized.

The point is simple: voice is no longer a niche access path. The market copied the workflow, and the barrier to entry keeps dropping.

The Verification Model Is Broken

After the incident, the default fix is to retrain the agent. That is the wrong level.

Help desk identity verification is built on a knowledge model. The caller proves their identity by knowing things that only the real person should know: employee ID, department, manager's name, date of birth, or the last four digits of a social security number.

Every one of those data points is obtainable through OSINT, breached databases, or IVR enumeration. The verification model was designed for a threat environment where attackers did not have routine access to that information. That environment ended years ago.

Training helps agents recognize obvious pretexting. It does not help when the attacker has every answer to every question, uses the right terminology, and references real account details. At that point, the agent is doing the job as designed. The design is what failed.

The exposure is larger than most teams assume. A loss that begins with a phone call is often classified by cyber insurers as social engineering fraud, which commonly carries a lower sublimit or an outright exclusion compared with a conventional network breach, so the control gap turns into a finance problem fast.

More training will not fix a process that treats harvested facts as proof of identity. The control has to change. The next piece is about what actually holds up when we test it.

Part two of the "Before the Call" series. Read first: The Recon Nobody's Testing For. Next: The Voice Channel Is the New Perimeter.
