Due to its role and responsibilities, the helpdesk or IT support center has become a prime target for cybercriminals. Several cyberattacks leveraging social engineering have highlighted this growing risk and trend in recent years. Discover why Specops Secure Service Desk provides a concrete, technical solution to this challenge.
From Helpdesk to Ransomware: Just One Step Away…
The helpdesk is no longer just a support center; it has become a prime entry point for cybercriminals. By manipulating support agents, attackers aim to gain access (often just a username and password are enough) to infiltrate an organization’s information systems.
Looking back at major cyberattacks in recent years, we can see the helpdesk’s direct and often critical involvement. Unfortunately, a service that is supposed to be staffed by knowledgeable professionals has proven to be a weak link and, in several cases, the very entry point for intrusions. Cybercriminal groups such as Scattered Spider have demonstrated this repeatedly, making social engineering one of their specialties.
Here’s an overview of some notable incidents.
Marks & Spencer (April – May 2025)
The British retail giant Marks & Spencer suffered a major attack in April, right in the middle of Easter. Cybercriminals from the Scattered Spider group managed to trick the company’s IT helpdesk into resetting user passwords. There were no phishing emails or software vulnerabilities; the flaw was entirely human.
Once the helpdesk was compromised, the attackers accessed internal systems, allowing them to exfiltrate customer personal data. Even more impactful was the deployment of the DragonForce ransomware to encrypt VMware ESXi servers.
The direct consequence? M&S’s online ordering and “click-and-collect” services were unavailable for over three weeks, with disruptions expected until July 2025. The financial impact was severe, with estimated losses of around €355 million.
Co-op Group (May 2025)
A cyberattack also hit Co-op, in a scenario nearly identical to the M&S attack. The helpdesk was manipulated by attackers who persuaded support staff to grant them system-level access. This led to the theft of data from 20 million individuals, including both customers and employees of the British organization.
The attack also affected Co-op’s 2,300 stores, resulting in product shortages for some items.
“This data includes personal information such as names and contact details of Co-op Group members, and does not include member passwords, bank or credit card details, transaction data, or product/service information,” the group clarified in its official statement.
Harrods (May 2025)
Following the Co-op and M&S incidents, retailer Harrods became the third major UK brand targeted within just a few weeks. Fortunately, Harrods detected and contained the unauthorized access attempts, likely linked to the same Scattered Spider group, before any data was compromised.
MGM Resorts (September 2023)
Back in September 2023, Scattered Spider showcased the effectiveness of its social engineering tactics by targeting MGM Resorts, the Las Vegas giant operating world-famous casinos and hotels.
During this high-profile attack, attackers encrypted data on 100 VMware ESXi servers. MGM Resorts reported massive disruption and estimated losses of around $100 million.
In this case, the group used vishing (voice phishing) to target the IT helpdesk. They successfully tricked a technician into disabling two-factor authentication (2FA) for a senior executive. That single error paved the way for a devastating cyberattack, paralyzing networks, ATMs, slot machines, and digital key systems across Las Vegas casinos.
Specops Secure Service Desk: The Solution to Fortify Your Helpdesk
In the face of this persistent threat, one key question arises: how can the helpdesk reliably verify a user’s identity? Is the person on the other end of the line really who they claim to be? The answer is far from simple, especially given that it’s unrealistic to expect support agents to recognize the voices of all employees, and even less so in an era where AI-generated voice fakes are on the rise.
On Microsoft’s side, current identity management services such as Active Directory or Entra ID do not provide any built-in method for this type of verification. In other words, this challenge is tough to address without a dedicated technical solution.
This is where Specops Secure Service Desk comes in. Already available for several years and compatible with Active Directory, the solution has now evolved to natively support Microsoft Entra ID, offering organizations a concrete way to strengthen their helpdesk against social engineering attacks.
This recent evolution enables Specops to support organizations of all kinds, whether operating in on-premises, hybrid, or fully Entra ID environments, in securing their helpdesk against social engineering risks.
The rapid adoption of new technologies, combined with remote and hybrid work, has significantly increased the volume of calls to helpdesks. At the same time, social engineering attacks are becoming more sophisticated, with AI-powered voice impersonation (deepfakes) and social media reconnaissance rendering traditional verification methods obsolete.
“Asking for a date of birth or a manager’s name is no longer enough when facing groups like Scattered Spider,” warns Specops Software in its press release.
Specops Secure Service Desk delivers a robust response by verifying user identity through authentication methods. In practice, the validation process relies on several options that organizations can enable or restrict according to their security policies:
- Codes sent via SMS or email (not the recommended option, as is also the case with traditional MFA)
- Identity management services: Duo Security, Okta, Symantec VIP, PingID
- Physical security keys such as YubiKey
- A notification via the Specops ID app, allowing the use of biometrics or facial recognition (e.g., FaceID)
The process is straightforward: the user contacts the helpdesk, the agent triggers a push notification on the user’s authentication app, the user confirms their identity, and the agent can then proceed with the requested action. Naturally, users must be enrolled and have their authentication factors configured beforehand to prove their identity when required.
Password reset requests, remote desktop sessions, and many other user demands occur daily. With this solution, support agents can operate more confidently, relying on a mechanism that shields them from social engineering attacks.
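The verification flow described above (the agent triggers a challenge, the user confirms on an enrolled factor, and only then does the agent act) can be modeled as a small gate. This is an added example, not Specops code or its API: the class, method names, per-action policy table and 120-second lifetime are all hypothetical.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed policy (illustrative): SMS/email codes only for the lowest-risk action.
POLICY = {
    "unlock_account": {"sms_code", "email_code", "push", "security_key"},
    "reset_password": {"push", "security_key"},
    "disable_mfa": {"security_key"},
}
TTL = 120  # seconds a challenge stays valid (assumed value)

@dataclass
class Challenge:
    user: str
    action: str
    expires: float
    approved: bool = False

class ServiceDesk:
    def __init__(self, enrolled, clock=time.time):
        self.enrolled = enrolled  # user -> set of enrolled methods
        self.clock = clock        # injectable so expiry can be tested
        self.pending = {}         # challenge id -> Challenge

    def start_verification(self, user, action, method):
        """Agent side: issue a challenge to one of the user's enrolled factors."""
        if method not in POLICY.get(action, set()):
            raise PermissionError(f"{method} is not accepted for {action}")
        if method not in self.enrolled.get(user, set()):
            raise PermissionError(f"{user} has not enrolled {method}")
        cid = secrets.token_hex(16)
        self.pending[cid] = Challenge(user, action, self.clock() + TTL)
        return cid

    def user_approves(self, cid):
        """User side: invoked by the user's authenticator, never by the agent."""
        ch = self.pending.get(cid)
        if ch is not None and self.clock() <= ch.expires:
            ch.approved = True

    def perform(self, cid, user, action):
        """Allow only an approved, unexpired challenge for this user and action."""
        ch = self.pending.get(cid)
        ok = (ch is not None and ch.approved and self.clock() <= ch.expires
              and (ch.user, ch.action) == (user, action))
        if ok:
            del self.pending[cid]  # single use: an approval cannot be replayed
        return ok
```

Because the approval is bound to one user and one action, a caller who talks the agent into a different request (for example disabling MFA instead of resetting a password) still has to pass a fresh challenge under that action's policy.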