Blog Post
July 10, 2026 | Cybersecurity education
Anatomy of a helpdesk social engineering attack (and how to stop MFA bypass)
You thought end users were a problem when it comes to securing an environment, but what about the helpdesk team?
In the last year, the number of helpdesk driven incidents involving phone-based MFA resets have become a growing concern. Scattered Spider, a prolific and financially motivated cybercriminal group, has been identified posing as employees to convince IT or helpdesk staff to provide sensitive information, reset credentials, and transfer MFA between devices.
Humans remain the weakest link in any organization's security posture, and that includes even the most technical or experienced staff.
As identity shifts to being the perimeter, are your helpdesk staff the new victims?
The anatomy of a helpdesk social engineering attack
In 2025, our team saw hundreds of cloud compromise events, many of which served as the initial point of entry into an organization.
With a rise in malware-free intrusions, a multi-layered approach to security is essential to cover every avenue of compromise. The emergence of AI tools has lowered the bar for these intrusion tactics, especially impersonation, due to the ease of voice cloning, PII scraping, and convincing dialogues.
All of these tactics have existed for a number of years, but the realism AI offers is leaving IT teams second-guessing every call. Why bother hunting for a zero-day vulnerability when a threat actor can just pick up a phone and an org chart?
So let's take a look at what a realistic attack chain could look like in 2026.
Reconnaissance
As more of our lives move online, data breaches exposing basic personal information can no longer be shrugged off, as this hands attackers a baseline profile to build from.
Combine that with data brokers collating other breached personal information, plus a LinkedIn profile, and an attacker can assemble a detailed profile of the target.
Pretext
With the rise in remote and hybrid working arrangements, helpdesk staff are less likely to personally know the people in their organization, leaving room for threat actors to easily impersonate an employee.
A remote employee could call or chat with the helpdesk, claiming their account is locked out or that they are travelling and cannot log in.
Similar malicious requests leveraging helpdesk impersonation have been observed in the wild. Just see our Quick, You Need Assistance! blog, which tracked a Microsoft Teams voice-phishing campaign where threat actors impersonated an organization's IT team to convince users to grant remote access via Quick Assist, a built-in Windows remote administration tool.
Verification bypass
The helpdesk staff receives the request, confirms the user is within their organization, then (hopefully) requests additional verification.
The threat actor, however, is ready and waiting with a prebuilt profile of the victim, built using PII acquired during recon.
Because the answers line up exactly, the helpdesk staff member has no reason to question the request and acts on it promptly.
The ask
Next up in the attack chain, what has the helpdesk operator done?
In one instance they may have reset a password, giving the threat actor a verified username and password to attempt logins.
In another, they reset the password and re-enrolled MFA to a threat-actor-controlled device.. Now the threat actor has the username, password, and MFA of the victim’s cloud account and can move forward.
Parallel pressure
If the threat actor was only able to get the password reset, they can pressure the victim through MFA fatigue or 'push bombing', flooding their device with authentication prompts until they approve one just to make it stop.
In another scenario, the threat actor attempts to login, then calls the helpdesk back to have the login manually approved.
Access and escalation
Once the threat actor gains access to the victim's cloud account, exploiting that account and the data it holds becomes the next stage of the attack.
From here, a threat actor could scrape emails for system details, such as IP addresses, usernames, and passwords. They may also find document shares containing credentials for other systems.
The attack doesn't have to stop at the original organization. The threat actor could use the account to send fraudulent invoices to suppliers or distribute malicious files to compromise a third party through the victim's trusted identity.
With thorough reconnaissance, a threat actor could even use residential proxy infrastructure to bypass cloud monitoring entirely. There are no brute-force indicators, MFA shows as satisfied on an enrolled device, and if the same team handling the support call is also reviewing the logs, the interaction can easily be overlooked.
Why do helpdesk-driven incidents work?
As covered above, our lives and businesses are increasingly online, making this kind of information more accessible than ever.
With the rise in AI capabilities, automated collation of a user's profile can be completed with minimal effort, enabling a strong pretext phase. Threat actors can draft highly specific dialogue using industry terminology or current business plans, making the impersonation even more convincing.
With such a detailed profile built during recon, bypassing verification becomes almost trivial. By the time the conversation reaches the helpdesk staff, a request for a password or MFA reset feels like the natural next step.
If roadblocks arise, pressure tactics like push bombing or urgent follow-up calls to IT can easily move the attack further down the chain.
Finally, because everything unfolded through what looks like a standard support interaction, the resulting access and escalation can appear entirely normal.
How to stop MFA bypass
Harden the verification process
Organizations should have clear, documented policies for how helpdesk and IT teams verify staff identity over the phone or online.
Move away from easily obtainable PII as proof of identity. Instead, consider callback verification to a phone number already on file, manager approval, or a one-time code sent to a separate, pre-enrolled device. Training and scripts help ensure staff follow a documented, no-exceptions procedure, reducing the risk of an employee trying to be helpful under pressure.
Phishing-resistant MFA
Organizations should move away from traditional MFA toward phishing-resistant alternatives such as FIDO2, WebAuthn (passkeys), or PKI-based authentication.
These alternative MFA options can look intimidating, but they're immune to push bombing and SIM swapping, offering a much stronger approach to account security.
If the options above aren't feasible, the next-best solution is disabling SMS and push-approval MFA in favor of number matching.
Lastly, apply tight controls to MFA device enrollment and treat it as a privileged action as this reduces the risk of anomalous devices being enrolled for users.
Detect what you can't prevent
Monitoring cloud activities, including MFA device changes, impossible travel logins, new device sign-ins, and reset events out of standard operating hours, can help identify intrusions before they escalate.
No matter how a threat actor attempts to gain account access, even a flawless social engineering call still leaves telemetry. A sophisticated MDR catches the resulting anomalous session.
The importance of multilayered defenses
As the saying goes, technology alone cannot fix a weak human process. That process needs to expand beyond "end users" to include technical staff as well.
Processes alone will not catch a clever attacker, which is why a layered defense remains essential. Adding detection layers to cloud account usage brings extra visibility to your environment for anomalous activity that might not be identified through single event analysis.
Field Effect MDR is the ultimate solution for a multilayered defense, effectively streamlining 20+ security tools and services in one unified platform. See Field Effect MDR in action in this on-demand demo video series.
Frequently asked questions
What is helpdesk social engineering?
A tactic where threat actors impersonate employees to trick IT or helpdesk staff into resetting passwords, re-enrolling MFA, or sharing sensitive account details, bypassing technical defenses through human trust instead of exploiting software.
Why is Scattered Spider associated with these attacks?
Scattered Spider is a financially motivated group known for using detailed impersonation and social engineering, often targeting helpdesks directly to reset credentials and MFA rather than relying on malware or exploits.
What is push bombing (MFA fatigue)?
An attack where a threat actor floods a victim's device with repeated authentication prompts, hoping the user approves one out of frustration or confusion just to stop the notifications.
What makes MFA "phishing-resistant"?
Standards like FIDO2, WebAuthn (passkeys), and PKI-based authentication tie login approval to a physical device or cryptographic key rather than a code or push notification, making them immune to push bombing, SIM swapping, and credential phishing.
How can helpdesks verify identity without relying on PII?
By using callback verification to a phone number already on file, requiring manager approval, or sending a one-time code to a separate, pre-enrolled device, none of which can be answered using scraped personal information alone.
Can MDR detect this kind of attack if verification is bypassed?
Yes. Even a flawless social engineering call leaves telemetry (things like anomalous logins, new device enrollments, or off-hours activity) which a properly configured MDR solution can flag and investigate.
Which organizations are most at risk?
Any organization with remote or hybrid staff, since helpdesk teams are less likely to personally recognize employees, making impersonation easier over phone or chat.




