
Service Desks Have Become the Weakest Link in Cybersecurity

New research warns that attackers are exploiting help desks with AI-powered social engineering to bypass millions in defenses.


In April 2025, Marks & Spencer was thrown into crisis when a single phone call convinced a third-party help desk to reset employee credentials. The result: Active Directory exfiltration, ransomware deployment, and an estimated $400 million in damages. The attack didn’t rely on a zero-day exploit. It relied on human trust.

A new report from Specops Software reveals how service desks have quietly become one of the most exploited attack surfaces in enterprise environments. “Why burn zero-day exploits when you can simply persuade a help desk agent to disable multi-factor authentication?” the report warns.

Industrialized Social Engineering

Attackers are running campaigns with the precision of marketing operations. They scrape LinkedIn and corporate sites for personal details, craft urgent scenarios like executives locked out during a system migration, and hit multiple channels—email, phone, chat—to reinforce legitimacy.

The rise of AI-driven voice synthesis makes these schemes even more dangerous. Microsoft says an attacker can clone a voice from just three seconds of audio. That turns public speeches, podcasts, or even YouTube clips into raw material for convincing impersonations.

Outsourced Trust, Outsized Risk

Recent breaches show the scale of the threat:

  • Clorox is suing its help-desk vendor after attackers convinced staff to hand over passwords, allegedly costing the company $380 million.

  • Chanel, Google, and Air France–KLM were all compromised in 2025 by coordinated vishing campaigns targeting Salesforce customer platforms.

  • MGM Resorts reported $100 million in losses in 2023 after social engineers tricked a service-desk agent, knocking out casino systems and guest services for days.

These incidents reveal a critical pattern: outsourcing help-desk functions without rigorous controls introduces single points of failure that adversaries know how to exploit.

Hardening the Human Layer

Specops’ recommendations focus on tightening processes, not just technology:

  • Mandatory verified callbacks using corporate directories, not caller-supplied numbers.

  • Scripted verification flows that escalate automatically when checks fail.

  • Quarterly vishing simulations modeled on real attacker tactics.

  • Phishing-resistant MFA for every reset and high-risk task.

Technical upgrades like spoof detection and integration between phone and identity systems add resilience, but the report argues that culture and process must come first.
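The callback, scripted-flow and MFA recommendations above can be expressed as a single gate that a ticketing workflow runs before any reset. This is an added sketch, not code from the Specops report or any vendor; the directory contents, action names and field names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample directory: the only trusted source of callback numbers.
DIRECTORY = {"jdoe": "+1-555-0100", "asmith": "+1-555-0101"}

# Assumed set of actions treated as resets or high-risk tasks.
HIGH_RISK = {"password_reset", "mfa_reset", "mfa_disable"}

@dataclass
class ResetRequest:
    user_id: str
    action: str
    caller_supplied_number: str       # logged on the ticket, never dialed
    dialed_number: str = ""           # number the agent actually called back
    callback_confirmed: bool = False  # user confirmed the request on that call
    mfa_verified: bool = False        # phishing-resistant MFA check succeeded

def evaluate(req: ResetRequest) -> tuple[str, list[str]]:
    """Return ("proceed" or "escalate", failed checks). There is no override path."""
    failures = []
    directory_number = DIRECTORY.get(req.user_id)
    if directory_number is None:
        failures.append("user not found in corporate directory")
    elif req.dialed_number != directory_number:
        # Catches an agent calling back the number the caller provided.
        failures.append("callback was not placed to the directory number")
    elif not req.callback_confirmed:
        failures.append("user did not confirm the request on callback")
    if req.action in HIGH_RISK and not req.mfa_verified:
        failures.append("phishing-resistant MFA not completed")
    return ("escalate" if failures else "proceed", failures)

if __name__ == "__main__":
    # Constructed requests: an urgent caller with their own number, then a verified one.
    pretext = ResetRequest("jdoe", "mfa_disable", "+1-555-0199",
                           dialed_number="+1-555-0199", callback_confirmed=True)
    verified = ResetRequest("jdoe", "password_reset", "+1-555-0199",
                            dialed_number="+1-555-0100", callback_confirmed=True,
                            mfa_verified=True)
    for req in (pretext, verified):
        print(req.user_id, req.action, *evaluate(req))
```

Any failed check returns "escalate" with the reasons attached, so the decision does not depend on how persuasive or urgent the caller sounds.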

The New Frontline

Service desks are no longer a back-office utility. They are now a frontline target for criminal groups like Scattered Spider, who understand that a convincing pretext can be more powerful than malware.

“Your cybersecurity is only as strong as your most vulnerable process,” the report concludes. For too many enterprises, that process is the next phone call to the service desk.

 
 