Service desks have become a prime target for cybercriminals, with high-profile attacks on organizations like MGM Resorts and Caesars Entertainment demonstrating the severe consequences of compromised help desk systems. Attackers exploit human trust and procedural gaps to reset credentials, bypass multi-factor authentication (MFA), and gain unauthorized access. This article examines the tactics used in these attacks, real-world case studies, and actionable mitigation strategies.
Why Service Desks Are Targeted
Service desk agents are trained to assist users, making them susceptible to social engineering. Attackers impersonate executives or IT staff, often using urgency (“CEO urgent request”) to pressure agents into bypassing security protocols. According to BleepingComputer, groups like Scattered Spider (affiliated with ALPHV/BlackCat ransomware) have successfully exploited this weakness, causing operational disruptions and financial losses. For example, MGM Resorts suffered a 10-day outage, while Caesars paid a $15M ransom.
Common Attack Methods
The most prevalent techniques include vishing (voice phishing), MFA bypass via “lost device” claims, and credential resets through outsourced IT vendors. Specops Software notes that service desks are targeted because they often lack robust verification processes for high-risk actions like password resets or MFA disabling. Attackers exploit this by manipulating agents into granting access without proper authentication.
Defense Strategies: Zero Trust and Process Hardening
RSA recommends implementing Zero Trust principles for service desk operations. Key measures include limiting help desk access to least-privilege actions, mandating runbooks for sensitive tasks (e.g., MFA resets), and using automated tools like Specops Secure Service Desk for risk-scored verification. Kris Burkhardt, Accenture CISO, emphasizes segmenting ticket systems from identity stores and maintaining detailed audit logs for all service desk actions.
Operational Improvements
InvGate suggests tiered support models (L0 self-service to L4 escalation) to reduce ticket volume and minimize social engineering opportunities. Help Desk Migration highlights the effectiveness of self-service portals, which can decrease call-based attacks by 30%. Regular red-team testing is also critical to identify gaps in service desk workflows.
Key Takeaways
- Train agents to recognize social engineering tactics, especially urgency-based requests.
- Enforce hardware tokens for MFA to prevent resets via social engineering.
- Avoid outsourcing L1 support without strict SLAs that mandate security controls.
As Dr. Magda Chelly notes, “Visual verification alone is insufficient—combine MFA with manager approvals for high-risk actions.” Proactive measures, including continuous training and technical safeguards, are essential to protect service desks from evolving threats.
References
- “Service desks are under attack: What can you do about it?” BleepingComputer, 2025.
- “Don’t Get Hooked: Zero Trust Strategies to Protect Your Help Desk from Phishing” RSA, 2023.
- “How to Handle a Service Desk Outage” InvGate, 2022.
- “IT Service Desk Challenges” Help Desk Migration, 2024.
- “How Can You Identify Risks in Service Desk Operations?” LinkedIn, 2025.
