
Helpdesk social engineering has quietly become the highest-leverage attack against modern enterprises, because the password reset call is the one identity-verification step where MFA is not present and the verifier is a human under throughput pressure, a gap a recent BleepingComputer analysis of password-reset practice examines in depth. The April 2025 Marks and Spencer breach is the worked example: attackers tied to Scattered Spider impersonated an M&S employee to a third-party service desk, secured a fresh credential, extracted the NTDS.dit file from Active Directory, cracked hashes offline, and detonated ransomware that suspended online sales for five days at an average cost of GBP 3.8 million ($5.1 million) per day.
Why password reset queues became the path of least resistance
Forrester research cited in BleepingComputer’s coverage estimates every reset costs about $70 in helpdesk time, which is why most large enterprises moved to self-service tools. The unintended consequence: the cases that still hit the helpdesk are the edge cases where self-service enrollment failed, the user is locked out of their MFA device, or social engineers picked the script that bypasses self-service. Those are precisely the scenarios where a verifier has to use judgment, which is where impersonation lands. Verizon’s 2024 Data Breach Investigations Report attributes 44.7% of breaches to stolen credentials, and a helpdesk-issued credential counts the same as one harvested via infostealer.
What the Marks and Spencer chain reveals about service-desk controls
The Marks and Spencer chain ran through routine helpdesk procedure end-to-end: a caller passed knowledge-based questions, the agent acted, valid credentials were issued. There was no MFA bypass; there was no zero-day. The verification step assumed that someone who knows the employee’s identifiers is the employee, which knowledge-based authentication has not been safe to assume since at least the Equifax era. What the BleepingComputer writeup under-emphasizes is the structural insight: self-service tools removed the cheap and easy resets from the helpdesk queue and concentrated the harder, higher-judgment calls there. Helpdesk attackers responded by selecting exactly those higher-judgment scripts. The corollary: helpdesk verification quality cannot regress to the pre-self-service baseline, because the inbound population is now adversarially filtered.
Service-desk controls that hold against this attack
The helpdesk verification step needs to look more like an MFA prompt and less like a knowledge-based questionnaire.
Replace knowledge-based verification with a registered-device challenge. Tools such as Duo or Okta-managed push approvals let the agent trigger a one-time code to the user’s registered device or identity factor before any password reset is initiated. The agent is reduced to confirming that the prompt resolved, not deciding whether the caller’s answers are sincere. Marks and Spencer’s attackers had convincing identifiers; they did not have the registered device. Even one such challenge would have failed their script.
Treat reset frequency and timing as detection telemetry. A surge of password reset requests from a single business unit, from a particular country code, or outside business hours is now a signal worth alerting on, the same way unusual logon telemetry would be. Pipe service-desk ticket metadata into the SIEM and correlate with downstream credential-use events. For broader context on how attackers transition from credential access to lateral movement, our writeup on eight best practices for CISOs conducting risk reviews covers the credential-pivot patterns that turn a single helpdesk-issued credential into the ransomware deployment Marks and Spencer experienced.
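One way to turn the reset-telemetry idea above into concrete alerting logic, as an added example that is not from the article or from any SIEM product: it runs over a constructed set of service-desk tickets and logon events, and the thresholds are assumptions (08:00-18:00 office hours, three resets per business unit per hour, a GB-based workforce, a 10.0.0.0/8 corporate range). It flags after-hours resets, unexpected caller countries, per-unit bursts, and a reset followed by credential use from outside the corporate range.

```python
# Added example (not the article's own code): scoring service-desk reset tickets
# as detection telemetry. Ticket and logon records are constructed sample data.
import ipaddress
from datetime import datetime, timedelta
# Constructed tickets: (ticket_id, opened_at local time, business_unit, caller_country, user)
TICKETS = [
    ("T1", "2025-04-17T09:12:00", "finance",    "GB", "alice"),
    ("T2", "2025-04-17T10:05:00", "retail-ops", "GB", "bob"),
    ("T3", "2025-04-17T22:41:00", "it-infra",   "US", "carol"),
    ("T4", "2025-04-17T22:47:00", "it-infra",   "US", "dave"),
    ("T5", "2025-04-17T22:53:00", "it-infra",   "US", "erin"),
    ("T6", "2025-04-17T23:10:00", "it-infra",   "US", "frank"),
]
# Constructed downstream credential-use events: (timestamp, user, source_ip)
LOGONS = [
    ("2025-04-17T09:30:00", "alice", "10.0.5.20"),    # corporate address, benign
    ("2025-04-17T23:02:00", "carol", "203.0.113.9"),  # external address, 21 min after T3
]
# Thresholds and ranges are assumptions for the example; tune them to the real baseline.
BUSINESS_HOURS = (8, 18)                 # resets outside 08:00-18:00 count as after-hours
BURST_WINDOW = timedelta(minutes=60)     # look-back window for the per-unit burst rule
BURST_THRESHOLD = 3                      # the third reset for one unit in the window fires
EXPECTED_COUNTRY = "GB"                  # assumed home country of the workforce
CORRELATION_WINDOW = timedelta(hours=2)  # reset followed by credential use within 2 hours
CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address range

def score_tickets(tickets=TICKETS, logons=LOGONS):
    """Return {ticket_id: [reasons]} for every ticket that deserves an alert."""
    findings = {}
    def flag(tid, reason):
        findings.setdefault(tid, []).append(reason)
    for tid, ts, unit, country, user in tickets:
        opened = datetime.fromisoformat(ts)
        if not BUSINESS_HOURS[0] <= opened.hour < BUSINESS_HOURS[1]:
            flag(tid, "after-hours reset")
        if country != EXPECTED_COUNTRY:
            flag(tid, f"unexpected caller country {country}")
        # Burst rule: resets for the same unit inside the look-back window, this one included.
        recent = [p for p in tickets if p[2] == unit
                  and timedelta(0) <= opened - datetime.fromisoformat(p[1]) <= BURST_WINDOW]
        if len(recent) >= BURST_THRESHOLD:
            flag(tid, f"{len(recent)} resets for {unit} within {BURST_WINDOW}")
        # Correlation rule: the reset user's credential used from outside CORP_NET soon after.
        for lts, luser, ip in logons:
            delta = datetime.fromisoformat(lts) - opened
            if (luser == user and timedelta(0) <= delta <= CORRELATION_WINDOW
                    and ipaddress.ip_address(ip) not in CORP_NET):
                flag(tid, f"reset credential used from external address {ip}")
    return findings
```

Calling `score_tickets()` on the sample data leaves T1 and T2 clean, flags T3 through T6 as after-hours and off-country, fires the burst rule on the third and fourth it-infra resets, and ties T3 to the external logon by carol.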
The five days of suspended Marks and Spencer online sales originated in a single phone call to a service desk; that is the operational-stakes test for every password reset workflow in the helpdesk queue today.