Securing the service desk: Interview with an OffSec expert
Securing the service desk has become a priority for many organizations, especially after the spate of social engineering attacks in the UK linked to Scattered Spider. Attackers know the service desk can be an easy way to bypass MFA and gain initial entry to a network, as agents without the right security tools are vulnerable to social engineering.
Specops Senior Product Manager, Darren James, sat down with one of Outpost24’s Offensive Security experts, Mikael Svall, to discuss all of this and more.
Why are hackers targeting the service desk?
Darren: Mikael, welcome! You’re working in GhostLabs, Outpost24’s Offensive Security department. I heard that you know a lot about red teaming, along with many other things! What does that mean from your perspective, and how does it relate to what we’re talking about today?
Mikael: Thanks Darren! So yeah, red teaming means that we simulate real-world attacks to see how well an organization can detect and respond. Today, I want to talk about one of the easiest ways in for an attacker, and that’s social engineering via a service desk.
Darren: Why go after the service desk? Aren’t they just helping people with problems like resetting passwords?
Mikael: Exactly. And that’s the point. People who work in a service desk are helpful by nature. That’s why they got the job in the first place; it’s in their personality to help others. But they also have access to super sensitive functions: MFA resets, unlocking accounts, and password changes. If an attacker calls up and sounds like a legit user, they might be handed access without even needing to hack anything.
What makes service desk attacks successful?
Darren: Surely organizations have procedures in place to stop these attacks?
Mikael: They do, at least on paper. But in practice? There are a few things to consider from the agent’s perspective:
- Their job is to help, not interrogate.
- They rarely encounter fake calls.
- Attackers use internal lingo, drop real names, create urgency, and play on empathy and stress.
- They add background noise, like a train station or baby crying.
Darren: I have to say, I think tone and delivery play a huge part when people call the service desk. I mean, how you talk can make or break the scam, right? And you’ve got a Swedish accent, so how would you call a UK-based service desk and convince them you’re someone else entirely? What kind of role would actually work for you?
Mikael: That’s a great question, and you’re absolutely right. Voice is a weapon in social engineering. And yes, I speak with a Swedish accent. But surprisingly that often works in my favor. When I call and sound like a foreigner, especially with a polite or slightly formal tone, people assume: “Oh, must be the external IT guy. Probably here to help.”
So for me, the most believable roles are:
- External IT consultant
- Vendor support
- Global onboarding support or remote helpdesk
Those roles match the expectation people have when they hear my voice. But the same applies in the UK, where different British dialects carry different emotional weight. You could do the same for any country, but let me give you some quick examples from this table for the UK:
| Dialect/Accent | How it’s perceived | Best roles to impersonate |
|---|---|---|
| RP (BBC English) | Polished, educated, senior | C-level exec, HR, legal |
| Northern (Yorkshire) | Honest, grounded, trustworthy | Helpdesk agent, internal support |
| Scottish Highlands | Straight-talking, calm, dependable | Logistics, warehouse, backend roles |
| Cockney or Scouse | Informal, fast-talking, less trustworthy | Warehouse staff, junior field tech |
| Estuary English | Friendly, neutral, ‘everyman’ | Project assistant, internal admin |
So yeah, it’s not just what you say, it’s how you say it. Tone, dialect, pacing – it can tip the scale from “Hmm, something’s off here.” to “This person sounds legit.”
Typical service desk attack scenario
Darren: Mikael, could you walk us through a typical attack? Maybe one where your Swedish accent actually helps?
Mikael: Sure! Let’s say I’m impersonating someone who matches how I naturally sound. For example:
- I find Daniel Smith, a senior external IT consultant, on LinkedIn. He’s Swedish, works closely with DevOps and cloud security teams, and is contracted to a UK-based firm rolling out a zero-trust infrastructure. He’s well-known within the company, so people wouldn’t be surprised to get a call from him.
- I get a prepaid number with a UK prefix and call the service desk, using my normal voice.
- Here’s what I’d say: “Hi, this is Daniel Smith – I’m calling from the Zurich office. I’m supposed to deploy an updated reverse proxy config for the container gateway, but I just lost access to the CI/CD environment and I’ve been troubleshooting with the SecOps lead all morning. I think MFA’s broken after my phone reset.”
- Then I stack the pressure:
  - I sound calm, but clearly under stress. My technical issue is urgent.
  - I’ve added fake background noise: airport terminal chatter, boarding announcements.
  - I mention: “I’m in transit to the London site now, and I’m supposed to meet with the internal DevSec team this afternoon. I need this sorted before I board in 20 minutes.”
  - I name-drop: “You can check with Neil Atkinson in InfraSec — he knows I’m pushing the config today.”
  - Then I close with: “Can you temporarily disable MFA for my account or reset the token manually? I’ll rebind it once I land.”
- It works because:
  - I sound like someone who should know exactly what he’s doing.
  - My accent matches the role: external, expert, not super formal but very technical.
  - It’s not a scammy tone. It’s urgent, credible, and logical.
So that’s the trick: I don’t need to be charming, I just need to sound like the guy who’s been here before and doesn’t have time to explain everything again.
AI vishing and social engineering
Darren: So earlier, you were able to clone my voice from less than 10MB of audio from YouTube, using an online, non-malicious voice AI tool. With a moderate gaming setup you were able to clone my voice, then use it in speech-to-speech mode with just milliseconds of delay, making it a perfect social engineering tool. It was freaky hearing my cloned voice – tell me more!
Mikael: AI vishing (voice phishing) has become a massive force multiplier for attackers. It lets anyone execute highly convincing and scalable attacks. Let me break it down into a few areas.
1. Tailored scripts, instantly generated
Attackers no longer write their own pretexts. AI can generate a highly customized phone script based on public data about the target: victim’s role, systems they use, even the tone of previous emails or blog posts.
For example: “Hi, this is Emma from Logistics. I can’t access SharePoint and my MFA app isn’t syncing after IT’s update yesterday…”
That line? It might be generated on the fly, based on a LinkedIn post and a recent press release about your company’s software rollout.
2. Voice cloning removes friction
If the attacker has just a few minutes of someone’s voice, from a podcast, webinar, or even internal training videos, they can clone it. Not just a similar voice, but a real-time AI-generated voice that says exactly what the attacker wants, with perfect emotional tone.
Imagine your CFO calling the service desk: “Can you just reset my MFA? I’m in a rush.”
It sounds just like her. But it’s not her.
3. AI chatbots build fake trust
Some attackers go further. They use chatbots with personality to pose as employees in internal chat systems (Slack, Teams) or external email threads. These bots can have small talk, make jokes, and build trust before launching the actual request.
So, when “Daniel from IT” finally calls in a panic, the service desk agent already knows who he is — they’ve chatted before. That’s invisible social engineering, happening long before the phone rings.
4. The real danger? It scales.
Before AI, you needed one manipulative human per call. Now? One attacker can automate 50 simultaneous conversations, each tailored, each convincing, each relentless. Service desk staff will no longer be dealing with the occasional stressed-out caller — they’ll be targeted systematically, at scale, by AI-powered personas that sound and behave like real employees. And these attacks don’t take weeks to prepare. They take minutes.
Darren: That’s terrifying… So, you’re saying that with AI, this isn’t just a clever trick anymore, it’s a factory?
Mikael: Exactly. We’re moving from handcrafted scams to industrial-grade intrusion. And the frontline (the service desk) is already overwhelmed. AI just makes the flood inevitable.
Recent examples of service desk attacks
Darren: So, what about real attacks like this recently?
Mikael: Oh yes, multiple high-profile examples just this year. And while social engineering itself isn’t new, what’s changed is the scale, the targets, and the visibility. Marks & Spencer was hit by one of the most impactful cyberattacks in the UK this year. The attack, attributed to the hacking group Scattered Spider, began with advanced social engineering tactics targeting outsourced support personnel.
Once inside, the group reportedly stole the NTDS.dit file (a sensitive Active Directory database containing user credentials) and then moved laterally through M&S’s infrastructure, remaining undetected for weeks. On April 24th, they deployed DragonForce ransomware on VMware ESXi hosts, encrypting core systems and paralyzing parts of the business.
Online ordering was disrupted, internal operations were impacted, and M&S had to bring in cybersecurity heavyweights like Microsoft to respond. This wasn’t just a hack, it was a playbook. Social engineering to get in. Persistence to stay hidden. Ransomware to cash out.
And all this started with someone pretending to be someone they weren’t. It shows how a single call or message can unravel a massive organization, even one as established and security-minded as M&S.
Darren: Mikael, you mentioned that Marks & Spencer was hit with ransomware toward the end of the attack. Is that a common path for threat actors these days?
Mikael: Yes, it’s very common. In fact, ransomware is often the endgame after a successful social engineering or credential-based intrusion. At its core, ransomware is simple: attackers encrypt your data and demand payment to unlock it, typically in cryptocurrency.
But that’s just the beginning. These days, it’s evolved into what we call double extortion. That means:
- They encrypt your files, and
- They also steal the data and threaten to leak it publicly if you don’t pay.
It’s like being robbed twice: first digitally, and then by playing on the brand damage. And we’ve seen triple extortion too. One disturbing example is the Vastaamo case in Finland (Vastaamo was a mental health provider):
- After stealing sensitive patient therapy notes, the attackers encrypted the systems…
- Then threatened to leak the records…
- And finally, they went a step further: they contacted individual patients directly and demanded money from them personally.
That’s the third layer: turning your own clients or employees into pressure points. So yes, ransomware is extremely common now, and social engineering is often the very first step. Someone impersonates a colleague, resets MFA, and gets in quietly. Then weeks later, it all ends in a ransomware detonation.
Darren: Any other high profile cases people should be aware of in recent years?
Mikael: Absolutely. Other high-profile cases include:
- MGM Resorts (US, 2023): The casino and hotel giant was hit hard after attackers used social engineering (just a phone call) to convince internal staff they were from IT. They gained privileged access and caused multi-million-dollar disruptions.
- Co-op UK (2025): Similar pattern to M&S. Attackers socially engineered their way into internal systems. Millions of records were exposed, and operations were disrupted.
- Harrods (UK, 2025): The luxury department store was also recently targeted in what appears to be a social engineering-driven breach. While details are still emerging, it’s clear attackers attempted to gain access through human channels, not exploits.
What’s interesting about the UK attacks in 2025 is that three of these incidents hit major brands in a short time frame. That tells us something: these tactics work, and when cybercriminals see something working, they copy it and reuse the methodology. We’re not seeing one-off accidents.
We’re seeing the rise of a proven method that’s spreading fast.
Social engineering has always been part of the hacker toolkit. What’s new is that it’s now being used at enterprise scale, against high-profile targets, with AI and automation amplifying the impact. I’m afraid this is only the beginning.
Securing the service desk: The future of service desk social engineering
Darren: So where is this heading, Mikael? What’s the next stage in all of this?
Mikael: It’s already happening, and it’s going to get worse before it gets better. We’re moving into an era where social engineering becomes industrialized. I’ll walk through four key issues to demonstrate.
1. Copycats and playbooks
Every time a high-profile attack succeeds (like with M&S, MGM Resorts, and Co-op) the playbook gets copied. There’s no reason for attackers to reinvent the wheel when they can just copy the technique and reuse it. Social engineering isn’t “creative” anymore, it’s templated. You can buy pre-written scripts, AI prompts, and even call-centre-grade voice bots tailored for this purpose.
2. Outsourced service desks = weak points
Many companies outsource their IT support to third-party vendors, often overseas, and often under pressure to move fast and keep the “internal client” happy. That creates a soft underbelly for threat actors to exploit. You don’t need to break into the main office, you just need to sound convincing to someone five time zones away, handling 80 tickets an hour. Outsourced desks often lack the same training, context, or authority to say no, and attackers know this.
3. Access brokers offering Social Engineering-as-a-Service
Just like ransomware groups created “initial access brokers”, we’re now seeing the rise of “voice access brokers”: criminals who specialize in impersonation, social engineering, and bypassing service desks on demand. A cybercrime gang doesn’t even need to be skilled at social engineering anymore. They can outsource it to someone who is.
“Need access to Company X? No problem, we have a guy who can get the helpdesk to reset the CTO’s password for $500.” That’s where this is headed. Social engineering as a subscription service.
4. AI + automation = scale
Imagine a world where:
- AI writes 100 custom social engineering scripts per day.
- Cloned voices call 50 companies an hour.
- Bots warm up service agents via chat for days or even weeks before launching the attack.
That’s not sci-fi, that’s where we are in 2025. We’re heading into a future where every service desk interaction might be an attack vector, and the tools to launch those attacks are getting cheaper, smarter, and harder to detect.
Darren: So, you’re saying the threat isn’t just that people will get tricked — it’s that social engineering is becoming a fully scalable industry?
Mikael: Exactly. What phishing did to email, voice-based SE will do to service desks. Unless we change how we train, verify, and empower those frontline defenders, we’re not ready.
What can organizations do to secure their service desk?
Darren: Okay, so how do we fight this? What can companies actually do to protect themselves without shutting down the service desk completely?
Mikael: That’s the good news: you don’t need to close your service desk. You just need to transform it from a help centre into a secure front line. There’s absolutely hope. Most of these attacks succeed not because service desk staff are incompetent, but because they haven’t been given the training, permission, or tooling to defend themselves effectively.
Here’s what I recommend. Practical, real-world steps that every organization can start with:
1. Train with realism
Not PowerPoints. Actual phone simulations. Roleplay. Stress drills. Train agents to hear red flags in real-time, and to trust their instincts when something feels off.
2. Implement zero trust playbooks
Make it standard: no reset, no MFA removal, no access change unless:
- Two independent factors are verified, and
- There’s a clear audit trail.
No one should be able to sweet-talk their way around this.
3. Log everything
Everything the service desk does should be traceable:
- Who called.
- Who approved.
- What was changed.
That way, if something goes wrong, you can act fast and prove what happened.
4. Limit access scope
Your service desk shouldn’t be able to reset the CEO’s password. Or bypass MFA for your cloud security architect. Use role-based access control (even internally) and segment high-risk accounts.
5. Empower your agents to say “no”
This is a cultural shift. Agents must know that it’s okay to challenge, to escalate, and to delay — even if the person on the line sounds senior or angry. Your people can’t protect your systems if they’re afraid to say no. Give them air cover and back them up.
6. Simulate social engineering attacks regularly
You test phishing with emails, so do the same with phone and chat. Make it part of your red team exercises or tabletop scenarios. Not to punish agents, but to build their confidence.
7. Invest in better identity validation tools
Don’t rely on voice or caller ID. Use layered verification like:
- Secure callbacks
- Identity apps
- Multi-channel challenge-response
- Self Service Password Reset (SSPR) systems like Specops uReset, where users have to collect multiple “identity points” (e.g. 3 stars) to reset their credentials
- User verification systems for any other reason users contact the service desk, such as Specops Secure Service Desk
Darren: So, the solution isn’t fewer service desk calls, it’s smarter service desk calls?
Mikael: Exactly. You don’t win this by closing the doors. You win it by making the humans in your frontline stronger than the AI in theirs.
Darren: That’s a perfect place to end. Mikael, thank you. Any final words?
Mikael: Yes. Social engineering works because people care and want to help. The service desk doesn’t have to be your weakest link; they’re your first line of defense. Train them, equip them, and trust them. That’s how you stay secure and stay human.
Protect your service desk agents from social engineering
Specops Secure Service Desk can help mitigate social engineering attacks by adding identity verification steps to all password reset and account unlock requests. By requiring callers to verify their identity using MFA, directory attributes, or custom challenge questions, the product ensures that only legitimate users can access support, even if an attacker knows their name, role, or internal lingo. It also provides audit trails and granular control over who can reset what, reducing the chance of privilege misuse or impersonation.
Protect your front line. See how Specops Secure Service Desk can harden your help desk against attacks. Try for free today.