The Helpdesk Is the Attacker’s Favorite Tool

by James Cavenaugh

May 4, 2026

James Cavenaugh has spent over 20 years helping businesses untangle IT chaos and turn it into a strategic advantage as a business IT and cybersecurity consultant. As the founder of CSM Systems, he brings deep industry experience and a no-nonsense approach to solving complex problems. When your project is stuck or your IT isn’t working for you, James is the one who gets it moving.

In September 2023, MGM Resorts and Caesars Entertainment both got owned by the same threat group inside of ten days. Caesars paid a ransom that reporting later put at around $15 million. MGM refused to pay, took their systems offline, and disclosed to the SEC that the incident would cost them more than $100 million in Q3 alone. Guests stuck in hotel rooms with dead keycards. Slot machines frozen. Booking systems down for days.

Both breaches started with a phone call to the IT helpdesk.

The attacker didn’t exploit a zero-day vulnerability. They didn’t run any exotic malware. They called the helpdesk, pretended to be an employee who’d been locked out, and asked for a password reset. The helpdesk reset the password and handed it over. That was the breach.

This works because helpdesks are built to help

Think about how a typical IT helpdesk is set up at a firm. The team is measured on ticket resolution time, customer satisfaction scores, and call volume. An employee calls saying they can’t log in. The helpdesk’s job is to get them logged in, fast, because an employee who can’t work is a problem. There’s a verification process on paper that everybody’s supposed to follow. In practice, the verification often amounts to confirming the employee’s name and maybe their employee ID.

Now imagine the same scenario. A caller says they’re Sarah from accounting. They say they lost their phone. They say their MFA isn’t working because of the lost phone. They need a password reset and an MFA reset so they can get back into email before a morning deadline. They sound stressed, normal-stressed, the way anyone who can’t log in on a deadline sounds.

The helpdesk rep looks up Sarah. Sarah exists. The caller knows her department, her manager’s name, what project she’s working on, and when she joined. All of that information is publicly available on LinkedIn. The rep confirms the employee ID, which the caller also has. The rep resets the password and the MFA. The caller thanks them and hangs up.

The caller wasn’t Sarah. Sarah is at her desk, working. The attacker has just been handed the keys to her account, with MFA enrolled on a device the attacker controls.

This is what Scattered Spider, the group behind the MGM attack, does routinely. CISA and the FBI published a joint advisory in 2023 describing exactly this playbook. They target the helpdesk because the helpdesk is the weakest link in any identity system. You can have the best technology in the world and still lose it all to a helpdesk rep who resets passwords over the phone for anyone who sounds confident.

What stops it

The fix is a verification protocol that doesn’t rely on information the caller can look up.

The right pattern is multi-channel verification. When an employee calls asking for a password or MFA reset, the helpdesk doesn’t verify on the call alone. They initiate a second channel back to the employee. They text the employee’s manager and confirm. They call the employee’s desk phone if there is one. They send a Teams message to the employee and wait for a response through that channel. If the employee can’t be reached on a channel the caller doesn’t control, the reset doesn’t happen.

Some firms go further. Any password or MFA reset requires the employee to physically appear at a designated location. Yes, that’s a pain. It’s also impossible to social engineer from a phone.

The most effective small-firm pattern is the challenge question. Not the useless ones about your first pet. A challenge question whose answer is not on LinkedIn and which only the actual employee would know because it’s based on something internal to the firm. Something like “what’s the conference room you had your last team meeting in.” Something that changes and doesn’t appear in any public record.

For professional services firms running with a smaller IT team, even simpler rules work. No password resets or MFA resets happen on the same call where they’re requested. Every request gets verified through a callback to the employee’s known phone number (from HR records, not the caller’s claim). The delay is measured in minutes. It’s survivable. What’s not survivable is handing your Microsoft 365 tenant to someone who sounded convincing.
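The rules above (no reset on the call that requested it, callback only to the HR-recorded number, reset only after confirmation on a channel the caller didn't open) are simple enough to enforce in the ticketing workflow rather than in the rep's memory. The following is an added example, not code from the article or from any product; the HR directory, channel names and employee records are constructed sample data.

```python
"""Out-of-band verification gate for helpdesk password/MFA reset requests.

Models the policy described above: a reset request opened on one channel
(the inbound call) can only be confirmed on a different channel, and the
only contact details ever used for that confirmation come from HR records,
never from anything the caller says.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets

# Constructed HR directory: the source of truth for callback contacts.
HR_DIRECTORY = {
    "sarah.lee": {"desk_phone": "+15550100", "manager": "dan.ross"},
}

@dataclass
class ResetRequest:
    user: str
    opened_via: str                  # channel the request arrived on, e.g. "phone"
    code: str = field(default_factory=lambda: secrets.token_hex(3))
    confirmed_via: Optional[str] = None
    executed: bool = False

def open_request(user: str, opened_via: str, claimed_callback: Optional[str] = None) -> ResetRequest:
    """Open a ticket. A callback number offered by the caller is deliberately
    discarded: it is never stored and never dialed."""
    if user not in HR_DIRECTORY:
        raise LookupError(f"{user!r} is not an employee on record")
    return ResetRequest(user=user, opened_via=opened_via)

def callback_targets(req: ResetRequest) -> Dict[str, str]:
    """Channels the verification code goes to: HR-recorded desk phone and manager."""
    rec = HR_DIRECTORY[req.user]
    return {"desk_phone": rec["desk_phone"], "manager": rec["manager"]}

def confirm(req: ResetRequest, via: str, code: str) -> bool:
    """Accept a confirmation only from an HR-derived channel that is not the
    one the request was opened on, and only with the right code."""
    if via == req.opened_via or via not in callback_targets(req):
        return False
    if not secrets.compare_digest(code, req.code):
        return False
    req.confirmed_via = via
    return True

def execute_reset(req: ResetRequest) -> bool:
    """Perform the reset only after a valid out-of-band confirmation."""
    if req.confirmed_via is None:
        return False
    req.executed = True
    return True
```

The caller's own "you can reach me at" number never enters the workflow, which is the property the callback rule depends on.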

Scattered Spider didn’t invent this. Kevin Mitnick wrote a whole book in 2002 about how to talk people out of information they shouldn’t share. The techniques haven’t changed. The attack surface has just gotten bigger, because every firm now has an IT helpdesk and every helpdesk still resets passwords on voice calls.

The MGM breach cost them a hundred million dollars. The fix is a verification procedure and the discipline to follow it when the caller sounds legitimate. That’s what it took. That’s still what it takes.