TL;DR: Vishing attacks jumped 449% in 2025 and are being used to drive password resets, MFA changes, token theft, and service-account creation that can reach Active Directory within hours, according to Commvault. The real problem is not only initial access but the combination of human trust abuse, NHI sprawl, and slow recovery that lets attackers consolidate control.
At a glance
What this is: This is Commvault’s analysis of how help desk vishing, Active Directory abuse, and non-human identity sprawl combine into a fast identity compromise path.
Why it matters: It matters because IAM teams have to govern both human-assisted entry points and machine identities, or attackers will keep moving from a single reset to domain-wide impact.
By the numbers:
- Voice phishing attacks jumped 449% in 2025.
- Recent research shows that 67% of incidents now involve identity-related compromise.
- Non-human identities now outnumber human users 144 to 1.
👉 Read Commvault's analysis of help desk vishing, AD compromise, and NHI risk
Context
Help desk vishing is a social engineering path that turns trusted support workflows into an identity compromise entry point. In this article’s framing, the key issue is not a single phishing email but the speed at which a reset, MFA change, or token event can become broader identity control.
Active Directory remains central because it concentrates authentication, policy, and trust across the enterprise. When that control plane is reached through compromised human access and unmanaged non-human identities, the attacker’s path shortens from initial access to domain-level influence far faster than many IAM programmes assume.
Key questions
Q: What breaks when help desk vishing is used to start an identity compromise?
A: The break is in the trust model. Help desks are built to restore access quickly, so a convincing caller can trigger resets, MFA changes, or recovery actions that look legitimate. When those actions are not immediately correlated with downstream identity changes, the attacker turns support into a sanctioned entry point for broader compromise.
Q: Why do non-human identities make identity attacks harder to contain?
A: NHIs extend the attack beyond the first account. Tokens, service accounts, and API keys can preserve access after the original human credential is changed, which means the attacker can keep moving even when the first login is blocked. The containment problem is that machine credentials often outlive the event that exposed them.
Q: How should security teams handle Active Directory as an attack target?
A: Treat Active Directory as a Tier 0 control plane and monitor it as such. That means auditing privileged changes, disabling unused accounts, reviewing legacy protocols, and correlating directory events with help desk activity. If AD is governed like ordinary infrastructure, attackers can convert a small identity foothold into broad domain influence.
Q: Who is accountable when a support reset leads to privileged access abuse?
A: Accountability sits with the identity and support governance owners together, because the failure spans both workflow authorization and downstream access control. If a reset can create durable privilege without rapid verification, the organisation has allowed operational convenience to override identity assurance. That is an IAM and governance issue, not only a service desk issue.
Technical breakdown
Why help desk vishing works against identity processes
Vishing succeeds because help desk workflows are designed to restore access quickly, not to resist adversarial social engineering. A caller can trigger password resets, MFA changes, or account recovery actions that look legitimate in isolation but become dangerous when chained together. The article describes attackers using the help desk as an identity insertion point, then pivoting into cloud and virtualised environments. The failure is procedural: the support process often treats user convenience as the default control, while the attacker treats it as the shortest path into the identity plane.
Practical implication: Treat help desk actions as security events and require correlation against subsequent identity changes.
How non-human identities expand the blast radius
Once attackers obtain a foothold, service accounts, API keys, OAuth tokens, and other NHIs become the continuity layer for movement and persistence. These identities are machine-used, often over-shared, and frequently under-audited, which makes them ideal for hiding in plain sight. The article’s point is that a compromised human account rarely stays human for long. Attackers use it to create or abuse machine credentials, then rely on those credentials to move laterally without reusing the original login path.
Practical implication: Inventory, classify, and continuously review machine identities that can be created or modified after help desk activity.
Why Active Directory becomes the consolidation point
Active Directory is the central identity control plane in many environments, so a compromise there has disproportionate reach. The article notes that attackers can exploit common misconfigurations, legacy protocols, and inherited trust relationships to disable controls or expand privileges. Once they are inside AD, they no longer need exotic malware or noisy intrusion techniques. They can operate through normal identity mechanisms, which is why prevention alone misses the operational reality of modern identity attacks.
Practical implication: Treat AD changes, especially group policy and admin-account creation, as Tier 0 events requiring immediate review.
Threat narrative
Attacker objective: The attacker aims to convert a single trusted support interaction into durable control over identity infrastructure, especially Active Directory and the machine identities connected to it.
- Entry begins with vishing against the help desk, where the attacker induces a password reset or MFA change and gains a trusted identity foothold.
- Escalation follows through cloud and virtualised environments as the attacker harvests OAuth tokens, creates administrative service accounts, and abuses machine-layer credentials.
- Impact occurs when the attacker reaches Active Directory control, weaponises trust relationships, and slows recovery long enough to preserve domain-wide access.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Help desk trust is now an attack surface, not a support convenience. The article shows that identity compromise can start with a single approved-seeming reset and still end in domain-level impact. That changes the security meaning of service desk work: it is no longer administrative back-office activity, it is part of the access control plane. Practitioners should treat help desk procedures as enforceable identity controls, not soft operational workflows.
Non-human identity sprawl has become an identity continuity problem. The move from a compromised human account into tokens, OAuth grants, and service accounts shows that attackers are following the path of least resistance across identity types. OWASP-NHI and NIST CSF both become relevant here because the blast radius is determined by how quickly machine credentials can be discovered, abused, and left active. The practical conclusion is that NHI governance cannot sit outside mainstream IAM.
Tier 0 identity resilience now requires recovery, not just prevention. The article is clear that attackers can move from human compromise to AD influence fast enough to avoid detection in conventional control stacks. That means identity programmes built only around denial, alerting, and periodic review are incomplete. Security leaders need a recovery assumption that identity compromise will happen and that the programme must restore trust faster than attackers can consolidate it.
Standing trust in support workflows is a named governance gap: it was designed for human-paced validation, and it fails when attackers can chain support, token, and service-account changes into one session. This is the assumption collapse behind the article. The implication is not merely to add more checks, but to rethink which identity events are allowed to create durable access without immediate independent verification.
Identity-related compromise is now a control-plane issue, not a perimeter issue. The article’s emphasis on AD, machine identities, and fast lateral movement shows that the decisive asset is the trust fabric itself. When that fabric is weak, endpoint and email controls only slow the attacker; they do not meaningfully reassert authority over the identity plane. Practitioners should prioritise governance where trust is issued, not where it is finally consumed.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
- NHI Lifecycle Management Guide is the right next read for teams translating offboarding findings into lifecycle controls.
What this signals
Token persistence is the quiet enabler behind many identity incidents. When support-driven compromise can lead to machine credentials that remain active long after the original event, the programme gap is lifecycle governance, not just detection. The question is no longer whether you can spot a reset, but whether you can prove that every downstream token and service account was rotated or revoked before the attacker used it again.
Identity recovery has to be designed as a control objective. A directory or token estate that can be changed faster than it can be restored is an unstable trust system. Teams should watch for the point where directory rollback, privilege revocation, and account validation become separate incident tasks rather than one coordinated response.
A practical signal of maturity is whether the team can link help desk activity, directory change events, and machine identity creation in the same investigation path. Without that linkage, attackers can keep moving through normal workflows while defenders see only isolated administrative actions.
For practitioners
- Correlate help desk events with identity mutations Require alerting when a password reset, MFA change, or account recovery is followed by service-account creation, token issuance, or privileged group membership changes within the same workflow.
- Inventory machine identities created after human support actions Track service accounts, OAuth grants, API keys, and other NHIs that appear shortly after support interventions, then classify which ones can reach AD or other Tier 0 systems.
- Harden AD as a Tier 0 trust asset Review group policy rights, legacy protocol exposure, inactive accounts, and admin delegation paths with the assumption that AD compromise will be attempted through identity workflows rather than malware.
- Add recovery objectives to identity governance Define rollback and restoration runbooks for directory changes so the team can reverse malicious privilege escalation before attacker-made changes become the new normal.
Key takeaways
- Help desk social engineering now acts as a primary identity compromise path, not a peripheral nuisance.
- Machine identities and stale tokens extend attacker reach well beyond the first reset or MFA change.
- Identity resilience depends on rapid detection and rollback of directory and credential changes, not prevention alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI sprawl, token exposure, and lifecycle gaps are central to this article. |
| NIST CSF 2.0 | PR.AC-4 | The article centres on access control and privilege changes after social engineering. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential and authenticator management is implicated by resets, MFA changes, and token abuse. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0004 , Privilege Escalation | The article describes credential theft followed by movement and escalation. |
Apply IA-5 to ensure resets, tokens, and account credentials are issued and revoked under strict governance.
Key terms
- Help Desk Vishing: A social engineering attack that uses voice calls to persuade support staff to reset credentials or change authentication settings. In identity programmes, it is a control bypass technique that exploits trust in operational workflow rather than technical vulnerability.
- Non-Human Identity: A machine or software identity such as a service account, API key, token, certificate, or workload credential. It often has broad system reach, limited human oversight, and a lifecycle that can outlive the event that created it.
- Identity Resilience: The ability to detect, contain, reverse, and recover from identity compromise without waiting for a full rebuild. It combines governance, monitoring, rollback, and trust restoration so directory and credential abuse does not become prolonged business disruption.
- Tier 0 Asset: A system whose compromise would undermine the entire identity environment, such as Active Directory or a central authentication service. Protecting it means treating configuration, privilege, and recovery as critical controls rather than routine administration.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance for auditing help desk interactions against account and token creation events.
- Recovery-first guidance for rolling back malicious Active Directory changes before they spread.
- Operational discussion of how to treat service accounts and OAuth tokens as part of the incident path.
- Practical examples of identity resilience actions that reduce the time attackers can stay hidden.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity governance programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org