TL;DR: Vishing calls rose 449% in 2025 as organised groups industrialised help-desk impersonation, then pivoted from compromised human accounts to persistent machine identities such as OAuth tokens and service accounts, according to Commvault. The governance failure is not just initial access but the lack of lifecycle, visibility, and rollback control over NHIs once attackers move into the machine layer.
At a glance
What this is: This is an analysis of how industrialised vishing is used to gain human access and then convert that foothold into persistent machine identity compromise.
Why it matters: It matters because IAM, PAM, and NHI teams need to see the handoff from human compromise to machine-layer persistence as one attack path, not two separate incidents.
By the numbers:
- 449% in 2025.
- The service accounts, API keys, and OAuth tokens that now outnumber human users by 144 to 1.
- 25% of organizations have formal policies for creating, or creating or decommissioning NHIs.
👉 Read Commvault's analysis of vishing-driven identity compromise and NHI persistence
Context
Vishing is voice phishing, where an attacker uses a phone call to impersonate a trusted person and pressure help desk staff into resetting credentials or approving access. In this case, the real problem is not the call itself but the governance gap that lets a human access event become machine identity persistence, especially when OAuth tokens and service accounts are not lifecycle-managed.
That handoff matters to IAM and NHI programmes because the original human account is often the first thing remediated, while the machine identities created or abused during the intrusion survive much longer. If organizations cannot see, classify, or decommission those identities quickly, they are recovering the ticket and leaving the attacker’s foothold in place.
The starting point described here is unfortunately typical, not exceptional: social engineering creates the opening, and machine-layer identity sprawl turns it into durable access.
Key questions
Q: What breaks when help desk compromise is not linked to NHI governance?
A: The response process stops at the human account, while attackers move persistence into OAuth tokens, service accounts, and other machine identities. That leaves access alive after the obvious incident is closed. The failure is not only detection. It is the absence of a workflow that can inventory, revoke, and validate the machine identities created or touched during the compromise.
Q: Why do vishing attacks so often lead to long-lived access?
A: Because help desk resets can create new access paths faster than teams can observe them, and the resulting machine identities do not behave like employee logins. They may not trigger normal sign-in alerts, and they often survive the original user remediation. The risk increases when there is no formal lifecycle for those NHIs.
Q: How can security teams tell whether identity resilience is actually working?
A: Look for evidence that unauthorized privilege changes are detected, contained, and rolled back before persistence is established. A working programme can show which tokens were created, which service accounts were changed, and how quickly those states were returned to trusted values. If you can only see the alert, not the restoration, resilience is incomplete.
Q: Who is accountable when a help desk reset is abused to create machine identity persistence?
A: Accountability spans IAM, help desk operations, and the teams that own NHIs. If password reset workflows can create or expose machine credentials, then the governance boundary is shared. The practical answer is clear ownership for recovery actions, plus auditability for every token, service account, and administrative privilege change.
Technical breakdown
How help desk compromise becomes machine identity persistence
A vishing attack targets the human control point that can reset credentials, MFA, or access approvals. Once the help desk is persuaded, attackers do not need to stay on the original account. They can use that brief trust window to create or hijack OAuth tokens, service accounts, or administrative identities that operate outside normal human login monitoring. Those credentials are often non-interactive, which means they do not produce the same alert patterns as user sign-ins. The result is a transition from a visible human compromise to a quieter NHI foothold.
Practical implication: monitor help desk actions as identity events and correlate them with new token creation, account provisioning, and privilege changes.
Why NHI sprawl defeats standard remediation
Machine identities are harder to govern because they are numerous, long-lived, and often created for speed rather than control. If there is no formal lifecycle for creation, review, rotation, and decommissioning, those identities persist after the original incident is closed. Attackers exploit that gap by moving from the user account they phished to credentials that are not tied to an employee lifecycle and are rarely revisited. That is why machine-layer persistence often outlasts human-account cleanup.
Practical implication: treat NHI lifecycle as a core remediation workstream, not an afterthought to human account recovery.
What identity resilience means in practice
Identity resilience is the ability to detect suspicious identity changes and roll back unauthorized privilege states before they become the new baseline. In this threat pattern, the important event is not only password reset abuse, but the creation of new access paths that survive the incident response window. Resilience therefore depends on visibility into identity state, not just alerting on login failures. Without rollback capability, teams may know an attacker was present and still be unable to prove the environment has returned to a trusted identity state.
Practical implication: build rollback and verification into identity response so privilege changes can be reversed before persistence is established.
Threat narrative
Attacker objective: The attacker’s objective is durable access through machine identities that remain active after the compromised human account has been remediated.
- Entry begins with vishing against help desk staff, where the attacker impersonates a trusted employee and requests a password reset or similar access action.
- Escalation occurs when the attacker uses that human foothold to create, steal, or inherit OAuth tokens, service accounts, or administrative machine identities that are less visible to standard monitoring.
- Impact follows when the attacker maintains persistence through machine-layer credentials that survive user remediation and keep access alive beyond the original fraud call.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Voice phishing has become an identity control problem, not just a fraud problem. The article shows that industrialised vishing is no longer aimed at the data directly. It is aimed at the people and processes that can create, reset, or expand identity state. That shifts the centre of gravity from awareness training alone to governance over the identity actions that follow a successful call. Practitioners need to treat help desk activity as part of the identity attack surface.
Machine identity persistence is the real prize after human compromise. The attacker does not need the original user account for long if OAuth tokens, service accounts, and similar NHIs can be created or abused during the incident. This is where NHI governance becomes decisive: lifecycle gaps, weak rotation discipline, and missing decommissioning controls turn a contained human incident into lasting access. The practitioner conclusion is that human remediation without NHI cleanup is incomplete.
Formal NHI creation and decommissioning policy is now a baseline requirement. Fewer than 25% of organisations have such policies, while the machine identities they must govern massively outnumber human users. That is a structural mismatch, not a tooling inconvenience. The implication is that identity programmes built only around employee accounts are under-scoped for the modern attack path.
Identity resilience is a recovery discipline, not a monitoring feature. The article’s strongest claim is that readiness depends on detecting and rolling back unauthorized privilege changes before attackers establish persistence. That is a governance shift: response teams must be able to prove the identity environment has returned to a trusted state, not simply that an alert was raised. Practitioners should design for restoration of identity state, not only incident notification.
Identity blast radius grows when help desk workflows and NHI sprawl are unlinked. The attacker starts with a single call but ends with multiple machine-layer credentials that are difficult to inventory, review, and revoke. That expands the blast radius across systems that may not share human identity controls. The practical conclusion is to govern identity actions and machine identities as one chain of custody.
From our research:
- Fewer than 25% of organizations have formal policies for creating or decommissioning NHIs, according to The State of Non-Human Identity Security.
- Our research also found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which explains why delegated access so often escapes review.
- That visibility gap is why our 52 NHI Breaches Analysis is useful next reading for teams mapping persistence paths and revocation failure modes.
What this signals
Identity programmes that still treat help desk recovery as a purely human workflow will miss the machine-layer persistence that follows it. The practical shift is toward shared monitoring across IAM, PAM, and NHI controls so that recovery actions, token issuance, and privilege changes are analysed as one chain of custody. Teams that cannot connect those signals will see the incident, but not the lingering access path.
Ephemeral credential trust debt: organisations accumulate risk when short-lived access is issued faster than it is inventoried, reviewed, and revoked. That debt grows fastest in environments where service accounts, OAuth tokens, and administrative machine identities are created as part of ad hoc recovery. The programme response is to assume the attacker will look for the least visible credential, not the most powerful one.
The broader signal is that recovery capabilities now matter as much as preventive controls. Teams should watch for gaps in rollback, ownership, and decommissioning because those gaps determine whether a vishing event becomes a contained fraud case or a durable identity compromise.
For practitioners
- Correlate help desk actions with identity state changes Flag password resets, MFA resets, and account recovery events when they are immediately followed by new token creation, service account provisioning, or privilege escalation. This is the strongest signal that a social engineering call has become an identity compromise. Use the help desk event as an anchor for investigation, not as the end of the case.
- Inventory and classify all NHIs touched by user recovery workflows Map which recovery processes can create or modify OAuth tokens, API keys, service accounts, and administrative machine identities. Include owner, purpose, rotation status, and decommissioning path so that post-incident cleanup is not manual guesswork. Focus first on credentials created during human account recovery.
- Separate human remediation from NHI remediation When a human account compromise is confirmed, run a second workstream for non-human identities that may have been minted, inherited, or exposed during the attack. Revoke and validate machine credentials independently, because the attacker may no longer need the original user account to remain active.
- Build rollback into identity incident response Maintain the ability to revert unauthorised privilege changes, token issuance, and service account modifications to a known-good state. Identity recovery should verify that machine credentials have been restored or replaced, not just that the original human account is locked.
Key takeaways
- Vishing is no longer just a help desk scam, because it is now a scalable entry point into machine identity persistence.
- The evidence points to a structural governance gap: machine identities outnumber people, yet formal creation and decommissioning policies remain uncommon.
- Practitioners need identity resilience that can detect, validate, and roll back unauthorized privilege changes before attackers settle into NHIs.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on NHI creation, lifecycle, and rotation gaps. |
| NIST CSF 2.0 | PR.AC-4 | Identity and access permissions are the main control surface after the social engineering entry. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management covers the token and credential handling failures described here. |
| NIST Zero Trust (SP 800-207) | 3.1 | Zero trust assumptions are stressed when help desk actions can mint persistent access. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0003 , Persistence | The attack path moves from initial social engineering to credential abuse and persistent access. |
Bind identity actions to continuous verification and segment privileged recovery workflows from broad access grants.
Key terms
- Voice Phishing: Voice phishing is social engineering conducted over the phone to trick a person into revealing information or performing an action that grants access. In identity terms, it exploits trust in service workflows, especially help desks, to alter authentication state or approve recovery actions.
- Machine Identity: A machine identity is a non-human credential used by software, workloads, services, or automation to authenticate and obtain access. It includes service accounts, API keys, OAuth tokens, and certificates, and it must be governed across creation, scope, rotation, and decommissioning just like human access, but at machine speed.
- Identity Resilience: Identity resilience is the ability to detect, contain, verify, and roll back unauthorised identity changes. It goes beyond alerting by proving the environment has returned to a trusted state, which is essential when attackers move from visible human compromise into persistent non-human identities.
- Identity Blast Radius: Identity blast radius is the amount of access an attacker can reach once a single identity or workflow is compromised. In machine identity environments, it grows quickly when tokens, service accounts, and delegated access are over-provisioned or poorly revoked, turning one incident into multi-system exposure.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- The help desk fraud pattern and the specific callback, verification, and out-of-band checks the vendor recommends.
- The identity resilience workflow for detecting and rolling back unauthorized privilege changes after a vishing event.
- The practical correlation signals between MFA resets, token creation, and machine identity escalation.
- The vendor's framing of machine identities as Tier 0 assets and the associated response sequence.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org