TL;DR: The MGM attack discussion frames vishing as a help desk compromise that can bypass MFA, expose reset workflows, and prolong recovery when identity proofing relies on static employee data, according to 1Kosmos. The case shows that authentication strength alone is not enough if support processes still trust information attackers can steal or infer.
NHIMG editorial — based on content published by 1Kosmos: MGM vishing attack discussion and identity proofing analysis
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams secure help desk password reset workflows?
A: Security teams should treat password reset as a privileged identity event.
Q: Why do MFA deployments still fail under vishing attacks?
A: MFA fails when attackers bypass the login path and use recovery workflows instead.
Q: What do organisations get wrong about identity proofing in the service desk?
A: Many organisations assume the help desk can safely validate identity using employee facts that are easy to research or steal.
Practitioner guidance
- Harden account recovery workflows: Require stronger proofing for password resets, MFA rebinds, and account unlocks than for routine login.
- Eliminate knowledge-based verification: Remove questions based on employee data, manager names, or other public facts from help desk authentication.
- Monitor support-triggered identity changes: Alert on resets, factor enrolment, and contact detail changes initiated through the service desk, then correlate them with unusual sign-in locations or rapid privilege use.
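The three guidance points above can be expressed as a small policy-and-detection routine. The following Python is an added example written for this post; it is not code from 1Kosmos, NHIMG, or the MGM analysis. The event schema, field names (`type`, `channel`, `actor`, `method`, `country`, `privileged`), the 24-hour correlation window, the set of accepted proofing methods, and every sample record are constructed assumptions. It treats recovery events as privileged identity events that need a stronger proofing method than login, rejects knowledge-based answers outright, and raises one alert per sign-in that follows a help-desk-initiated change from an unseen country or with privileged access.

```python
"""Added example (not from 1Kosmos or NHIMG): enforce stronger proofing for
recovery events and correlate help-desk-initiated identity changes with
follow-on sign-in anomalies.  Event schema, field names, window size and all
sample records below are constructed assumptions for illustration."""
from datetime import datetime, timedelta

# Identity changes a help desk can trigger; each is treated as a
# privileged identity event rather than a routine login.
RECOVERY_EVENTS = {"password_reset", "mfa_enrol", "account_unlock", "contact_change"}

# Proofing methods accepted for recovery events (assumed names).  Knowledge-based
# checks (employee ID, manager name, start date) are deliberately absent because
# an attacker can research or steal those facts.
STRONG_PROOFING = {"id_document_plus_liveness", "existing_authenticator", "in_person"}

def proofing_ok(event_type, method):
    """True if `method` meets the proofing bar for `event_type`.
    Recovery events need a strong method; routine login accepts any
    factor that is not knowledge-based ("kba")."""
    if event_type in RECOVERY_EVENTS:
        return method in STRONG_PROOFING
    return method != "kba"

# Constructed sample log: help-desk actions followed by sign-ins.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "password_reset", "user": "alice",
     "channel": "helpdesk", "actor": "agent7", "method": "kba"},
    {"ts": "2024-05-01T09:04:00", "type": "mfa_enrol", "user": "alice",
     "channel": "helpdesk", "actor": "agent7", "method": "kba"},
    {"ts": "2024-05-01T09:10:00", "type": "signin", "user": "alice",
     "country": "RO", "privileged": True},
    {"ts": "2024-05-01T10:00:00", "type": "password_reset", "user": "bob",
     "channel": "self_service", "actor": "bob", "method": "existing_authenticator"},
    {"ts": "2024-05-01T10:05:00", "type": "signin", "user": "bob",
     "country": "US", "privileged": False},
    {"ts": "2024-05-02T11:00:00", "type": "signin", "user": "alice",
     "country": "US", "privileged": False},
]

# Countries seen in each user's routine sign-ins (constructed baseline).
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}

WINDOW = timedelta(hours=24)  # how long a support change stays "hot"

def correlate(events, known_countries, window=WINDOW):
    """Emit one alert per sign-in that follows a help-desk-initiated change
    within `window` and comes from an unseen country or uses privilege."""
    alerts = []
    pending = []  # (time, event) help-desk changes awaiting a follow-on sign-in
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(e["ts"])
        if e["type"] in RECOVERY_EVENTS and e.get("channel") == "helpdesk":
            pending.append((t, e))
            continue
        if e["type"] != "signin":
            continue
        # Expire changes older than the window before matching.
        pending = [(pt, pe) for pt, pe in pending if t - pt <= window]
        reasons = []
        if e["country"] not in known_countries.get(e["user"], set()):
            reasons.append(f"sign-in from unseen country {e['country']}")
        if e.get("privileged"):
            reasons.append("privileged access soon after a support change")
        linked = [pe for _, pe in pending if pe["user"] == e["user"]]
        if reasons and linked:
            alerts.append({
                "user": e["user"],
                "signin_ts": e["ts"],
                "changes": [pe["type"] for pe in linked],
                "agents": sorted({pe["actor"] for pe in linked}),
                "weak_proofing": [pe["type"] for pe in linked
                                  if not proofing_ok(pe["type"], pe["method"])],
                "reasons": reasons,
            })
    return alerts

def weak_proofing_events(events):
    """Recovery events that were approved with a method below the bar."""
    return [e for e in events if e["type"] in RECOVERY_EVENTS
            and not proofing_ok(e["type"], e.get("method", "kba"))]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(a)
    for e in weak_proofing_events(SAMPLE_EVENTS):
        print("weak proofing:", e["ts"], e["user"], e["type"], e["method"])
```

On the sample data, alice's help-desk reset and MFA re-enrolment (both approved on a knowledge-based check) are linked to a privileged sign-in from an unseen country six minutes later and produce a single alert naming the agent and both changes; bob's self-service reset is not a help-desk event and his routine sign-in raises nothing; alice's sign-in the next day falls outside the window. Keying the pending list on the help-desk channel rather than on the event type alone is what keeps the detection focused on the support path the post describes.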
What's in the full analysis
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The vlog transcript on how vishing was used to manipulate a help desk into bypassing normal identity checks.
- The discussion of why MFA can be undermined when recovery workflows and authenticator re-enrolment are weak.
- The practical suggestions around who is behind the device and why that matters for identity proofing.
- The recovery and business continuity implications of a support-path identity compromise.
👉 Read 1Kosmos's analysis of the MGM vishing attack and help desk bypass →
MGM vishing and help desk bypass: what IAM teams missed?