Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

MGM vishing and help desk bypass: what IAM teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: The MGM attack discussion frames vishing as a help desk compromise that can bypass MFA, expose reset workflows, and prolong recovery when identity proofing relies on static employee data, according to 1Kosmos. The case shows that authentication strength alone is not enough if support processes still trust information attackers can steal or infer.

NHIMG editorial — based on content published by 1Kosmos: MGM vishing attack discussion and identity proofing analysis

By the numbers:

Questions worth separating out

Q: How should security teams secure help desk password reset workflows?

A: Security teams should treat password reset as a privileged identity event.

Q: Why do MFA deployments still fail under vishing attacks?

A: MFA fails when attackers bypass the login path and use recovery workflows instead.

Q: What do organisations get wrong about identity proofing in the service desk?

A: Many organisations assume the help desk can safely validate identity using employee facts that are easy to research or steal.

Practitioner guidance

  • Harden account recovery workflows Require stronger proofing for password resets, MFA rebinds, and account unlocks than for routine login.
  • Eliminate knowledge-based verification Remove questions based on employee data, manager names, or other public facts from help desk authentication.
  • Monitor support-triggered identity changes Alert on resets, factor enrolment, and contact detail changes initiated through the service desk, then correlate them with unusual sign-in locations or rapid privilege use.

What's in the full analysis

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • The vlog transcript on how vishing was used to manipulate a help desk into bypassing normal identity checks.
  • The discussion of why MFA can be undermined when recovery workflows and authenticator re-enrolment are weak.
  • The practical suggestions around who is behind the device and why that matters for identity proofing.
  • The recovery and business continuity implications of a support-path identity compromise.

👉 Read 1Kosmos's analysis of the MGM vishing attack and help desk bypass →

MGM vishing and help desk bypass: what IAM teams missed?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Help desk identity proofing is part of the authentication stack, not a secondary process. Organisations often design strong login controls and then leave recovery paths dependent on human judgement, static employee facts, or call-centre scripts. The MGM example shows that attackers do not need to beat every layer if one support path can still accept weak proof. That makes recovery governance a primary IAM control, not a service operation detail.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many identity programmes still cannot see their own machine access surface.

A question worth separating out:

Q: Who is accountable when a support workflow enables account takeover?

A: Accountability sits with the identity and operations owners who define the recovery process, not only with the analyst who answers the call. Frameworks such as NIST CSF and zero trust place access governance and verification controls inside the security programme. If a reset path can be abused, the process itself is the control failure.

👉 Read our full editorial: MGM vishing shows help desk identity controls still fail



   
ReplyQuote
Share: