TL;DR: Vishing attacks jumped 449% in 2025 and are being used to drive password resets, MFA changes, token theft, and service-account creation that can reach Active Directory within hours, according to Commvault. The real problem is not only initial access but the combination of human trust abuse, NHI sprawl, and slow recovery that lets attackers consolidate control.
NHIMG editorial — based on content published by Commvault: Key Takeaways on help desk social engineering, NHI blind spots, and Active Directory compromise
By the numbers:
- Voice phishing attacks jumped 449% in 2025.
- Recent research shows that 67% of incidents now involve identity-related compromise.
- Non-human identities now outnumber human users 144 to 1.
Questions worth separating out
Q: What breaks when help desk vishing is used to start an identity compromise?
A: The break is in the trust model.
Q: Why do non-human identities make identity attacks harder to contain?
A: NHIs extend the attack beyond the first account.
Q: How should security teams handle Active Directory as an attack target?
A: Treat Active Directory as a Tier 0 control plane and monitor it as such.
Practitioner guidance
- Correlate help desk events with identity mutations Require alerting when a password reset, MFA change, or account recovery is followed by service-account creation, token issuance, or privileged group membership changes within the same workflow.
- Inventory machine identities created after human support actions Track service accounts, OAuth grants, API keys, and other NHIs that appear shortly after support interventions, then classify which ones can reach AD or other Tier 0 systems.
- Harden AD as a Tier 0 trust asset Review group policy rights, legacy protocol exposure, inactive accounts, and admin delegation paths with the assumption that AD compromise will be attempted through identity workflows rather than malware.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance for auditing help desk interactions against account and token creation events.
- Recovery-first guidance for rolling back malicious Active Directory changes before they spread.
- Operational discussion of how to treat service accounts and OAuth tokens as part of the incident path.
- Practical examples of identity resilience actions that reduce the time attackers can stay hidden.
👉 Read Commvault's analysis of help desk vishing, AD compromise, and NHI risk →
Help desk vishing and AD compromise: what identity teams need now?
Explore further
Help desk trust is now an attack surface, not a support convenience. The article shows that identity compromise can start with a single approved-seeming reset and still end in domain-level impact. That changes the security meaning of service desk work: it is no longer administrative back-office activity, it is part of the access control plane. Practitioners should treat help desk procedures as enforceable identity controls, not soft operational workflows.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
A question worth separating out:
Q: Who is accountable when a support reset leads to privileged access abuse?
A: Accountability sits with the identity and support governance owners together, because the failure spans both workflow authorization and downstream access control. If a reset can create durable privilege without rapid verification, the organisation has allowed operational convenience to override identity assurance. That is an IAM and governance issue, not only a service desk issue.
👉 Read our full editorial: Help desk vishing is accelerating identity compromise through AD