Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Vishing, OAuth tokens, and service accounts: where identity controls fail


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10158
Topic starter  

TL;DR: Vishing calls rose 449% in 2025 as organised groups industrialised help-desk impersonation, then pivoted from compromised human accounts to persistent machine identities such as OAuth tokens and service accounts, according to Commvault. The governance failure is not just initial access but the lack of lifecycle, visibility, and rollback control over NHIs once attackers move into the machine layer.

NHIMG editorial — based on content published by Commvault: vishing attacks, machine identity persistence, and identity resilience

By the numbers:

Questions worth separating out

Q: What breaks when help desk compromise is not linked to NHI governance?

A: The response process stops at the human account, while attackers move persistence into OAuth tokens, service accounts, and other machine identities.

Q: Why do vishing attacks so often lead to long-lived access?

A: Because help desk resets can create new access paths faster than teams can observe them, and the resulting machine identities do not behave like employee logins.

Q: How can security teams tell whether identity resilience is actually working?

A: Look for evidence that unauthorized privilege changes are detected, contained, and rolled back before persistence is established.

Practitioner guidance

  • Correlate help desk actions with identity state changes Flag password resets, MFA resets, and account recovery events when they are immediately followed by new token creation, service account provisioning, or privilege escalation.
  • Inventory and classify all NHIs touched by user recovery workflows Map which recovery processes can create or modify OAuth tokens, API keys, service accounts, and administrative machine identities.
  • Separate human remediation from NHI remediation When a human account compromise is confirmed, run a second workstream for non-human identities that may have been minted, inherited, or exposed during the attack.

What's in the full article

Commvault's full article covers the operational detail this post intentionally leaves for the source:

  • The help desk fraud pattern and the specific callback, verification, and out-of-band checks the vendor recommends.
  • The identity resilience workflow for detecting and rolling back unauthorized privilege changes after a vishing event.
  • The practical correlation signals between MFA resets, token creation, and machine identity escalation.
  • The vendor's framing of machine identities as Tier 0 assets and the associated response sequence.

👉 Read Commvault's analysis of vishing-driven identity compromise and NHI persistence →

Vishing, OAuth tokens, and service accounts: where identity controls fail?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9713
 

Voice phishing has become an identity control problem, not just a fraud problem. The article shows that industrialised vishing is no longer aimed at the data directly. It is aimed at the people and processes that can create, reset, or expand identity state. That shifts the centre of gravity from awareness training alone to governance over the identity actions that follow a successful call. Practitioners need to treat help desk activity as part of the identity attack surface.

A few things that frame the scale:

  • Fewer than 25% of organizations have formal policies for creating or decommissioning NHIs, according to The State of Non-Human Identity Security.
  • Our research also found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which explains why delegated access so often escapes review.

A question worth separating out:

Q: Who is accountable when a help desk reset is abused to create machine identity persistence?

A: Accountability spans IAM, help desk operations, and the teams that own NHIs. If password reset workflows can create or expose machine credentials, then the governance boundary is shared. The practical answer is clear ownership for recovery actions, plus auditability for every token, service account, and administrative privilege change.

👉 Read our full editorial: Vishing is exposing the blind spot in machine identity governance



   
ReplyQuote
Share: