Scattered Spider and the help desk: social engineering the identity reset
What happened
The group known as Scattered Spider ran a series of high-profile intrusions, including the 2023 attacks on MGM Resorts and Caesars Entertainment. A signature technique was calling the IT help desk, impersonating an employee, and persuading an agent to reset the target's password or enroll a new MFA device. With the reset done, the attacker held legitimate, fully authenticated access.
Root cause
Help-desk identity verification was weak. Agents reset credentials and MFA based on information an attacker could research or phish (employee ID, manager name, basic personal details). The recovery and enrollment path, not the login, was the soft spot.
The identity lesson
Attackers target the weakest step in the identity lifecycle, and that is usually account recovery and MFA enrollment, not primary authentication. Strong login does not help if anyone who sounds convincing can have credentials reset over the phone.
How to defend
- Harden help-desk verification: require strong, hard-to-phish proof of identity before any reset, such as a manager approval or an in-person or video check for sensitive roles.
- Use phishing-resistant MFA and make re-enrollment a high-assurance event, not a casual one.
- Limit who can perform resets, log and alert on them, and add a delay or secondary approval for privileged accounts.
- Watch for the pattern: a help-desk reset or MFA enrollment followed shortly by a login from a device or location the account has never used before. This correlation is the core of identity threat detection and response (ITDR).
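An added example, not code from the original article: the reset-then-new-login correlation in the last bullet written as a small Python detector run over constructed sample events. The event field names, the 60-minute window, and the baseline rule (logins strictly before the reset) are assumptions to adapt to your IdP and help-desk exports.

```python
from datetime import datetime, timedelta

# Constructed sample identity events (not real logs). The field names are
# assumptions; map them from your IdP and help-desk ticketing exports.
EVENTS = [
    {"ts": "2024-05-01T08:05:00", "type": "login", "user": "jdoe", "device": "lap-0142", "geo": "US-NV"},
    {"ts": "2024-05-01T10:00:00", "type": "login", "user": "asmith", "device": "lap-0077", "geo": "US-NV"},
    {"ts": "2024-05-02T14:02:00", "type": "password_reset", "user": "jdoe", "actor": "helpdesk-agent-7"},
    {"ts": "2024-05-02T14:03:00", "type": "mfa_enroll", "user": "jdoe", "actor": "helpdesk-agent-7"},
    {"ts": "2024-05-02T14:09:00", "type": "login", "user": "jdoe", "device": "unk-9f3a", "geo": "DE-BE"},
    {"ts": "2024-05-02T15:00:00", "type": "password_reset", "user": "asmith", "actor": "helpdesk-agent-2"},
    {"ts": "2024-05-02T15:20:00", "type": "login", "user": "asmith", "device": "lap-0077", "geo": "US-NV"},
]

RESET_TYPES = {"password_reset", "mfa_enroll"}


def detect_reset_then_new_login(events, window_minutes=60):
    """Flag logins within `window_minutes` after a password reset or MFA
    enrollment for the same user that come from a device or location the
    user never logged in from before the reset. One alert per login."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 sorts lexically
    alerts = []
    for login in (e for e in events if e["type"] == "login"):
        t_login = datetime.fromisoformat(login["ts"])
        # Resets/enrollments for this user inside the look-back window
        resets = [r for r in events if r["type"] in RESET_TYPES
                  and r["user"] == login["user"]
                  and timedelta(0) <= t_login - datetime.fromisoformat(r["ts"]) <= window]
        if not resets:
            continue
        first_reset = min(r["ts"] for r in resets)
        # Baseline: devices and locations seen for this user before the reset
        prior = [e for e in events if e["type"] == "login"
                 and e["user"] == login["user"] and e["ts"] < first_reset]
        new_device = login["device"] not in {e["device"] for e in prior}
        new_geo = login["geo"] not in {e["geo"] for e in prior}
        if new_device or new_geo:
            alerts.append({
                "user": login["user"],
                "login_ts": login["ts"],
                "reset_types": sorted({r["type"] for r in resets}),
                "reset_actors": sorted({r["actor"] for r in resets}),
                "new_device": new_device,
                "new_geo": new_geo,
            })
    return alerts
```

Calling `detect_reset_then_new_login(EVENTS)` flags only the `jdoe` login: it follows a reset and enrollment by the same agent within minutes and comes from an unknown device and country, while the `asmith` login after a reset matches that user's baseline. An account with no prior logins always has an empty baseline and will fire, so tune the rule (or seed baselines) for new-hire onboarding.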
Related
Vendors: ITDR, MFA, PAM. Glossary: account takeover, phishing-resistant MFA.