The customer-portfolio programme work on help-desk-process hardening, catalysed by the Scattered Spider intrusions at MGM Resorts and Caesars (September 2023) and by the UK-retail wave against M&S, the Co-op and Harrods (April-May 2025), has been continuous through the past 18 months. The discipline is now operationally central to the customer-organisation perimeter posture, in a way that earlier customer-organisation conversations had not framed it. I want to write the substantive post on the discipline before the next iteration of the threat-actor pattern produces new material.
The structural framing. The post-cloud-native, post-zero-trust customer-organisation perimeter is increasingly identity-as-perimeter: the defensive posture rests substantively on the integrity of the identity-and-access-management infrastructure. That infrastructure depends, in operational practice, on a small number of human-administered processes for credential issuance, MFA enrolment, password reset and account recovery. Those processes are, by operational necessity, conducted by help-desk and IT-support staff working from human-readable verification procedures. The attack surface of those procedures is the human verification step itself, and the cumulative threat-actor evidence is that it is exploitable through social engineering against under-trained or under-supported help-desk staff. The point that matters for design is that a verification step built on facts an attacker can gather beforehand (name, employee number, date of birth, manager's name, the last four digits of a phone number or identifier) is not verification at all; an attacker who has done the reconnaissance passes it at the same rate as the legitimate employee.
The substantive defensive disciplines. First, identity-verification procedures that go beyond name-and-employee-number checks and beyond any knowledge factor the caller could have obtained from a breach dump or a LinkedIn profile. Pre-arranged out-of-band verification through known-good channels: a call-back from the help-desk to the phone number held in the directory of record (never to a number the caller supplies), manager call-back to the manager's number of record, in-person verification at an office location, or identity-document presentation at an established physical site. The cost of the more rigorous procedures is real, in additional time per help-desk interaction and additional friction for legitimate users, but the cost is bounded and the operational benefit is substantial. A useful framing for the help-desk is that an MFA reset or new-device enrolment re-issues the credential from scratch and should be handled with the rigour of onboarding, not of a routine ticket.
Second, manager-approval requirements for elevated-privilege account changes. The pattern the Scattered Spider campaigns have exploited is an attacker impersonating an employee to obtain an MFA reset or a new-device enrolment on that employee's account, with the help-desk performing the change on the strength of a single interaction. Requiring approval from the named manager of record for such changes, obtained by the help-desk through an out-of-band channel to that manager's directory contact details rather than through any contact the caller offers, substantially raises the social-engineering complexity required to execute the pattern: the attacker now has to defeat two independent verifications, one of which they did not initiate. The approval should be recorded against the ticket, so that resets can later be reconciled against approvals.
Third, phishing-resistant MFA on the help-desk staff's own administrative access. The help-desk accounts that can reset MFA and passwords in the identity-and-access-management infrastructure are themselves a target population for the same social-engineering pattern, and a compromised help-desk account yields every user account it can reset. The customer-organisation programme work on FIDO2 hardware-token deployment to help-desk staff has been, in 2024-2025, the operationally substantive defensive posture. Two corollaries follow: the help-desk's own credential recovery must not run through the same help-desk path it administers, and the reset capability should be scoped so that ordinary help-desk roles cannot reset the accounts of privileged administrators.
Fourth, behavioural monitoring of help-desk administrative-action patterns. The post-compromise activity that follows successful social engineering against help-desk processes typically produces behavioural anomalies: bulk MFA resets by a single help-desk actor, activity outside that actor's normal hours, unfamiliar source-IP patterns for the actor, and rapid escalation in which an account whose credentials were just reset immediately starts changing other accounts. The detection content that surfaces these anomalies to the SOC is operationally tractable, given a per-actor baseline of normal hours and source addresses, and is now standard across customer-portfolio EmilyAI deployments.
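As an added example that is not part of the original post and is not any product's detection content: the four signals above expressed as detection logic in Python, run over a constructed sample of help-desk audit events. The event schema (ts, actor, action, target, src_ip), the thresholds, the corporate address range and the per-actor IP baseline are all assumptions chosen for illustration, not any specific identity provider's log format.

```python
"""Detection of anomalous help-desk administrative actions over audit events.

Added example, not from the original post. The event schema, thresholds,
corporate range and baseline below are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import ipaddress

# --- Tunables (assumptions for illustration) ---
PRIVILEGED = {"mfa.reset", "password.reset", "role.grant"}
BUSINESS_HOURS = (8, 18)             # privileged actions expected 08:00-18:00 UTC
BULK_THRESHOLD = 5                   # distinct accounts reset by one actor ...
BULK_WINDOW = timedelta(minutes=30)  # ... within this sliding window
ESCALATION_WINDOW = timedelta(minutes=60)
CORP_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed corporate range

# Constructed sample audit events (not real data). hd.* are help-desk admins.
SAMPLE_EVENTS = [
    {"ts": "2025-05-12T09:14:02Z", "actor": "hd.alice", "action": "mfa.reset",      "target": "u1001", "src_ip": "10.20.0.15"},
    {"ts": "2025-05-12T10:02:11Z", "actor": "hd.alice", "action": "password.reset", "target": "u1002", "src_ip": "10.20.0.15"},
    {"ts": "2025-05-12T11:30:45Z", "actor": "hd.bob",   "action": "mfa.reset",      "target": "u1003", "src_ip": "10.20.0.22"},
    {"ts": "2025-05-12T22:41:05Z", "actor": "hd.bob",   "action": "mfa.reset",      "target": "u1004", "src_ip": "203.0.113.9"},
    {"ts": "2025-05-12T22:43:10Z", "actor": "hd.bob",   "action": "mfa.reset",      "target": "u1005", "src_ip": "203.0.113.9"},
    {"ts": "2025-05-12T22:45:31Z", "actor": "hd.bob",   "action": "mfa.reset",      "target": "u1006", "src_ip": "203.0.113.9"},
    {"ts": "2025-05-12T22:47:50Z", "actor": "hd.bob",   "action": "mfa.reset",      "target": "u1007", "src_ip": "203.0.113.9"},
    {"ts": "2025-05-12T22:50:12Z", "actor": "hd.bob",   "action": "mfa.reset",      "target": "u1008", "src_ip": "203.0.113.9"},
    {"ts": "2025-05-12T23:05:44Z", "actor": "u1004",    "action": "role.grant",     "target": "u1009", "src_ip": "203.0.113.9"},
]

# Per-actor baseline of source addresses seen during a learning period (constructed).
KNOWN_IPS = {"hd.alice": {"10.20.0.15"}, "hd.bob": {"10.20.0.22"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def detect(events, known_ips=KNOWN_IPS):
    """Run the four detections over time-ordered events; return a list of findings."""
    findings = []
    resets = defaultdict(deque)  # actor -> deque of (ts, target) for recent resets
    bulk_alerted = set()         # actors already reported for bulk resets
    seen_src = set()             # (actor, ip) pairs already reported
    last_reset_of = {}           # target account -> ts of its most recent reset

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in PRIVILEGED:
            continue
        ts, actor, ip = parse_ts(ev["ts"]), ev["actor"], ev["src_ip"]

        # 1. Unusual hours: privileged action outside the business-hours window.
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append({"kind": "off_hours", "actor": actor, "ts": ev["ts"]})

        # 2. Unfamiliar source: off the corporate network and not in the actor's baseline.
        if not is_corporate(ip) and ip not in known_ips.get(actor, set()) and (actor, ip) not in seen_src:
            seen_src.add((actor, ip))
            findings.append({"kind": "unfamiliar_source", "actor": actor, "src_ip": ip})

        # 3. Rapid escalation: an account whose credentials were just reset is now
        #    itself performing a privileged change on another account.
        reset_ts = last_reset_of.get(actor)
        if reset_ts is not None and ts - reset_ts <= ESCALATION_WINDOW:
            findings.append({"kind": "reset_then_privilege", "actor": actor, "target": ev["target"], "ts": ev["ts"]})

        # 4. Bulk resets: one actor resets >= BULK_THRESHOLD distinct accounts within BULK_WINDOW.
        if ev["action"] in ("mfa.reset", "password.reset"):
            last_reset_of[ev["target"]] = ts
            q = resets[actor]
            q.append((ts, ev["target"]))
            while q and ts - q[0][0] > BULK_WINDOW:
                q.popleft()
            distinct = {t for _, t in q}
            if len(distinct) >= BULK_THRESHOLD and actor not in bulk_alerted:
                bulk_alerted.add(actor)
                findings.append({"kind": "bulk_reset", "actor": actor, "count": len(distinct), "ts": ev["ts"]})
    return findings


def summarise(findings):
    """Count findings per detection kind."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print(summarise(results))
```

Run as-is, the block produces ten findings against the constructed sample: six off-hours actions, two unfamiliar actor-and-source pairs, one bulk-reset alert against hd.bob when the fifth distinct account is reset inside thirty minutes, and one reset-then-privilege alert when u1004, reset twenty-five minutes earlier, grants a role to another account. In production the hours and source baselines would be learned per actor from the identity provider's audit log rather than hard-coded, and the bulk threshold tuned against the help-desk's real daily reset volume so that a Monday-morning password-reset queue does not page the SOC.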
Fifth, sustained help-desk staff training against the specific social-engineering techniques the cluster activity has documented: impersonation of employees to the help-desk (and of IT staff to employees), urgency and authority pretexts, and the request framed as a routine MFA reset or new-device enrolment. The training is operationally cheap and the awareness benefit substantial. The customer-portfolio programme work has been incorporating quarterly help-desk training-and-exercise cycles, including simulated social-engineering calls against the help-desk, as routine operational practice.
The wider strategic point. The post-MGM/Caesars and post-M&S environment has demonstrated that help-desk processes are, in 2025, structurally critical to customer-organisation defensive posture. The customer-organisation programme work that addresses the discipline produces measurable operational benefit. The customer organisations that under-invest in the discipline are exposed to a category of compromise that the broader cyber-defensive disciplines do not adequately address.
I will write more on this as the customer-organisation programme work continues to develop. The help-desk-process discipline is going to be a substantive customer-portfolio strategic theme through the rest of 2025 and beyond.