
Social Engineering Attacks Targeting MFA and Help Desks

📰 2 unique sources, 2 articles

Summary


Threat actors are increasingly using social engineering tactics to bypass traditional security measures. They target help desks to gain unauthorized access to networks through MFA resets and password overrides. This approach exploits human vulnerabilities and organizational weaknesses, bypassing technical defenses. The FBI has highlighted groups like Scattered Spider as prominent actors in these campaigns. In August 2023, Scattered Spider targeted Clorox, resulting in approximately $380 million in damages. The attack involved repeated phone calls to the service desk, obtaining resets without meaningful verification, and quickly gaining domain-admin access. The incident underscores the need for robust verification processes and effective communication between help desks and security teams. Organizations must rethink their help desk operations and training to mitigate these risks. Frontline staff need to recognize red flags and escalate suspicious requests. Cultural changes are necessary to prioritize security over speed, and ongoing, relevant training is essential. Effective communication between help desks and security teams can enhance detection and response to social engineering attempts.
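The help-desk pattern described above (repeated calls, resets granted without a recorded verification step, quick escalation to a privileged account) can be surfaced from ticket records so the help desk knows what to escalate to the security team. The following is an added example, not code from the page's sources; the ticket fields and the constructed sample tickets are hypothetical and not taken from any real ITSM product or from the Clorox incident.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


# Hypothetical help-desk ticket record; field names are constructed for this example.
@dataclass
class ResetTicket:
    ticket_id: str
    opened: datetime
    account: str
    channel: str        # how the request arrived: "phone", "chat", "portal"
    action: str         # "mfa_reset" or "password_reset"
    verified_by: str    # verification step the agent recorded; "" means none
    privileged: bool    # account holds admin or domain-level roles


REPEAT_WINDOW = timedelta(hours=24)   # window for counting repeat requests per account


def review_tickets(tickets):
    """Return {ticket_id: [reasons]} for reset tickets the help desk should escalate.

    Red flags follow the pattern in the summary: repeated requests for the same
    account, resets completed with no recorded verification, and phone-channel
    resets on privileged accounts.
    """
    findings = defaultdict(list)
    seen = defaultdict(list)          # account -> timestamps of earlier requests
    for t in sorted(tickets, key=lambda x: x.opened):
        prior = [ts for ts in seen[t.account] if t.opened - ts <= REPEAT_WINDOW]
        if prior:
            findings[t.ticket_id].append(
                f"repeat: {len(prior) + 1} reset requests for {t.account} within 24h")
        if not t.verified_by.strip():
            findings[t.ticket_id].append(
                "unverified: reset completed without a recorded verification step")
        if t.privileged and t.channel == "phone":
            findings[t.ticket_id].append(
                "privileged: phone-channel reset on an admin account needs out-of-band confirmation")
        seen[t.account].append(t.opened)
    return dict(findings)


# Constructed sample: four tickets from one morning (dates are made up).
SAMPLE = [
    ResetTicket("T1", datetime(2025, 1, 6, 9, 2), "jdoe", "phone", "mfa_reset", "callback to HR-listed number", False),
    ResetTicket("T2", datetime(2025, 1, 6, 9, 15), "svc-admin", "phone", "password_reset", "", True),
    ResetTicket("T3", datetime(2025, 1, 6, 9, 41), "svc-admin", "phone", "mfa_reset", "", True),
    ResetTicket("T4", datetime(2025, 1, 6, 10, 5), "asmith", "portal", "password_reset", "SSO re-authentication", False),
]

if __name__ == "__main__":
    for tid, reasons in review_tickets(SAMPLE).items():
        print(tid, "->", "; ".join(reasons))
```

Only T2 and T3 are flagged; T3 collects all three reasons because it is the second unverified phone reset on the same privileged account within the window.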

Timeline

  1. 21.08.2025 17:00 📰 2 articles

    FBI Alerts on Social Engineering Attacks Targeting Help Desks

    Recent alerts from the FBI have emphasized the increasing use of social engineering tactics by threat actors, particularly groups like Scattered Spider. These attacks target help desks to gain unauthorized access through MFA resets and password overrides. Organizations are advised to rethink their help desk operations, implement robust training, and foster a culture that prioritizes security over speed. Effective communication between help desks and security teams is essential for enhancing detection and response to these threats. In August 2023, Scattered Spider targeted Clorox, resulting in approximately $380 million in damages. The attack involved repeated phone calls to the service desk, obtaining resets without meaningful verification, and quickly gaining domain-admin access. The incident underscores the need for robust verification processes and effective communication between help desks and security teams.



Similar Happenings

APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign

The House Select Committee on China has issued a warning about ongoing cyber espionage campaigns by China-linked APT41 targeting U.S. trade officials and related organizations. The attacks involve phishing emails impersonating U.S. officials to steal sensitive information. The campaign coincides with contentious U.S.-China trade negotiations. The threat actors exploit software and cloud services to cover their tracks. The attacks aim to steal valuable data and gain unauthorized access to systems. The committee has noted similar tactics used in previous campaigns, including a January 2025 spear-phishing attempt targeting committee staffers. The FBI is investigating the ongoing cyber espionage campaign. APT41 has been known to conduct financially motivated activities in addition to state-sponsored espionage. The group has targeted various sectors, including logistics, utilities, healthcare, high-tech, and telecommunications. The committee recommends user awareness phishing training, mandatory multifactor authentication, FIDO keys, and appropriate email gateway and endpoint security tools to mitigate such attacks.

Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns

Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.

Wealthsimple data breach exposes personal information of less than 1% of customers

Wealthsimple, a Canadian financial services firm, disclosed a data breach affecting less than 1% of its customers. Attackers accessed personal data, including contact details, government IDs, financial details, and Social Insurance Numbers. The breach occurred due to a compromised third-party software package. Wealthsimple confirmed that no funds were stolen and that customer accounts remain secure. The incident was detected on August 30, 2025. Affected customers are being offered two years of complimentary credit monitoring, dark-web monitoring, identity theft protection, and insurance. Wealthsimple advised customers to enable two-factor authentication (2FA) and remain vigilant against phishing attempts. The firm clarified that the breach is not related to the recent Salesforce data theft campaign.

Ransomware Attacks on U.S. State and Local Governments Escalate Amid Federal Budget Cuts

State and local governments in the U.S. are facing increased ransomware attacks, exacerbated by federal budget cuts and reduced support from federal agencies. Recent high-profile incidents include attacks on Nevada and St. Paul, Minn., highlighting vulnerabilities due to limited resources and expertise. The attacks underscore the need for enhanced cybersecurity measures and federal aid to protect critical infrastructure. The attacks on Nevada and St. Paul are part of a broader trend targeting smaller government entities, which often lack the resources and expertise to defend against sophisticated cyber threats. Federal budget cuts have further weakened these entities, making them more susceptible to attacks. The incidents have led to service outages and data theft, emphasizing the need for improved cybersecurity practices and federal support.

Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957

A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and private cloud editions of SAP S/4HANA. The exploit can result in unauthorized modification of the SAP database, creation of superuser accounts, and theft of password hashes. Organizations are advised to apply patches immediately and monitor for suspicious activity. The vulnerability was fixed by the vendor on August 11, 2025, but several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug. SecurityBridge discovered the vulnerability and reported it to SAP on June 27, 2025, and even assisted in the development of a patch. SecurityBridge and Pathlock have confirmed active exploitation of the vulnerability. The patch for CVE-2025-42957 is relatively easy to reverse engineer, and successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Organizations are urged to implement additional security measures, such as SAP's Unified Connectivity framework (UCON), to restrict RFC usage and monitor logs for suspicious activity.