Service Desk Social Engineering Enables Enterprise Account Compromise via Password Reset
Summary
Threat actors impersonated a Marks & Spencer (M&S) employee to a third-party service desk in April 2025, convincing agents to perform a password reset that bypassed multi-factor authentication (MFA). This granted initial access, enabling subsequent Active Directory credential theft, lateral movement, and ransomware deployment that disrupted national operations for five days, resulting in estimated daily losses of £3.8 million ($5.1 million).
Timeline
- 23.04.2026 17:10 · 1 article
M&S Enterprise Compromise Initiated via Third-Party Service Desk Password Reset
In April 2025, attackers impersonated an M&S employee to a third-party service desk, requesting a password reset that bypassed MFA and provided initial access. This enabled credential theft from Active Directory’s NTDS.dit file, offline hash cracking, lateral movement, and eventual ransomware deployment that disrupted national operations.
- Regular Password Resets Aren’t as Safe as You Think — www.bleepingcomputer.com — 23.04.2026 17:10
Information Snippets
- Initial access occurred via a social engineering call to a third-party service desk, where attackers convinced agents to reset a legitimate employee’s password, bypassing MFA.
  First reported: 23.04.2026 17:10 · 1 source, 1 article
  - Regular Password Resets Aren’t as Safe as You Think — www.bleepingcomputer.com — 23.04.2026 17:10
- Post-compromise, attackers extracted the NTDS.dit file from Active Directory to obtain password hashes for all domain users.
  First reported: 23.04.2026 17:10 · 1 source, 1 article
  - Regular Password Resets Aren’t as Safe as You Think — www.bleepingcomputer.com — 23.04.2026 17:10
- Attackers cracked the NTDS.dit hashes offline to recover additional credentials, enabling privilege escalation and lateral movement.
  First reported: 23.04.2026 17:10 · 1 source, 1 article
  - Regular Password Resets Aren’t as Safe as You Think — www.bleepingcomputer.com — 23.04.2026 17:10
- Ransomware was deployed after several weeks of escalating access, encrypting systems supporting payments, e-commerce, and logistics, forcing M&S to suspend online sales.
  First reported: 23.04.2026 17:10 · 1 source, 1 article
  - Regular Password Resets Aren’t as Safe as You Think — www.bleepingcomputer.com — 23.04.2026 17:10
- The threat actor group Scattered Spider has been linked to this intrusion.
  First reported: 23.04.2026 17:10 · 1 source, 1 article
  - Regular Password Resets Aren’t as Safe as You Think — www.bleepingcomputer.com — 23.04.2026 17:10
- A single password reset request processed without rigorous identity verification was sufficient to enable full enterprise compromise.
  First reported: 23.04.2026 17:10 · 1 source, 1 article
  - Regular Password Resets Aren’t as Safe as You Think — www.bleepingcomputer.com — 23.04.2026 17:10