Vishing → helpdesk MFA reset → account takeover
Pose as a panicked employee locked out before a meeting. Helpdesk resets MFA based on partial PII (employee ID + date of birth from LinkedIn). Attacker registers their own factor.
§ Context
Assumed environment: target's helpdesk handles MFA resets over phone with weak identity proofing (no callback, no manager approval). Attacker has open-source PII from LinkedIn / breaches.
§ Steps
- 01 Authenticate to corporate portal (Initial Access) — T1078 Valid Accounts
- 02 Register attacker MFA device (Persistence) — T1098 Account Manipulation
- 03 Collect PII (LinkedIn, Hunter, breaches) (Reconnaissance) — W-RECON-GITHUB-DORK GitHub / GitLab Dorking
- 04 Call helpdesk, vishing pretext (Initial Access) — SE-VISHING Vishing (Voice Phishing)
- 05 Spoof internal phone number / caller ID (Initial Access) — SE-PRETEXT Pretexting
- 06 Convince agent to reset MFA (Credential Access) — SE-HELPDESK-RESET Helpdesk Social Engineering — MFA / Password Reset
§ References
- T1078 — Valid Accounts
- T1098 — Account Manipulation
§ Frequently asked
- What is the "Vishing → helpdesk MFA reset → account takeover" attack path?
- Pose as a panicked employee locked out before a meeting. Helpdesk resets MFA based on partial PII (employee ID + date of birth from LinkedIn). Attacker registers their own factor. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Authenticate to corporate portal (T1078) — an initial-access primitive. Assumed environment: the target's helpdesk handles MFA resets over the phone with weak identity proofing (no callback, no manager approval).
- What is the final impact of this kill-chain?
- The final step lands on Convince agent to reset MFA (SE-HELPDESK-RESET), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
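The control that breaks this path is at steps 04–06: the helpdesk agent accepting partial PII as proof of identity, followed by the attacker enrolling a factor on a device the user has never used. A defender can catch the tail end of that sequence by correlating helpdesk reset tickets with the MFA-enrolment and sign-in events that follow them. The script below is an added example written for this page, not code from the dossier or from any vendor; the event schema (`helpdesk_mfa_reset`, `mfa_factor_enrolled`, `login_success`, the `device_id` and `verification` fields) and the sample events are constructed assumptions standing in for whatever the identity provider and ticketing system actually emit.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page). Two helpdesk-driven MFA resets:
# one with weak proofing followed by enrolment from a never-seen device, one with
# strong proofing followed by enrolment from the user's known laptop.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:02:00", "type": "helpdesk_mfa_reset", "user": "alice",
     "ticket": "HD-1001", "verification": "employee_id+dob"},
    {"ts": "2024-03-01T09:10:00", "type": "mfa_factor_enrolled", "user": "alice",
     "factor": "push", "ip": "203.0.113.77", "device_id": "dev-unknown-9f"},
    {"ts": "2024-03-01T09:11:00", "type": "login_success", "user": "alice",
     "ip": "203.0.113.77", "device_id": "dev-unknown-9f"},
    {"ts": "2024-03-01T10:00:00", "type": "helpdesk_mfa_reset", "user": "bob",
     "ticket": "HD-1002", "verification": "callback+manager_approval"},
    {"ts": "2024-03-01T10:05:00", "type": "mfa_factor_enrolled", "user": "bob",
     "factor": "totp", "ip": "198.51.100.10", "device_id": "dev-bob-laptop"},
    {"ts": "2024-03-01T10:06:00", "type": "login_success", "user": "bob",
     "ip": "198.51.100.10", "device_id": "dev-bob-laptop"},
]

# Per-user baseline of device identifiers seen before the reset (constructed).
KNOWN_DEVICES = {"alice": {"dev-alice-laptop"}, "bob": {"dev-bob-laptop"}}

# Proofing methods the policy treats as adequate (hypothetical labels).
STRONG_VERIFICATION = {"callback+manager_approval", "in_person", "video_id_check"}


def find_suspicious_resets(events, known_devices, window=timedelta(hours=2)):
    """Return one finding per helpdesk MFA reset that is followed, within
    `window`, by factor enrolment or sign-in from a device the user has never
    used. Each finding records the proofing method so the analyst sees
    immediately whether the reset itself met policy."""
    findings = []
    for reset in (e for e in events if e["type"] == "helpdesk_mfa_reset"):
        t0 = datetime.fromisoformat(reset["ts"])
        reasons = []
        for e in events:
            if e["user"] != reset["user"]:
                continue
            if e["type"] not in ("mfa_factor_enrolled", "login_success"):
                continue
            t = datetime.fromisoformat(e["ts"])
            if not (t0 <= t <= t0 + window):
                continue
            if e["device_id"] not in known_devices.get(e["user"], set()):
                minutes = int((t - t0).total_seconds() // 60)
                reasons.append(
                    f"{e['type']} from unknown device {e['device_id']} "
                    f"({e['ip']}) {minutes} min after reset"
                )
        if reasons:
            findings.append({
                "user": reset["user"],
                "ticket": reset["ticket"],
                "weak_proofing": reset["verification"] not in STRONG_VERIFICATION,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resets(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f["ticket"], f["user"], "weak proofing" if f["weak_proofing"] else "", *f["reasons"], sep="\n  ")
```

The correlation window and the "known device" baseline are the two tunables: a short window catches the operator who enrols a factor minutes after the call, while the baseline keeps legitimate resets on the user's usual laptop quiet. The `weak_proofing` flag is what feeds the preventive fix: any ticket closed without callback or manager approval is a policy breach regardless of what follows it.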
§ Related dossiers
- Shared techniques: 4
Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)
Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin, get MFA reset. Sign in, plant attacker MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.
- Shared techniques: 2
Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- Shared techniques: 2
Apple Pay Express Transit relay → high-value contactless fraud
Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.
- Shared techniques: 2
Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)
Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
- Shared techniques: 2
Build-system implant → signed supply-chain backdoor (SolarWinds-class)
Compromise the target vendor's build server. A small implant rewrites a single source file at compile time — every official signed release downstream now ships the backdoor.
- Shared techniques: 2
Insider admin panel coercion → mass account takeover (Twitter 2020)
Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.