The call that started everything
The detail about the M&S breach that sticks with me is not the ransomware or the £300 million in lost profit or the forty-six days of no online orders. It is the entry point. Someone called the third-party IT service desk that supported Marks & Spencer, impersonated a senior employee, answered the verification questions correctly, and convinced the agent to reset credentials. No malware, no exploit, no technical vulnerability. Just a phone call.
Everything after that, the lateral movement through Active Directory, the deployment of DragonForce ransomware, the operational shutdown that became the most expensive retail social engineering incident of the year, followed from a conversation that lasted a few minutes. M&S’s chairman described it as “sophisticated impersonation… they didn’t just walk up and say, ‘Will you change my password?’ They appeared as somebody with their details.” And that is the part worth paying attention to, because the sophistication was not in the call itself. It was in the preparation.
What the dark web provides
If you are wondering where the caller got the details that made it work, the answer is probably less surprising than it should be.
Our dark web monitoring consistently surfaces the raw material that makes help desk impersonation possible. Employee names and job titles scraped from LinkedIn and corporate directories. Email addresses and phone numbers from prior data breaches. Old credentials that establish familiarity with internal systems. Fragments of HR data, organizational charts, even help desk scripts and verification procedures are shared in underground forums and encrypted channels. None of these fragments is particularly dangerous on its own. Combined, they give an attacker everything they need to pass a standard verification call, and those facts are available for purchase or scraping more often than most organizations would like to admit.
This connects to what I wrote about last time. The same dark web ecosystem that processes stealer logs and trades in credentials also circulates the identity fragments that enable impersonation. Different delivery mechanism, same infrastructure behind it.
It is not always about ransomware
The M&S case is dramatic because the downstream impact was ransomware, and the effects were visible for months. But what concerns me more is the quieter version of the same attack.
Okta Threat Intelligence has been tracking a cluster of financially motivated activity they call O-UNC-034, active since at least August 2025. The playbook is essentially the same: call the help desk, impersonate an employee, get a password reset, enroll a new MFA device. But the objective is not ransomware or data exfiltration. It is payroll diversion. The attackers pivot to HR and payroll applications like Workday, Dayforce, and ADP, and they change the banking details associated with the compromised employee’s account. The next paycheck goes to the attacker.
This version is harder to detect because there is no ransomware deployment to trigger an alert, no mass data exfiltration to spike network traffic. Just a reset event followed by a login, an MFA enrollment, and a small change to a payroll record. Palo Alto Networks’ Unit 42 documented an incident where an attacker went from help desk impersonation to domain administrator in under forty minutes, without deploying any malware at all. Endpoint detection had nothing to flag.
Why the phone call is winning
Mandiant’s M-Trends 2026 report found that email phishing dropped to just 6% of confirmed initial access methods in 2025. Vishing rose to 11%, and in cloud compromises it reached 23%. The phone call is more labor-intensive per attempt, but the conversion rate is higher, and the access it provides is harder to detect because it comes through a legitimate process. A help desk call produces a real password reset event, a real MFA enrollment, a real login, all appearing in logs as normal administrative activity.
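The chain described above (a help desk reset, then an MFA enrollment, a login and a payroll record change) is invisible to endpoint tooling but visible to anyone who correlates identity and HR logs by user. The following is an added example, not code from the original post or from any vendor mentioned here, that joins constructed events from three assumed sources (`helpdesk`, `idp`, `payroll`) and flags users whose reset is followed by the rest of the chain inside a time window. Event names, field names and the sample records are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # assumed sources: "helpdesk", "idp", "payroll"
    kind: str     # assumed kinds: "password_reset", "mfa_enroll", "login", "bank_change"
    user: str


def _t(hhmm: str, day: int = 1) -> datetime:
    # Helper to build constructed timestamps in a fixed month.
    return datetime.strptime(f"2025-09-{day:02d} {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample events (not real logs). alice shows the full chain,
# bob is a normal reset, carol enrols MFA with no reset, dave's bank change
# happens days later and so falls outside the window.
SAMPLE_EVENTS = [
    Event(_t("09:00"), "helpdesk", "password_reset", "alice"),
    Event(_t("09:05"), "idp", "mfa_enroll", "alice"),
    Event(_t("09:07"), "idp", "login", "alice"),
    Event(_t("09:20"), "payroll", "bank_change", "alice"),
    Event(_t("10:00"), "helpdesk", "password_reset", "bob"),
    Event(_t("10:10"), "idp", "login", "bob"),
    Event(_t("11:00"), "idp", "mfa_enroll", "carol"),
    Event(_t("08:00"), "helpdesk", "password_reset", "dave"),
    Event(_t("08:03"), "idp", "mfa_enroll", "dave"),
    Event(_t("08:04"), "idp", "login", "dave"),
    Event(_t("08:00", day=4), "payroll", "bank_change", "dave"),
]

# Expected order of the impersonation chain after the help desk reset.
CHAIN = ("password_reset", "mfa_enroll", "login", "bank_change")


def find_impersonation_chains(events, window=timedelta(hours=24)):
    """Return one alert per help desk reset that is followed, in order and
    within `window`, by further steps of CHAIN for the same user.

    severity "high": the whole chain completed (payroll bank change seen).
    severity "medium": reset followed by a new MFA enrollment, no bank change yet.
    Resets followed only by a login produce no alert.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start.source != "helpdesk" or start.kind != "password_reset":
                continue
            chain = [start]
            step = 1
            for e in evs[i + 1:]:
                if e.ts - start.ts > window:
                    break
                if e.kind == CHAIN[step]:
                    chain.append(e)
                    step += 1
                    if step == len(CHAIN):
                        break
            if step == len(CHAIN):
                severity = "high"
            elif step >= 2:
                severity = "medium"
            else:
                continue
            alerts.append({
                "user": user,
                "severity": severity,
                "minutes": int((chain[-1].ts - start.ts).total_seconds() // 60),
                "chain": [f"{e.source}:{e.kind}" for e in chain],
            })
    return alerts


if __name__ == "__main__":
    for a in find_impersonation_chains(SAMPLE_EVENTS):
        print(a)
```

The useful design point is that the alert keys on the help desk reset as the start of the sequence, so a legitimate employee who simply enrols a new phone, or who is reset and then logs in, does not fire; only the reset plus new MFA factor (medium) or the complete path to a payroll change (high) does. In a real deployment the three feeds would come from the service desk ticketing system, the identity provider's system log and the HR application's audit trail.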
There is a structural reason this keeps working. Many of the help desks being targeted are outsourced to managed service providers operating under SLAs that prioritize ticket resolution speed. The M&S service desk was run by TCS. An outsourced agent has no personal relationship with the employees they support, cannot recognize a voice, and follows whatever verification script the client has provided. If the caller has the right answers, and they will if they have done their dark web homework, there is no secondary signal to trigger suspicion. The agent’s professional incentive is to help. The attacker’s strategy is to be someone who needs help.
Okta’s own analysis makes this point directly: outsourced service desk professionals “are highly incentivized around how responsive they are to client needs. In doing so, they are highly vulnerable to a skilled social engineer who impersonates a senior figure in a client organization.” That is not a failure of training. It is a failure of process design.
Wrapping Up
Help desk social engineering succeeds because it exploits a process that was designed to be helpful. The verification questions are answerable with data that is routinely available on the dark web. The outsourced service model optimizes for speed over skepticism. And the downstream access, whether it leads to ransomware, business email compromise, or a quiet payroll redirect, passes through legitimate channels that most detection tools are built to trust.
For defenders, the useful response is layered: remove the ability for front-line agents to reset passwords or MFA for privileged accounts without a secondary approval workflow, require phishing-resistant authentication like FIDO2 that cannot be socially engineered, and monitor for the dark web exposure that makes the impersonation convincing in the first place. The help desk was designed to be the front door for employees who need help. Attackers have noticed, and they are very polite when they call.
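The first of the layered controls above, taking single-agent resets for privileged accounts out of the front-line workflow, is a process rule and can be written down as one. The following is an added example and not code from the original post or from any help desk product: a small policy gate that decides whether a reset request may proceed, must be escalated for a second approval, or is refused outright. The privileged group names, verification method labels and the threshold of one second-line approval are assumptions chosen for illustration; an organization would substitute its own.

```python
from dataclasses import dataclass

# Assumed names of groups whose members count as privileged for reset purposes.
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Payroll Admins", "Service Desk Admins"})

# Assumed labels for how the agent verified the caller.
KBQ = "knowledge_questions"          # answers drawn from data that may already be exposed
CALLBACK = "callback_directory_number"  # agent calls back the number on file, not the caller's
MANAGER = "manager_confirmed"        # line manager confirms via a separate channel


@dataclass(frozen=True)
class ResetRequest:
    target_user: str
    groups: frozenset       # directory groups of the target account
    action: str             # "password_reset" or "mfa_reset"
    verification: frozenset  # set of verification labels the agent completed
    approvals: int = 0      # number of second-line approvals already recorded


def evaluate(req: ResetRequest):
    """Return (decision, reasons). decision is "allow", "escalate" or "deny".

    Rules (assumed policy):
      1. Knowledge-based questions on their own never authorize a reset.
      2. An MFA reset needs a callback to the directory number plus manager confirmation.
      3. Any reset on a privileged account needs at least one second-line approval.
    """
    reasons = []
    if req.verification <= {KBQ}:
        reasons.append("verification relied on knowledge questions only")
        return "deny", reasons

    if req.action == "mfa_reset":
        missing = {CALLBACK, MANAGER} - req.verification
        if missing:
            reasons.append("mfa_reset requires " + ", ".join(sorted(missing)))

    if req.groups & PRIVILEGED_GROUPS and req.approvals < 1:
        reasons.append("privileged account requires second-line approval")

    return ("escalate", reasons) if reasons else ("allow", reasons)


# Constructed requests, not real tickets.
ROUTINE = ResetRequest("jsmith", frozenset({"Staff"}), "password_reset", frozenset({CALLBACK}))
KBQ_ONLY = ResetRequest("jsmith", frozenset({"Staff"}), "password_reset", frozenset({KBQ}))
ADMIN_MFA = ResetRequest("adm-lee", frozenset({"Domain Admins"}), "mfa_reset",
                         frozenset({KBQ, CALLBACK}))
ADMIN_MFA_OK = ResetRequest("adm-lee", frozenset({"Domain Admins"}), "mfa_reset",
                            frozenset({CALLBACK, MANAGER}), approvals=1)


if __name__ == "__main__":
    for r in (ROUTINE, KBQ_ONLY, ADMIN_MFA, ADMIN_MFA_OK):
        print(r.target_user, r.action, evaluate(r))
```

The gate encodes the point made earlier in the post: correct answers to verification questions are not evidence of identity when those answers circulate on the dark web, so they are never sufficient on their own, and the actions that hand over a new MFA factor or touch a privileged account are moved out of the single-agent path regardless of how convincing the caller is.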
What to read next
- How ShinyHunters Breached 400 Companies by Impersonating Them How vishing at industrial scale works: ShinyHunters called employees at hundreds of organizations, directing them to credential harvesting pages built to replicate internal SSO portals.
- How the M&S Breach Became a Market Share Event The business impact side of the M&S breach: what happens to your customers and revenue when social engineering takes your systems down for four months.
- The $500 Purchase That Starts Every Ransomware Attack The economics of initial access brokerage, and the 23-to-36-day window between a stolen credential appearing on a dark web market and a ransomware deployment.
Signal & Noise publishes monthly. If a finding from our dark web monitoring or threat research made Ryan pause, it will probably end up here.