SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers

Why service desks are emerging as a critical security weakness

Sun, 3rd May 2026
Christopher Hills, Chief Security Strategist, BeyondTrust

Service desks sit at the frontline of modern enterprise IT, tasked with keeping staff productive and systems running.

Yet, as organisations double down on identity-based security, these same help functions are increasingly being exploited as a backdoor for cyber attackers.

The very processes designed to assist employees, such as password resets, device enrolment, and access troubleshooting, are being manipulated to bypass even the most robust cyber defences. In an era where identity is the new perimeter, the service desk is fast becoming a high-value target.

Social engineering

Attackers no longer need to break into systems when they can simply talk their way in. Social engineering, particularly through voice phishing or "vishing", has evolved into a highly effective tactic against service desk staff, and now includes using trusted sources and leveraging LinkedIn's messaging feature.

Armed with basic information gathered from public sources, past data breaches, or even casual conversations, attackers impersonate employees or contractors. Their objective is simple: convince a service desk agent to reset credentials, enrol a new multi-factor authentication (MFA) device, or override standard controls.

Tactics can be surprisingly low-tech. Attackers often exploit internal phone systems by calling public-facing numbers and requesting to be transferred to the service desk, sometimes masquerading as employees who have dialled incorrectly. In certain cases, these calls are routed internally, lending them an air of legitimacy that reduces suspicion.

Privileged access magnifies risk

If social engineering provides the entry point, privileged access determines the scale of the damage.

Service desk staff typically hold broad permissions across multiple systems, enabling them to resolve issues quickly.

However, this access also makes them an attractive target. Compromising a single service desk identity can, in some environments, provide a pathway to the entire organisation.

The widespread use of virtual private networks (VPNs) exacerbates the problem. A compromised service desk credential may allow attackers to log in remotely with elevated privileges, effectively granting them a foothold inside the corporate network.

Phishing attacks are also becoming more sophisticated. Adversary-in-the-middle techniques, for example, insert convincing fake login pages between users and legitimate services. These attacks capture not only credentials but also session tokens, allowing attackers to bypass MFA altogether.

The risks multiply further in organisations that outsource support functions. A breach involving a third-party service desk provider can potentially affect multiple clients simultaneously, creating a cascading impact across businesses.

Impersonating IT

Attackers are not just targeting service desks but are also impersonating them. Posing as IT support staff, cyber criminals contact employees directly, often citing suspicious activity or urgent system issues.

They then instruct users to install software, run commands, or share sensitive information.

Because employees are conditioned to trust IT support, these scams can be highly effective. Even organisations with advanced endpoint detection tools remain vulnerable, as attackers frequently use legitimate remote access software to avoid raising alarms.

Once inside a device, attackers can move laterally across networks, create new user accounts, or establish persistent backdoors - all while operating under the guise of authorised activity.

The dangers of standing privilege

At the heart of the issue lies a structural challenge: service desks require elevated access to function efficiently. However, this necessity often leads to excessive and poorly managed privileges.

Many organisations grant service desk staff continuous, high-level access rather than limiting it to specific tasks or timeframes. This so-called "standing privilege" significantly increases the window of opportunity for attackers.

Compounding the problem is the widespread use of shared accounts and simple credentials, often adopted to speed up ticket resolution. While convenient, these practices undermine accountability and make it difficult to track who performed specific actions.

Visibility is another persistent challenge. In complex IT environments with multiple systems and platforms, security teams often struggle to map who has access to what.

This lack of clarity can conceal indirect pathways to elevated privileges, allowing attackers to escalate access without detection.

Rethinking service desk security

Addressing these vulnerabilities requires a fundamental shift in how organisations approach service desk operations.

A key priority is the adoption of least privilege principles, ensuring that users only have access to the systems and data they need, and only for the duration required. Reducing standing privileges can dramatically limit the potential impact of a compromised account.

Organisations are also being urged to rethink remote access strategies. Moving away from traditional VPNs towards more controlled, session-based access models can help reduce exposure.

Stronger identity verification is another critical measure. Static security questions are no longer sufficient. Instead, organisations should implement dynamic verification methods and phishing-resistant authentication technologies, particularly for high-risk roles such as service desk staff.

Also, real-time monitoring of high-risk activities, such as credential resets or MFA changes for privileged accounts, can provide an early warning of potential attacks.
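
The monitoring described above can be expressed as a simple correlation rule. The following is an added example, not code from the article or from any vendor: it flags credential resets and MFA enrolments on privileged accounts and raises the severity when both hit the same account within a short window. The event field names, account names, and the 30-minute window are assumptions, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events; field names are assumptions, not a real product schema.
SAMPLE_EVENTS = """\
{"ts": "2026-05-01T09:00:00", "action": "password_reset", "actor": "sd-agent1", "target": "jsmith", "target_privileged": false}
{"ts": "2026-05-01T09:05:00", "action": "password_reset", "actor": "sd-agent2", "target": "adm-lee", "target_privileged": true}
{"ts": "2026-05-01T09:12:00", "action": "mfa_enrol", "actor": "sd-agent2", "target": "adm-lee", "target_privileged": true}
{"ts": "2026-05-01T11:00:00", "action": "mfa_enrol", "actor": "sd-agent1", "target": "adm-kim", "target_privileged": true}
{"ts": "2026-05-01T11:30:00", "action": "login", "actor": "adm-kim", "target": "adm-kim", "target_privileged": true}
"""

HIGH_RISK = {"password_reset", "mfa_enrol"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def detect(lines):
    """Alert on high-risk changes to privileged accounts ('medium'), and mark
    'high' when a reset and an MFA enrolment hit one account within WINDOW."""
    alerts = []
    recent = {}  # target account -> list of (timestamp, action) already seen
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["action"] not in HIGH_RISK or not ev.get("target_privileged"):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        history = recent.setdefault(ev["target"], [])
        # A different high-risk action on the same account inside the window
        paired = any(a != ev["action"] and abs(ts - t) <= WINDOW for t, a in history)
        history.append((ts, ev["action"]))
        alerts.append({
            "severity": "high" if paired else "medium",
            "target": ev["target"],
            "actor": ev["actor"],
            "action": ev["action"],
            "ts": ev["ts"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
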

For organisations navigating an increasingly complex threat landscape, the message is clear. Service desk security can no longer be treated as an afterthought but must be embedded within a broader identity security strategy that prioritises visibility, control and resilience.