The help-desk call that reset the attacker's MFA
The fastest way past MFA is often a phone call. Convince the service desk you are a locked-out employee and they enroll the attacker's device. Here is the social-engineering path behind major breaches, and the fix.
The most reliable way past multi-factor authentication in the last few years was not a zero-day. It was a polite phone call.
What it is
When an employee is locked out, the help desk can reset their password and re-enroll MFA. An attacker who gathers enough personal and employment detail contacts the service desk impersonating that employee, walks the agent through a reset, and enrolls their own device as the new MFA factor, then signs in with credentials the identity provider treats as fully valid. This human path is behind several major intrusions. It maps to T1556 (modify authentication process) with T1098.005 (device registration) and T1660.
Why it works
It targets the process and the person, not the technology, and a successful reset hands over a fully valid, MFA-backed login with no exploit to detect. Help-desk staff are measured on being fast and helpful, so the incentive favours resolving the call over challenging the caller.
How to detect it
Look for MFA re-enrollment shortly before access from a new device or location, a spike in reset requests, and resets that skipped strong verification. Correlate help-desk tickets with sign-in anomalies so that a reset ticket and a first-seen device on the same account within hours surface as one event rather than two unrelated log lines.
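As an added illustration of that correlation (example code, not part of the original post or of GraphLattice), here is a small Python correlator run over constructed help-desk and identity-provider events; the field names, the 24-hour window and the set of "strong" verification methods are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry; field names are assumptions.
MFA_RESETS = [  # help-desk driven MFA re-enrollments
    {"user": "j.doe", "ts": "2024-05-02T09:14:00", "ticket": "HD-1001", "verification": "manager_approval"},
    {"user": "a.lee", "ts": "2024-05-02T10:02:00", "ticket": "HD-1002", "verification": "caller_answered_questions"},
]
SIGN_INS = [  # identity-provider sign-in events after the resets
    {"user": "j.doe", "ts": "2024-05-02T09:40:00", "device": "dev-known-1", "country": "DE", "app": "mail"},
    {"user": "a.lee", "ts": "2024-05-02T10:25:00", "device": "dev-new-77", "country": "NL", "app": "vpn"},
]
KNOWN_DEVICES = {"j.doe": {"dev-known-1"}, "a.lee": {"dev-known-2"}}  # assumed device inventory
STRONG_VERIFICATION = {"manager_approval", "video_verification", "trusted_channel"}
SENSITIVE_APPS = {"vpn", "admin-console"}


def correlate(resets, sign_ins, known_devices, window=timedelta(hours=24)):
    """Alert when an MFA re-enrollment is followed within `window` by a sign-in
    from a device the user has never used. Weak help-desk verification and
    access to a sensitive app are carried along as extra triage signals."""
    alerts = []
    for r in resets:
        r_ts = datetime.fromisoformat(r["ts"])
        for s in sign_ins:
            if s["user"] != r["user"]:
                continue
            s_ts = datetime.fromisoformat(s["ts"])
            if not (r_ts <= s_ts <= r_ts + window):
                continue
            if s["device"] in known_devices.get(r["user"], set()):
                continue  # known device: the reset was probably the real employee
            alerts.append({
                "user": r["user"], "ticket": r["ticket"], "device": s["device"],
                "weak_verification": r["verification"] not in STRONG_VERIFICATION,
                "sensitive_access": s["app"] in SENSITIVE_APPS,
                "minutes_after_reset": int((s_ts - r_ts).total_seconds() // 60),
            })
    return alerts


def reset_spike(resets, baseline_per_hour=3):
    """Flag clock hours with more help-desk MFA resets than the assumed baseline."""
    counts = Counter(datetime.fromisoformat(r["ts"]).strftime("%Y-%m-%dT%H") for r in resets)
    return {hour: n for hour, n in counts.items() if n > baseline_per_hour}


if __name__ == "__main__":
    for a in correlate(MFA_RESETS, SIGN_INS, KNOWN_DEVICES):
        print(a)
```

In the sample data only a.lee trips the rule: the reset was verified by security questions alone and a never-seen device reached the VPN 23 minutes later, while j.doe's reset was followed by a known device and stays quiet.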
The fix that holds
Require strong identity proofing for resets (manager approval, video verification, or a separate trusted channel), restrict who can reset privileged accounts, log and review every MFA re-enrollment, and alert on new-device enrollment followed by sensitive access. Train the help desk on this exact attack.
Practice it
We built a help-desk MFA-reset scenario in GraphLattice Range so teams rehearse the call, the verification, and the detection together.