Key Takeaways
- Help desk social engineering is now a primary entry point, with vishing (voice phishing) attacks rapidly increasing and leading to credential compromise.
- Non-human identities like service accounts and tokens are a major security blind spot, often unmanaged and heavily exploited for lateral movement.
- Active Directory (AD) is a high-value target because of its centralized control and potential misconfigurations.
- Prevention alone is insufficient; organizations need strong detection and rapid recovery capabilities to limit damage.
- Immediate operational actions – like auditing accounts and correlating help desk activity with identity changes – can significantly reduce risk.
AD remains a primary target for attackers because it sits at the center of enterprise identity. Recent research shows that 67% of incidents now involve identity-related compromise, with attackers going after critical systems like AD within hours of initial access. Once compromised, recovery can take days or weeks – causing significant business disruption.
The question worth asking isn’t whether AD is a target. It’s how attackers get there – and why the path is so much shorter than security teams might expect.
3 Steps to Full Compromise
Adversary groups like ShinyHunters and Scattered Spider have turned social engineering into a production operation. Voice phishing – vishing – jumped 449% in 2025. Callers are recruited, scripted, and paid up to $1,000 depending on success and hit rate.
That means an attack can begin with a single step: get the help desk to reset a password or change a multi-factor authentication (MFA) method. That’s it.
From that single credential, the attacker moves laterally into cloud and virtualized environments. They harvest OAuth tokens, create new administrative service accounts, and bury their access in machine credentials. These non-human identities – service accounts, API keys, tokens – now outnumber human users 144 to 1. Sprawl and operational overhead make rotation and audit difficult.
That lateral movement has a destination: Active Directory.
AD Is the Target
AD is the central nervous system of enterprise identity. Control it and you control everything – user accounts, group policies, and access to every domain-joined system in the network. The reason it’s so attractive to attackers – and so difficult to defend – is structural. By default, any authenticated user can read most of the directory, which is all an attacker needs to map a path to domain admin. Every domain-joined system inherits trust from it.
Group Policy Objects linked at the domain root can be weaponized to disable security controls outright. Legacy protocols left enabled for application compatibility give attackers well-understood paths in. Microsoft’s own documentation says that “most identity attacks utilize common misconfigurations in Active Directory.”
When an attacker reaches AD, they don’t need to force entry. The door is usually open.
Prevention Is Necessary but Not Sufficient
The standard security stack – MFA, endpoint detection, email filtering – is built around human behavior. It wasn’t designed to govern the machine identity layer or to detect the kind of slow, legitimate-looking privilege escalation that characterizes modern AD attacks. An attacker who moves from a compromised human account to a service account to a domain administrator over 72 hours may never trigger a single alert.
This is why the conversation must shift from prevention-first to recovery-first.
Prevention still matters. Least-privilege access, auditing AD changes, hardening default configurations, disabling inactive accounts – these can help reduce the attack surface. But given that half of organizations have already experienced an AD attack, designing only for prevention means designing to fail.
True identity resilience requires the ability to detect unauthorized privilege escalations in near real time, roll back malicious changes before they propagate, and restore the identity environment to a known-trusted state quickly – not in days or weeks, but fast enough to contain the blast radius. That means treating AD and the non-human identity layer as Tier 0 assets, with the same governance and recovery investment you’d apply to any other mission-critical system.
What To Do Right Now for Identity Resilience
The gap between where most organizations are and where they need to be on identity resilience is real. But it’s closeable. The immediate priorities are unglamorous and operational:
- Audit what’s in your AD.
- Find the accounts that shouldn’t still exist.
- Rotate the credentials that haven’t been touched in years.
- Correlate help desk activity against token- and account-creation events.
A help desk interaction followed by an MFA reset followed by a new service account is a high-confidence attack signal – and it’s detectable if you’re looking for it.
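The audit steps above and the help desk → MFA reset → new service account signal, as an added example that is not code from this post or from Commvault. It assumes an account export carrying the raw AD attributes (userAccountControl, pwdLastSet, lastLogonTimestamp) and an event feed flattened to dicts with ISO-8601 timestamps; the event type names, the sample accounts and the sample events are constructed for the example.

```python
# Added example (not from the post or from Commvault): two checks from the
# list above, run over constructed data. Assumed input shapes: account rows
# carrying the raw AD attributes named below (as exported with Get-ADUser
# -Properties ... | Export-Csv) and identity events as flat dicts with
# ISO-8601 timestamps; the event type names are this example's own.
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002        # userAccountControl bits, Microsoft-documented
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """pwdLastSet/lastLogonTimestamp are 100 ns ticks since 1601; 0/empty
    means 'never' (pwdLastSet=0 forces a change at next logon)."""
    ft = int(ft or 0)
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def find_stale_accounts(accounts, now, max_pwd_age_days=365, max_logon_age_days=90):
    """[(sAMAccountName, [reasons])] for enabled accounts to remove or rotate.
    Caveat: lastLogonTimestamp only replicates when >~14 days stale, so it is
    'roughly when', not 'exactly when'."""
    findings = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if uac & UAC_ACCOUNTDISABLE:
            continue  # already disabled; deletion is a separate clean-up pass
        reasons = []
        pwd_set = filetime_to_datetime(acct["pwdLastSet"])
        last_logon = filetime_to_datetime(acct["lastLogonTimestamp"])
        if pwd_set and now - pwd_set > timedelta(days=max_pwd_age_days):
            reasons.append(f"password last set {(now - pwd_set).days} days ago")
        if last_logon is None:
            reasons.append("never logged on")
        elif now - last_logon > timedelta(days=max_logon_age_days):
            reasons.append(f"last logon {(now - last_logon).days} days ago")
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            reasons.append("password never expires")
        if reasons:
            findings.append((acct["sAMAccountName"], reasons))
    return findings

RESET_TYPES = {"mfa_reset", "password_reset"}
NEW_ACCESS_TYPES = {"service_account_created", "oauth_token_issued", "api_key_created"}

def detect_helpdesk_chains(events, window=timedelta(hours=24)):
    """Alert on user U when a help desk ticket names U, U's MFA/password is then
    reset within `window`, and U then creates a service account or token within
    `window` of that reset. Ticket+reset alone, new access with no preceding
    reset, or a chain spread past the window does not alert."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    ticket_at, reset_at, chains = {}, {}, []   # keyed by the targeted user
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "helpdesk_ticket":
            ticket_at[e["target"]] = t
        elif e["type"] in RESET_TYPES:
            tk = ticket_at.get(e["target"])
            if tk is not None and t - tk <= window:
                reset_at[e["target"]] = (tk, t)
        elif e["type"] in NEW_ACCESS_TYPES:
            r = reset_at.get(e["actor"])          # the reset user is now the actor
            if r is not None and t - r[1] <= window:
                chains.append({"user": e["actor"], "ticket": r[0], "reset": r[1],
                               "access": t, "created": e["target"]})
    return chains

NOW = datetime(2025, 11, 3, 12, 0, tzinfo=timezone.utc)   # constructed sample data follows

def _acct(name, pwd_days_ago, logon_days_ago, uac=UAC_NORMAL_ACCOUNT):
    ago = lambda d: 0 if d is None else datetime_to_filetime(NOW - timedelta(days=d))
    return {"sAMAccountName": name, "userAccountControl": uac,
            "pwdLastSet": ago(pwd_days_ago), "lastLogonTimestamp": ago(logon_days_ago)}

SAMPLE_ACCOUNTS = [
    _acct("jdoe", 30, 1),                                    # healthy
    _acct("svc_backup", 1400, 2, UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD),
    _acct("old_contractor", 800, 400),                       # should no longer exist
    _acct("svc_legacy", 20, None),                           # created, never used
    _acct("leaver", 900, 500, UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE),  # skipped
]
SAMPLE_EVENTS = [  # deliberately unordered; the detector sorts by time
    {"ts": "2025-11-03T10:40:00+00:00", "type": "service_account_created", "actor": "jdoe", "target": "svc-sync-02"},
    {"ts": "2025-11-03T09:02:00+00:00", "type": "helpdesk_ticket", "actor": "helpdesk.amy", "target": "jdoe"},
    {"ts": "2025-11-03T09:15:00+00:00", "type": "mfa_reset", "actor": "helpdesk.amy", "target": "jdoe"},
    {"ts": "2025-11-01T08:00:00+00:00", "type": "helpdesk_ticket", "actor": "helpdesk.raj", "target": "bob"},
    {"ts": "2025-11-01T08:10:00+00:00", "type": "password_reset", "actor": "helpdesk.raj", "target": "bob"},
    {"ts": "2025-11-03T11:00:00+00:00", "type": "service_account_created", "actor": "bob", "target": "svc-report"},  # >24 h later
    {"ts": "2025-11-02T14:00:00+00:00", "type": "service_account_created", "actor": "carol", "target": "svc-etl"},  # no reset
]

if __name__ == "__main__":
    for name, reasons in find_stale_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{name}: {'; '.join(reasons)}")
    for c in detect_helpdesk_chains(SAMPLE_EVENTS):
        print(f"ALERT {c['user']}: ticket {c['ticket']:%H:%M} -> reset {c['reset']:%H:%M} "
              f"-> created {c['created']} at {c['access']:%H:%M}")
```

Run it as a script to print the findings. The window is deliberately short: in the three-step scenario the attacker wants new persistence before the reset is noticed, so an hours-long window catches that pattern while a user who opened a ticket and happens to create a service account days later does not fire. Tune the window and the event type names to what your help desk tool and identity provider actually emit, and feed the stale-account check the raw attributes rather than the pretty-printed dates so the 0-means-never cases survive.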
The longer-term work is architectural: Build recovery capability into your identity program so that when an attack succeeds – and it’s usually when, not if – you can contain it, reverse it, and try to restore trust faster than the attacker can consolidate their position.
Attackers are counting on your AD being ungoverned, your machine identities being invisible, and your recovery plan being theoretical. Close one of those gaps this quarter. Close all three and you’ve fundamentally changed the math.
Learn how Commvault Cloud delivers comprehensive AD protection – from vulnerability assessment to one-click rollback and full forest recovery.
I recently joined Vidya Shankaran on the STRIVE podcast to talk about the governance gap for non-human identities. Check out our episode here. And be sure to read Vidya’s blog, The Machine Identity Blind Spot Is Now a Primary Attack Surface.
FAQs
Q: Why are help desks becoming a major security risk?
A: Help desks are often trusted to reset passwords and modify MFA settings, making them attractive targets for social engineering. Attackers exploit this trust to gain initial access with minimal resistance.
Q: What role do non-human identities play in attacks?
A: Sprawl and operational overhead make rotation and audit of non-human identities, such as service accounts and API keys, difficult. Attackers use them to maintain persistence and move undetected across systems.
Q: Why is AD such a critical target?
A: AD controls authentication and access across the network. Gaining control of it allows attackers to manage users, policies, and systems at scale.
Q: Aren’t MFA and endpoint security enough to stop these attacks?
A: These tools focus on human behavior and may not detect slow, legitimate-looking privilege escalation. Attackers can operate within normal patterns and avoid triggering alerts.
Q: What does a recovery-first security approach mean?
A: It means preparing for the reality that breaches will happen and prioritizing the ability to detect, contain, and reverse them quickly. This approach helps reduce downtime and can help limit overall impact.
Q: What are the most important steps to take immediately?
A: Start by auditing your AD, removing unnecessary accounts, rotating old credentials, and monitoring for suspicious sequences of help desk and identity-related activities.
Dan Conrad is Principal Technologist and Field CTO at Commvault.