I Called Their Helpdesk. Forty-Seven Minutes Later I Was Domain Admin.
- Lindsay Timcke
- May 5
The engagement was a red team for a mid-market financial services firm, roughly nine hundred employees, three offices, the usual stack. Okta, Microsoft 365, CrowdStrike on the endpoints, conditional access policies, MFA (Multi-Factor Authentication) enforced on everything that touched data. On paper it was hardened. In practice it took less than an hour.
We did not phish anyone. We did not drop a USB. We did not exploit a CVE (Common Vulnerabilities and Exposures). We called the IT helpdesk.
Phase one was OSINT (Open Source Intelligence). LinkedIn gave us the IT and operations rosters, an org chart, vendor relationships, and tenure data. An old breach database surfaced a personal email and phone for a senior accounting manager, the target. Public DNS (Domain Name System) records and a job posting confirmed the helpdesk vendor and the ticketing platform. A press release told us the firm had recently acquired a smaller advisor in another state. Inter-office travel was normal. Confusion would be too.
Phase two was the call. Wednesday afternoon, staffing thin, queue depth high, analysts under pressure. I called as the accounting manager, said I had landed at the acquired office, my work phone died, I had a new one in my hand, and I could not log into Okta to pull a closing file the CFO (Chief Financial Officer) was waiting on. The analyst followed her script. Verified my name, my title, the last four of my employee number, all public or scraped. She reset the MFA factor to a number I controlled. Two minutes later I was in Okta. Eleven minutes after that I had SharePoint, the file share, and the controller’s mailbox. Forty-seven minutes after the call ended I owned domain admin through a service account whose credentials were sitting in a OneNote the controller had write access to.
The MFA worked exactly as designed. Conditional access fired correctly. CrowdStrike alerted on nothing because nothing malicious ever happened. Identity itself was the breach. The helpdesk had no callback verification, no manager approval for MFA resets, no out-of-band confirmation, no urgency throttle. The process was the vulnerability, and the process was working as written.
Every dollar spent on detection assumes the attacker is doing something detectable. Identity-layer social engineering is not. Until MFA reset is treated as a privileged transaction requiring out-of-band proof, the next attacker calls and gets in the same way.
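What "MFA reset as a privileged transaction" looks like when written down as a gate: the controls the post says were absent (a callback to the number already on file, approval from the manager of record, a throttle on repeat resets, and urgency that is logged but never waives a check) each evaluated independently, with nothing the caller says able to satisfy any of them. This is an added example, not the firm's, the helpdesk vendor's, or the author's code; the directory record, usernames, phone numbers and function names (`evaluate_reset`, `apply_reset`, `replay_post_call`, `legitimate_call`, `throttled_repeat`) are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed directory record: what the helpdesk looks up, never what the caller states.
DIRECTORY: Dict[str, dict] = {
    "acct.manager": {
        "employee_id": "00123456",          # constructed
        "manager": "controller",            # approver of record
        "phone_on_record": "+1-555-0100",   # constructed; callbacks go here, not to a new phone
    },
}

# Attributes the post shows can be answered from OSINT and breach data alone.
PUBLIC_FACTS: Set[str] = {"name", "title", "employee_id_last4"}


@dataclass
class ResetRequest:
    username: str
    new_phone: str                              # number the caller wants the factor moved to
    verified_fields: Set[str]                   # what the analyst checked from the script
    callback_confirmed: bool = False            # user answered a callback to phone_on_record
    manager_approved_by: Optional[str] = None   # approver id taken from the approver's own session
    claimed_urgency: bool = False


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)   # any entry blocks the reset
    notes: List[str] = field(default_factory=list)     # recorded, never waives a check


def evaluate_reset(req: ResetRequest, directory: Dict[str, dict],
                   recent_resets: Dict[str, List[datetime]], now: datetime,
                   max_resets_per_day: int = 1) -> Decision:
    """Gate a factor reset like a privileged transaction: every control must pass on its own."""
    rec = directory.get(req.username)
    if rec is None:
        return Decision(False, ["unknown user"])
    d = Decision(True)
    # 1. Knowledge-based checks count for nothing when every field is scrapeable.
    if req.verified_fields <= PUBLIC_FACTS:
        d.notes.append("script verified only public or scraped attributes; treated as unverified")
    # 2. Out-of-band proof: a callback to the number on file, not to the phone in the caller's hand.
    if not req.callback_confirmed:
        d.reasons.append("no callback confirmation on phone of record")
    # 3. Approval must come from the manager the directory names, through their own login.
    if req.manager_approved_by != rec["manager"]:
        d.reasons.append("no approval from manager of record")
    # 4. Velocity throttle: repeated resets on one account are a signal, not a convenience.
    window = [t for t in recent_resets.get(req.username, []) if now - t < timedelta(days=1)]
    if len(window) >= max_resets_per_day:
        d.reasons.append(f"{len(window)} reset(s) already in the last 24h")
    # 5. Urgency is written to the record and changes nothing above.
    if req.claimed_urgency:
        d.notes.append("caller claimed urgency; no controls waived")
    d.allowed = not d.reasons
    return d


def apply_reset(req: ResetRequest, directory: Dict[str, dict],
                recent_resets: Dict[str, List[datetime]], now: datetime,
                audit: List[dict]) -> Decision:
    """Run the gate, write the audit entry, and only then move the factor."""
    d = evaluate_reset(req, directory, recent_resets, now)
    audit.append({"user": req.username, "ts": now.isoformat(), "allowed": d.allowed,
                  "reasons": list(d.reasons), "notes": list(d.notes), "new_phone": req.new_phone})
    if d.allowed:
        recent_resets.setdefault(req.username, []).append(now)
        directory[req.username]["phone_on_record"] = req.new_phone
    return d


def _fresh_directory() -> Dict[str, dict]:
    return {k: dict(v) for k, v in DIRECTORY.items()}


def replay_post_call(now: Optional[datetime] = None) -> Decision:
    """The call from the post as the gate sees it: name, title, last four of the employee
    number, no callback, no manager approval, urgency claimed. Expected: denied."""
    now = now or datetime.now(timezone.utc)
    req = ResetRequest("acct.manager", "+1-555-0199", set(PUBLIC_FACTS), claimed_urgency=True)
    return apply_reset(req, _fresh_directory(), {}, now, [])


def legitimate_call(now: Optional[datetime] = None) -> Decision:
    """Same script answers, but the callback landed and the manager of record approved."""
    now = now or datetime.now(timezone.utc)
    req = ResetRequest("acct.manager", "+1-555-0199", set(PUBLIC_FACTS),
                       callback_confirmed=True, manager_approved_by="controller")
    return apply_reset(req, _fresh_directory(), {}, now, [])


def throttled_repeat() -> Decision:
    """A second fully-approved reset two hours after the first trips the velocity throttle."""
    now, directory, history, audit = datetime.now(timezone.utc), _fresh_directory(), {}, []
    req = ResetRequest("acct.manager", "+1-555-0199", set(PUBLIC_FACTS),
                       callback_confirmed=True, manager_approved_by="controller")
    apply_reset(req, directory, history, now, audit)
    return apply_reset(req, directory, history, now + timedelta(hours=2), audit)


if __name__ == "__main__":
    for label, d in (("post call", replay_post_call()), ("legitimate", legitimate_call()),
                     ("repeat", throttled_repeat())):
        print(label, "ALLOWED" if d.allowed else "DENIED", d.reasons, d.notes)
```

Two design points carry the weight. The callback number and the approver come from the directory, so the caller's answers can only ever confirm a record, never create one; and urgency is a note, not an input to the decision, so a thin Wednesday-afternoon queue changes nothing about which checks run.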
