Can I have a new password, please? The $400M question.

Back in August 2023, attackers tied to the Scattered Spider group didn’t exploit a zero-day vulnerability to hack Clorox. They simply called the service desk (run by Cognizant), claimed to be locked-out employees, and asked for password and MFA resets.

According to court filings and reporting, the attacker repeatedly phoned Cognizant’s service desk, obtained repeated resets without meaningful verification, and used the resulting access to move quickly toward domain-admin footholds.

Clorox says the attack ultimately led to roughly $380 million in damages, including about $49 million in remedial costs and “hundreds of millions” in business-interruption losses. We’ll walk through what happened, how to secure third-party service desks, and show how to enforce verification with the right technology.

How did the attack play out?

Social engineering attacks succeed by targeting human fallibility. Attackers carry out reconnaissance (collecting names, titles, recent hires, internal ticket references), then use a calm, scripted phone call that mimics legitimate user behavior. They want the service desk agent to feel pressured and skip security processes.

In Clorox’s case, the legal complaint alleges frontline agents were convinced over the phone to reset credentials and MFA without escalating or performing out-of-band verification. They claim this went against the agreed procedure with Cognizant that agents should never reset anyone’s credentials without properly authenticating them first.  

The result: a single compromised identity became a pivot for lateral movement and major disruption.

The impact: Operational paralysis and data loss

Clorox reported production systems taken offline, paused manufacturing, manual order processing, and shipment delays that depressed sales volumes. Those supply-chain and fulfilment impacts (as well as forensic and remediation costs) made up most of the loss figure cited in the lawsuit. It serves as a reminder that a simple unauthorized password reset can have far-reaching consequences.   

CISA and other agencies have flagged this pattern: Scattered Spider and similar groups target contracted help desks because outsourced desks frequently sit behind high-privilege bridges into multiple customers’ environments. Advice on defending against the group specifically warns that threat actors will impersonate users and exploit weak verification to bypass MFA and reset credentials. That makes robust caller verification not just good practice, but a core supply-chain control.

Why outsourcing magnified the risk

Outsourcing help-desk functions shouldn’t be a security when vendor processes are strong – many organizations choose to do so. But it the vendor’s verification process is weak or poorly enforced, risk is amplified. There are three structural reasons:

Concentric trust: Vendors often have broad, cross-tenant privileges and fast-path workflows (password resets, MFA resets, account unlocks) that, if abused, can reach privileged systems across an entire enterprise.
Process drift and scale: Large vendors handle high call volumes; if scripts are ambiguous or QA is poor, agents revert to “get the user working” behavior rather than strict verification. In this case, Clorox’s suit alleges that contractual expectations for verification were not followed.
Visibility gaps: Third-party desks may log actions in their own systems or ticketing instances that aren’t fully integrated into the customer’s SIEM or privileged-access telemetry, delaying detection.

What defenders should do

Treat help-desk resets as privileged operations and instrument them accordingly with these five actionable steps:

Enforce out-of-band verification for any remote reset: Require a callback to a company-owned phone number, an emailed one-time token to a work inbox, or a short cryptographic challenge rather than knowledge-based questions.
Require approval thresholds: High-risk resets (MFA, privileged groups, service accounts) need two-person approval and an automatic manager notification tied to the ticket ID.
Short-lived elevation and session isolation: Use temporary privileged sessions for remediation tasks and revoke long-lived admin sessions on detection.
Automated telemetry and containment: Log every reset to an immutable audit trail (ticket ID, agent ID, caller callback number), alert on anomalous reset patterns, and automatically revoke refresh tokens / force re-auth on suspicious sequences.
Translate detection into rules: Watch for patterns such as “same external callback number used for multiple distinct user resets” or “multiple MFA resets for users in the same business unit within X minutes.” These are high-signal events that should trigger automated session revocation and SOC escalation.

Operational governance: Contract language and audits

If you outsource, your contract must require vendor-side technical controls and auditability. Make the vendor prove ( with logs and annual tests ) that they enforce two-channel verification, immutable reset logs, and integration with your SIEM. Include measurable SLAs for MTTD/MTTR on suspected account compromises and require simulated social-engineering tests with remediation results published to you.

Technology helps, but people will still get social-engineered. Run regular red-team phone-based simulations against your help desk (and your vendors), measure failures, and bake corrective training into operations. Track and reduce time from reset to containment — that metric will move the needle more than expensive, one-off hardening projects.

Try Specops Secure Service Desk

If you’d like a live walkthrough of enforced caller verification, immutable audit trails, and ticket integration in a production environment, try Specops Secure Service Desk.

It’s the fastest way to see how deterministic verification and automated containment shrink the attacker’s window to act.

Book a live demo.

Sponsored and written by Specops Software.

Adblock test (Why?)