Helpdesk Exploitation: Now In Stark Detail

8–4–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, August 4, 2025, and I think we can all agree that August snuck up on us, and the year is moving very, very quickly.

On the cyber side, there’s another thing that can move very quickly, and that’s attackers who gain access by exploiting your helpdesk. We’re going to dive in on that today now that we have some new information from a lawsuit that should help make this risk a bit more concrete.

Helpdesk Exploitation: In Stark Detail

As you may recall from our coverage on this show, American chemical company Clorox suffered quite an outage in 2023 due to a ransomware attack. In fact, they’re now suing their outsourced help desk provider for $380M - the amount of impact they claim from the attack.

The details of the suit, however, are what we should focus on here. Clorox is asserting that the helpdesk agent did not follow procedure to validate an employee before providing credentials.

The suit alleges that:

“At no point during any of the calls did the Agent verify that the caller was in fact Employee 1. At no point did the Agent follow Clorox's credential support procedures—either the pre-2023 procedure or the January 2023 update—before changing the password for the cybercriminal. The Agent further reset Employee 1's MFA credentials multiple times without any identity verification at all. And at no point did the Agent send the required emails to the employee or the employee's manager to alert them of the password reset.”

Media coverage of this suit notes:

“To make matters worse, Clorox alleges that the threat actors used the same playbook to reset the password and MFA for another employee who worked in IT security, which was done without verification once again. This reportedly gave the attackers privileged access to the network, which they used to spread to further devices.”

And they have the transcripts - which I’ve linked to in the article above. I won’t attempt a dramatic reading to recreate them, but the attacker doesn’t have to work very hard to get the helpdesk employee to reset their account and provide access.

Finally, it’s worth noting that the article covering the suit included a small update from a Cognizant spokesperson that reads as follows:

“It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.”

A little snippy, and it’s hard to read the transcript and see the helpdesk agent’s actions as reasonable, especially given the fact that there was an SOP for validation in place.

That said, this comment does ring back to what we covered last week in the idea that clicking a single link shouldn’t take you down, but that the cascade of failures is really where the risk lies. The problem is, both Clorox and Cognizant have a point here.

For the rest of us, the two core lessons are as follows:

  1. Instantiate a process for validating identity before providing password reset or rotation via the helpdesk, especially for those with elevated account privileges like the IT admin mentioned in the suit; and

  2. Include these processes as part of your social engineering / penetration testing phase to ensure that they are actually in place (which, it would seem, is the fatal flaw for Clorox - the policy was there, it just wasn’t being followed by the folks on the front lines, which is not uncommon).
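A defender-side sketch of lesson one, as an added example that is not code from this post or from either company it discusses: it gates a reset request on the verification steps the suit says were skipped, and audits completed resets for the pattern described (unverified resets, repeated MFA resets, no alert e-mail to the employee or their manager). The verification method names, ticket ids and user names are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Verification steps an agent may record; anything else counts as "not verified".
VERIFICATION_METHODS = {"callback_to_number_on_file", "manager_confirmation", "in_person"}
REQUIRED_ALERTS = {"employee", "manager"}  # who must get the reset-alert e-mail


@dataclass
class ResetEvent:
    ticket: str
    user: str
    privileged: bool                    # e.g. an IT-security admin account
    verified_by: Optional[str]          # method actually performed, or None
    mfa_reset: bool = False
    notified: FrozenSet[str] = frozenset()  # recipients of the alert e-mail


def evaluate(ev: ResetEvent) -> Tuple[bool, List[str]]:
    """Gate a reset before the agent acts: refuse anything that skips the SOP."""
    reasons = []
    if ev.verified_by not in VERIFICATION_METHODS:
        reasons.append("caller identity not verified")
    if ev.privileged and ev.verified_by != "manager_confirmation":
        reasons.append("privileged account requires manager confirmation")
    return (not reasons, reasons)


def audit(events: List[ResetEvent], mfa_reset_limit: int = 1) -> List[Tuple[str, str]]:
    """Review completed resets and return (subject, finding) pairs for follow-up."""
    findings = []
    for ev in events:
        ok, reasons = evaluate(ev)
        if not ok:
            findings.append((ev.ticket, "; ".join(reasons)))
        missing = REQUIRED_ALERTS - set(ev.notified)
        if missing:
            findings.append((ev.ticket, "alert e-mail not sent to " + ", ".join(sorted(missing))))
    # Repeated MFA resets for one user are the pattern alleged in the suit.
    for user, n in Counter(ev.user for ev in events if ev.mfa_reset).items():
        if n > mfa_reset_limit:
            findings.append((user, f"MFA reset {n} times"))
    return findings


# Constructed sample log: one compliant reset, then the unverified pattern.
SAMPLE_LOG = [
    ResetEvent("T-100", "employee1", False, "callback_to_number_on_file", notified=frozenset(REQUIRED_ALERTS)),
    ResetEvent("T-101", "employee1", False, None, mfa_reset=True),
    ResetEvent("T-102", "employee1", False, None, mfa_reset=True),
    ResetEvent("T-103", "itsec_admin", True, None, mfa_reset=True),
]
```

Running `audit(SAMPLE_LOG)` flags every ticket after T-100, and separately flags employee1 for two MFA resets.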

On a related note, there’s some good new research coming out from Palo Alto’s Unit42 about the social engineering techniques being used to compromise Salesforce instances and steal large volumes of customer data.

ShinyHunters is the group behind these attacks, and is being credited with the recently covered breaches at Qantas, Allianz Life, Louis Vuitton, Adidas, and others.

I would note that at least one victim - Allianz - is actively playing the card of “this breach wasn’t our breach as it wasn’t our system” - but that’s small comfort to the 1.4M people whose details were exposed.

Fundraising

From a fundraising perspective, last week’s story was more the volume of announcements than the total amount raised, with $6.4B in newly committed capital announced over about a dozen funds.

There are, however, some positive indicators from the IPO market, with Figma making a strong debut after their Adobe deal fell apart. One to keep a close eye on, though, as they appear to be down about 20% today alone, perhaps some profit taking for those who caught the initial IPO wave.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.bleepingcomputer.com/news/security/hackers-fooled-cognizant-help-desk-says-clorox-in-380m-cyberattack-lawsuit/

https://unit42.paloaltonetworks.com/muddled-libra/

https://www.bleepingcomputer.com/news/security/shinyhunters-behind-salesforce-data-theft-attacks-at-qantas-allianz-life-and-lvmh/

https://www.cpomagazine.com/cyber-security/allianz-life-insurance-data-breach-by-scattered-spider-ransomware-gang-impacts-1-4-million-people/
