A 10-minute phone call cost MGM Resorts $100 million. A similar call cost Marks & Spencer £300 million. No malware was needed. No zero-day exploits. No network vulnerabilities were exploited. The attackers used LinkedIn, a data broker search, a leaked password, and a convincing voice.
This anatomy of a vishing attack dissects both incidents stage by stage — from the public information the attackers gathered beforehand, through the technical escalation that turned a single MFA reset into total organisational compromise, to the operational damage that followed. Every piece of information the attackers used was available before they picked up the phone. For the full picture of how leaked credentials and breach data fuel these attacks, see our Credential Leaks & Breach Response hub.
Stage 1: Finding Who Holds the Keys
The attack on MGM Resorts was not opportunistic. The attackers — members of the Scattered Spider group — did not target a random employee. They targeted accounts with Super Administrator privileges in Okta, MGM’s Single Sign-On platform. These are the accounts that control the identity infrastructure for the entire organisation. A Super Administrator can reset any user’s credentials, disable security policies, and reconfigure how every employee authenticates.
Finding these people did not require inside knowledge. It required LinkedIn.
Job titles are public. A profile listing “Senior IAM Engineer,” “Identity & Access Management Lead,” or “Okta Platform Administrator” tells an attacker exactly what that person controls. LinkedIn’s search filters allow narrowing by company, role, and location. Within minutes, an attacker can compile a shortlist of every employee at an organisation who likely holds privileged access to the identity platform.
Job postings reveal even more. When an organisation advertises for an “Okta Administrator — Super Admin experience required,” it confirms which platform they use, what privilege levels exist, and what the role’s responsibilities include. Postings frequently mention specific integrations — “manage SSO for Salesforce, AWS, and ServiceNow” — which maps the applications connected to the identity layer. Some postings name the outsourced helpdesk provider or the ticketing system used for access requests.
Organisational charts can be reconstructed from LinkedIn’s connection graph. If four people in the same IT security team are connected to the same manager, the reporting structure is visible. If two of them changed roles recently, their previous titles may still appear in cached search results or on other platforms. If one of them posted about completing an Okta certification, the attacker knows the platform, the skill level, and the person’s name.
None of this is hidden. None of it requires authentication or payment. It is the default state of professional networking: people publish their responsibilities because that is how LinkedIn works.
Stage 2: Obtaining the Password
Okta’s own advisory, published in September 2023, confirmed that the threat actors “appeared to either have passwords to privileged user accounts or be able to manipulate the delegated authentication flow via Active Directory” before ever contacting the helpdesk. They already had the login credentials. The phone call was not about getting a password. It was about removing the last obstacle — multi-factor authentication.
Where does an attacker get the password for a specific employee at a specific company?
Breach databases. When a company suffers a data breach, the stolen credentials — email addresses and passwords — eventually surface on underground forums and aggregation services. These databases are cumulative. They do not expire. A password leaked from a 2019 breach of an unrelated service is still searchable in 2023 or 2026. If the target reused that password for their corporate Okta account, the attacker already has it.
The scale of these databases is difficult to overstate. The COMB (Combination of Many Breaches) collection, leaked in 2021, contained 3.2 billion credential pairs compiled from hundreds of separate breaches. It is one of many such collections. Searching for a specific email address across these datasets takes seconds.
Infostealer logs. A growing source of corporate credentials is infostealer malware — software that silently harvests saved passwords from web browsers. When an employee saves their Okta login in Chrome on a personal laptop, and that laptop is later infected by an infostealer through a malicious download or compromised website, the saved credentials are exfiltrated and sold in bulk on criminal marketplaces. The logs typically include the URL, the username, the password, and a timestamp. Researchers have documented a 42% surge in leaked credentials from infostealer malware in recent years. These logs are traded commercially, often for less than $10 per batch.
Credential stuffing. Even without an exact match for the corporate account, attackers test known passwords and their common variations against corporate login pages using automated tools. If someone used “Summer2023!” on a breached fitness app and variations of the same pattern for their work account, automated testing will find the match.
The critical point is this: the attacker does not need to hack the target organisation to get the password. They need the target employee to have reused a password, saved it in a browser on a compromised device, or used a predictable pattern. The password comes from the individual’s personal digital hygiene, not from the company’s defences.
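The defensive counterpart to the breach databases described above is to screen passwords against those same corpora at set time. The following is an added example, not code from any organisation named on this page: it implements the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords API (only the first five hex characters of the SHA-1 are sent), with the HTTP fetch replaced by a constructed stub so it runs offline.

```python
"""Screen a password against breach corpora before it can be reused for a
corporate account, using the k-anonymity range lookup of Have I Been Pwned's
Pwned Passwords API. Added example; the HTTP fetch is injected so it runs offline."""
import hashlib
from typing import Callable

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 if never).
    Only the first five hex characters of the SHA-1 leave the machine;
    fetch_range(prefix) returns the API body, one 'SUFFIX:COUNT' per line."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0

def is_acceptable(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Set-time policy: reject anything seen in breach data even once."""
    return breach_count(password, fetch_range) == 0

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The first suffix is the genuine SHA-1 tail of "password"; the counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
             + "0" * 34 + "A:1\r\n",
}

def offline_fetch(prefix: str) -> str:
    """Stub with the API's response shape; swap in an HTTPS call for production."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")
```

In production, `offline_fetch` is replaced by an HTTPS request to the range endpoint; the password itself never leaves the host either way.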
Stage 3: Building the Pretext
The phone call to the helpdesk required more than a name and a request. The attacker needed to pass identity verification — to answer the questions a helpdesk agent would ask before resetting MFA on a high-privilege account.
Standard helpdesk verification typically relies on some combination of: full name, employee ID, date of birth, manager’s name, last four digits of a phone number, home address, or answers to security questions set during onboarding.
Most of this information is available without hacking anything.
Data broker and people search sites aggregate public records, property filings, voter registrations, and commercial data into searchable profiles. A query on a major people search site returns a person’s full name, current and previous addresses, phone numbers, date of birth, known relatives, and email addresses. In the United States, over 4,000 data brokers operate commercially. In Europe, the EDPB’s March 2026 market study identified more than 40 data brokers in Belgium alone — a country of 11 million people. These profiles are available to anyone. Some sites charge a few dollars. Others are free.
Social media fills in the personal context. A Facebook profile with a visible birthday. An Instagram post from a house with a visible street number. A LinkedIn profile listing a manager’s name. A Twitter reply mentioning a pet’s name — which may also be the answer to a security question set years ago and long forgotten.
Public records vary by jurisdiction but often include property ownership (land registry), company directorships (chamber of commerce filings), court records, and marriage or civil partnership registrations. In the Netherlands, Kadaster records are publicly searchable. In the UK, Companies House lists every director of every registered company with their month and year of birth and correspondence address.
The attacker does not need all of this information. They need enough to sound like the person they are impersonating, for the duration of one phone call, to one helpdesk agent who processes dozens of similar requests every shift.
Stage 4: The Call
On September 8, 2023, an attacker called MGM Resorts’ IT helpdesk. They identified themselves as the employee they had researched. They said they needed their multi-factor authentication reset — a routine request that helpdesks handle regularly when employees change phones, lose hardware tokens, or encounter login issues.
The helpdesk agent followed the standard verification procedure. The caller answered correctly. The answers had never been secret.
The agent reset the MFA.
At no point was the caller required to verify their identity through a second channel — no callback to a registered phone number, no push notification to a known device, no in-person confirmation. A voice on a phone, combined with personal details that are available in any data broker search, was sufficient to remove the last security control on an account with administrative access to every connected system in the organisation.
The call lasted approximately 10 minutes.
Stage 5: What a Single MFA Reset Unlocks
This is where a social engineering attack becomes a technical compromise. The MFA reset itself is not the breach. It is the moment the entire identity infrastructure becomes the attacker’s.
MGM: The Identity Layer Collapses
With the password (already obtained from breach data) and MFA now removed, the attackers logged directly into the Okta Super Administrator account.
Okta is a Single Sign-On identity platform. It sits in front of every application an organisation uses — email, cloud storage, internal tools, financial systems, infrastructure management. When an employee logs in once and gains access to everything else, that is SSO working as designed. When an attacker does the same, every connected application is compromised simultaneously.
A Super Administrator in Okta can:
• Reset passwords and MFA for any user in the organisation
• Assign higher privileges to any account
• Remove multi-factor authentication requirements from security policies entirely
• Add a new Identity Provider to the Okta tenant
The attackers did all four.
They assigned Super Administrator privileges to additional accounts they controlled. They reset authenticators on other existing administrator accounts — locking the legitimate owners out. They removed second-factor requirements from authentication policies, so that compromised accounts no longer needed MFA at all.
Then they configured a second, malicious Identity Provider using Okta’s federation feature — a legitimate capability designed for scenarios like corporate mergers, where two organisations need to share identity infrastructure. The attackers’ Identity Provider, which they controlled entirely, was configured as a trusted source. By creating user accounts in their Identity Provider with usernames matching real MGM employees, they could generate valid authentication tokens and sign in to any application as any user — without ever needing that user’s actual credentials.
When MGM’s IT team detected the intrusion and began shutting down systems, the attackers retained Super Administrator access. MGM was locked out of its own identity platform. The attackers simultaneously held Global Administrator rights on MGM’s Microsoft Azure tenant.
One leaked password. One phone call. Total control of the identity infrastructure of a $34 billion company.
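A detection a SOC could run over Okta System Log exports to catch the sequence just described: an MFA reset performed on a privileged account by someone else, followed within a short window by that account granting privileges, resetting other admins, editing policy, or adding an Identity Provider. This is an added example, not code from MGM or Okta; the event type names are my reading of the Okta System Log and should be confirmed against your tenant, and the sample events are constructed.

```python
"""Correlate an MFA reset on a privileged Okta account with the follow-on admin
actions described above. Added example, not MGM's or Okta's code; the event type
names are my reading of the Okta System Log, so confirm them against your tenant."""
from datetime import datetime, timedelta

RESET_EVENT = "user.mfa.factor.reset_all"
HIGH_IMPACT_EVENTS = {
    "user.account.privilege.grant",  # admin role handed to another account
    RESET_EVENT,                     # someone else's authenticators reset
    "policy.rule.update",            # e.g. MFA requirement removed from a policy
    "system.idp.lifecycle.create",   # second, attacker-controlled Identity Provider
}
WINDOW = timedelta(hours=2)          # how long after a reset the account stays suspect

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate_reset_abuse(events, privileged_users):
    """Return one alert per high-impact action a privileged user takes within
    WINDOW of another actor (e.g. the helpdesk) resetting that user's MFA."""
    last_reset, alerts = {}, []
    for e in sorted(events, key=lambda x: x["published"]):
        t, actor = _ts(e["published"]), e["actor"]["alternateId"]
        if e["eventType"] in HIGH_IMPACT_EVENTS and actor in last_reset \
                and t - last_reset[actor] <= WINDOW:
            mins = int((t - last_reset[actor]).total_seconds() // 60)
            alerts.append({"user": actor, "action": e["eventType"], "minutes_after_reset": mins})
        if e["eventType"] == RESET_EVENT:
            for tg in e.get("target", []):
                u = tg.get("alternateId")
                if tg.get("type") == "User" and u in privileged_users and u != actor:
                    last_reset[u] = t
    return alerts

def ev(published, event_type, actor, target=None, target_type="User"):
    """Constructed, trimmed-down System Log event (real events carry far more)."""
    e = {"published": published, "eventType": event_type, "actor": {"alternateId": actor}}
    return e if target is None else {**e, "target": [{"alternateId": target, "type": target_type}]}

PRIVILEGED = {"iam.admin@example.com", "sso.lead@example.com"}
SAMPLE_EVENTS = [  # constructed; loosely follows the timeline in the text
    ev("2023-09-08T09:00:00Z", RESET_EVENT, "helpdesk@example.com", "regular.user@example.com"),
    ev("2023-09-08T13:00:00Z", "policy.rule.update", "sso.lead@example.com", "MFA policy", "Policy"),
    ev("2023-09-08T14:02:00Z", RESET_EVENT, "helpdesk@example.com", "iam.admin@example.com"),
    ev("2023-09-08T14:31:00Z", "user.account.privilege.grant", "iam.admin@example.com", "new.admin@example.com"),
    ev("2023-09-08T14:40:00Z", RESET_EVENT, "iam.admin@example.com", "sso.lead@example.com"),
    ev("2023-09-08T15:05:00Z", "system.idp.lifecycle.create", "iam.admin@example.com", "Attacker IdP", "IdentityProvider"),
]
```

Running `correlate_reset_abuse(SAMPLE_EVENTS, PRIVILEGED)` yields three alerts for `iam.admin@example.com` (29, 38 and 63 minutes after the helpdesk reset); the unrelated reset on a regular user and the policy edit by an admin with no preceding reset produce none.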
Marks & Spencer: The Same Door, Different Architecture
The attack on Marks & Spencer in April 2025 began with the same method. An attacker impersonated an M&S employee and called the service desk — which was operated by a third-party contractor, not M&S’s own IT staff. The contractor performed a password reset. M&S chairman Archie Norman confirmed this publicly.
The technical path after entry was different. M&S’s internal network used Microsoft Active Directory rather than Okta as its primary identity infrastructure. After gaining initial access, the attackers reached a Windows domain controller — the server that manages authentication for every user and computer on the network. They exfiltrated the NTDS.dit file: the core Active Directory database containing the password hash for every domain account in the organisation.
With this file, cracking passwords is an offline operation. The attackers extracted clear-text credentials for multiple accounts, moved laterally across M&S’s network, and systematically mapped data repositories. They did not hurry. Evidence suggests initial access was gained as early as February 2025. The ransomware was not deployed until Easter weekend — April 19. That is approximately two months of undetected access, during which the attackers exfiltrated customer data for roughly 10 million individuals: names, addresses, email addresses, phone numbers, dates of birth, and order histories.
Only after the data was secured did they deploy DragonForce ransomware and encrypt M&S’s systems. The timing — a public holiday weekend — was deliberate. Skeleton staff, slower response, maximum disruption.
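The step that turned the M&S intrusion into an offline cracking exercise, reaching NTDS.dit on a domain controller, leaves process-creation records that a SIEM can flag. The following is an added example, not M&S’s tooling or telemetry: the records are constructed in a Windows Security 4688-like shape, the field names and the list of domain controllers and backup accounts are assumptions to adapt to your environment, and the patterns are the commonly published signals for snapshotting or copying the directory database.

```python
"""Flag process-creation records that snapshot or copy the Active Directory
database (NTDS.dit). Added example, not M&S's tooling; records are constructed
in a Windows Security 4688-like shape and field names are assumptions."""
import re

# (label, pattern over the lower-cased command line); NTDS.dit is locked while
# the directory service runs, so access goes through a snapshot or export.
NTDS_PATTERNS = [
    ("ntdsutil_ifm",  re.compile(r"ntdsutil.*\b(ifm|ntds)\b")),
    ("vss_snapshot",  re.compile(r"vssadmin.*create\s+shadow")),
    ("ntds_dit_copy", re.compile(r"(copy|xcopy|robocopy|esentutl).*ntds\.dit")),
]
DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # constructed; feed from your CMDB
BACKUP_ACCOUNTS = {"SVC-BACKUP"}        # accounts expected to snapshot DCs

def classify(record):
    """Return the matching pattern label for one record, or None."""
    cmd = record.get("CommandLine", "").lower()
    for label, rx in NTDS_PATTERNS:
        if rx.search(cmd):
            return label
    return None

def find_ntds_access(records):
    """Return alerts for 4688 records whose command line touches NTDS.dit.
    Activity on a domain controller by a non-backup account is rated high."""
    alerts = []
    for r in records:
        if r.get("EventID") != 4688:
            continue
        label = classify(r)
        if label is None:
            continue
        on_dc = r.get("Computer") in DOMAIN_CONTROLLERS
        trusted = r.get("SubjectUserName", "").upper() in BACKUP_ACCOUNTS
        severity = "high" if on_dc and not trusted else "medium"
        alerts.append({"host": r.get("Computer"), "user": r.get("SubjectUserName"),
                       "label": label, "severity": severity})
    return alerts

SAMPLE_RECORDS = [  # constructed
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "j.doe",
     "CommandLine": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\temp\\out" q q'},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc-backup",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 4688, "Computer": "WS07", "SubjectUserName": "a.smith",
     "CommandLine": "robocopy C:\\share D:\\backup /E"},
    {"EventID": 4688, "Computer": "DC02", "SubjectUserName": "j.doe",
     "CommandLine": "copy D:\\snapshot\\Windows\\NTDS\\ntds.dit C:\\temp\\"},
]
```

A high-severity hit from a domain controller should be treated as a likely precursor to the offline cracking and lateral movement described above, not as an isolated event.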
The Cost
MGM Resorts’ systems were down for 10 days across more than 30 properties. Casino floors went dark. Digital room keys stopped working. ATMs, slot machines, and booking platforms failed simultaneously. Staff issued handwritten receipts. Guests queued for manual check-in. The company reported $100 million in losses for Q3 2023 — $84 million in lost revenue and approximately $10 million in emergency consulting and legal fees.
Marks & Spencer suspended online clothing orders for weeks. Gift card services went offline. Contactless payments failed in stores across the country. Stock management reverted to pen and paper, leaving shelves bare. The company estimated the attack would cut £300 million from operating profits. Its market capitalisation dropped by £750 million within days. Full recovery was projected for July 2025 — three months after the attack began.
Combined: approximately half a billion dollars in documented losses. From phone calls.
Where Every Piece of Information Came From
Every stage of these attacks relied on information that was freely available before the call was ever placed.
| What the attacker needed | Where they found it | Accessibility |
|---|---|---|
| Which employees hold Okta/IAM admin roles | LinkedIn profiles and job postings | Public, free |
| Organisational structure and reporting lines | LinkedIn connection graph, company website | Public |
| Which identity platform the company uses | Job postings, vendor case studies | Public |
| The target’s corporate password | Breach databases, infostealer logs | Underground, low-cost |
| Full name, date of birth, address | Data broker and people search sites | Public or $1–10 |
| Manager’s name, employee ID patterns | LinkedIn, company directory, press releases | Public |
| Helpdesk phone number | Company website, provider contact page | Public |
| That the helpdesk was outsourced (M&S) | Contractor’s own LinkedIn and job postings | Public |
| Optimal timing for the attack (M&S) | Public holiday calendar | Public |
Every row in this table represents information that existed before the attacker made a decision to target these companies. The information was not stolen. It was collected, aggregated, and reassembled into an attack plan.
What This Means
These are not isolated cases. The CISA advisory on Scattered Spider (AA23-320A, updated July 2025) documents the same methodology across dozens of targets. The same group — or groups using the same playbook — used identical vishing-to-SSO techniques against Caesars Entertainment, Odido, Wynn Resorts, Coinbase, and Match Group. Ericsson lost 15,000 records after a vendor employee was deceived by a single phone call.
The pattern is consistent: public information enables the reconnaissance. Leaked credentials provide the password. A phone call removes the last control. The identity platform — designed to simplify access for employees — becomes the mechanism for total compromise.
Reducing the information that is publicly available about an organisation and its people does not make social engineering impossible. But it makes the reconnaissance harder, the pretext less convincing, and the verification questions more likely to catch a caller who should not be on the line. When an attacker cannot find the IAM administrator’s name on LinkedIn, cannot pull their date of birth from a data broker, and cannot match their email to a leaked password — the 10-minute phone call does not happen. And as AI-generated voice cloning makes impersonation even more convincing, reducing that public footprint becomes more urgent.
How We Investigated This
This article is based on Okta’s September 2023 security advisory on cross-tenant impersonation, the CISA advisory AA23-320A (updated July 2025), Coinbase’s published case study of the February 2023 social engineering attempt, MGM Resorts’ SEC filings and public statements, M&S chairman Archie Norman’s public confirmation of the attack method, DOJ indictment filings against five Scattered Spider members (November 2024), and reporting from BleepingComputer, The Register, and Cybersecurity Dive. No proprietary or client data was used.
If this kind of exposure affects your organisation, a Corporate Audit maps the full surface.