In September 2023, attackers called MGM Resorts' IT helpdesk, impersonated an employee, and obtained administrator access to the company's identity systems in a conversation that reportedly lasted about 10 minutes. The breach shut down slot machines, reservation systems, digital room keys, and payment processing across MGM's Las Vegas properties for multiple days.
Understanding the Identity Attack Surface Stack: This breach demonstrates a complete failure across five critical layers: reconnaissance (OSINT harvesting from LinkedIn), human trust exploitation (helpdesk vishing), identity authority takeover (Okta/Azure AD compromise), infrastructure control (ESXi virtualisation plane access), and operational collapse (casino systems outage). Every stage of the attack maps directly to a distinct layer where defensive controls failed, with each compromise enabling access to the next layer.
Business Impact: $100 million in lost revenue during Q3 2023, plus $40-50 million in incident response and cybersecurity improvements. MGM lost $8.4 million per day during the outage. Operations required pen-and-paper processes while systems remained offline.
Root Cause: The helpdesk verified caller identity using security questions. Attackers obtained the answers through LinkedIn and other publicly accessible sources. Once granted administrator access to MGM's identity platforms (assessed to be Okta and Azure based on industry reporting), attackers controlled authentication to virtually every downstream system. Industry analysis suggests ransomware deployment occurred within approximately 72 hours across 100+ servers powering revenue operations.
Why This Matters: 99% of identity attacks use stolen or guessed passwords. Average breach cost: $4.88 million. When attackers compromise identity systems that control access across your organisation, that cost multiplies. The same group (Scattered Spider) attacked Caesars Entertainment the same month using identical tactics. Caesars paid $15 million ransom.
The Control Failure: MGM's helpdesk authentication process relied on knowledge-based verification, which attackers bypassed using information readily available through open-source intelligence. Organisations that implement callback verification to pre-registered phone numbers or phishing-resistant device-based authentication successfully block these attack patterns. MGM reportedly detected unusual activity approximately 24 hours after the initial phone call but could not contain the attack before ransomware deployment.
Timeline Methodology Note: The following timeline is reconstructed from SEC filings, threat intelligence reporting, and industry analysis. MGM Resorts has not published a detailed incident timeline. Dates marked with citations are verified through official documents; others are approximate based on attack pattern analysis and public reporting.
Date: Unknown (Pre-September 2023)
Event: Scattered Spider conducts reconnaissance on MGM employees via LinkedIn and public sources
Attack Surface Stack Layer: Reconnaissance (OSINT harvesting)
Signal Available to Defenders: Anomalous LinkedIn profile views, OSINT collection on employee data. Minimal detection opportunity without advanced threat intelligence monitoring.
Source: Based on Mandiant reporting of UNC3944 reconnaissance TTPs.
Date: Approximately September 8, 2023
Event: Vishing attack executed against MGM IT helpdesk
Attack Surface Stack Layer: Human trust exploitation (helpdesk vishing)
Signal Available to Defenders: Initial access opportunity. Helpdesk authentication request for high-privilege Okta/Azure administrator credentials. This represented the critical intervention window.
Source: Date inferred from industry reporting; attack vector confirmed by CISA AA23-320A and Mandiant analysis of UNC3944 helpdesk social engineering tactics.
Date: Approximately September 9, 2023
Event: Unusual activity detected within MGM environment
Attack Surface Stack Layer: Identity authority takeover (Okta/Azure AD compromise) transitioning to Infrastructure control (ESXi reconnaissance)
Signal Available to Defenders: Detection opportunity. Anomalous identity platform activity, privilege escalation events, reconnaissance of ESXi infrastructure. 24-hour window before ransomware deployment.
Source: Date inferred from attack pattern timing; detection capability gap documented in Mandiant hardening guidance.
Date: September 11, 2023 (Confirmed)
Event: Ransomware deployed across 100+ ESXi hypervisors; MGM publicly discloses cybersecurity incident
Attack Surface Stack Layer: Operational collapse (casino systems outage)
Signal Available to Defenders: Containment failure. Mass encryption of virtualisation infrastructure supporting slot machines, reservations, digital room keys, websites. Daily revenue loss: $8.4 million. Total Q3 2023 impact: $100 million in losses, $40-50 million in remediation costs.
Source: MGM Resorts SEC Form 8-K filing (October 5, 2023) confirming September 11, 2023 incident discovery and financial impact.
An exploit chain maps the sequence of steps attackers take from initial access to final impact, showing how security controls failed at each stage. This section represents a stepwise traversal of the Identity Attack Surface Stack: each exploit phase below directly corresponds to one layer of the five-layer stack model. The progression demonstrates how compromise at each layer enabled access to the next, creating a cascading failure pattern.
Layer 2: Human Trust Exploitation (Initial Access)
The Vishing Attack Vector: Based on Mandiant forensic analysis of UNC3944 operations, attackers possessed sufficient personally identifiable information (sourced from Layer 1 reconnaissance via LinkedIn and assessed commercial data broker access) to bypass knowledge-based authentication protocols. Native English-speaking threat actors eliminated linguistic detection heuristics that might otherwise trigger suspicion during helpdesk interactions.
The Cognitive Environment of Helpdesk Social Engineering: Helpdesk operators function within time-constrained support workflows where efficiency metrics and procedural compliance take precedence over threat modelling. The cognitive load of handling multiple support requests simultaneously creates conditions where verification becomes ritualistic rather than analytical. When a caller provides correct answers to security questions (information that appears private but is publicly available), the operator experiences cognitive closure: the verification checklist is complete, triggering credential issuance. Authority cues ("I need this before my meeting with the CIO") and familiarity signals (use of internal terminology, knowledge of organisational structure) reduce verification friction. Correct answers create false confidence in legitimacy because the protocol assumes knowledge-based verification equates to identity proof. The operator experiences no decision failure from their perspective; they followed the established protocol correctly. The protocol itself was designed for a threat environment that no longer exists, where attackers lacked industrialised reconnaissance capabilities. Industry reporting suggests the helpdesk agent granted administrator credentials to identity platforms (assessed to be Okta and Azure) within approximately 10 minutes of call initiation.
Layer 3: Identity Authority Takeover (Persistence)
Based on known UNC3944 TTPs documented by Mandiant, attackers likely established persistent access through compromised identity platform administrator accounts. Control over Okta and Azure AD inherently enables creation of additional administrative identities, generation of federated access tokens, and bypass of multi-factor authentication requirements for downstream systems. This layer represents the transition from initial foothold to authoritative control over authentication infrastructure.
Layer 3: Identity Authority Takeover (Privilege Escalation)
Identity platform compromise represents what security practitioners term a Category 0 privilege state: the authority layer above all other administrative access. Administrator access to Okta/Azure AD provides authoritative control over all integrated applications, user accounts, role assignments, and access policies across the organisation. No additional escalation is required; the initial access vector already granted maximum organisational privilege. This represents a fundamental architectural reality: identity platforms function as the authentication authority for all downstream systems, meaning their compromise grants transitive access to the entire integrated technology estate.
Layer 4: Infrastructure Control (Lateral Movement)
Attackers leveraged identity platform authority to authenticate to ESXi hypervisor management interfaces using legitimate credential mechanisms. The surgical targeting of 100+ specific hypervisors (confirmed by SEC filings) indicates reconnaissance of the virtualisation infrastructure occurred during the assessed 72-hour window between initial access and ransomware deployment. Movement was identity-authorised rather than network-exploited: attackers used legitimate authentication mechanisms rather than vulnerability exploitation, rendering traditional network intrusion detection ineffective. The identity platform functioned as designed, granting access based on valid credentials, but those credentials were in adversarial hands.
Layer 5: Operational Collapse (Impact)
Ransomware deployment across ESXi infrastructure hosting revenue-generating systems represents the final layer of the Identity Attack Surface Stack. Operational disruption lasted multiple days, forcing manual processes including pen-and-paper operations for casino transactions. Total financial impact: $100 million in Q3 2023 losses (confirmed by SEC filings), $40-50 million committed to cybersecurity improvements, $8.4 million daily revenue loss during outage period. This layer demonstrates how compromise of identity infrastructure (Layer 3) translated into business-critical system failure through the exploitation of architectural trust relationships embedded in identity platform integration.
The control system refers to the layered security mechanisms organisations deploy to prevent, detect, and respond to attacks. This analysis examines control failures across four critical domains that correspond to different intervention points within the Identity Attack Surface Stack: discovery (visibility into authentication events), identity governance (verification and authorisation protocols at Layer 2: human trust exploitation), prioritisation (risk-based resource allocation reflecting Stack layer criticality), and segmentation (isolation preventing cascading failure across Stack layers).
Discovery failures occur when organisations lack visibility into authentication events that signal compromise. MGM's telemetry gaps prevented detection at three critical intervention points:
• Helpdesk authentication telemetry: No real-time monitoring of knowledge-based authentication patterns, failed verification attempts, or the privilege level of access requests.
• Identity platform activity logging: Insufficient alerting on administrator account creation, bulk permission changes, or access from unusual geographic locations.
• Hypervisor management access: Enumeration and reconnaissance of ESXi infrastructure did not trigger containment procedures during the 72-hour pre-encryption window.
Impact: Attackers operated undetected from initial helpdesk call through infrastructure reconnaissance, eliminating early intervention opportunities.
Identity governance establishes the procedural controls governing credential issuance and privilege assignment. This domain directly maps to Layer 2 (human trust exploitation) of the Identity Attack Surface Stack, where helpdesk authentication serves as the gateway to higher privilege layers. The authentication protocol itself constituted the vulnerability. When verification depends on knowledge that attackers can acquire through reconnaissance rather than cryptographic proof of identity, the procedural boundary becomes exploitable through information gathering alone. As detailed in the exploit chain analysis, helpdesk operators function within cognitive environments where correct answers create false confidence in legitimacy, completing verification rituals without threat assessment. The following governance gaps enabled this procedural failure:
• No dual authorisation requirement: Administrative access to identity platforms (Okta, Azure AD) was granted through single-agent approval rather than requiring independent verification from two separate individuals.
• Insufficient out-of-band verification: The helpdesk lacked callback protocols to pre-verified phone numbers, enabling attackers to maintain control of the authentication channel.
• No MFA for privileged helpdesk operations: Administrative credential issuance did not require phishing-resistant MFA (hardware tokens, certificate-based authentication) to validate the request.
• Lack of time-bound credentials: Based on industry reporting, administrator access granted through the helpdesk appears to have been persistent rather than temporary with automatic expiration.
Impact: Single-channel verification created a procedural trust boundary that social engineering attacks could exploit through information gathering alone.
Prioritisation failures reflect misalignment between threat landscape evolution and defensive investment. Despite documented trends, critical controls remained unaddressed:
• Underinvestment in identity security controls: Despite Microsoft threat intelligence showing 80%+ of enterprise compromises involving identity by 2023, helpdesk authentication protocols remained knowledge-based rather than cryptographically verified.
• Vishing threat model gap: The MGM breach occurred during a documented surge in vishing attacks. Industry reporting suggests vishing rose to 11% of all initial infection vectors with a 442% surge from H1 to H2 2024. This threat vector shift was publicly documented prior to the MGM breach, yet helpdesk controls did not adapt.
• Identity platform criticality misassessment: Administrator credentials for identity platforms (Okta, Azure AD) represent Layer 3 of the Identity Attack Surface Stack: the authentication authority for all downstream systems. Compromise at this layer grants transitive access across the entire integrated technology estate. This architectural criticality was not reflected in the rigour of the access control mechanisms protecting credential issuance.
Impact: Control investment lagged behind attack evolution, leaving high-value targets defended by protocols designed for an earlier threat landscape.
Segmentation failures occur when compromise of one system grants lateral access to critical infrastructure without additional authentication barriers:
• Identity platform as universal access key: Okta and Azure AD integration with ESXi management interfaces meant identity compromise translated directly into hypervisor access without additional authentication barriers.
• Lack of privileged access segmentation: Administrative operations on critical infrastructure (hypervisors hosting revenue systems) did not require separate authentication or access from dedicated privileged access workstations (PAWs).
• Hypervisor management plane exposure: ESXi management interfaces were accessible to identity platform administrators without additional control plane segmentation or just-in-time access requirements.
Impact: Identity platform compromise functioned as an architectural master key. Single-factor social engineering success at Layer 2 (human trust exploitation) cascaded into Layer 3 (identity authority takeover), which then enabled Layer 4 (infrastructure control) through designed trust relationships rather than vulnerability exploitation. The segmentation failure was architectural: identity platforms were integrated as universal authentication authorities without additional control plane isolation.
This attack did not exploit CVE-tracked vulnerabilities. The initial access vector (vishing against helpdesk authentication) represents a process-level weakness rather than a software vulnerability.
Threat Actor Intelligence: Scattered Spider (UNC3944) is a financially motivated threat group active since approximately 2022. The group demonstrates sophisticated OSINT capabilities, native English language proficiency, and specialisation in identity-focused attacks against helpdesk and cloud infrastructure.
Known Exploitation Campaigns: During the same operational window (September 2023), Scattered Spider executed parallel attacks against Caesars Entertainment using identical vishing tactics. Caesars paid approximately $15 million ransom to prevent data disclosure. The simultaneous campaigns demonstrate operational maturity and attack industrialisation.
Time-to-Exploit (TTE): 72 hours from initial helpdesk compromise to full ransomware deployment across 100+ hypervisors. This compressed execution timeline outpaces most incident response playbooks, which assume detection-to-containment windows measured in days or weeks.
Attack Vector Trend Data: The MGM breach occurred during a documented shift in attack methodology. Vishing represented 11% of all initial infection vectors in 2025 (23% in cloud compromises), while traditional email phishing fell to 6%. This "Phishing Inversion" saw vishing surge 442% from H1 to H2 2024, indicating systematic threat actor migration to voice-based social engineering.
Implement out-of-band verification for privilege escalation requests: Mandate callback to pre-registered phone numbers for any helpdesk request involving administrative access or credential resets for privileged accounts. This breaks single-channel social engineering attacks.
Deploy real-time alerting on identity platform administrative actions: Configure immediate SOC notification for new administrator account creation in Okta/Azure AD, bulk permission changes, or access from unusual geographic locations/IP addresses.
Establish dual authorisation requirement for identity authority systems: Require independent verification from two separate individuals before granting administrative access to identity platforms, hypervisor management interfaces, or backup systems. This addresses the single-agent approval vulnerability that enabled the MGM breach at Layer 2 of the Identity Attack Surface Stack.
Enable enhanced logging and monitoring for helpdesk authentication events: Implement telemetry capture for failed verification attempts, repeated authentication requests for the same account, and high-privilege access requests outside normal business hours.
Replace knowledge-based authentication with cryptographic identity verification: Transition helpdesk authentication from "what you know" (answers to security questions) to "what you have" (phishing-resistant MFA using hardware tokens or certificate-based authentication).
Implement privileged access management (PAM) for identity platform administrators: Deploy just-in-time access provisioning with automatic expiration for Okta/Azure AD administrative roles. Require access from dedicated privileged access workstations (PAWs) with enhanced monitoring.
Deploy identity threat detection and response (ITDR) capability: Implement automated detection of identity-based attack patterns including privilege escalation velocity, anomalous authentication patterns, and reconnaissance of sensitive systems post-authentication.
Establish hypervisor management plane segmentation: Isolate ESXi and virtualisation infrastructure management interfaces from general identity platform access. Require separate authentication and just-in-time provisioning for administrative operations on critical infrastructure.
Develop vishing-specific incident response playbooks: Create response procedures that account for attacker execution velocity (hours, not days). Include automated containment capabilities that can disable compromised credentials and isolate affected systems without manual approval chains.
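To make the alerting and helpdesk-telemetry recommendations above concrete, here is an added example (not code from the original article or from any vendor) of detection rules run over a constructed stream of identity-platform audit events. The event-type labels, field names, and the helpdesk verification events are assumptions chosen to resemble an Okta System Log or Entra audit record, not a real vendor schema.

```python
"""Detection rules over a constructed identity-platform audit event stream.

Field names and event-type labels are assumptions for this example; map them
onto your own IdP and helpdesk telemetry. Timestamps are ISO 8601 UTC.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_GRANT = "user.account.privilege.grant"   # assumed label: admin role granted
MFA_RESET = "user.mfa.factor.reset_all"         # assumed label: all MFA factors reset
VERIFY_FAIL = "helpdesk.verify.failure"         # assumed helpdesk telemetry event
VERIFY_OK = "helpdesk.verify.success"           # assumed helpdesk telemetry event
EXPECTED_COUNTRIES = {"US"}                     # where admin-plane actions are expected
ESCALATION_WINDOW = timedelta(minutes=30)       # reset-to-admin and fail-to-success window
FAIL_THRESHOLD = 2                              # failures before a success is suspicious


def _ts(event):
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def detect(events):
    """Return (rule, target_account, ts) alerts for the event stream, in time order."""
    alerts = []
    last_mfa_reset = {}                  # target -> time of most recent MFA reset
    recent_failures = defaultdict(list)  # target -> times of verification failures
    for e in sorted(events, key=_ts):
        t, target, kind = _ts(e), e["target"], e["event_type"]
        if kind == MFA_RESET:
            last_mfa_reset[target] = t
        elif kind == ADMIN_GRANT:
            # Rule 1: every administrator grant pages the SOC, no exceptions.
            alerts.append(("admin_privilege_granted", target, e["ts"]))
            # Rule 2: an admin grant shortly after an MFA reset on the same account
            # is the helpdesk-reset-to-admin velocity pattern.
            reset = last_mfa_reset.get(target)
            if reset is not None and t - reset <= ESCALATION_WINDOW:
                alerts.append(("escalation_after_mfa_reset", target, e["ts"]))
        elif kind == VERIFY_FAIL:
            recent_failures[target].append(t)
        elif kind == VERIFY_OK:
            # Rule 3: a verification success after repeated recent failures for
            # the same account suggests a caller working through guesses.
            fails = [f for f in recent_failures[target] if t - f <= ESCALATION_WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append(("verify_success_after_failures", target, e["ts"]))
        # Rule 4: any admin-plane action from outside the expected geography.
        if kind in (ADMIN_GRANT, MFA_RESET) and e.get("country") not in EXPECTED_COUNTRIES:
            alerts.append(("admin_action_unexpected_geo", target, e["ts"]))
    return alerts


# Constructed sample stream: two failed verifications, then success, MFA reset and
# an admin grant on one account, plus an admin grant on another from an unexpected country.
SAMPLE_EVENTS = [
    {"ts": "2023-09-08T14:02:00Z", "event_type": VERIFY_FAIL, "target": "jdoe",
     "actor": "helpdesk-agent-7", "country": "US"},
    {"ts": "2023-09-08T14:05:00Z", "event_type": VERIFY_FAIL, "target": "jdoe",
     "actor": "helpdesk-agent-7", "country": "US"},
    {"ts": "2023-09-08T14:09:00Z", "event_type": VERIFY_OK, "target": "jdoe",
     "actor": "helpdesk-agent-7", "country": "US"},
    {"ts": "2023-09-08T14:10:00Z", "event_type": MFA_RESET, "target": "jdoe",
     "actor": "helpdesk-agent-7", "country": "US"},
    {"ts": "2023-09-08T14:12:00Z", "event_type": ADMIN_GRANT, "target": "jdoe",
     "actor": "helpdesk-agent-7", "country": "US"},
    {"ts": "2023-09-08T15:30:00Z", "event_type": ADMIN_GRANT, "target": "svc-backup",
     "actor": "jdoe", "country": "RO"},
    {"ts": "2023-09-08T16:00:00Z", "event_type": VERIFY_OK, "target": "asmith",
     "actor": "helpdesk-agent-2", "country": "US"},
]

if __name__ == "__main__":
    for rule, target, ts in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule:32} {target}")
```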
If You Run a Security Program, Check This Now:
☐ Does your helpdesk use out-of-band verification (callback to pre-registered numbers) for administrative access requests?
☐ Do administrative accounts for identity platforms (Okta, Azure AD, similar) require dual authorisation before credential issuance?
☐ Are identity platform administrative actions (new admin accounts, bulk permission changes) generating real-time SOC alerts?
☐ Do you monitor for helpdesk authentication anomalies: failed verification attempts, repeated requests, off-hours high-privilege access?
☐ Is access to hypervisor/virtualisation management interfaces segmented from general identity platform access?
☐ Do you have automated response capabilities that can disable compromised credentials within minutes rather than hours?
☐ Have you tested your incident response playbook against a scenario where attackers complete objectives within 72 hours of initial access?
☐ Are your helpdesk agents trained to recognise vishing tactics specific to native English-speaking threat actors who sound like legitimate employees?
The MGM breach exposes a fundamental architectural flaw in enterprise security: defences optimised for network perimeter threats collapse at procedural trust boundaries. The Identity Attack Surface Stack model demonstrates how this breach progressed through five distinct failure layers, each compromise enabling access to the next. The protocol was the vulnerability. The phone call was the exploit. The identity platform was the target.
What failed was not technology but the assumption that knowledge-based verification could authenticate identity in an environment where attackers industrialise reconnaissance. The helpdesk operator followed protocol correctly. The protocol itself was designed for a threat model that no longer exists. This represents a systemic failure: security controls lagging behind the adversarial reality they were designed to counter.
The control gaps documented in this analysis exist across industries wherever human-authenticated exceptions bypass cryptographic verification (Layer 2 failures), wherever identity platforms function as architectural single points of transitive compromise (Layer 3 criticality), wherever incident response assumes detection-to-containment cycles measured in days rather than the 72-hour execution velocity demonstrated in this attack. The question is not whether your organisation has inherited these architectural vulnerabilities embedded in the Identity Attack Surface Stack. The question is whether you have visibility into where identity authority can be hijacked through a single conversation, and operational capabilities to contain cascade failures before they traverse from Layer 2 through Layer 5, turning a helpdesk call into operational collapse.
Identity telemetry monitoring is the real-time analysis of authentication and access data from identity providers like Azure AD, Okta, and Google Workspace. It focuses on detecting suspicious login behaviour, privilege changes, and session anomalies that may indicate credential theft or account compromise.
SIEM tools often fail because they treat identity logs as passive data rather than behavioural signals. Most lack identity-specific detection rules for threats like MFA bypass, session hijacking, or privilege escalation, meaning attackers can operate inside valid sessions without triggering alerts.
An AitM attack is a phishing technique where attackers intercept authentication sessions in real time. Instead of stealing passwords, they capture session cookies or tokens after MFA completes, allowing them to reuse authenticated sessions without triggering login alerts.
Session hijacking can be detected through behavioural anomalies such as changes in device fingerprint, unusual geographic access during an active session, or mismatched TLS and user-agent signals. Continuous session monitoring and identity telemetry correlation are required to identify these patterns.
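The session-anomaly correlation described above, as an added example that is not part of the original article: each record is one request observed inside an authenticated session, and a session is flagged when its device or network fingerprint departs from what was seen at session start. The record fields (session_id, ua, ja3, country, ts) and the sample data are constructed assumptions, with ja3 standing in for any TLS client fingerprint.

```python
"""Session-hijack indicators over constructed per-request session telemetry.

The first record seen for a session_id is treated as the post-MFA baseline;
later records are compared against it. Field names are assumptions.
"""
from datetime import datetime


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_session_anomalies(records):
    """Return (session_id, reason, ts) tuples for requests whose fingerprint
    differs from the session's baseline. Reasons are emitted in a fixed order."""
    baseline = {}  # session_id -> first record observed for that session
    findings = []
    for rec in sorted(records, key=lambda r: _ts(r["ts"])):
        sid = rec["session_id"]
        first = baseline.setdefault(sid, rec)
        if first is rec:
            continue  # this record established the baseline
        reasons = []
        if rec["ua"] != first["ua"]:
            reasons.append("user_agent_changed")
        if rec["ja3"] != first["ja3"]:
            reasons.append("tls_fingerprint_changed")
        if rec["country"] != first["country"]:
            reasons.append("country_changed")
        # A TLS stack change while the User-Agent stays identical is the
        # replayed-cookie tell: the header claims the same browser, the client does not.
        if "tls_fingerprint_changed" in reasons and "user_agent_changed" not in reasons:
            reasons.append("ua_tls_mismatch")
        findings.extend((sid, reason, rec["ts"]) for reason in reasons)
    return findings


CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0"

# Constructed sample: session s1 continues from a different country and TLS
# stack with the same User-Agent; session s2 stays consistent throughout.
SAMPLE_SESSION_RECORDS = [
    {"session_id": "s1", "ts": "2023-09-08T14:20:00Z", "ua": CHROME_UA,
     "ja3": "aaa111", "country": "US"},
    {"session_id": "s1", "ts": "2023-09-08T14:30:00Z", "ua": CHROME_UA,
     "ja3": "aaa111", "country": "US"},
    {"session_id": "s1", "ts": "2023-09-08T14:55:00Z", "ua": CHROME_UA,
     "ja3": "bbb222", "country": "RO"},
    {"session_id": "s2", "ts": "2023-09-08T14:21:00Z", "ua": CHROME_UA,
     "ja3": "ccc333", "country": "US"},
    {"session_id": "s2", "ts": "2023-09-08T14:40:00Z", "ua": CHROME_UA,
     "ja3": "ccc333", "country": "US"},
]

if __name__ == "__main__":
    for sid, reason, ts in find_session_anomalies(SAMPLE_SESSION_RECORDS):
        print(f"{ts} session={sid} {reason}")
```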
🔗 Identity as Initial Access: Detection, Prevention & Enterprise Defence
This foundational article provides the comprehensive framework for understanding identity-based attacks as an initial access vector, establishing the control taxonomy and defensive principles applied in this MGM breach analysis.
This analysis combines:
• public KEV reporting
• incident response research
• threat intelligence reporting
• operational vulnerability management observations
• publicly documented exploitation case studies
Operational recommendations are intended to support security leaders, SOC teams, vulnerability management programs, infrastructure teams, and executive decision-makers evaluating enterprise remediation readiness.
Timur Mehmet | Founder & Lead Editor
Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor, ITIL and technologies such as Networking, Operating Systems, PKI, Firewalls. For more information including independent citations and credentials, visit our About page.
1. CISA Joint Cybersecurity Advisory: Scattered Spider (AA23-320A)
Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-National Partners
Updated: July 2025
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
Joint advisory from FBI, CISA, RCMP, Australian Signals Directorate's Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS), and UK's National Cyber Security Centre (NCSC-UK) providing tactics, techniques, and procedures (TTPs) obtained through FBI investigations as of June 2025.
2. UNC3944 Targets SaaS Applications
Mandiant (Google Cloud)
Published: June 13, 2024
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
Mandiant analysis of UNC3944 social engineering techniques against corporate help desks, including forensic recordings showing threat actors spoke with clear English and already possessed personally identifiable information of victims to bypass help desk administrators' user identity verification.
3. Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
Mandiant (Google Cloud)
Published: May 6, 2025
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations
Prioritized defensive recommendations based on Mandiant's extensive experience supporting organizations to defend against, contain, and eradicate UNC3944 attacks.
4. MGM Resorts International - Form 8-K Filing
U.S. Securities and Exchange Commission (SEC)
Filed: October 5, 2023
Official SEC filing disclosing $100 million negative impact on Adjusted Property EBITDAR for Las Vegas Strip Resorts and Regional Operations combined, with additional $10 million in consulting and remediation costs.
5. Caesars Entertainment, Inc. - Form 8-K Filing
U.S. Securities and Exchange Commission (SEC)
Filed: September 2023
https://www.sec.gov/Archives/edgar/data/0001590895/000119312523235015/d537840d8k.htm
Official SEC filing documenting Caesars Entertainment cybersecurity incident occurring during the same operational window as MGM breach.
6. Microsoft Digital Defense Report 2024
Microsoft Corporation
Published: October 2024
Coverage Period: July 2023 - June 2024
https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2024
Microsoft Entra data showing password-based attacks make up over 99% of 600 million daily identity attacks. Report documents 7,000 password attacks blocked per second, highlighting persistent nature of identity-based threats.
7. Microsoft Digital Defense Report 2023
Microsoft Corporation
Published: October 2023
Coverage Period: July 2022 - June 2023
Report showing tenfold surge in password-based attacks against cloud identities in Q1 2023, from around 3 billion per month to over 30 billion. Documents that more than 80% of all compromises originate from unmanaged devices.
8. Note on Vishing Statistics
The article cites vishing attack vector statistics (11% of initial infection vectors in 2025, 23% in cloud compromises, 442% surge H1 to H2 2024) attributed to media sources. These specific statistics should be verified against authoritative threat intelligence reports. Primary authoritative sources for vishing trends include:
► CISA Cybersecurity Advisories
► FBI Internet Crime Complaint Center (IC3) Reports
► Mandiant M-Trends Annual Reports
► Verizon Data Breach Investigations Report (DBIR)
► CrowdStrike Global Threat Report
This analysis synthesises information from official government cybersecurity advisories, threat intelligence from leading security vendors (Mandiant/Google Cloud), regulatory filings with the U.S. Securities and Exchange Commission, and Microsoft's enterprise telemetry covering 78+ trillion security signals per day. All technical attribution and threat actor TTPs are derived from these authoritative sources rather than media reporting.