Scattered Lapsus$ Hunters recruits women for paid helpdesk vishing

  • Threat type: Social engineering recruitment for vishing operations
  • Primary tactic: IT helpdesk impersonation to obtain account resets and MFA changes
  • Exploitation status: Observed recruitment activity on public Telegram; downstream targeting likely (based on established TTPs) (The Register)
  • Confidence: Moderate (recruitment posts and analysis are public, but operational follow-through and victimology are not yet public)
  • Sectors at risk: Any organisation with outsourced or high-volume service desk operations; SaaS-heavy environments
  • Regions at risk: Global (historically strong activity in US, UK, Canada) (cisa.gov)

Executive Summary

Scattered Lapsus$ Hunters (SLH, also styled SLSH in some reporting) is advertising for female callers to conduct vishing against IT helpdesks, offering $500 to $1,000 per call and providing scripts to recruits, according to Dataminr’s monitoring of public Telegram activity and reporting by The Register. (Dataminr) The stated intent is to increase the success rate of helpdesk impersonation by diversifying voice profiles and bypassing staff expectations about what an “attacker” sounds like. (Dataminr)

The activity matters because helpdesk-led intrusions remain a reliable path to credential compromise, MFA enrolment abuse, and subsequent data theft or ransomware deployment, particularly in environments with weak identity proofing and recoverable MFA. (cisa.gov) Security teams should treat this as a near-term signal to harden service desk processes, prioritise phishing-resistant MFA, and improve monitoring around account recovery workflows.

Context

Dataminr reports that on 22 February 2026 it observed public Telegram posts indicating SLH was recruiting women for targeted vishing, with up-front per-call payments and scripts. (Dataminr) The Register corroborated the recruitment drive and noted prior SLH crowdsourcing behaviour, including earlier Telegram messaging offering small payments for harassment of executives in extortion contexts (claims from the group about payouts were not independently verified). (The Register)

This aligns with broader, well-documented patterns for the Scattered Spider ecosystem, which CISA describes as targeting large organisations and their contracted IT helpdesks to gain access. (See CISA’s Scattered Spider advisory.) (cisa.gov) CrowdStrike reporting similarly highlights phone-based impersonation against helpdesks and privileged users as a recurring initial access vector. (See CrowdStrike’s observations on Scattered Spider escalation.) (crowdstrike.com)

Technical Analysis

Observed tradecraft: monetised voice operations

The recruitment pitch is operationally significant for two reasons:

  1. Role specialisation at scale: Paying per call and issuing scripts suggests SLH is productising social engineering as a repeatable workflow rather than relying solely on core members. (Dataminr)
  2. Voice-profile evasion: Seeking female voices is a straightforward but potentially effective way to reduce suspicion when helpdesk staff are trained on narrow attacker stereotypes, particularly in fast-paced password reset queues. (Dataminr)

Likely intrusion path (based on established Scattered Spider patterns)

While Dataminr’s brief is about recruitment rather than a specific intrusion, the intended outcome is consistent with known service-desk compromise chains:

  • Impersonate employee or contractor to request password resets, MFA changes, or device enrolment.
  • Pivot into SSO/SaaS admin surfaces and sensitive applications.
  • Pursue data theft and, in some cases, broader enterprise compromise.

Google’s GTIG has documented related ecosystems targeting SaaS applications through social engineering and identity workflow abuse (see GTIG on UNC3944 targeting SaaS). (Google Cloud)

MITRE ATT&CK mapping (most relevant)

  Tactic             Technique ID   Technique name                                    Relevance to this activity
  Initial Access     T1566          Phishing (incl. voice-based social engineering)   Vishing to manipulate service desk workflows
  Credential Access  T1078          Valid Accounts                                    Goal is to obtain working credentials or reset access
  Defence Evasion    T1556          Modify Authentication Process                     Helpdesk-driven MFA/device changes (common in similar cases)
  Persistence        T1098          Account Manipulation                              Enrol attacker-controlled factors/devices via recovery flows

Note: These techniques are mapped to the recruitment’s stated objective and widely reported Scattered Spider/UNC3944-style helpdesk abuse, not to a specific confirmed victim incident in this reporting. (Dataminr)

Impact Assessment

Direct impact is likely to manifest as increased success rates for helpdesk impersonation, leading to faster account takeover, higher MFA bypass rates (via enrolment abuse), and more frequent downstream data theft incidents. The most exposed organisations tend to have: outsourced service desks, permissive account recovery, SMS/voice-call MFA, weak identity proofing, and limited telemetry on identity workflows. (cisa.gov)

Incident Response Guidance

If you suspect service-desk vishing or unauthorised recovery actions:

  • Containment
    • Immediately freeze high-risk identity operations: password resets, MFA enrolment, and device registration for impacted users.
    • Revoke active sessions and refresh tokens for suspicious accounts, prioritising admins and service accounts.
  • Forensics and triage
    • Pull service desk call logs, ticket transcripts, and identity verification artefacts for the relevant window.
    • Review IdP logs for MFA factor additions, recovery email/phone changes, and unusual enrolment locations.
    • Hunt for anomalous SSO activity: new device fingerprints, impossible travel, and access to high-value SaaS apps shortly after helpdesk interactions.
  • Recovery
    • Re-issue credentials and MFA using out-of-band verification and manager approval.
    • Validate admin roles and API integrations for unauthorised changes, especially in Salesforce and other critical SaaS platforms if you have relevant integrations. (Google Cloud)

Mitigation Recommendations

Service desk hardening should be treated as a priority control plane, not a training problem:

  • Upgrade identity proofing
    • Require multi-party verification for resets and MFA changes (manager sign-off or known internal callback).
    • Use video verification or secondary internal verification for high-privilege accounts, as recommended in Dataminr’s guidance cited by The Register. (The Register)
  • Reduce recoverable MFA
    • Prioritise phishing-resistant MFA (FIDO2 / passkeys) for privileged and high-risk users.
    • Restrict or retire SMS/voice MFA paths where feasible, and tightly gate factor enrolment.
  • Instrument the workflow
    • Alert on: MFA factor addition, recovery detail changes, repeated reset attempts, and resets followed by privileged actions inside short time windows.
    • Correlate helpdesk tickets with identity events (ticket ID as metadata in IdP change records).
  • Train for modern vishing
    • Explicitly brief helpdesk staff that attackers may use varied voice profiles and scripts, and that urgency is a manipulation tactic.
    • Use scenario drills focused on enrolment abuse, not just password resets.
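The following is an added illustration (not code from Dataminr, The Register or any vendor) of the correlation described under "Instrument the workflow" and the IdP log review in the Incident Response Guidance: IdP change records are joined to helpdesk tickets by ticket ID and flagged when a reset or factor change lacks a matching, verified ticket, when resets repeat, or when a privileged action follows a reset inside a short window. The event schema, field names, ticket format and thresholds are assumptions, and the log lines are constructed samples.

```python
# Added example: correlate constructed IdP change events with helpdesk tickets.
# Field names, ticket format and thresholds are assumptions, not any vendor's schema.
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)    # reset -> privileged action window to alert on
RESET_THRESHOLD = 2               # resets per user that count as "repeated"
SENSITIVE = {"mfa_factor_added", "recovery_phone_changed", "recovery_email_changed"}

# Constructed sample IdP change records; "ticket" is the helpdesk ticket ID metadata.
EVENTS = [
    {"ts": "2026-02-23T09:00:00", "user": "a.lee", "action": "password_reset", "ticket": "HD-1001"},
    {"ts": "2026-02-23T09:05:00", "user": "a.lee", "action": "mfa_factor_added", "ticket": "HD-1001"},
    {"ts": "2026-02-23T10:10:00", "user": "b.ng", "action": "password_reset", "ticket": None},
    {"ts": "2026-02-23T10:12:00", "user": "b.ng", "action": "mfa_factor_added", "ticket": None},
    {"ts": "2026-02-23T10:20:00", "user": "b.ng", "action": "admin_role_granted", "ticket": None},
    {"ts": "2026-02-23T11:00:00", "user": "c.ray", "action": "password_reset", "ticket": "HD-1002"},
    {"ts": "2026-02-23T11:30:00", "user": "c.ray", "action": "password_reset", "ticket": "HD-1002"},
]
# Constructed sample helpdesk tickets, with the identity-proofing step recorded (or not).
TICKETS = {"HD-1001": {"user": "a.lee", "verified": "manager_callback"},
           "HD-1002": {"user": "c.ray", "verified": None}}

def analyse(events, tickets):
    """Return (user, finding) tuples for the recovery-workflow patterns in the guidance."""
    findings = []
    resets = {}   # user -> timestamps of password resets seen so far
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user, action, tid = e["user"], e["action"], e["ticket"]
        ticket = tickets.get(tid)
        # A reset or factor change must trace to a ticket for the same user with proofing done.
        if action in SENSITIVE or action == "password_reset":
            if ticket is None or ticket["user"] != user:
                findings.append((user, f"{action} without matching helpdesk ticket"))
            elif not ticket["verified"]:
                findings.append((user, f"{action} on ticket {tid} with no identity proofing"))
        if action == "password_reset":
            resets.setdefault(user, []).append(ts)
            if len(resets[user]) >= RESET_THRESHOLD:
                findings.append((user, "repeated password resets"))
        # Privileged action shortly after a reset is the classic helpdesk-abuse sequence.
        elif action.startswith("admin_"):
            if any(ts - r <= WINDOW for r in resets.get(user, [])):
                findings.append((user, f"{action} within {WINDOW.seconds // 60} min of a password reset"))
    return findings

if __name__ == "__main__":
    for user, finding in analyse(EVENTS, TICKETS):
        print(f"ALERT {user}: {finding}")
```

In the sample, a.lee's ticketed and verified reset produces no alert, while b.ng (no ticket, admin role within the window) and c.ray (unverified, repeated resets) do.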

Further Reading