Most organizations have strengthened MFA and endpoint controls, but those protections can still be bypassed if identity is incorrectly established at the start.
Numerous high-profile breaches in recent years have highlighted a critical weakness in enterprise security. The 2025 M&S ransomware attack cost the UK retailer around £300 million ($397 million) in operating profit. Two years earlier, MGM Resorts reported losses of more than $100 million after attackers caused widespread outages across its Las Vegas properties.
This post is sponsored by Specops.
A common thread runs through these attacks: socially engineering the service desk. Rather than exploiting previously unknown vulnerabilities, attackers manipulated legitimate support processes to compromise accounts and gain access to critical systems. As phishing, vishing and other social engineering techniques become more convincing with the help of artificial intelligence (AI), these attacks are becoming increasingly difficult to spot.
The onboarding process is one of the most exposed parts of this evolving threat landscape. Against these challenges, security teams need robust measures that establish trust before access is granted.
Service desks have always played a role in identity management, but the job has become significantly harder over the last few years.
Remote and hybrid working means that onboarding employees, contractors and third-party partners now often occurs without HR or the IT team ever meeting them face-to-face. Global hiring and outsourced support models have also increased the number of interactions that take place remotely. As a result, service desk teams are now required to establish trust with limited context and are under pressure to get users up and running quickly.
While organizations have invested heavily in stronger passwords, multifactor authentication (MFA), Conditional Access policies and endpoint security, threat actors are shifting away from attacking accounts head-on. Instead, they’re targeting the people and processes that sit around them, including identity verification and password resets.
AI is supporting those attacks by making social engineering more convincing and scalable, from AI-generated phishing emails to cloned voices and synthetic identity documents.
That’s a particular concern when onboarding an employee. New starters need credentials, access and support before they have established a trusted identity within the organization, placing the onboarding process directly in the path of many modern social engineering attacks.
Before a new employee can access corporate resources, the organization needs confidence that the right person is receiving the right credentials and access. For security teams, that challenge can be broken down into three key questions.
Whether an organization uses passwords, Temporary Access Passes or passwordless authentication, there is still a point at which initial credentials or access methods must be issued to a new starter. If those credentials are intercepted, shared insecurely or delivered to the wrong person, attackers could gain access before the employee even logs in for the first time.
Secret questions like “What is your mother’s maiden name?” and “What is the name of your first pet?” are a common way to authenticate users, and in theory the answers are unique. However, threat actors can use publicly available information and social engineering to uncover those answers. With face-to-face verification less common in 2026, organizations need stronger ways to verify identity before issuing credentials.
Social engineering attacks against major enterprises demonstrate the risk facing the service desk. If robust identity verification is not built into the process, every support interaction becomes a potential opportunity to bypass security controls.
The failure often starts with a mundane request: “I changed phones and need MFA set up again,” “I’m locked out before an urgent meeting,” or “HR told me my account should already be active.” If the process depends on the helpdesk agent judging whether the story sounds reasonable, the attacker has already shifted the decision from a security control to a human persuasion exercise.
Taken together, these three challenges form the foundation of secure onboarding. Organizations need confidence that credentials are delivered securely, identities are verified accurately and service desk interactions remain resilient against social engineering attacks.
A secure onboarding process should start with the control model, not the product. Organizations need a repeatable way to remove insecure credential handoff, verify the person behind the request and prevent service desk teams from completing sensitive actions until identity has been confirmed.
Once that model is defined, tools such as Specops Secure Onboarding can help implement it by verifying new hire identity, eliminating the need to distribute temporary passwords via email or SMS, and blocking unverified service desk actions.

The first challenge to solve is ensuring that initial credentials reach the intended recipient. Too many organizations still rely on email, SMS or manual processes to distribute first-day passwords and temporary credentials, despite the risks associated with interception and phishing.
This usually happens because teams are trying to be helpful. A new starter cannot access a portal, so someone resends credentials. A manager wants the employee productive quickly, so IT works around the normal process. Those exceptions may solve an immediate onboarding problem, but they also create an opportunity for the wrong person to receive or reuse the credential.
The preferred model is to avoid sharing a password in the first place. Instead of having IT create and distribute a temporary credential, the onboarding flow should allow the new hire to create their own password through a secure enrolment process. Specops Secure Onboarding supports this model by letting IT share a secure enrolment link with new hires, alongside instructions explaining how to create a strong Active Directory password.
Once credentials have been delivered, organizations need confidence that the person requesting access is genuinely the individual who was hired.
Traditional knowledge-based verification methods are no longer sufficient on their own. The stronger control is identity proofing that verifies a real person is present and matches that person against a trusted document before credentials are activated or access is granted. Specops Secure Onboarding applies this approach using biometric liveness detection and government-issued ID checks to reduce the risk of impersonation and account takeover.
Even after onboarding is complete, the service desk remains a high-value target. Attackers frequently attempt to exploit password reset procedures, MFA recovery processes and account unlock workflows to gain access to legitimate accounts.
To counter this threat, service desk workflows should enforce identity verification before agents can complete sensitive actions such as password resets, account unlocks or MFA recovery. Specops Secure Onboarding implements that pattern by blocking agents from taking action until the caller’s identity is confirmed, helping support teams make trust decisions with greater confidence.
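The gate described above can be sketched as a server-side check that sits in front of the service desk tooling. This is an added example, not Specops code: the `Verification` record, the `authorize` function, the account names and the 15-minute freshness window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Actions the article names as requiring confirmed identity.
SENSITIVE_ACTIONS = {"password_reset", "account_unlock", "mfa_recovery"}
MAX_AGE = timedelta(minutes=15)  # assumed freshness window for a proofing result


@dataclass
class Verification:
    user: str               # account the identity proofing was performed for
    passed: bool            # outcome of the liveness + ID document check
    completed_at: datetime
    used: bool = False      # one verification authorizes one sensitive action


def authorize(action, user, verifications, now, agent_note=""):
    """Return (allowed, reason). agent_note is kept for the audit trail only;
    it is deliberately never consulted, so a persuasive story cannot unlock
    an action that lacks a verification record."""
    if action not in SENSITIVE_ACTIONS:
        return True, "not a sensitive action"
    record = verifications.get(user)
    if record is None or not record.passed:
        return False, "no passed identity verification for this user"
    if now - record.completed_at > MAX_AGE:
        return False, "verification expired"
    if record.used:
        return False, "verification already consumed"
    record.used = True
    return True, "verified"


# Constructed sample data: three accounts with different verification states.
NOW = datetime(2026, 1, 12, 9, 0, tzinfo=timezone.utc)


def sample_store():
    return {
        "asmith": Verification("asmith", True, NOW - timedelta(minutes=5)),
        "bjones": Verification("bjones", True, NOW - timedelta(hours=3)),
        "cdoe": Verification("cdoe", False, NOW - timedelta(minutes=1)),
    }


if __name__ == "__main__":
    store = sample_store()
    for user in ("asmith", "asmith", "bjones", "cdoe", "dlee"):
        print(user, authorize("mfa_recovery", user, store, NOW, "changed phones"))
```

The decision depends only on the verification record for the target account, so the agent cannot complete the action on the strength of the caller's explanation alone.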
The practical goal is to make verified identity the default for onboarding and service desk workflows. Specops Secure Onboarding helps organizations apply that model by placing identity verification at the center of the process, delivering:
If you’re interested in seeing how Specops Secure Onboarding can help your service desk defend against sophisticated social engineering attacks, contact us today or book a demo.