
MGM & Caesars: Human-Factor Attacks and Lessons Learned


By Ryan Windt | Head of Growth Marketing | Updated April 2026

In September 2023, two of the largest casino and hospitality companies in the world were compromised within weeks of each other. Caesars Entertainment reportedly paid a ransom of around $15 million to prevent the release of stolen data. MGM Resorts did not pay, and absorbed more than $100 million in business impact as a result: slot machines offline, hotel check-in systems down, digital room keys failing, restaurant point-of-sale systems unavailable. The disruption lasted days and was visible to millions of guests.

The entry point for both attacks was not a zero-day exploit. It was not an unpatched server. It was a phone call to a help desk.

Attackers posing as employees called IT support, persuaded agents to reset account credentials and enroll new MFA factors, and used that access to move through the environment. The technical complexity of the intrusion that followed was real. But it never would have happened if the help desk had not been manipulated into opening the door.

Three years later, this playbook remains active and is getting more sophisticated. Understanding exactly how these attacks work, what they cost, and what controls actually stop them is not a case study exercise. It is a practical checklist for any organization that runs a help desk, manages employee identities, or carries cyber insurance.


How the Attack Actually Worked

The MGM and Caesars intrusions were carried out by a group researchers track as Scattered Spider, a loose affiliate network that works with ransomware gangs including ALPHV/BlackCat. What makes Scattered Spider distinctive is not their technical capability. It is their social engineering discipline.

Their standard approach begins with open-source intelligence. They research target organizations on LinkedIn, identify employees by name and role, find the right person to impersonate, and then call the IT help desk posing as that employee. The call follows a script designed to produce urgency: a locked account, a critical system they cannot access before a meeting, a travel situation that makes normal verification difficult. Under that pressure, help-desk agents who have not been specifically trained to resist these scenarios frequently comply.

Once credentials are reset and a new MFA factor is enrolled under the attacker’s control, the organization’s own authentication infrastructure becomes the attacker’s access mechanism. They are logging in legitimately from the identity provider’s perspective. Every downstream system that trusts that identity is now accessible.

From there, Scattered Spider moves laterally through the environment, elevates privileges, accesses data repositories, and deploys ransomware or exfiltrates data depending on the target’s negotiating posture. The dwell time between initial access and ransomware deployment in the MGM incident was reportedly less than four days.

CISA’s advisory on ALPHV/BlackCat affiliates describes exactly this tradecraft: posing as IT or help-desk staff, using phone and SMS to manipulate employees into handing over credentials or resetting MFA factors, and treating identity infrastructure as the primary attack surface rather than the network perimeter.


What Happened Next (2024 and 2025)

The Scattered Spider playbook did not stop with MGM and Caesars. The same identity-manipulation approach appeared across dozens of subsequent high-profile incidents.

Snowflake customer compromises (2024). A wave of data theft affected approximately 165 organizations through their Snowflake cloud environments. The common thread was not a Snowflake vulnerability. It was customer accounts where MFA was not enforced. Attackers used stolen credentials from infostealer malware markets to log in directly. Mandiant attributed the campaign to the threat actor tracked as UNC5537 and noted the absence of MFA as the consistent enabling factor.

CDK Global (2024). After suffering two separate incidents, CDK Global warned its dealer customers that attackers were now making follow-on social engineering calls, impersonating CDK support staff to regain access after CDK had cut the original intrusion. The company’s breach became a platform for further identity manipulation of its customers.

Change Healthcare (2024). Attackers used stolen credentials to log into a remote access service that lacked MFA enforcement. They deployed ALPHV/BlackCat ransomware, triggering a shutdown of claims processing infrastructure that affected healthcare providers across the United States. The total financial impact exceeded $1 billion when business interruption losses across the sector were accounted for.

2025. Law enforcement and industry briefings indicate that Scattered Spider and similar groups have expanded their targeting of collaboration tools, specifically Slack and Microsoft Teams, as a vector for help-desk manipulation. Attackers join external channels, impersonate vendors or contractors, and use the perceived legitimacy of the platform to request credential resets or MFA enrollment changes.

The pattern is consistent across all of these: identity is the target, social engineering is the entry method, and the absence or weakness of help-desk verification is what makes it work.


Why This Attack Pattern Is Getting Harder to Stop

Two developments have made help-desk social engineering materially more difficult to defend against since the MGM attack.

AI-generated voice and video. In 2024 and 2025, documented cases emerged of attackers using AI to clone executive voices and generate deepfake video in real time. An employee in Hong Kong transferred $25 million after a video call that appeared to include multiple senior company executives, all of whom were AI-generated. The technology required to run this attack costs almost nothing and is improving rapidly. Phone-based verification that relies on recognizing a voice is no longer a reliable control. The AI social engineering post covers how this exposure is evolving and what it means for insurance coverage.

Scale and automation. What Scattered Spider demonstrated as a manual, high-skill operation has been partially automated and packaged by other groups. Help-desk manipulation scripts, phishing kits that harvest session tokens in real time, and adversary-in-the-middle proxy frameworks are commercially available on criminal forums. The barrier to running this type of attack has dropped significantly since 2023.


The Five Controls That Would Have Stopped the MGM Attack

None of what happened at MGM or Caesars required exotic defenses. Each of the following controls, if properly implemented, would have broken the attack chain at a different point.

1. High-assurance help-desk verification.

The attack succeeded because a help-desk agent was persuaded to reset MFA credentials without verifying the caller’s identity through a reliable mechanism. The fix is a written, enforced procedure: no password resets or MFA factor enrollments for any privileged account without live identity proofing through a pre-established second channel, plus a second approver for any high-risk action. The callback must go to a number already on record, not one provided by the caller. Log and review every MFA reset daily. This single procedure closes the specific vector used in the MGM attack.

2. Phishing-resistant MFA for administrators and privileged accounts.

Standard app-based TOTP and push notification MFA can be bypassed through real-time phishing proxies and MFA fatigue attacks. FIDO2 security keys and passkeys are resistant to these bypass methods because the authentication is cryptographically bound to the legitimate site. They cannot be replayed on a phishing page. For any account with administrative access to identity infrastructure, email, RMM tools, or financial systems, phishing-resistant MFA is the correct standard. Our MFA implementation guide covers what carriers now require and how to document compliance.

3. Privileged access management with just-in-time elevation.

MGM and Caesars attackers moved quickly once inside because persistent privileged accounts existed across the environment. Removing standing administrative access and replacing it with just-in-time elevation, where admin rights are granted for a specific approved task and then revoked, limits what any single compromised account can do. Paired with session recording and multi-person approval for high-impact actions like deploying scripts or modifying authentication configurations, PAM makes lateral movement substantially harder. The PAM and cyber insurance post covers what this looks like in practice and why underwriters now treat it as a core requirement.

4. EDR with 24/7 monitoring and fast containment.

Once an attacker is inside the environment, endpoint detection and response tools are what shorten the time between initial access and containment. In the MGM incident, attackers had days of undetected dwell time to move through the network before ransomware was deployed. An EDR deployment with active monitoring and documented response playbooks for credential theft and lateral movement indicators compresses that window. The difference between a contained incident affecting one segment and a $100 million enterprise-wide shutdown often comes down to detection speed. Our EDR and cyber insurance post covers what full deployment looks like and how underwriters verify it.

5. Network segmentation.

The reason MGM’s slot machines, hotel systems, and restaurant POS went offline simultaneously is that they shared network infrastructure that an attacker with access to one segment could traverse to reach the others. Segmentation between IT and operational systems, between guest-facing and back-office environments, and between different business units limits blast radius. An attacker who gets into one segment cannot immediately shut down the whole operation. For hospitality, healthcare, and manufacturing businesses in particular, IT/OT segmentation is an increasingly hard underwriting requirement.

These five controls are also the core of what underwriters verify in a cyber insurance application. The cyber insurance requirements checklist maps each of them to the documentation carriers specifically ask for.


What the Evidence Pack Looks Like

Carriers have moved from checkboxes to documentation. Saying you have MFA is not the same as showing a policy export that proves it is enforced across 100% of users with no exceptions. Here is what underwriters want to see for the controls most relevant to this attack pattern.

MFA. A user export from your identity provider showing MFA enrollment status across all accounts. Policy screenshots showing conditional access rules that block sign-in attempts failing MFA. Separate documentation for administrator accounts showing that phishing-resistant methods (FIDO2 or passkeys) are enforced. Help-desk MFA reset procedures, in writing, with evidence of staff training.

PAM. A screenshot or export showing that no standing global admin accounts exist outside break-glass procedures. Documentation of the just-in-time elevation workflow including ticket linkage and approval requirements. Session recording policy for high-privilege actions.

EDR. A coverage report from your EDR or MDR platform showing agent installation percentage across all endpoints and servers, with health status. Alert policy screenshots. On-call escalation documentation. Last 90-day alert metrics.

Incident response. A summary of your IR plan with documented roles, decision thresholds, and carrier/broker notification procedures. Evidence of a tabletop exercise in the last 12 months: a calendar invitation, a redacted after-action report, a list of remediation items and their closure status.

Bringing this documentation to a renewal conversation shifts the underwriting dynamic from a generic application to a demonstrated posture. Carriers price for the risk they can see. When your controls are documented and verifiable, you are negotiating from a position of strength.


What This Means for Your Cyber Insurance

The MGM and Caesars attacks, and the pattern of identity-based intrusions that followed them, have directly shaped how cyber policies are written and what underwriters require before binding coverage.

Social engineering at the help-desk level is precisely the type of attack that triggers business interruption claims. MGM’s $100 million loss was almost entirely a business interruption loss. Those numbers were not driven by stolen data. They came from operational downtime, guest-facing system failures, and the cost of recovery. Understanding how your policy handles that scenario matters. Our business interruption post covers how BI coverage works, where policies commonly fall short, and what to verify before a claim.

The social engineering angle also has direct coverage implications for any funds transfer fraud that occurs during an intrusion. If an attacker who gained access via help-desk manipulation subsequently redirected a wire transfer or compromised an executive email account to authorize a payment, that loss may fall under the eCrime insuring agreement rather than the standard cyber coverage. Social engineering and funds transfer fraud coverage explains how those provisions work and what sublimits to check.

For businesses whose operations depend heavily on insider risk controls, the MGM attack is a concrete illustration of what happens when the trusted insider model is exploited from the outside. An attacker with valid credentials and an enrolled MFA factor is indistinguishable from a legitimate employee from most monitoring systems’ perspective. The controls that catch them are behavioral: anomalous access patterns, unusual sign-in locations, lateral movement indicators, and privilege escalation alerts. All of these depend on having centralized logging and detection in place.
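The daily MFA-reset review from control 1 and the behavioral detection this paragraph describes can be built from the same identity-provider audit trail. The following is an added example, not code from the original post or from any vendor: it parses a constructed audit log (the event names, field names and locations are assumptions, not any real provider's schema), lists every reset performed by someone other than the account owner, and flags a sign-in that follows such a reset from a location the account has never used.

```python
import re
from datetime import datetime, timedelta
# Constructed sample identity-provider audit events (not real logs); field
# names are illustrative and must be mapped to your own provider's export.
SAMPLE_EVENTS = """\
2023-09-06T10:00:00Z signin.success user=a.roe actor=a.roe loc=LasVegas-US
2023-09-07T10:00:00Z mfa.factor.reset user=a.roe actor=helpdesk.agent2 loc=-
2023-09-07T10:20:00Z signin.success user=a.roe actor=a.roe loc=LasVegas-US
2023-09-08T09:00:00Z signin.success user=j.doe actor=j.doe loc=LasVegas-US
2023-09-08T14:02:10Z mfa.factor.reset user=j.doe actor=helpdesk.agent1 loc=-
2023-09-08T14:05:41Z mfa.factor.enroll user=j.doe actor=j.doe loc=-
2023-09-08T14:09:03Z signin.success user=j.doe actor=j.doe loc=Toronto-CA
"""
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) actor=(\S+) loc=(\S+)$")
WINDOW = timedelta(hours=24)  # how long after a reset a first-seen location is suspicious

def parse_events(text):
    """Parse one event per line into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ts, event, user, actor, loc = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event": event, "user": user, "actor": actor, "loc": loc})
    return sorted(events, key=lambda e: e["ts"])

def helpdesk_resets(events):
    """All MFA resets performed by someone other than the account owner: the daily review list."""
    return [e for e in events if e["event"] == "mfa.factor.reset" and e["actor"] != e["user"]]

def suspicious_post_reset_signins(events):
    """Sign-ins within WINDOW of a help-desk reset from a location never seen for that account."""
    known = {}    # user -> locations seen in earlier successful sign-ins
    pending = {}  # user -> most recent help-desk-initiated reset
    alerts = []
    for e in events:
        u = e["user"]
        if e["event"] == "mfa.factor.reset" and e["actor"] != u:
            pending[u] = e
        elif e["event"] == "signin.success":
            r = pending.get(u)
            if r and e["ts"] - r["ts"] <= WINDOW and e["loc"] not in known.get(u, set()):
                alerts.append({"user": u, "reset_by": r["actor"], "reset_at": r["ts"],
                               "signin_at": e["ts"], "new_location": e["loc"]})
            known.setdefault(u, set()).add(e["loc"])
    return alerts
```

On the sample data, a.roe's post-reset sign-in matches a known location and is not flagged, while j.doe's sign-in from a first-seen location seven minutes after a help-desk reset is; both resets still appear on the daily review list regardless.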


The Lesson That Has Not Changed

Attackers do not need to break your security if they can convince someone to let them in. The casino attacks were a very public demonstration of this, but the underlying vulnerability exists in every organization that runs a help desk, has employees who can be researched on LinkedIn, and has not implemented specific procedures to prevent identity manipulation.

The controls that would have stopped MGM are not expensive or exotic. They are procedural discipline, phishing-resistant MFA, just-in-time access management, and fast detection. Organizations that have documented and implemented these controls consistently get better insurance terms, and more importantly, consistently recover faster when something does go wrong.


SeedPod Cyber specializes in cyber and Tech E&O coverage for businesses of all sizes. Contact us for a coverage review or quote.
