Social engineering is a misconfiguration
Human error in identity workflows is a misconfiguration, not incompetence - how Scattered Spider, 0ktapus and MFA fatigue exploit the validation gap.
A misconfiguration is a control set to the wrong value. Nothing more. The personnel gap that attackers exploit belongs to the same defect class - a validator that accepts input it should reject, pushed to production without review. The “n00b” framing misreads the failure. Individual competence is not the variable under attack. The variable is whether the organisation built a process that checks identity, intent, and authorisation before granting access. When that process is absent, the human becomes a control that returns true for every call.
This is not incompetence. It is a missing bounds check expressed in process.
Map the surface. A help desk operator resets credentials. A new hire approves an access request. A contractor holds a federated token. Each sits on a trust boundary - the line where unauthenticated intent crosses into authorised action. The control at that boundary is supposed to validate the caller before it acts. CWE-16, configuration. CWE-1188, insecure default. CWE-269, improper privilege management. The codes describe software defects. The same defects live in onboarding documents and ticket queues. The difference is that no scanner flags them and no CVE is assigned. These gaps do not get a CVE ID. They get an 8-K filing.
The title’s provocation points at the real defect. An operator hired to complete tasks optimises for ticket closure. Throughput is the measured value. Validation is friction against that value. A service desk graded on time-to-resolution will, under load, drop the verification step that adds ninety seconds to a call. The metric configured the behaviour. The attacker exploits the metric, not the person. This is why the same intrusion repeats across unrelated organisations - they share the same incentive defect, not the same staff.
The bug class is a trust boundary violation driven by missing validation. The operator was never required to demand a second proof of identity before a reset. The default behaviour is to help the caller. The default value is wrong. An attacker who understands the process does not need a memory corruption primitive. The primitive is already present - a human validator with no guard on its input.
Operational discipline is the runtime enforcement of the validation the training installed. Knowledge without discipline degrades under pressure, and social engineering manufactures the pressure. Urgency, authority, a plausible pretext. The script pushes the operator past the verification step using the same stress conditions that cause a tired analyst to approve a change without reading the diff. T1656, impersonation. The defect is not absence of knowledge. It is absence of a control that holds when the knowledge is inconvenient.
Exploitation follows the path of least resistance, which is the identity layer. T1566, phishing. T1566.004, spearphishing voice - vishing the help desk. T1078, valid accounts. T1199, trusted relationship. The attacker calls the service desk, presents harvested employee data, and requests a password or MFA reset. The operator follows the documented procedure. The procedure does not require callback verification or manager approval. The reset completes. The attacker now holds valid credentials and enrols a new MFA factor - T1098.005, device registration. Every subsequent authentication is legitimate by every technical measure the platform applies.
Where the operator is not the entry point, the user is. T1621, MFA request generation. The attacker holds a valid password and triggers repeated push notifications until the user approves one to stop the noise. The approval is genuine. The session is real. The control validated possession of a credential and a tap - both supplied by the legitimate user, neither indicating consent to the actual login.
The network view adds one signal. Credential relay runs through an adversary-in-the-middle proxy - T1557 - an Evilginx-class reverse proxy sitting between the user and the real identity provider. The user authenticates against a typosquatted domain registered hours earlier. The proxy passes every field through to the legitimate IdP and captures the resulting session cookie. The IOCs are a newly registered domain resembling the IdP hostname, TLS termination at an unfamiliar host, and a session token first seen from a residential connection, then replayed from a hosting-provider ASN. The cookie replay defeats MFA entirely because the factor was already satisfied upstream. Microsoft has tracked AiTM kits at scale across credential-theft campaigns since 2022.
This is the documented method, not theory. Scattered Spider - UNC3944, Octo Tempest in Microsoft’s naming - ran help desk social engineering against MGM Resorts and Caesars Entertainment in September 2023. The intrusion did not begin with an exploit. It began with a phone call. The operator reset access for a caller impersonating an employee whose details were public on LinkedIn. Caesars paid the ransom. MGM took systems offline for days and disclosed material financial impact.
The 0ktapus campaign in 2022 phished Okta credentials across roughly 130 organisations - Group-IB’s count - including Twilio. The kit harvested credentials and one-time codes in real time through a relay page. Cloudflare was targeted in the same campaign and did not fall. The difference was FIDO2 hardware keys. The phishing page could relay a password and a TOTP code. It could not relay a hardware-bound assertion that cryptographically refuses to authenticate to the wrong origin. The validator was moved off the human and into the protocol. The campaign failed against that one control.
Uber, September 2022. Lapsus$ used MFA fatigue against a contractor, then pivoted through internal access. The credential was bought. The push approval was coerced through repetition. The Okta support breach of October 2023 extended the same theme - session tokens lifted from HAR files uploaded to a support portal, valid tokens replayed with no further authentication required.
The trusted relationship vector - T1199 - widens the same defect across an organisational boundary. A managed service provider or staffing contractor holds federated access into the customer tenant. The vetting and training gap now belongs to a third party the customer never audited. The customer’s identity controls are sound. The contractor’s help desk is not. The attacker compromises the weaker organisation and rides the trust relationship inward, authenticated and authorised the entire way. The validator that failed is one the victim does not own and cannot configure. Supply chain risk here is not a poisoned package. It is an unvetted human holding a valid token.
In telemetry, this is the hard part. The authentication is valid. The credential is correct. The MFA requirement is satisfied. Nothing is malformed, so signature-based detection has nothing to match. The Okta System Log records user.authentication.auth_via_mfa and user.session.start with a success result. The high-signal event is user.mfa.factor.activate - a new factor enrolled on an existing account, often from a new device fingerprint and a new ASN. That event fires. Whether anyone correlates it to a help desk reset ticket raised minutes earlier is a detection engineering decision, not a default.
On the host, the follow-on is Windows Security Event ID 4624 with logon type 10, RemoteInteractive. 4720 for account creation. 4724 for a password reset. 4728 and 4732 for privileged group additions. 4768 and 4769 for Kerberos ticket requests against newly reachable services. Sysmon Event ID 1 for process creation under the compromised identity. Each event is individually benign. The compromise is visible only as a sequence - factor enrolment, then first login from an unfamiliar device, then privilege escalation, inside a window of minutes. EDR sees signed binaries and valid tokens. The anomaly is behavioural, not static. The blind spot is the assumption that a satisfied MFA requirement equals an authorised user.
The detection that catches this is a correlation rule, not a signature. Join the identity provider's factor-enrolment event against the service desk ticketing system on the same account within a short window. A new MFA factor activated minutes after a reset ticket, from a device the account has never used, is the signal. Most SOCs do not run that join. The two data sources sit in different platforms owned by different teams - the IdP log in the SIEM, the reset ticket in an ITSM tool no one streams to correlation. The visibility exists. The integration does not. That gap is the same configuration failure one layer up, a control that could validate left unconfigured. User and entity behaviour analytics can approximate the logic by baselining per-account device and geo patterns, but it raises the false-positive rate and degrades when the workforce is genuinely mobile.
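The join described above, written out as an added example rather than anything from the original article: a Python rule run over constructed Okta System Log events and ITSM reset tickets. The eventType names are Okta's; the ticket fields, the per-account baseline, the client.device/client.asn shape and the 30-minute window are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real telemetry. Okta events keep only the fields
# the rule needs; tickets mirror a generic ITSM export; BASELINE holds the
# devices and ASNs each account used before the period under review.
RESET_TICKETS = [
    {"id": "INC-1001", "account": "j.doe", "type": "mfa_reset",
     "closed": "2023-09-10T14:02:00Z"},
    {"id": "INC-1002", "account": "a.lee", "type": "password_reset",
     "closed": "2023-09-10T09:30:00Z"},
]
OKTA_EVENTS = [
    {"eventType": "user.mfa.factor.activate", "actor": "j.doe",
     "published": "2023-09-10T14:06:30Z",
     "client": {"device": "Unknown", "asn": "AS64496"}},
    {"eventType": "user.mfa.factor.activate", "actor": "a.lee",
     "published": "2023-09-10T16:45:00Z",
     "client": {"device": "Windows Computer", "asn": "AS64500"}},
]
BASELINE = {
    "j.doe": {"device": {"Windows Computer"}, "asn": {"AS64500"}},
    "a.lee": {"device": {"Windows Computer"}, "asn": {"AS64500"}},
}
RESET_TYPES = {"mfa_reset", "password_reset"}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")  # ISO-8601 UTC, trailing Z

def correlate(events, tickets, baseline, window_minutes=30):
    """One alert per factor activation that lands within the window after a
    reset ticket on the same account, flagging a never-seen device or ASN."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ev in events:
        if ev["eventType"] != "user.mfa.factor.activate":
            continue  # session starts and MFA successes look legitimate here
        activated = parse_ts(ev["published"])
        for tk in tickets:
            if tk["account"] != ev["actor"] or tk["type"] not in RESET_TYPES:
                continue
            delta = activated - parse_ts(tk["closed"])
            if not timedelta(0) <= delta <= window:
                continue  # activation before the ticket, or long after it
            seen = baseline.get(ev["actor"], {})
            alerts.append({
                "account": ev["actor"], "ticket": tk["id"],
                "minutes_after_reset": int(delta.total_seconds() // 60),
                "new_device": ev["client"]["device"] not in seen.get("device", ()),
                "new_asn": ev["client"]["asn"] not in seen.get("asn", ()),
            })
    return alerts
```

On the sample data only j.doe fires: a factor activated four minutes after the reset ticket, from a device and ASN the account has never used; a.lee's activation is hours later from a baselined device and is ignored.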
There is no patch boundary here. No version string moves from vulnerable to fixed. The residual exposure after any single fix is the next process that defaults to helpful. Phishing-resistant authentication - FIDO2, WebAuthn, device-bound passkeys - removes the human from the validation path for the login itself. It does not fix identity proofing at the help desk, which is where Scattered Spider operated. That control is procedural - callback verification, manager approval, out-of-band confirmation before any credential or factor reset. Under the SOCI Act, personnel and supply chain controls for critical infrastructure are a regulatory obligation, not a maturity goal. The Privacy Act extends the duty to the identity data attackers harvest to pass the proofing step.
The reframe holds. The attacker did not exploit a novice. The attacker queried the weakest validator in the identity chain and received a true. That validator was set to the wrong value by an organisation that treated vetting and training as a hiring formality rather than a control with a configuration. Incompetence was never the vulnerability. The missing guard was.