Threat Watch

“They Didn’t Break In, They Logged In”: The M&S Attack and the Help-Desk Wave

Knowspams Research Team · 12 May 2025 · 6 min read

A phone call, not a zero-day

Over the Easter weekend in April 2025, attackers crippled one of the UK's most iconic retailers. The method wasn't an exotic exploit, it was social engineering. Attackers talked service-desk personnel into resetting credentials, used the reset accounts to gain entry, and deployed ransomware that suspended online orders, click-and-collect and contactless payments for weeks.

Customer names, birth dates, email addresses and order histories were taken. The lesson echoed across the industry: the attackers didn’t break in. They logged in.

The help desk: a high-value target

The IT help desk exists to restore access quickly — which makes it a perfect social-engineering target. An attacker who sounds confident, cites a real employee’s details, and applies time pressure can talk an agent into a password or MFA reset.

The same helpfulness that makes a good support team makes it a prime target. Attackers weaponise courtesy.

Why this keeps working

  1. Credentials beat malware. Stolen or reset logins grant access without tripping alarms.
  2. Humans are scriptable. Urgency, authority and familiarity override caution.
  3. MFA isn’t magic. It can be reset by a help desk, fatigued with repeated push prompts, or talked around entirely if the reset process is weak.

Hardening the human layer

  • Strict identity verification before any reset: the agent calls back on the number already on record (never one the caller supplies), or a named manager confirms through their own channel, or the caller proves knowledge that isn't in a breach dump or on LinkedIn.
  • Train help-desk staff specifically on pretext calls and reset-request manipulation, and treat MFA re-enrolment as a higher-risk action than a password reset.
  • Empower agents to say "let me verify and call you back" without fear; friction is the point, and no amount of urgency or seniority on the call should shortcut it.
  • Simulate vishing and help-desk pretexts, not just email phishing, and log every reset so it can be correlated with what the account does next.
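As an added example (this is not Knowspams' or M&S's code), the Python below models two of the controls above in working form: a reset gate that only passes out-of-band proof, and a detection that flags a reset followed by a sign-in from a device the user has never used, which is the "they logged in" pattern from the opening section. The directory, event fields and sample log records are constructed assumptions, not data from the incident.

```python
"""Help-desk reset hardening: a policy gate plus a detection rule.

Added example, not Knowspams' or M&S's code. The directory, log fields and
sample records are constructed assumptions.
  verify_reset_request()   refuses a password/MFA reset unless the agent called
                           the user back on the number on record, or a manager
                           approved via their own channel. Caller-ID, urgency
                           and agent confidence are deliberately not inputs.
  find_suspicious_resets() flags a reset followed by a sign-in from a device
                           the user had never used before the reset.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory of callback numbers on record. A real deployment
# reads this from the HR system, never from the caller.
DIRECTORY: Dict[str, str] = {
    "alice": "+441632960100",
    "bob": "+441632960200",
}


@dataclass
class ResetRequest:
    user: str
    kind: str                              # "password" or "mfa"
    callback_number: Optional[str] = None  # number the agent actually dialled
    manager_approved: bool = False         # manager confirmed via own channel
    agent_confident: bool = False          # "sounded legit": carries no weight


def verify_reset_request(req: ResetRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Only out-of-band proof can pass."""
    on_record = DIRECTORY.get(req.user)
    if on_record is None:
        return False, "unknown user"
    if req.callback_number is not None and req.callback_number != on_record:
        # Classic pretext: "call me back on my new mobile". Refuse outright.
        return False, "callback requested to a number not on record"
    callback_ok = req.callback_number == on_record
    if req.kind == "mfa":
        # Re-enrolling MFA hands an intruder a durable foothold: require both.
        if callback_ok and req.manager_approved:
            return True, "callback on record + manager approval"
        return False, "mfa reset needs callback on record AND manager approval"
    if callback_ok:
        return True, "callback on record"
    if req.manager_approved:
        return True, "manager approval"
    return False, "no out-of-band verification"  # agent_confident never consulted


@dataclass
class Event:
    ts: datetime
    user: str
    action: str        # "reset_password", "reset_mfa" or "signin"
    device: str = ""   # device fingerprint, sign-ins only


def find_suspicious_resets(events: List[Event],
                           window: timedelta = timedelta(hours=24)
                           ) -> List[Tuple[str, str, str]]:
    """Return (user, reset_action, device) for each reset followed within
    `window` by the user's first sign-in from a device unseen for them."""
    seen: Dict[str, Set[str]] = {}
    pending: Dict[str, Event] = {}
    alerts: List[Tuple[str, str, str]] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action in ("reset_password", "reset_mfa"):
            pending[e.user] = e
        elif e.action == "signin":
            reset = pending.pop(e.user, None)  # first sign-in consumes the reset
            if (reset is not None and e.ts - reset.ts <= window
                    and e.device not in seen.get(e.user, set())):
                alerts.append((e.user, reset.action, e.device))
            seen.setdefault(e.user, set()).add(e.device)
    return alerts


# Constructed sample log: alice's MFA is reset and a never-seen device signs in
# 20 minutes later; bob's password reset is followed by his usual laptop.
SAMPLE_EVENTS = [
    Event(datetime(2025, 4, 17, 9, 0), "alice", "signin", "laptop-a1"),
    Event(datetime(2025, 4, 17, 9, 5), "bob", "signin", "laptop-b7"),
    Event(datetime(2025, 4, 19, 10, 0), "alice", "reset_mfa"),
    Event(datetime(2025, 4, 19, 10, 20), "alice", "signin", "win-z9"),
    Event(datetime(2025, 4, 19, 11, 0), "bob", "reset_password"),
    Event(datetime(2025, 4, 19, 11, 10), "bob", "signin", "laptop-b7"),
]

if __name__ == "__main__":
    for req in (
        ResetRequest("alice", "password", callback_number="+447700900999"),
        ResetRequest("alice", "mfa", callback_number="+441632960100"),
        ResetRequest("alice", "mfa", callback_number="+441632960100",
                     manager_approved=True),
        ResetRequest("bob", "password", agent_confident=True),
    ):
        print(req.user, req.kind, verify_reset_request(req))
    print(find_suspicious_resets(SAMPLE_EVENTS))
```

The gate deliberately has no input for how convincing the caller was; the only way to pass is a channel the attacker does not control. The detection is the other half of the same control: a reset is not suspicious on its own, but a reset whose first use is from an unfamiliar device is exactly what a help-desk pretext produces, and it is cheap to alert on from logs most identity providers already emit.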

The bottom line

The M&S incident is a watershed: some of the most damaging attacks of 2025 so far have targeted people and process, not unpatched servers. Protecting the human layer, and the help desk above all, is now as critical as any technical control.

Tags

social engineering, help desk, ransomware, M&S, vishing
