Prevent This: Helpdesk Attacks
This Week's Threat: The 10-Minute Phone Call That Broke Las Vegas
You're an IT help desk agent. Someone calls saying they're locked out of their account. They know the employee's name, department, even their manager. Everything checks out.
So you reset their password.
And just like that, you've handed a hacker the keys to your entire company.
That's exactly what happened to MGM Resorts in September 2023. One phone call. Ten minutes. $100 million in damage.
This attack is back in the news today because a minor who helped carry out the attack turned themselves in to Las Vegas police last week. Per the LVPD, that minor is being charged with five total criminal counts, including extortion and identity theft.
Another member of the group that carried out the attack recently provided an interview to Margi Murphy (no relation). Her writeup of how this smart, seemingly normal kid descended into a world of cyber crime is well worth the read, and the author has provided a free version of the article (no paywall).
Why Helpdesk Attacks Work
Cloud account attacks aren't about breaking through firewalls or cracking encryption. They're about convincing ONE person to hand over legitimate credentials.
Attackers rely on three simple facts:
Trust: Help desks are trained to help people
Access: Cloud admin accounts unlock everything
Invisibility: Legitimate credentials don't trigger alarms
Once they're in with valid credentials, security tools see them as a normal user. No alerts. No blocks. Just free rein over your cloud infrastructure.
Explainer: What's a cloud account anyway?
Think of a cloud account like a digital version of a storage unit. You have a key and you can store stuff in it, but it is in a location that is owned and operated by another company. A cloud account is a digital version of that... you can access it from anywhere with internet and login credentials. You're probably already using cloud accounts every day: Gmail, Microsoft 365, iCloud photos, even Netflix all store your data on servers owned by Google, Microsoft, Apple and Netflix respectively.
What's a Cloud Account Attack?
We just established what cloud accounts are (see above). An attack on those accounts occurs when an attacker tries to gain access to your login credentials and tries to use them to log into your account.
What It Looks Like
Here's how the MGM attack went down:
Hacker opens LinkedIn → Finds MGM employee's profile (2 minutes)
Calls IT help desk → "Hi, I'm [Employee Name], I'm locked out" (10 minutes)
Gets password reset → Now has valid credentials
Accesses cloud admin panels → Okta, Azure, everything
Deploys ransomware → Shuts down slot machines, room keys, entire operations
The damage:
Slot machines: Dark
Hotel room keys: Dead
ATMs: Offline
Guests: Waiting hours for handwritten receipts
Total cost: $100 million
And it's not just casinos. The same gang hit:
Ticketmaster (40+ million records stolen via Snowflake)
AT&T (billions of call records)
Caesars Entertainment (paid $15M ransom)
Tool Spotlight: Defend Your Cloud Accounts
1. Multi-Factor Authentication (MFA) - No Exceptions
Enable MFA on EVERY cloud account, especially admin accounts. Even if a hacker gets your password, they can't log in without the second factor. This is the number one thing that you, as a user, can do to stop this kind of attack.
Free tools: Microsoft Authenticator, Google Authenticator, Authy
2. Conditional Access Policies
Have your IT team set rules that say: "Admin accounts can ONLY log in from our office network" or "Flag any login from a new country."
Where to set it up: Microsoft Entra ID (formerly Azure AD), Google Workspace Admin, Okta
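The two rules quoted above, written as a check over sign-in events. This is an added example, not part of the original newsletter or any vendor's policy engine; the office network range, account names, and events are constructed for illustration.

```python
import ipaddress

# Assumed values: replace with your own office range and admin account list.
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN_ACCOUNTS = {"admin.jlee"}

# Constructed baseline: countries each user has signed in from before.
KNOWN_COUNTRIES = {"jlee": {"US"}, "admin.jlee": {"US"}}

# Constructed sign-in events (user, source IP, geolocated country).
SAMPLE_EVENTS = [
    {"user": "jlee", "ip": "203.0.113.10", "country": "US"},
    {"user": "admin.jlee", "ip": "203.0.113.25", "country": "US"},
    {"user": "admin.jlee", "ip": "198.51.100.7", "country": "US"},
    {"user": "jlee", "ip": "192.0.2.44", "country": "BR"},
]

def evaluate_sign_ins(events, known_countries=KNOWN_COUNTRIES):
    """Return a (user, action, reason) tuple for each sign-in, in order."""
    decisions = []
    for ev in events:
        ip = ipaddress.ip_address(ev["ip"])
        on_office_net = any(ip in net for net in OFFICE_NETWORKS)
        if ev["user"] in ADMIN_ACCOUNTS and not on_office_net:
            # Rule 1: admin accounts can ONLY log in from the office network.
            decisions.append((ev["user"], "block", "admin sign-in from outside office network"))
        elif ev["country"] not in known_countries.get(ev["user"], set()):
            # Rule 2: flag any login from a country not seen for this user.
            decisions.append((ev["user"], "flag", "first sign-in from " + ev["country"]))
        else:
            decisions.append((ev["user"], "allow", "matches policy"))
    return decisions

if __name__ == "__main__":
    for user, action, reason in evaluate_sign_ins(SAMPLE_EVENTS):
        print(user, action, reason)
```

The block rule is checked before the country rule, so a stolen admin password used from a familiar country is still stopped when the source address is outside the office range.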
3. Help Desk Verification Protocols
Talk to whoever is in charge of your Helpdesk. Ask them to create a process where password resets require:
Callback to official number on file
Manager approval for admin accounts
In-person verification for high-privilege resets
The MGM hackers wouldn't have lasted past step 1.
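The three reset requirements above, written as a gate a ticketing workflow could run before a reset is allowed. This is an added example, not part of the original newsletter; the directory records, the three tiers ("standard", "admin", "high_privilege"), and the request field names are assumptions made for illustration.

```python
import re

# Constructed directory records; in practice these come from HR or identity data.
DIRECTORY = {
    "jlee":   {"phone": "+1 702 555 0142", "manager": "mchan", "tier": "admin"},
    "rpatel": {"phone": "+1 702 555 0117", "manager": "mchan", "tier": "standard"},
    "cloudroot": {"phone": "+1 702 555 0188", "manager": "cso", "tier": "high_privilege"},
}

def digits(phone):
    """Strip formatting so '+1 (702) 555-0142' and '+1 702 555 0142' compare equal."""
    return re.sub(r"\D", "", phone or "")

def missing_checks(req, directory=DIRECTORY):
    """Return the unmet checks for a reset request; an empty list means proceed."""
    record = directory.get(req.get("account"))
    if record is None:
        return ["account not found in directory"]
    missing = []
    # The callback must go to the number on file, never one the caller supplies.
    if digits(req.get("callback_number")) != digits(record["phone"]):
        missing.append("callback to number on file")
    if record["tier"] in ("admin", "high_privilege"):
        # Approval must come from the manager on file, not a name given on the call.
        if req.get("approved_by") != record["manager"]:
            missing.append("approval from manager on file")
    if record["tier"] == "high_privilege" and not req.get("verified_in_person"):
        missing.append("in-person verification")
    return missing

if __name__ == "__main__":
    # Constructed request: caller asks to be called back on a number they provide.
    caller_story = {"account": "jlee", "callback_number": "+1 702 555 0199"}
    print(missing_checks(caller_story))
```

A caller who knows the employee's name, department, and manager still fails the first check, because the callback number is compared against the directory rather than accepted from the call.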
Sector Highlight: Everyone
Last week we covered finance. This week? Every single industry.
Cloud accounts don't discriminate. Whether you're:
Healthcare: Protecting patient records in Microsoft 365
Finance: Running trading platforms in AWS
Retail: Managing inventory in the cloud
Your small business: Using Google Workspace for email
If you use cloud services (and you do), you're a target.
Why Everyone Gets Hit:
60% of corporate data is stored in the cloud
One compromised account = access to everything
51% of cloud breaches start with weak/stolen passwords
Universal Defenses:
MFA on all accounts (especially admins)
Monitor for unusual login locations
Regular access reviews (who has admin rights and WHY?)
Prevent This: Rule of the Week
Help desks: don't reset passwords without additional checks
Admin accounts need extra verification
When someone's "locked out," call them back at their official number
Share these three with your IT team today. The 10 minutes you spend setting up proper protocols could save you $100 million.
Wrap-Up
Cloud account attacks aren't sophisticated. They're simple social engineering that exploits our desire to help people.
The MGM hackers didn't need zero-day exploits or advanced malware. They just needed LinkedIn and a convincing story.
So the next time someone calls your help desk claiming they're locked out, remember MGM: verify first, reset second.
Prevent This is published weekly by Intruvent Technologies to bring you everyday defenses you can actually use.




