Case Studies / Healthcare

Two phone calls inside a critical healthcare infrastructure operator. Four systems compromised.

Both pretexts successfully granted initial access and a persistent foothold: a Medical Practitioner impersonation and a Contact Centre Agent impersonation, each completed inside 18 minutes on the phone.

  • 2/2: pretexts successfully granted initial access and persistent foothold
  • 6 days: total engagement window including OSINT, calls, debrief, and report
  • 18 min: longest single call to complete credential reset and MFA takeover
  • 4: sensitive systems reached (Imaging Portal, M365, Remote Desktop, Outlook)
Tags: Offensive Security, Social Engineering, Healthcare, Vishing Simulation
Client: Critical Healthcare Infrastructure Operator (anonymised)
Sector: Healthcare
Engagement: Social Engineering, Vishing Simulation
Delivered by: CypherLeap Offensive Security Services

Why the client ran this

The client identified human risk as the single most material element of its cyber risk profile. Its Service Desk and customer-facing support functions interact constantly with internal users and external referrers, which makes them high-value targets for impersonation and authority-pressure tactics.

The context mattered. In mid-2025 the Scattered Spider cybercrime group intensified its campaign against Australian enterprises using the exact playbook the client's teams were most exposed to: help-desk impersonation, MFA manipulation, and credential abuse. The group had been linked to a significant breach at Qantas that exposed data for roughly 6 million customers. The client was already seeing external impersonation attempts against its staff over Microsoft Teams.

Rather than wait for those probes to escalate, the client's Security Operations team engaged CypherLeap to run a controlled, unannounced social-engineering resilience assessment, calibrated to mirror real-world threat actor behaviour without disrupting clinical or business operations.

The brief

  • Validate frontline-team resilience against voice social-engineering attacks calibrated to Scattered-Spider-class tradecraft.
  • Gain initial access through the Service Desk and customer-facing support functions, then demonstrate the downstream business impact.
  • Run the exercise with only three client stakeholders aware in advance, with no broader awareness within the workforce.
  • Produce a prioritised, actionable set of remediation recommendations the security function could implement immediately.

Methodology

We delivered the engagement over six working days, structured through the offensive-security lifecycle we apply to every social-engineering assessment: Intelligence Gathering · Get In · Stay In · Act · Report · Debrief · Training.

Open-source intelligence gathering built a target profile across technical teams, support staff, medical specialists, front-desk staff and management. The profile covered direct mobile numbers, residency locations, practitioner registration details, practice locations and personal email addresses, all verified against a client key contact. In parallel we enumerated the client's application footprint: a Service Desk ticketing platform, the patient imaging portal, a Radiology Information System (RIS), a remote desktop environment, and the referrer-facing patient portals. Publicly-accessible support documentation and how-to guides surfaced the IT Support Desk phone numbers we would later dial.

Two pretexts were chosen, one impersonating a Medical Practitioner and one impersonating a Contact Centre Agent. Each was deliberately engineered with multiple red flags stacked against it: urgency, authority pressure, access requests from unusual geographies, unrecognised mobile numbers, and personal email addresses that did not match the client's internal records.

Case one. Medical Practitioner impersonation

We dialled the client's customer-facing support line in the morning under the pretext of a Medical Practitioner at an airport, about to board a flight, needing urgent help with a broken login. The persona claimed to need access to the imaging portal to review patient scans. The pretext stacked five red flags, including a mismatched mobile number and an unverified personal email address as the destination for credentials.

Inside 18 minutes on the phone, the credentials (username and password) were sent to a CypherLeap-controlled inbox in two separate emails. Before the support call had ended, our team had registered MFA on our own device, locking the legitimate practitioner out of their account while maintaining persistent access for us. From there we gained entry to the imaging portal, changed the account's primary email and primary mobile number to CypherLeap-controlled destinations, and performed a proof-of-concept patient search to demonstrate the full business impact. Patient-data exfiltration, persistent access, and extortion would all have been in reach of a real attacker.

Case two. Contact Centre Agent impersonation

Later the same day, we dialled the IT Support line under a second pretext: a newly-joined Contact Centre Agent trying to set up Office 365 on a new mobile phone, unable to log in, asking for a password reset. The scenario stacked its own red flags: a first login attempt from a city other than the one where the staff member was actually based, an unrecognised device, and a mobile number not on the client's records.

The new password was set and handed over during the call with no out-of-band identity verification. We then reset the MFA binding to our own device and took persistent control of the corporate Outlook account, and from there the user's OneDrive, SharePoint libraries, Microsoft Teams channels, and the remote desktop environment. The entire sequence demonstrated what a real Scattered-Spider-style operator would achieve in a single afternoon: corporate data exfiltration, sustained lateral-movement potential, and a functioning launchpad for internal social engineering via Teams.
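Seen from the defender's side, both cases leave the same sequence in the identity provider's audit trail: a help-desk-initiated password reset, a new MFA method registered minutes later, and (in case one) changes to the account's recovery email and phone. The following is an added example, not from the engagement report or the client's tooling, of a correlation check over constructed audit events in a generic schema; the field names `ts`, `user`, `action`, `actor` and `device` are assumptions for illustration, not any vendor's log format.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not from the engagement). The schema is
# assumed for this example; map your identity provider's fields onto it.
SAMPLE_EVENTS = [
    # Case-one pattern: help-desk reset, MFA registered, recovery contacts changed
    {"ts": "2025-06-10T09:02:00", "user": "dr.smith", "action": "password_reset", "actor": "helpdesk:agent17"},
    {"ts": "2025-06-10T09:11:00", "user": "dr.smith", "action": "mfa_method_registered", "actor": "dr.smith", "device": "new"},
    {"ts": "2025-06-10T09:15:00", "user": "dr.smith", "action": "recovery_email_changed", "actor": "dr.smith"},
    {"ts": "2025-06-10T09:16:00", "user": "dr.smith", "action": "recovery_phone_changed", "actor": "dr.smith"},
    # Case-two pattern: help-desk reset, MFA registered on a new device
    {"ts": "2025-06-10T14:30:00", "user": "j.nguyen", "action": "password_reset", "actor": "helpdesk:agent04"},
    {"ts": "2025-06-10T14:41:00", "user": "j.nguyen", "action": "mfa_method_registered", "actor": "j.nguyen", "device": "new"},
    # Benign: self-service reset, MFA registered the next day (outside the window)
    {"ts": "2025-06-09T08:00:00", "user": "a.khan", "action": "password_reset", "actor": "self-service"},
    {"ts": "2025-06-10T08:05:00", "user": "a.khan", "action": "mfa_method_registered", "actor": "a.khan", "device": "new"},
]

# Both calls in the case study completed reset-to-MFA-takeover in under 18
# minutes; a 30-minute window gives some slack without drowning in noise.
WINDOW = timedelta(minutes=30)


def find_takeover_chains(events, window=WINDOW):
    """Return one alert per help-desk password reset that is followed within
    `window` by a new MFA registration for the same user. Any recovery-contact
    changes inside the window raise the severity, because that step is what
    turns a reset into durable account control."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["action"] != "password_reset" or not e["actor"].startswith("helpdesk:"):
                continue
            t0 = datetime.fromisoformat(e["ts"])
            later = [x for x in evs[i + 1:] if datetime.fromisoformat(x["ts"]) - t0 <= window]
            mfa = [x for x in later if x["action"] == "mfa_method_registered"]
            if not mfa:
                continue
            contact_changes = sorted({x["action"] for x in later if x["action"].startswith("recovery_")})
            minutes = int((datetime.fromisoformat(mfa[0]["ts"]) - t0).total_seconds() // 60)
            alerts.append({
                "user": user,
                "reset_by": e["actor"],
                "reset_at": e["ts"],
                "minutes_to_mfa": minutes,
                "recovery_changes": contact_changes,
                "severity": "high" if contact_changes else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_chains(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on who performed the reset, not only on the sequence: a self-service reset followed by MFA enrolment is routine, whereas a help-desk reset followed within minutes by a new authenticator is the exact shape both calls produced and is worth a phone call back to the user on their directory number.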

What we also found

During OSINT we surfaced leaked credentials from historical third-party breaches belonging to former employees of the client. The accounts themselves had been properly disabled and remediated long ago, and none of the credentials were actually exploitable. But their continued presence on credential-leak sites is the raw material a Scattered-Spider-class attacker uses to appear credible during a pretext call. That residual exposure, combined with insufficient caller-verification at the Service Desk, is exactly the combination that turns OSINT noise into an operational breach.

Strategic recommendations

The report handed to the client included a full set of remediation recommendations. The highest-leverage controls for any organisation facing the same threat pattern:

  • Callback-before-action. A mandatory policy for verifying the identity of anyone requesting sensitive information or action (credential reset, MFA reset, access grant) over the phone, by calling back on a verified internal directory number, never the number provided by the requester.
  • Self-service password reset or a Secure Service Desk solution to remove the human from the highest-volume credential-reset workflow entirely.
  • Periodic realistic simulation exercises across vishing, phishing, and SMS to measure frontline resilience continuously, not annually.
  • Regular, role-tailored training for staff in customer-facing positions on impersonation, pretexting, and urgency cues across every communication channel.
  • A clear data-classification policy that defines which business information is sensitive, confidential, or public, and matches it to appropriate communication channels so highly sensitive data is never shared via unverified calls or emails.
  • Network segmentation and rigorous least privilege so that if a social-engineering attack compromises a single endpoint, lateral movement is constrained.
  • EDR on every endpoint and a strict automated patching schedule — the controls that reduce the blast radius after initial access.
  • A non-punitive reporting system for suspicious communications, paired with an incident-response function that can triage and respond quickly.
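As an added example, not the client's policy or CypherLeap's tooling, here is how the first recommendation, callback-before-action, can be encoded as a decision gate that a ticketing workflow calls before any credential or MFA reset is actioned. The directory records, request fields and phone numbers are constructed for illustration; the two sample requests mirror the red flags of the two cases above, and the gate never uses the caller-supplied number or delivery address.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryRecord:
    """Identity data from the authoritative internal directory (constructed)."""
    user_id: str
    mobile: str        # verified directory number, the only number ever called back
    email: str         # corporate address on record, the only credential destination
    home_city: str     # normal working location


@dataclass(frozen=True)
class ServiceDeskRequest:
    """What the agent captures from the phone call (constructed field names)."""
    claimed_user: str
    caller_number: str           # number the caller offers or that caller ID shows
    requested_destination: str   # where the caller asks credentials be sent
    caller_location: str         # location claimed on the call or seen in login telemetry
    action: str                  # e.g. "password_reset", "mfa_reset", "access_grant"


SENSITIVE_ACTIONS = {"password_reset", "mfa_reset", "access_grant"}

# Constructed directory; numbers and addresses are placeholders.
DIRECTORY = {
    "dr.smith": DirectoryRecord("dr.smith", "+61400000001", "dr.smith@example.org", "Sydney"),
    "j.nguyen": DirectoryRecord("j.nguyen", "+61400000002", "j.nguyen@example.org", "Melbourne"),
}

# The two pretexts from the case study, expressed as requests the desk received.
CASE_ONE = ServiceDeskRequest("dr.smith", "+61411111111", "drsmith.personal@example.com", "Perth", "password_reset")
CASE_TWO = ServiceDeskRequest("j.nguyen", "+61422222222", "j.nguyen@example.org", "Brisbane", "mfa_reset")


def evaluate_request(req, directory=DIRECTORY):
    """Decide how the desk may handle a phone request.

    For a sensitive action the answer is never "do it now": the agent must call
    back on the directory number and send credentials only to the address on
    record. Red flags are recorded on the ticket, but a clean-looking call does
    not skip the callback; the policy is the control, not the agent's judgement."""
    rec = directory.get(req.claimed_user)
    if rec is None:
        return {"decision": "deny", "reason": "unknown_user", "flags": [],
                "callback_number": None, "deliver_to": None}
    flags = []
    if req.caller_number != rec.mobile:
        flags.append("caller_number_not_on_record")
    if req.requested_destination.lower() != rec.email.lower():
        flags.append("requested_destination_not_on_record")
    if req.caller_location != rec.home_city:
        flags.append("unusual_location")
    if req.action not in SENSITIVE_ACTIONS:
        return {"decision": "proceed", "reason": "non_sensitive", "flags": flags,
                "callback_number": None, "deliver_to": None}
    return {"decision": "callback_required", "reason": "sensitive_action", "flags": flags,
            "callback_number": rec.mobile,   # never req.caller_number
            "deliver_to": rec.email}         # never req.requested_destination


def complete_after_callback(req, callback_number_used, directory=DIRECTORY):
    """Second gate, run when the agent records the callback actually made: the
    action completes only if the callback went to the directory number."""
    result = evaluate_request(req, directory)
    if result["decision"] != "callback_required":
        return result
    if callback_number_used != result["callback_number"]:
        return {**result, "decision": "deny", "reason": "callback_not_to_directory_number"}
    return {**result, "decision": "proceed", "reason": "callback_verified"}


if __name__ == "__main__":
    for req in (CASE_ONE, CASE_TWO):
        print(req.claimed_user, evaluate_request(req))
    # Calling back the number the caller gave is exactly what the policy forbids.
    print(complete_after_callback(CASE_ONE, CASE_ONE.caller_number)["decision"])
```

Splitting the gate into two calls matters: the first tells the agent what to do before anything is changed, and the second checks the number they actually dialled, so an agent who calls back the caller-supplied number gets a deny rather than a quiet success. Wiring `complete_after_callback` into the reset workflow (rather than a checklist) is what makes the callback mandatory instead of advisory.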

Operational safety

No business operations were disrupted during the assessment. Compromised accounts were promptly restored with support from the client's internal contacts. At no point was actual patient or corporate data accessed, and all systems and information managed within the client environment remained intact throughout the engagement.

Considering a vishing or social-engineering assessment?

We run engagements scoped from a targeted helpdesk test through to multi-week campaigns spanning voice, email, SMS, and physical vectors. Let's talk about what the right exercise looks like for your threat model.


Published in anonymised form to protect the client's identity. Operational detail, screenshots, dates, and staff-identifying information from the full engagement report are available only under NDA to prospective clients with a legitimate assessment need.