In a coordinated campaign, a new ransomware group known as DragonForce has successfully compromised Marks & Spencer, Co-op, and Harrods – using little more than a phone call and confidence.
The UK’s NCSC has issued a warning: this isn’t a one-off. DragonForce is likely scaling, and their tactics target more than just retail.
The breaches didn’t start with malware – they started with people.
In two confirmed incidents, attackers convinced internal IT help desks to reset employee passwords. Once inside, they exfiltrated Active Directory databases and used the stolen password hashes to pivot through Microsoft 365 accounts. The group claims to have stolen the data of 20 million Co-op members and caused a £30M loss for M&S in just over a week.
This is social engineering at scale – and it’s becoming the default mode of attack.
The DragonForce playbook mirrors that of the notorious Scattered Spider crew that brought MGM and Caesars to a halt. Their method is simple: impersonate, manipulate, access, encrypt, extort.
So, why does this keep working?
Because most organizations still treat people as perimeter gaps, not programmable endpoints.
AUMINT’s Trident flips that model: we simulate social engineering attacks against your real users and systems – safely and regularly. Think of it as penetration testing for your human layer. You can’t patch your people, but you can train and monitor them like your endpoints.
Our simulations show how easily an attacker could:
- Reset a privileged password via a help desk call
- Trigger an email forwarding rule to exfiltrate data
- Bypass MFA using insider-like behaviors
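The two techniques named above and in the M&S/Co-op incidents (a help-desk-driven password reset followed by account misuse, and an inbox forwarding rule used to siphon mail) leave traces in tenant audit logs, and the correlation is what makes the detection sharp. The script below is an added illustration written for this post; it is not AUMINT's or Trident's code, and it assumes a simplified JSON-lines rendering of Microsoft 365 / Entra ID audit events with hypothetical field names (`CreationTime`, `Operation`, `UserId`, `ObjectId`, `Parameters`). The five records are constructed. It flags any inbox rule that forwards or redirects mail to a domain outside the organisation, then pairs each such rule with a password reset performed on the same account within the preceding 24 hours.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (assumption: simplified JSON-lines form of M365/Entra ID audit records).
# Record 1: help desk resets a.finance's password; record 2: that account forwards mail externally
# 39 minutes later. Records 3-4 are benign; record 5 is external forwarding without a prior reset.
SAMPLE_LOG = """
{"CreationTime":"2025-04-20T09:02:11","Operation":"Reset user password.","Workload":"AzureActiveDirectory","UserId":"helpdesk@example.com","ObjectId":"a.finance@example.com","Parameters":[]}
{"CreationTime":"2025-04-20T09:41:07","Operation":"New-InboxRule","Workload":"Exchange","UserId":"a.finance@example.com","ObjectId":"a.finance@example.com","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"archive@mail-backup.example.net"}]}
{"CreationTime":"2025-04-20T10:15:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"b.sales@example.com","ObjectId":"b.sales@example.com","Parameters":[{"Name":"Name","Value":"Team"},{"Name":"MoveToFolder","Value":"Projects"}]}
{"CreationTime":"2025-04-21T14:00:00","Operation":"Set-InboxRule","Workload":"Exchange","UserId":"c.ops@example.com","ObjectId":"c.ops@example.com","Parameters":[{"Name":"RedirectTo","Value":"c.ops@example.com"}]}
{"CreationTime":"2025-04-22T08:30:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"d.hr@example.com","ObjectId":"d.hr@example.com","Parameters":[{"Name":"ForwardAsAttachmentTo","Value":"hr-drop@example.org"}]}
"""

INTERNAL_DOMAINS = {"example.com"}                      # the tenant's own mail domains (assumed)
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
RESET_OPERATION = "Reset user password."


def parse_records(text):
    """Parse JSON-lines audit text into dicts, attaching a parsed datetime as '_time'."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def external_forwarding_targets(record):
    """Return forward/redirect addresses in an inbox-rule event that point outside INTERNAL_DOMAINS."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") not in FORWARDING_PARAMS:
            continue
        # Exchange lists multiple recipients separated by ';'
        for addr in str(param.get("Value", "")).split(";"):
            addr = addr.strip().lower()
            domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
            if addr and domain not in INTERNAL_DOMAINS:
                targets.append(addr)
    return targets


def find_external_forwarding_rules(records):
    """List (account, targets) for every rule that sends mail to an external domain."""
    flagged = []
    for rec in records:
        targets = external_forwarding_targets(rec)
        if targets:
            flagged.append((rec["UserId"], targets))
    return flagged


def correlate_reset_then_forward(records, window=timedelta(hours=24)):
    """Pair each external-forwarding rule with a password reset on the same account within `window` before it."""
    resets = [r for r in records if r.get("Operation") == RESET_OPERATION]
    hits = []
    for rec in records:
        targets = external_forwarding_targets(rec)
        if not targets:
            continue
        for reset in resets:
            same_account = reset["ObjectId"].lower() == rec["UserId"].lower()
            gap = rec["_time"] - reset["_time"]
            if same_account and timedelta(0) <= gap <= window:
                hits.append({
                    "account": rec["UserId"],
                    "reset_by": reset["UserId"],
                    "reset_at": reset["CreationTime"],
                    "rule_at": rec["CreationTime"],
                    "targets": targets,
                })
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for account, targets in find_external_forwarding_rules(recs):
        print(f"[external forwarding] {account} -> {', '.join(targets)}")
    for hit in correlate_reset_then_forward(recs):
        print(f"[reset then forward] {hit['account']} reset by {hit['reset_by']} at "
              f"{hit['reset_at']}, external rule at {hit['rule_at']} -> {', '.join(hit['targets'])}")
```

On the constructed data the plain forwarding check fires twice (a.finance and d.hr), while the correlated check fires only for a.finance, whose reset came from the help desk account 39 minutes earlier. That second, narrower signal is the one worth paging on: a help-desk reset is routine on its own, and an external forwarding rule is sometimes legitimate, but the two together on one account inside a short window match the sequence this campaign relied on.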
With DragonForce operating as a ransomware-as-a-service cartel, the barrier to entry for future attacks is near zero.
The time to act isn’t after the breach – it’s before the first phone call.
🔍 Book a live walkthrough of AUMINT Trident today because the next call your help desk gets might not be from your employee.