1. Home
  2. Techniques
  3. Enterprise
  4. Phishing
  5. Spearphishing Voice

Phishing: Spearphishing Voice

ID Name
T1566.001 Spearphishing Attachment
T1566.002 Spearphishing Link
T1566.003 Spearphishing via Service
T1566.004 Spearphishing Voice

Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

All forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on User Execution for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,[1][2] or install adversary-accessible remote management tools (Remote Access Software) onto their computer.[3]

Adversaries may also combine voice phishing with Multi-Factor Authentication Request Generation in order to trick users into divulging MFA credentials or accepting authentication prompts.[4]

ID: T1566.004
Sub-technique of:  T1566
Tactic: Initial Access
Platforms: Identity Provider, Linux, Windows, macOS
Version: 1.1
Created: 07 September 2023
Last Modified: 15 October 2024
Version Permalink

Procedure Examples

ID Name Description
C0027 C0027

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.[5]

Mitigations

ID Mitigation Description
M1017 User Training

Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.[6]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

References

  1. Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023.
  2. CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023.
  3. Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023.
  1. Proofpoint. (n.d.). What Is Vishing?. Retrieved September 8, 2023.
  2. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  3. CISA. (2021, February 1). Avoiding Social Engineering and Phishing Attacks. Retrieved September 8, 2023.