Phishing: Spearphishing Voice

Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

All forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on User Execution for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,[1][2] or install adversary-accessible remote management tools (Remote Access Software) onto their computer.[3]

Adversaries may also combine voice phishing with Multi-Factor Authentication Request Generation in order to trick users into divulging MFA credentials or accepting authentication prompts.[4]

ID: T1566.004
Sub-technique of:  T1566
Tactic: Initial Access
Platforms: Google Workspace, Linux, Office 365, SaaS, Windows, macOS
Version: 1.0
Created: 07 September 2023
Last Modified: 15 October 2023

Procedure Examples

ID Name Description
C0027 C0027

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.[5]


ID Mitigation Description
M1017 User Training

Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.[6]


ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.