Phishing for Information: Spearphishing Voice

Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or "vishing"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.[1]

Victims may also receive phishing messages that direct them to call a phone number ("callback phishing") where the adversary attempts to collect confidential information.[2]

Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to tailor pretexts to be even more persuasive and believable for the victim.

ID: T1598.004
Sub-technique of: T1598
Tactic: Reconnaissance
Platforms: PRE
Version: 1.0
Created: 07 September 2023
Last Modified: 08 September 2023

Procedure Examples

ID Name Description
C0027 C0027

During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.[3]

G1004 LAPSUS$

LAPSUS$ has called victims' help desk to convince the support personnel to reset a privileged account’s credentials.[4]

G1015 Scattered Spider

During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.[3]

Scattered Spider has also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits.[5]

Mitigations

ID Mitigation Description
M1017 User Training

Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identity of callers.[6]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers.
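The following is an added example, not part of the ATT&CK page, showing how the call-log monitoring described above can be implemented: it normalizes dialed numbers so formatting variants compare equal, matches them against a blocklist, and additionally flags one external number reaching several employees within a short window, the pattern of a vishing wave. The log format (timestamp, user, direction, number), the sample entries and the blocklist value are all constructed for illustration.

```python
"""Flag suspicious entries in a corporate call log (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ISO timestamp, device owner, direction, remote number
SAMPLE_CALL_LOG = """\
2023-09-07T09:12:03,alice,inbound,+1 (555) 010-0001
2023-09-07T09:14:40,bob,inbound,555-010-0001
2023-09-07T09:15:10,carol,inbound,+15550100001
2023-09-07T10:02:00,dave,outbound,+1-555-010-0099
2023-09-07T11:30:00,alice,outbound,+1 555 010 0200
"""

# Constructed blocklist; in practice these come from threat intel or incident reports
KNOWN_MALICIOUS = {"+15550100099"}


def normalize(number: str, default_cc: str = "1") -> str:
    """Reduce a displayed number to E.164-style digits so variants compare equal."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:  # national format without country code (assumed NANP)
        digits = default_cc + digits
    return "+" + digits


def parse_log(text: str) -> list:
    """Parse the constructed CSV-like format into (timestamp, user, direction, number)."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, direction, number = line.split(",", 3)
        rows.append((datetime.fromisoformat(ts), user, direction, normalize(number)))
    return rows


def detect(rows: list, blocklist: set, min_targets: int = 3, window_minutes: int = 15) -> list:
    """Return alerts for blocklisted numbers and for inbound waves hitting many users quickly."""
    alerts = []
    inbound_by_number = defaultdict(list)
    for ts, user, direction, number in rows:
        if number in blocklist:
            alerts.append(("known_malicious_number", number, user))
        if direction == "inbound":
            inbound_by_number[number].append((ts, user))
    for number, calls in inbound_by_number.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            window = [u for t, u in calls[i:] if (t - start).total_seconds() <= window_minutes * 60]
            if len(set(window)) >= min_targets:
                alerts.append(("inbound_wave", number, sorted(set(window))))
                break
    return alerts
```

Running `detect(parse_log(SAMPLE_CALL_LOG), KNOWN_MALICIOUS)` produces one blocklist hit for the outbound call and one wave alert for the number that reached three employees within three minutes.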

References