Description
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It differs from other forms of spearphishing in that the adversary manipulates a user into providing access to systems through a phone call or other form of voice communication. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (e.g., Impersonation) and/or creating a sense of urgency or alarm for the recipient.
All forms of phishing are electronically delivered social engineering. In this scenario, adversaries do not send malware directly to a victim; they rely instead on User Execution for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number, where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools (Remote Access Tools) onto their computer.(Citation: Unit42 Luna Moth)
Adversaries may also combine voice phishing with Multi-Factor Authentication Request Generation in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing)
Platforms
Mitigations (1)
User Training (M1017)
Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of callers and verifying their identity.(Citation: CISA Phishing)
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has initiated voice calls with victims posing as IT support to prompt users to download and execut... |
References
- CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023.
- Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023.
- Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023.
- Proofpoint. (n.d.). What Is Vishing? Retrieved September 8, 2023.
Frequently Asked Questions
What is T1566.004 (Spearphishing Voice)?
T1566.004 is a MITRE ATT&CK technique named 'Spearphishing Voice'. It belongs to the Initial Access tactic(s). Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in t...
How can T1566.004 be detected?
Detection of T1566.004 (Spearphishing Voice) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1566.004?
There is 1 documented mitigation for T1566.004: User Training.
Which threat groups use T1566.004?
Known threat groups using T1566.004 include: Storm-1811.