Reconnaissance

T1598.004: Spearphishing Voice


T1598.004 · Sub-technique · 1 platform · 2 groups

Description

Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or "vishing"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.(Citation: BOA Telephone Scams)

Victims may also receive phishing messages that direct them to call a phone number ("callback phishing") where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)

Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to tailor pretexts to be even more persuasive and believable for the victim.

Platforms

PRE

Mitigations (1)

User Training (M1017)

Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identity of callers.(Citation: CISA Phishing)

Threat Groups (2)

| ID | Group | Context |
| --- | --- | --- |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has called victims' help desk to convince the support personnel to reset a privileged account's crede... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has used help desk voice-based phishing and also called employees at target organizations an... |

Frequently Asked Questions

What is T1598.004 (Spearphishing Voice)?

T1598.004 is a MITRE ATT&CK technique named 'Spearphishing Voice'. It belongs to the Reconnaissance tactic. Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, fre...

How can T1598.004 be detected?

Detection of T1598.004 (Spearphishing Voice) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1598.004?

There is 1 documented mitigation for T1598.004. Key mitigations include: User Training.

Which threat groups use T1598.004?

Known threat groups using T1598.004 include: LAPSUS$, Scattered Spider.