T1598.004 Spearphishing Voice
Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.
All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or “vishing”), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.[2]
Victims may also receive phishing messages that direct them to call a phone number (“callback phishing”) where the adversary attempts to collect confidential information.[1]
Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to tailor pretexts to be even more persuasive and believable for the victim.
| Item | Value |
|---|---|
| ID | T1598.004 |
| Sub-techniques | T1598.001, T1598.002, T1598.003, T1598.004 |
| Tactics | TA0043 |
| Platforms | PRE |
| Version | 1.0 |
| Created | 07 September 2023 |
| Last Modified | 15 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| C0027 | C0027 | During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.[8] |
| G1004 | LAPSUS$ | LAPSUS$ has called victims’ help desk to convince the support personnel to reset a privileged account’s credentials.[4] |
| C0059 | Salesforce Data Exfiltration | During Salesforce Data Exfiltration, threat actors initiated voice calls with victims to socially engineer them into authorizing malicious applications or divulging sensitive credentials.[9][10] |
| G1015 | Scattered Spider | Scattered Spider has used help desk voice-based phishing and also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits.[7][5][6] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1017 | User Training | Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identity of callers.[3] |
References
1. Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK PHISHING. Retrieved February 2, 2023.
2. Bank of America. (n.d.). How to avoid telephone scams. Retrieved September 8, 2023.
3. CISA. (2021, February 1). Avoiding Social Engineering and Phishing Attacks. Retrieved September 8, 2023.
4. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
5. Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025.
6. Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025.
7. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
8. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
9. FBI Cyber Division. (2025, September 12). Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion. Retrieved October 22, 2025.
10. Google Threat Intelligence Group. (2025, June 4). The Cost of a Call: From Voice Phishing to Data Extortion. Retrieved October 22, 2025.