T1598.004 · threatengine.sh

Home/ATT&CK Technique/Spearphishing Voice

ATT&CK Technique

Spearphishing Voice

T1598.004 · reconnaissance

Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or "vishing"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls.

Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff. Victims may also receive phishing messages that direct them to call a phone number ("callback phishing") where the adversary attempts to collect confidential information. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to tailor pretexts to be even more persuasive and believable for the victim.

PRE

◆

Actors Using This

1

predominantly_westernScattered Spider

▣

Mitigations

1

MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.

M1017User Training

User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses.

Create Comprehensive Training Programs

Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting.
Provide role-specific training for high-risk employees, such as helpdesk staff or executives.

Use Simulated Exercises

Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training.
Run social engineering drills to evaluate employee responses and reinforce protocols.

Leverage Gamification and Engagement

Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.

Incorporate Security Policies into Onboarding

Include cybersecurity training as part of the onboarding process for new employees.
Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.

Regular Refresher Courses

Update training materials to include emerging threats and techniques used by adversaries.
Ensure all employees complete periodic refresher courses to stay informed.

Emphasize Real-World Scenarios

Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering.
Discuss how specific employee actions can prevent or mitigate such attacks.

◈

Detection Coverage

0/6 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) none

Analytics (MITRE CAR) none

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) none

Vuln scan (Nuclei) none

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin