AN0683: Analytic 0683
Monitor call log records from corporate devices for unusual or unauthorized numbers, especially repeated calls to/from known malicious phone numbers. Correlate with subsequent system events (e.g., browser navigation, remote management tool execution).
Analyst context for executives and security teams
This analytic is about using corporate device call-log records as an early warning signal when employees or systems interact with unusual, unauthorized, or known malicious phone numbers. Its business value is in connecting phone activity to follow-on Windows events such as browser navigation or remote management tool execution, which can help SOC and incident response teams decide whether a suspicious call became a security incident.
Executive priority
Prioritize this where corporate Windows devices, managed endpoints, or communication records are part of the organization’s evidence base for investigations. Leaders should ask whether call-log data is actually collected, retained, legally approved for monitoring, and correlated with endpoint activity. The practical risk is not the phone call alone; it is missing the link between suspicious communication and subsequent user or system behavior that may require containment, employee outreach, or incident escalation.
Technical view
For Windows environments, validate whether call-log records from corporate devices can be ingested and correlated with endpoint events. The supplied analytic specifically calls for monitoring unusual or unauthorized numbers, repeated calls to or from known malicious phone numbers, and follow-on events such as browser navigation or remote management tool execution. Detection engineering should focus on correlation logic, time windows, allowlists for legitimate business numbers, and escalation criteria when suspicious call activity is followed by higher-risk system activity.
Likely telemetry
- Corporate device call-log records
- Known malicious phone number reference data, where available
- Windows endpoint event data
- Browser navigation history or browser-related telemetry
- Remote management tool execution telemetry
Detection direction
- Confirm call-log records from corporate devices are available, normalized, retained, and attributable to a device or user.
- Tune for repeated calls to or from unusual, unauthorized, or known malicious numbers rather than treating every unknown number as high severity.
- Correlate suspicious call activity with subsequent browser navigation and remote management tool execution on Windows endpoints.
- Use business context and approved contact lists to reduce false positives from legitimate customer, partner, support, or vendor calls.
- Define investigation playbooks for cases where call activity is followed by endpoint behavior that may indicate user interaction or remote access activity.
Mitigation priorities
- Establish policy and legal/privacy approval for monitoring corporate device call-log records before operationalizing detections.
- Maintain authoritative inventories of corporate devices, assigned users, and approved business contact patterns where feasible.
- Ensure Windows endpoint logging can support correlation with browser activity and remote management tool execution.
- Create SOC triage procedures that combine call-log evidence with endpoint timelines before escalation.
- Review retention and audit requirements so call-log and endpoint evidence is available during incident response and compliance review.
Analyst notes and limits
This object is a detection analytic, not a technique description. The supplied ATT&CK fields provide a Windows platform and a description, but no tactic, detection implementation, data source schema, or relationship context. The strongest use case is correlation: suspicious phone activity becomes more actionable when paired with subsequent endpoint behavior.
No official detection text, tactics, relationships, aliases, or labels were supplied. The analytic does not by itself establish malicious activity, attribution, impact, or coverage. Local device ownership, privacy constraints, telecom availability, endpoint logging, and approved business calling patterns are required to make this operational.
Analytic 0683
Monitor call log records from corporate devices for unusual or unauthorized numbers, especially repeated calls to/from known malicious phone numbers. Correlate with subsequent system events (e.g., browser navigation, remote management tool execution).
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | c18fdc12c09b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0683Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.