AN2018: Analytic 2018
Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers.
Analyst context for executives and security teams
This analytic matters because voice phishing can turn a phone call into an identity, access, or fraud problem before traditional endpoint alerts appear. The supplied ATT&CK object focuses on monitoring corporate-device call logs for suspicious patterns, including contact with known malicious phone numbers. For leaders, the practical question is whether the organization has lawful, approved access to relevant call-log evidence and a process to turn suspicious calling patterns into timely SOC or incident response action.
Executive priority
Prioritize this as a readiness and evidence question rather than a standalone control. Security, legal, privacy, and telecom owners should confirm whether corporate call-log collection is permitted, retained, searchable, and usable during suspected voice-phishing incidents. This can support identity protection, help desk hardening, fraud response, and compliance evidence where call-based social engineering is in scope.
Technical view
SOC and detection teams should validate whether call logs from corporate devices are available and can be correlated against known malicious phone numbers or suspicious call patterns. Because the ATT&CK object provides no formal detection logic, teams should define local criteria for unusual call volume, repeated calls from unknown or risky numbers, calls preceding credential or help desk events, and matches to internally approved threat intelligence sources. Any alerting should account for business functions that legitimately receive high volumes of external calls.
Likely telemetry
- Corporate-device call logs
- Inbound and outbound phone numbers
- Call timestamps, duration, and direction
- Known malicious or suspicious phone-number reference lists
- User or device ownership context for corporate phones
Detection direction
- Confirm that call-log collection exists for the relevant corporate devices and is permitted by policy and applicable privacy requirements.
- Validate matching against known malicious phone numbers, while documenting the source, freshness, and review process for those indicators.
- Tune for business context to reduce false positives from sales, support, recruiting, executive assistants, or other high-call-volume roles.
- Correlate suspicious call activity with identity or help desk events when locally available, especially password resets, MFA changes, or access requests after calls.
- Identify blind spots such as personal devices, unmanaged phones, missing telecom logs, short retention windows, or lack of linkage between phone numbers and corporate users.
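One way to express the local criteria described above, as an added example (not detection logic from MITRE or from this page): it matches normalized call-log numbers against a suspicious-number list and correlates calls with later identity events. Field layout, role names, the 60-minute window, severities and all sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# All values are constructed for illustration (555-01xx numbers are fictional).
WATCHLIST = {"+15550100123": "internal-suspicious-list"}  # number -> indicator source
HIGH_VOLUME_ROLES = {"support", "sales", "recruiting"}     # tuned out of the weak rule
IDENTITY_EVENTS = {"password_reset", "mfa_change", "access_request"}
WINDOW = timedelta(minutes=60)                             # assumed correlation window

CALLS = [  # (user, role, direction, remote number, start, duration in seconds)
    ("alice", "finance", "inbound", "+1 (555) 010-0123", "2024-05-01T09:00:00", 420),
    ("bob", "support", "inbound", "+1 555 010 0177", "2024-05-01T10:00:00", 120),
    ("carol", "engineering", "outbound", "+15550100123", "2024-05-01T11:00:00", 60),
    ("dave", "hr", "inbound", "+1-555-010-0199", "2024-05-01T13:00:00", 300),
    ("erin", "finance", "inbound", "+15550100150", "2024-05-01T14:00:00", 30),
]
EVENTS = [  # (user, event type, time) from identity or help desk systems
    ("alice", "password_reset", "2024-05-01T09:20:00"),
    ("bob", "mfa_change", "2024-05-01T10:30:00"),
    ("dave", "mfa_change", "2024-05-01T13:10:00"),
]

def normalize(number):
    """Reduce a formatted number to '+<digits>'; assumes the country code is present."""
    return "+" + re.sub(r"\D", "", number)

def detect(calls, events):
    """Return findings for watchlist matches and calls followed by identity events."""
    findings = []
    for user, role, direction, number, start, duration in calls:
        began = datetime.fromisoformat(start)
        deadline = began + timedelta(seconds=duration) + WINDOW
        followups = [etype for euser, etype, when in events
                     if euser == user and etype in IDENTITY_EVENTS
                     and began <= datetime.fromisoformat(when) <= deadline]
        source = WATCHLIST.get(normalize(number))
        if source and followups:
            severity = "critical"   # listed number plus an identity change
        elif source:
            severity = "high"       # listed number, either direction
        elif followups and direction == "inbound" and role not in HIGH_VOLUME_ROLES:
            severity = "medium"     # unlisted caller, then an identity change
        else:
            continue
        findings.append({"user": user, "number": normalize(number), "severity": severity,
                         "indicator_source": source, "followups": followups})
    return findings

if __name__ == "__main__":
    for finding in detect(CALLS, EVENTS):
        print(finding)
```

The watchlist rule fires regardless of role, while the weaker correlation-only rule is suppressed for high-call-volume roles, which is where most false positives would come from.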
Mitigation priorities
- Establish governance for corporate call-log collection, retention, access, and privacy review.
- Integrate approved phone-number threat intelligence or internal suspicious-number lists into SOC workflows where feasible.
- Create an incident response playbook for suspected voice phishing that includes identity verification, help desk review, and user outreach.
- Harden help desk and identity recovery procedures so a successful call does not easily lead to account takeover.
- Use findings from call-log analysis to improve awareness training and executive or high-risk user protections.
Analyst notes and limits
The ATT&CK object is a detection analytic, not a technique description. Its official description is limited to monitoring corporate-device call logs for potential voice phishing patterns, including calls to or from known malicious phone numbers. No tactics, relationships, or formal detection logic were supplied, so local implementation details must be defined by the organization.
Coverage cannot be assumed from this object alone. The supplied fields do not identify specific platforms beyond PRE, do not provide relationships to techniques or groups, and do not include detection logic, data sources, mitigations, or evidence of active exploitation. Effectiveness depends on lawful telemetry access, retention, indicator quality, and correlation with local identity and incident data.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 36c1d60c3571… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN2018
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.