DET0245: Detection Strategy for Spearphishing Voice across OS platforms
Analyst context for executives and security teams
DET0245 is a MITRE detection strategy tied to spearphishing by voice, where an adversary uses a phone or other voice communication to manipulate a user into granting access. The business issue is not just phishing awareness; it is whether identity, help desk, SOC, and incident response processes can verify suspicious voice-driven access requests before they become an initial-access event.
Executive priority
Treat this as an identity and operational resilience control question. Leaders should ask whether high-risk voice requests—credential help, MFA reset, account recovery, remote access, or privileged access changes—leave auditable evidence and require verification strong enough to resist impersonation. This is also useful for compliance readiness because the organization may need to show how access exceptions and help desk identity checks are approved, logged, and reviewed.
Technical view
The ATT&CK object itself has no official description or detection logic, but it detects T1566.004 Spearphishing Voice under Initial Access. SOC and IR teams should validate that voice-driven access events can be correlated with identity provider activity and endpoint access on Linux, macOS, Windows, and identity provider environments as applicable to the related technique. Priority scenarios include unusual password or MFA reset requests, new device enrollment, account recovery, access grants, or logins shortly after a phone-based interaction.
Likely telemetry
- Help desk or service desk tickets for password resets, MFA resets, account recovery, and access requests
- Call center or telephony metadata where available, including caller ID, queue, agent notes, and recording references if retained
- Identity provider audit logs for authentication, MFA changes, recovery events, device enrollment, group or role changes, and risky sign-in indicators
- Endpoint login and session telemetry from Linux, macOS, and Windows systems where those platforms are in scope
- Privileged access management or access approval records when voice requests affect elevated access
Detection direction
- Validate that help desk voice interactions can be joined to identity provider events by user, time, ticket, requester, and approver.
- Tune for sequences rather than single events: voice contact or ticket creation followed by MFA reset, password reset, device enrollment, new session, or access change.
- Review false positives from legitimate support workflows, onboarding, travel, device replacement, and executive support exceptions.
- Look for blind spots where phone-based identity verification is documented only in free-text notes or not logged in a searchable system.
- Because the detection strategy object does not provide official detection logic, use local workflow evidence and the related T1566.004 context to define organization-specific analytics.
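The sequence-based join described above, as an added example that is not part of the ATT&CK object or the Glexia page: it correlates constructed help desk tickets with constructed identity provider audit events by user and flags sensitive identity changes that follow a phone-based request within a window. The field names, the 60-minute window and the event labels are assumptions.

```python
"""Added example (not MITRE or Glexia code): join constructed help desk tickets
to constructed IdP audit events by user and flag sensitive identity changes that
follow a phone-based request. Field names and event labels are assumptions."""
from datetime import datetime, timedelta

# Constructed sample data: help desk tickets and identity provider audit events.
TICKETS = [
    {"id": "HD-1001", "user": "alice", "channel": "phone", "verification": "callback",
     "ts": "2026-03-02T09:05:00"},
    {"id": "HD-1002", "user": "bob", "channel": "phone", "verification": "",
     "ts": "2026-03-02T10:12:00"},
    {"id": "HD-1003", "user": "carol", "channel": "portal", "verification": "sso",
     "ts": "2026-03-02T11:00:00"},
]
IDP_EVENTS = [
    {"user": "alice", "event": "password_reset", "ts": "2026-03-02T09:20:00"},
    {"user": "bob", "event": "mfa_reset", "ts": "2026-03-02T10:20:00"},
    {"user": "bob", "event": "device_enrollment", "ts": "2026-03-02T10:25:00"},
    {"user": "bob", "event": "login_success", "ts": "2026-03-03T08:00:00"},
    {"user": "carol", "event": "mfa_reset", "ts": "2026-03-02T11:10:00"},
]
# Identity changes worth sequencing against a voice contact (assumed labels).
SENSITIVE = {"password_reset", "mfa_reset", "device_enrollment", "account_recovery"}


def correlate(tickets, events, window_minutes=60):
    """Return one finding per phone ticket followed by sensitive IdP changes."""
    findings = []
    for tk in tickets:
        if tk["channel"] != "phone":
            continue  # only voice-driven requests are in scope here
        start = datetime.fromisoformat(tk["ts"])
        end = start + timedelta(minutes=window_minutes)
        seq = sorted(
            (e for e in events
             if e["user"] == tk["user"] and e["event"] in SENSITIVE
             and start <= datetime.fromisoformat(e["ts"]) <= end),
            key=lambda e: e["ts"])
        if not seq:
            continue
        # No recorded verification method is the logging blind spot called out above.
        severity = "high" if not tk["verification"] else "review"
        findings.append({"ticket": tk["id"], "user": tk["user"],
                         "severity": severity, "events": [e["event"] for e in seq]})
    return findings


if __name__ == "__main__":
    for f in correlate(TICKETS, IDP_EVENTS):
        print(f)
```

Tickets from non-voice channels are skipped entirely, so the "review" finding for a verified phone ticket is the analyst's cue to confirm the callback record rather than an alert on its own.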
Mitigation priorities
- Require strong identity verification for voice-based access, recovery, and MFA-change requests before granting access.
- Standardize and log help desk approval workflows so SOC and IR teams can reconstruct who requested, approved, and performed access changes.
- Limit and review exceptions for privileged users, executives, administrators, and users with access to sensitive systems.
- Train support staff and users to escalate suspicious voice requests without relying only on caller ID or claimed urgency.
- Test incident response playbooks for voice-driven initial-access scenarios, including rapid review of identity changes and endpoint sessions after a reported call.
Analyst notes and limits
This take is based on the supplied detection strategy metadata and its relationship to T1566.004 Spearphishing Voice. The object has no official MITRE description, detection text, platforms, or tactics of its own, so the practical guidance is intentionally framed around the related technique and conservative defensive validation.
No active exploitation, actor attribution, guaranteed detection coverage, or vendor-specific control effectiveness is implied. Local process data, identity architecture, help desk tooling, telephony retention, and endpoint logging determine whether this behavior can be detected or investigated reliably.
Detection Strategy for Spearphishing Voice across OS platforms
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.004 | Spearphishing Voice Sub-technique | This object detects Spearphishing Voice. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5237b6ef2486… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.