DET0886: Detection of Spearphishing Voice
Analyst context for executives and security teams
This detection strategy matters because voice-based spearphishing is often a pre-incident reconnaissance behavior: an adversary may call employees or trusted parties to elicit credentials or other actionable information before technical intrusion activity is visible. For leaders, the practical issue is whether the organization can recognize, report, and investigate suspicious voice requests before they become account compromise or targeting intelligence.
Executive priority
Prioritize this as a human-process and readiness control gap rather than a purely technical alerting problem. Executives should ask whether staff know how to verify urgent voice requests, whether suspected calls are reportable to the SOC or incident response team, and whether the organization can preserve enough evidence to support an investigation. This is relevant to identity risk, help desk procedures, compliance evidence for security awareness, and incident decision-making around potential credential exposure.
Technical view
The supplied ATT&CK object has no official detection text, platforms, or tactics, but it detects T1598.004 Spearphishing Voice, which is associated with reconnaissance on PRE platforms. SOC and IR teams should validate whether suspicious voice-based social engineering reports can be correlated with identity events, help desk activity, credential reset requests, access attempts, and any subsequent suspicious authentication behavior. Detection engineering should focus on workflow coverage: how reports enter the queue, how they are triaged, and how related identity or access telemetry is searched.
Likely telemetry
- User-reported suspicious phone calls or voice messages
- Help desk tickets involving password resets, MFA resets, account recovery, or urgent access requests
- Identity and access management logs around authentication, failed logins, MFA prompts, password changes, and account recovery events
- Security awareness or phishing-reporting records where voice incidents are captured
- Call center or corporate telephony metadata where collection is authorized and available
Detection direction
- Validate that voice-based spearphishing reports are accepted and categorized, not only email phishing reports.
- Correlate reported calls with near-time identity events such as password reset attempts, MFA changes, unusual login failures, or access requests.
- Tune triage to account for false positives from legitimate vendors, recruiters, customers, and internal support calls while still escalating requests involving credentials or sensitive operational details.
- Check for blind spots where telephony, help desk, HR, or executive assistant workflows are outside SOC visibility.
- Use relationship context to treat this as reconnaissance: absence of malware or endpoint alerts does not mean the event is irrelevant.
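The correlation step described in the list above, as an added example that is not part of the original page or of any ATT&CK or Glexia tooling: user-reported calls are paired with identity and help desk events for the same user inside a time window, and each report is kept as a finding even when nothing correlates, so a call with no endpoint or identity follow-through still survives as reconnaissance context. The four-hour window, the event type names and all reports and events are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Identity events that suggest the caller's elicitation led to an account change (assumed names).
HIGH_RISK_EVENTS = {"password_reset_request", "mfa_reset", "mfa_device_added", "account_recovery"}
# Weaker signals that are still worth surfacing next to a reported call.
MEDIUM_RISK_EVENTS = {"login_failure", "mfa_prompt_denied"}


@dataclass
class CallReport:
    report_id: str
    user: str                    # employee who received the call
    reported_at: datetime
    asked_for_credentials: bool  # caller requested a password, MFA code or reset
    caller_claimed: str          # who the caller said they were


@dataclass
class IdentityEvent:
    user: str
    occurred_at: datetime
    event_type: str
    source: str                  # "idp" or "helpdesk"


@dataclass
class Finding:
    report_id: str
    user: str
    severity: str
    correlated: List[Tuple[str, str]] = field(default_factory=list)


def correlate(reports: List[CallReport], events: List[IdentityEvent],
              window: timedelta = timedelta(hours=4)) -> List[Finding]:
    """Pair each reported call with identity events for the same user within +/- window."""
    by_user: Dict[str, List[IdentityEvent]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)

    findings: List[Finding] = []
    for r in reports:
        lo, hi = r.reported_at - window, r.reported_at + window
        hits = sorted((e for e in by_user.get(r.user, []) if lo <= e.occurred_at <= hi),
                      key=lambda e: e.occurred_at)
        types = {e.event_type for e in hits}
        if types & HIGH_RISK_EVENTS:
            severity = "high"    # elicitation followed by a reset or recovery action
        elif r.asked_for_credentials or types & MEDIUM_RISK_EVENTS:
            severity = "medium"  # credential request, or authentication noise around the call
        else:
            severity = "low"     # no identity follow-through; keep as reconnaissance context
        findings.append(Finding(r.report_id, r.user, severity,
                                [(e.event_type, e.source) for e in hits]))
    return findings


# Constructed sample data: one working day, four reported calls, four identity events.
T = datetime(2024, 3, 5, 9, 0)
SAMPLE_REPORTS = [
    CallReport("R1", "alice", T + timedelta(hours=1, minutes=15), True, "IT help desk"),
    CallReport("R2", "bob", T + timedelta(hours=5), False, "recruiter"),
    CallReport("R3", "carol", T, True, "vendor"),
    CallReport("R4", "dave", T + timedelta(hours=7), False, "customer"),
]
SAMPLE_EVENTS = [
    IdentityEvent("alice", T + timedelta(hours=1, minutes=40), "mfa_reset", "helpdesk"),
    IdentityEvent("carol", T + timedelta(minutes=30), "login_failure", "idp"),
    IdentityEvent("dave", T + timedelta(hours=2), "login_failure", "idp"),  # 5 h before R4: outside window
    IdentityEvent("erin", T + timedelta(hours=5, minutes=10), "password_reset_request", "helpdesk"),
]


def sample_severities() -> Dict[str, str]:
    """Severity per report for the constructed data set."""
    return {f.report_id: f.severity for f in correlate(SAMPLE_REPORTS, SAMPLE_EVENTS)}


if __name__ == "__main__":
    for f in correlate(SAMPLE_REPORTS, SAMPLE_EVENTS):
        print(f.report_id, f.user, f.severity, f.correlated)
```

The recruiter call (R2) and the customer call (R4) end up as low-severity findings rather than being dropped, which is the triage behaviour the last bullet asks for; R4 also shows that an event outside the window for the same user does not attach to the report. Tuning the window and the event sets to local identity telemetry is the part a SOC would have to do itself.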
Mitigation priorities
- Establish clear verification procedures for voice requests involving credentials, MFA, sensitive information, financial actions, or privileged access.
- Train employees and help desk staff to report suspicious voice interactions through a defined channel.
- Harden account recovery, password reset, and MFA reset workflows with out-of-band verification and documented approvals.
- Ensure incident response playbooks include suspected social engineering by phone and define when to rotate credentials or review identity activity.
- Maintain audit-ready evidence of awareness training, reporting procedures, and response actions for suspected voice spearphishing.
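A gated reset workflow of the kind the third and fifth mitigation bullets describe, added here as an example and not code from the original page, from ATT&CK, or from Glexia: a help desk reset request is only approved when verification happened out of band (callback to the number of record, not a number the caller supplied), privileged accounts carry an independent approver, and every decision is returned as an audit-ready record. The directory entries, proof names, ticket numbers and phone numbers are constructed sample values.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Directory of record (constructed): callback number and privilege flag come from here, never from the caller.
DIRECTORY: Dict[str, Dict] = {
    "alice": {"phone": "+1-555-0100", "privileged": False},
    "ops-admin": {"phone": "+1-555-0199", "privileged": True},
}

# Out-of-band proofs an agent may record (assumed names); anything said on the inbound call is not one.
ACCEPTED_PROOFS = {"callback_to_directory_number", "manager_confirmation", "in_person_badge"}


@dataclass
class ResetRequest:
    ticket_id: str
    account: str
    reset_type: str                 # "password" or "mfa"
    channel: str                    # "phone" or "portal"
    callback_number: Optional[str]  # number the agent actually called back, if any
    proofs: List[str]               # verification steps the agent recorded
    approver: Optional[str]         # required for privileged accounts


def evaluate_reset(req: ResetRequest, directory: Dict[str, Dict], now: datetime) -> Dict:
    """Decide whether a reset may proceed and return an audit-ready record of the decision."""
    reasons: List[str] = []
    entry = directory.get(req.account)
    if entry is None:
        reasons.append("unknown_account")
    else:
        if not set(req.proofs) & ACCEPTED_PROOFS:
            reasons.append("no_out_of_band_verification")
        # A callback only counts when it went to the directory number, not one the caller gave.
        if "callback_to_directory_number" in req.proofs and req.callback_number != entry["phone"]:
            reasons.append("callback_number_differs_from_directory")
        if entry["privileged"] and (not req.approver or req.approver == req.account):
            reasons.append("privileged_reset_requires_independent_approver")
    return {
        "ticket_id": req.ticket_id,
        "account": req.account,
        "reset_type": req.reset_type,
        "decision": "approve" if not reasons else "deny",
        "reasons": reasons,
        "evaluated_at": now.isoformat(),
        "request": asdict(req),
    }


# Constructed sample tickets: one caller-supplied callback number, one proper callback,
# one privileged reset without an approver, and the same reset with an approver.
SAMPLE_REQUESTS = [
    ResetRequest("HD-1", "alice", "mfa", "phone", "+1-555-0777", ["callback_to_directory_number"], None),
    ResetRequest("HD-2", "alice", "mfa", "phone", "+1-555-0100", ["callback_to_directory_number"], None),
    ResetRequest("HD-3", "ops-admin", "password", "phone", "+1-555-0199", ["callback_to_directory_number"], None),
    ResetRequest("HD-4", "ops-admin", "password", "phone", "+1-555-0199", ["callback_to_directory_number"], "sec-lead"),
]


def sample_decisions() -> Dict[str, str]:
    """Decision per ticket for the constructed requests."""
    now = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
    return {req.ticket_id: evaluate_reset(req, DIRECTORY, now)["decision"] for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for req in SAMPLE_REQUESTS:
        rec = evaluate_reset(req, DIRECTORY, now)
        print(rec["ticket_id"], rec["decision"], rec["reasons"])
```

HD-1 is the case the verification bullet targets: the agent did call back, but to the number the caller asked for, so the record is denied with a reason that says exactly why. The returned dictionary, including the full request, is what would be written to the ticketing or audit store to satisfy the evidence bullet.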
Analyst notes and limits
ATT&CK provides only the detection strategy identity and relationship to T1598.004; there is no official description or detection guidance for DET0886 in the supplied fields. The defensive value therefore comes from validating organizational reporting, identity correlation, and incident workflow coverage for voice-based reconnaissance and credential elicitation.
Platforms, tactics, and official detection content are not specified for the detection strategy object. Local telephony availability, privacy rules, help desk processes, and identity logging determine what can actually be detected or investigated. This take does not assert active exploitation, attribution, or guaranteed detection coverage.
Detection of Spearphishing Voice
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1598.004 | Spearphishing Voice Sub-technique | This object detects Spearphishing Voice. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c6d2541e687c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack DET0886
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.