MITRE ATT&CK® Technique

T1566.004: Spearphishing Voice

Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

All forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on User Execution for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,[1][2] or install adversary-accessible remote management tools (Remote Access Tools) onto their computer.[3]

Adversaries may also combine voice phishing with Multi-Factor Authentication Request Generation in order to trick users into divulging MFA credentials or accepting authentication prompts.[4]

Enterprise | T1566.004 | Sub-technique | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Spearphishing Voice matters because it moves the initial-access problem from inbox filtering into human decision-making over phone or voice channels. The business risk is not just a bad call; it is a user being pressured to visit a malicious URL, install adversary-accessible remote management software, or approve/divulge MFA credentials, creating a path into Windows, macOS, Linux, or identity-provider environments.

Executive priority

Treat this as an identity, help desk, and workforce-readiness risk, not only an email security issue. Leaders should ask whether employees know how to verify urgent voice requests, whether MFA prompt abuse is monitored, whether remote management tool use is governed, and whether incident responders can reconstruct a callback-phishing event from voice, identity, endpoint, and help desk evidence. Audit value will often come from documented user training, reporting workflows, MFA evidence, and remote access control records.

Technical view

MITRE lists this sub-technique under Initial Access and notes no official detection text, but a related detection strategy DET0245 exists. SOC and IR teams should validate cross-source correlation for voice-driven phishing: phishing messages or callbacks that lead to URL visits, downloads, remote access tool installation, or MFA request generation. Detection engineering should not rely only on malicious attachments because this technique may avoid direct malware delivery and instead manipulate the user into taking access-enabling actions.

Likely telemetry

  • Identity provider sign-in logs, MFA prompt/approval events, and anomalous authentication context
  • Endpoint process, download, browser, and remote access tool installation or execution events on Windows, macOS, and Linux
  • Email or messaging records that contain callback instructions, phone numbers, URLs, or urgency-themed lures where available
  • Help desk tickets, user reports, and security awareness reporting channels tied to suspicious calls
  • Telephony or call-center records where the organization collects them and privacy/legal constraints allow

Detection direction

  • Validate whether DET0245-style coverage is implemented across operating systems and identity-provider telemetry rather than only email gateway alerts.
  • Tune for sequences: suspicious message or user report, voice callback, web visit/download, remote access tool activity, and MFA request/approval anomalies.
  • Account for false positives from legitimate help desk calls, approved remote support, and normal MFA prompts by requiring context such as unusual timing, new remote tools, atypical sign-in properties, or mismatched user narrative.
  • Close blind spots where phone calls, help desk interactions, MFA events, and endpoint activity are owned by different teams and are not correlated during triage.
  • Use relationship context cautiously: ATT&CK links this behavior to campaign/group objects, but local detections should be based on observed behavior, not assumed attribution.
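The sequence correlation the bullets above call for, as an added example written for this page (not code from the ATT&CK object or from the Glexia library): it groups constructed help desk, identity-provider and endpoint records per user, detects an MFA prompt burst, orders the stages inside a time window, and suppresses RMM activity that an approved support ticket already explains. Field names, stage labels, window sizes and the alert threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); field names are assumptions.
EVENTS = [
    {"src": "helpdesk", "user": "jdoe",   "ts": "2024-05-01T09:02:00", "msg": "user reports unexpected 'IT support' phone call"},
    {"src": "idp",      "user": "jdoe",   "ts": "2024-05-01T09:10:00", "msg": "mfa_push_sent"},
    {"src": "idp",      "user": "jdoe",   "ts": "2024-05-01T09:10:40", "msg": "mfa_push_sent"},
    {"src": "idp",      "user": "jdoe",   "ts": "2024-05-01T09:11:20", "msg": "mfa_push_sent"},
    {"src": "idp",      "user": "jdoe",   "ts": "2024-05-01T09:12:00", "msg": "mfa_push_approved new_device=true"},
    {"src": "endpoint", "user": "jdoe",   "ts": "2024-05-01T09:25:00", "msg": "process_start rmm_agent_setup.exe"},
    {"src": "helpdesk", "user": "asmith", "ts": "2024-05-01T13:40:00", "msg": "approved remote support session #4412"},
    {"src": "endpoint", "user": "asmith", "ts": "2024-05-01T14:00:00", "msg": "process_start rmm_agent_setup.exe"},
]

def stage_of(ev):
    """Map one raw event to a stage of the callback-phishing sequence, or None."""
    src, msg = ev["src"], ev["msg"]
    if src == "helpdesk" and ("unexpected" in msg or "suspicious" in msg):
        return "user_report"
    if src == "idp" and msg.startswith("mfa_push_approved") and "new_device=true" in msg:
        return "mfa_approved_new_device"
    if src == "endpoint" and "rmm" in msg:
        return "rmm_activity"
    return None

def correlate(events, window=timedelta(hours=2), burst_n=3, burst_span=timedelta(minutes=5)):
    """Per user: find an MFA push burst, order stages, keep those inside `window`, suppress explained RMM use."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append({**ev, "t": datetime.fromisoformat(ev["ts"])})
    result = {}
    for user, evs in by_user.items():
        stages = [(s, e["t"]) for e in evs if (s := stage_of(e))]
        pushes = [e["t"] for e in evs if e["msg"] == "mfa_push_sent"]
        for i in range(len(pushes) - burst_n + 1):  # MFA request generation: N prompts in a short span
            if pushes[i + burst_n - 1] - pushes[i] <= burst_span:
                stages.append(("mfa_prompt_burst", pushes[i]))
                break
        stages.sort(key=lambda x: x[1])
        seq = [s for s, t in stages if t - stages[0][1] <= window] if stages else []
        approved = any(e["src"] == "helpdesk" and "approved remote support" in e["msg"] for e in evs)
        suppressed = approved and seq == ["rmm_activity"]  # expected remote support, not a lure
        result[user] = {"stages": seq, "score": 0 if suppressed else len(set(seq)), "suppressed": suppressed}
    return result

def alerts(events, threshold=3):
    """Users whose correlated sequence reaches `threshold` distinct stages."""
    return sorted(u for u, r in correlate(events).items() if r["score"] >= threshold)
```

Running `alerts(EVENTS)` flags only jdoe, whose report, MFA burst, new-device approval and RMM start all fall inside one window; asmith's RMM start is suppressed by the approved support ticket.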

Mitigation priorities

  • Prioritize M1017 User Training focused on voice social engineering, urgency tactics, callback verification, suspicious MFA prompts, and reporting suspicious calls.
  • Reinforce help desk and remote support procedures so users can independently verify callers before installing tools, visiting URLs, or granting access.
  • Review identity-provider controls and response playbooks for MFA request generation scenarios, including how users report unexpected prompts.
  • Maintain governance over remote access and remote management tools so unauthorized installation or use can be identified quickly.
  • Test incident response collection paths for user reports, endpoint evidence, identity logs, and any available telephony/help desk records.

Analyst notes and limits

This technique is a sub-technique of Phishing (T1566) and is specifically voice-mediated. The supplied ATT&CK relationships include User Training as a mitigation, DET0245 as a detection strategy, and use relationships to C0027 and Storm-1811. External references cited by ATT&CK include CISA guidance on malicious use of remote monitoring and management software and vendor research on vishing/callback phishing themes.

MITRE provides no official detection procedure in the supplied object, so detection recommendations are derived from the technique description, platforms, tactics, and relationships. The object supports initial-access risk framing but does not by itself prove active exploitation against any specific organization, guarantee detection coverage, or establish attribution in a local incident.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise. ID: T1566. Name: Phishing. Relationship: this object is a sub-technique of Phishing.
Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1046: Storm-1811

Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.[1][2][3][4]

Campaign (Enterprise)

C0027: C0027

C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created: not shown in the mirrored snapshot
Modified: not shown in the mirrored snapshot
Raw hash: 5b47fb32afdba05c...

Imported snapshots across ATT&CK releases (1): release 19.1, object version 1.2, current bundle, raw hash 5b47fb32afdb…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Sygnia. Retrieved February 2, 2023.
  2. CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023.
  3. Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Unit 42. Retrieved February 2, 2023.
  4. Proofpoint. (n.d.). What Is Vishing?. Retrieved September 8, 2023.
  5. MITRE ATT&CK. T1566.004: Spearphishing Voice.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.