T1598.004: Spearphishing Voice
Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.
All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or "vishing"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.[1]
Victims may also receive phishing messages that direct them to call a phone number ("callback phishing") where the adversary attempts to collect confidential information.[2]
Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to tailor pretexts to be even more persuasive and believable for the victim.
Analyst context for executives and security teams
Spearphishing Voice is vishing used during reconnaissance to persuade employees, contractors, or support staff to reveal credentials or other useful targeting information. Its business significance is that it can bypass many email- and malware-focused controls by moving the social engineering conversation to phone calls or callback workflows, where trust, urgency, and weak verification processes often decide the outcome.
Executive priority
Treat this as an identity, help desk, CRM, and third-party support process risk rather than only a user-awareness issue. ATT&CK links this technique to campaigns and groups involving social engineering, telecommunications/BPO targeting, CRM-related compromise, data theft, and extortion contexts. Leaders should ask whether high-risk teams have call-back verification procedures, whether sensitive account actions require strong identity proofing, and whether incident response can connect suspicious calls to later credential, MFA, CRM, or account-access events.
Technical view
This is a PRE-platform reconnaissance sub-technique under Phishing for Information, so detection is likely process- and telemetry-driven rather than endpoint-centric. SOC and IR teams should validate how reports of suspicious calls, callback phishing messages, phone-number spoofing claims, help desk interactions, and credential-disclosure reports are captured and correlated with identity logs, MFA events, CRM/admin activity, and subsequent account changes. Official ATT&CK detection text is not provided, but a related ATT&CK detection strategy, DET0886 Detection of Spearphishing Voice, is mapped to this object.
Likely telemetry
- User reports of suspicious phone calls, callback requests, or impersonation attempts
- Help desk, service desk, and support ticket records involving credential resets, MFA changes, account recovery, or unusual urgency
- Identity provider logs for failed/successful sign-ins, MFA enrollment or reset events, password resets, and new device/session activity after reported calls
- CRM or SaaS administrative logs where sensitive customer or business data may be accessed following social engineering
- Email or messaging records for phishing messages that instruct recipients to call a phone number
Detection direction
- Validate that suspicious voice-phishing reports enter the SOC workflow, not only HR, help desk, or fraud queues.
- Tune correlation between reported calls or callback emails and later identity events such as password resets, MFA changes, new sessions, or access to sensitive SaaS/CRM data.
- Use relationship context to prioritize monitoring around high-risk support, telecom, BPO, CRM, and customer-facing workflows where ATT&CK documents related campaign usage.
- Account for false positives: legitimate vendor, partner, bank, or support calls may resemble vishing unless verification outcome, requested action, and identity events are reviewed together.
- Identify blind spots where phone interactions, help desk actions, and identity telemetry are owned by different teams and cannot be searched together during an incident.
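The correlation sketched in the telemetry and detection lists above, as an added example that is not part of the ATT&CK object or the Glexia analysis: constructed vishing reports are joined to constructed identity-provider events on the same account within a time window, and the help desk's verification outcome sets the priority. Field names, event names and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): user / help-desk reports of suspicious calls
# or callback-phishing messages, with whether the caller was verified out of band.
REPORTS = [
    {"ts": "2024-10-03T09:12:00", "user": "j.doe", "channel": "phone",
     "summary": "caller posed as IT support and asked for an MFA code", "verified": False},
    {"ts": "2024-10-03T10:05:00", "user": "a.lee", "channel": "callback-email",
     "summary": "invoice email asked recipient to call a number", "verified": True},
]

# Constructed identity-provider events (assumed schema).
IDENTITY_EVENTS = [
    {"ts": "2024-10-03T09:40:00", "user": "j.doe", "event": "mfa_method_added"},
    {"ts": "2024-10-03T09:41:00", "user": "j.doe", "event": "new_session"},
    {"ts": "2024-10-03T15:00:00", "user": "a.lee", "event": "password_reset"},
    {"ts": "2024-10-04T09:00:00", "user": "m.kim", "event": "password_reset"},
]

# Identity / SaaS actions worth reviewing when they follow a reported call.
SENSITIVE_EVENTS = {"password_reset", "mfa_reset", "mfa_method_added",
                    "new_session", "crm_export"}


def correlate(reports, events, window_hours=24):
    """Return one alert per report that is followed, on the same account and within
    the window, by at least one sensitive identity event."""
    alerts = []
    for r in reports:
        t0 = datetime.fromisoformat(r["ts"])
        t1 = t0 + timedelta(hours=window_hours)
        hits = [e for e in events
                if e["user"] == r["user"]
                and e["event"] in SENSITIVE_EVENTS
                and t0 <= datetime.fromisoformat(e["ts"]) <= t1]
        if not hits:
            continue
        # A verified caller lowers priority but does not suppress the alert: the
        # requested action and the later identity event are still reviewed together.
        priority = "low" if r.get("verified") else "high"
        alerts.append({"user": r["user"], "priority": priority,
                       "report": r["summary"],
                       "events": [e["event"] for e in hits]})
    return alerts


if __name__ == "__main__":
    for a in correlate(REPORTS, IDENTITY_EVENTS):
        print(a["priority"].upper(), a["user"], a["events"], "-", a["report"])
```

Accounts with sensitive events but no preceding report (m.kim above) are not flagged here; they belong to the ordinary identity-monitoring baseline rather than this correlation.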
Mitigation priorities
- Prioritize User Training (M1017) focused on voice and callback phishing, including urgency, impersonation, phone-number spoofing, and requests for credentials or MFA actions.
- Establish verification procedures for sensitive requests received by phone, especially credential resets, MFA changes, account recovery, data exports, and privileged support actions.
- Require reporting paths that make suspicious calls visible to SOC/IR teams quickly enough to investigate related identity and SaaS activity.
- Reduce reliance on caller ID or claimed affiliation as proof of identity; use approved out-of-band verification and documented support workflows.
- Review high-risk business processes for audit evidence: training completion, reporting metrics, help desk verification records, and incident handling records.
Analyst notes and limits
ATT&CK describes this as reconnaissance rather than malware delivery: the goal is to elicit information, often credentials or actionable details, through voice communications or callback phishing. The object is mapped as used by campaigns C0027 and C0059 and groups LAPSUS$ and Scattered Spider, which supports prioritizing social-engineering resilience without asserting current activity in any specific environment.
Official ATT&CK detection guidance is not provided in the supplied object, and DET0886 details were not supplied beyond the mapping. Local assessment is required to determine whether telephony, help desk, identity, CRM/SaaS, and user-reporting data are collected, retained, and correlatable. No active exploitation, customer exposure, or guaranteed detection coverage is implied.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1598 | Phishing for Information | This object is a sub-technique of Phishing for Information. |
Groups, software, and campaigns
G1004: LAPSUS$
LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]
G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]
C0027: C0027
C0027 was a financially motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027, Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]
C0059: Salesforce Data Exfiltration
The Salesforce Data Exfiltration campaign began in October 2024 with the financially motivated threat actor UNC6040 using Spearphishing Voice (vishing) to compromise corporate Salesforce instances for large-scale data theft and extortion. Following the initial data theft, victim organizations received extortion demands from a separate threat actor, UNC6240, who claimed to be the "ShinyHunters" group. The observed infrastructure and TTPs used during the Salesforce Data Exfiltration campaign overlap with those used by threat groups with suspected ties to the broader collective known as "The Com." These overlaps could plausibly be the result of associated actors operating within the same communities and are not necessarily an indication of a direct operational relationship.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d06f165a12b4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] BOA Telephone Scams: Bank of America. (n.d.). How to avoid telephone scams. Retrieved September 8, 2023.
[2] Avertium callback phishing: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK PHISHING. Retrieved February 2, 2023.
[3] mitre-attack T1598.004: MITRE ATT&CK. T1598.004: Spearphishing Voice.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.