Full Report
Voice-based phishing was at the root of multiple attack sprees Mandiant responded to last year, reflecting a concerning shift in tactics. The post The phone call is the new phishing email appeared first on CyberScoop.
Analysis Summary
# Tool/Technique: Voice-Based Phishing (Vishing)
## Overview
Voice-based phishing, or "vishing," is a high-touch social engineering technique where threat actors place phone calls to employees or IT help desks. The primary purpose is to impersonate trusted individuals or support personnel to harvest credentials, bypass Multi-Factor Authentication (MFA), or trick targets into granting unauthorized network access. In 2025, this technique surged to account for 11% of Mandiant’s investigated intrusions.
## Technical Details
- **Type:** Technique (Social Engineering)
- **Platform:** Cross-platform (Targets human users/administrators to gain access to Windows, macOS, and Cloud environments)
- **Capabilities:** Impersonation, credential harvesting, MFA fatigue/resetting, and help desk manipulation.
- **First Seen:** Historically used for decades; noted for a significant resurgence/surge in 2025.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1566 - Phishing]**
- **[T1566.004 - Phishing: Spearphishing Voice]**
- **[T1190 - Exploit Public-Facing Application]** (used alongside or as a fallback to vishing; see the CVEs listed under Mitigation Strategies)
- **[TA0006 - Credential Access]**
- **[T1621 - Multi-Factor Authentication Request Generation]**
- **[TA0003 - Persistence]**
- **[T1098.005 - Account Manipulation: Device Registration]** (enrolling an attacker-controlled MFA device after a help desk reset)
## Functionality
### Core Capabilities
- **Pretexting:** Attackers create a fabricated scenario (e.g., "I'm from the IT department and we see an issue with your account") to manipulate victims.
- **Help Desk Impersonation:** Calling internal support lines to request password resets or MFA device enrollments by claiming to be a locked-out employee.
- **Credential Harvesting:** Verbally soliciting login information, or directing users to an adversary-in-the-middle (AiTM) phishing site during the live call so the attacker captures the password, OTP, and resulting session token as the victim enters them.
### Advanced Features
- **High-Investment Customization:** Unlike "spray-and-pray" email phishing, vishing involves specialized impersonation skills and specific targeting of organizations (e.g., Salesforce customers).
- **MFA Bypass:** Attackers use the live nature of a voice call to coach a victim into approving a push prompt or reading out a one-time password (OTP) at the moment the attacker's own login attempt generates it.
## Indicators of Compromise
*Note: Vishing is primarily behavioral rather than file-based.*
- **File Hashes:** N/A (Technique-based)
- **Network Indicators:**
- `gainsight[.]com` (a legitimate vendor domain related to the targeted customer base; it is context for the campaign, not a domain to block)
- Potential AiTM proxy domains meant to mimic corporate login portals (e.g., `okta-idp[.]com`, which is a placeholder here, not an observed domain).
- **Behavioral Indicators:**
- Unusual volume of password reset requests originating from a single IP or caller.
- Unexpected MFA device enrollment (often a new personal/BYOD phone) for an existing employee, especially within minutes of a help desk interaction.
- Help desk logs showing callers unable to verify secondary identity markers.
## Associated Threat Actors
- **The Com (Cybercrime collective)**
- **Scattered Spider (UNC3944)**
- **UNC6040**
- **UNC6240**
## Detection Methods
- **Behavioral Detection:** Monitoring for "MFA Fatigue" patterns (multiple denied prompts followed by a single success) and tracking anomalous help desk ticket patterns.
- **Anomaly Detection:** Flagging logins from new devices or unexpected geographic locations immediately following a help desk interaction.
- **Communication Monitoring:** Logging all inbound help desk calls (caller ID, ticket, and the identity checks performed) for auditing, and applying Caller ID reputation filtering with the caveat that caller ID is easily spoofed and is at best a weak signal.
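The three detections above, written out as an added example (this is not code from the CyberScoop article or from Mandiant). The event schema, field names, event types and every sample record are assumptions invented for illustration; the functions run over a constructed list of identity-provider and help desk events and return the hits so they can be wired into any alerting pipeline.

```python
"""Detection logic for vishing-driven identity abuse over constructed events.

Added example for this page, not code from the CyberScoop article or from
Mandiant. The event schema (field names, event types) and all sample records
are assumptions invented for illustration; map them onto your own IdP and
help desk telemetry.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). "ts" is epoch seconds.
SAMPLE_EVENTS: List[Dict] = [
    # alice: three denied pushes, then an approval inside ten minutes.
    {"ts": 1000, "user": "alice", "type": "mfa_push", "result": "denied"},
    {"ts": 1060, "user": "alice", "type": "mfa_push", "result": "denied"},
    {"ts": 1120, "user": "alice", "type": "mfa_push", "result": "denied"},
    {"ts": 1300, "user": "alice", "type": "mfa_push", "result": "approved"},
    # bob: normal login, then a help desk MFA reset followed by a login from
    # a device and country never seen for him before.
    {"ts": 100, "user": "bob", "type": "login", "device_id": "dev-bob-1", "country": "US"},
    {"ts": 2000, "user": "bob", "type": "helpdesk_mfa_reset", "caller_id": "+15550100"},
    {"ts": 2400, "user": "bob", "type": "login", "device_id": "dev-new-9", "country": "RO"},
    # carol: one denial then an approval is ordinary, not push bombing.
    {"ts": 3000, "user": "carol", "type": "mfa_push", "result": "denied"},
    {"ts": 3030, "user": "carol", "type": "mfa_push", "result": "approved"},
    # One caller ID requesting resets for three different accounts in minutes.
    {"ts": 4000, "user": "dave", "type": "helpdesk_mfa_reset", "caller_id": "+15550199"},
    {"ts": 4100, "user": "erin", "type": "helpdesk_mfa_reset", "caller_id": "+15550199"},
    {"ts": 4200, "user": "frank", "type": "helpdesk_mfa_reset", "caller_id": "+15550199"},
]


def detect_mfa_fatigue(events: List[Dict], window: int = 600,
                       min_denials: int = 3) -> List[Tuple[str, int, int]]:
    """Return (user, approval_ts, denials) where an approval follows
    at least min_denials denied pushes within the preceding window."""
    pushes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "mfa_push":
            pushes[e["user"]].append(e)
    hits = []
    for user, seq in pushes.items():
        for i, e in enumerate(seq):
            if e["result"] != "approved":
                continue
            denials = sum(1 for p in seq[:i]
                          if p["result"] == "denied" and e["ts"] - p["ts"] <= window)
            if denials >= min_denials:
                hits.append((user, e["ts"], denials))
    return hits


def detect_post_helpdesk_anomaly(events: List[Dict],
                                 window: int = 3600) -> List[Tuple[str, int, int, str]]:
    """Return (user, reset_ts, login_ts, device_id) for logins within window
    after a help desk MFA reset from a device or country that user had never
    used before the reset. The baseline is learned from earlier logins."""
    ordered = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, reset in enumerate(ordered):
        if reset["type"] != "helpdesk_mfa_reset":
            continue
        user = reset["user"]
        prior = [e for e in ordered[:i] if e["type"] == "login" and e["user"] == user]
        known_devices = {e["device_id"] for e in prior}
        known_countries = {e["country"] for e in prior}
        for later in ordered[i + 1:]:
            if later["ts"] - reset["ts"] > window:
                break
            if later["type"] == "login" and later["user"] == user and (
                    later["device_id"] not in known_devices
                    or later["country"] not in known_countries):
                hits.append((user, reset["ts"], later["ts"], later["device_id"]))
    return hits


def detect_reset_burst(events: List[Dict], window: int = 900,
                       threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Return (caller_id, first_ts, users) for caller IDs that request resets
    for at least threshold distinct accounts within window seconds."""
    by_caller = defaultdict(list)
    for e in events:
        if e["type"] == "helpdesk_mfa_reset":
            by_caller[e["caller_id"]].append(e)
    hits = []
    for caller, resets in by_caller.items():
        resets.sort(key=lambda e: e["ts"])
        for i, first in enumerate(resets):
            users = {r["user"] for r in resets[i:] if r["ts"] - first["ts"] <= window}
            if len(users) >= threshold:
                hits.append((caller, first["ts"], sorted(users)))
                break  # one alert per caller is enough
    return hits


if __name__ == "__main__":
    for name, fn in [("mfa_fatigue", detect_mfa_fatigue),
                     ("post_helpdesk_anomaly", detect_post_helpdesk_anomaly),
                     ("reset_burst", detect_reset_burst)]:
        for hit in fn(SAMPLE_EVENTS):
            print(f"[{name}] {hit}")
```

The thresholds are deliberately parameters: a single denied push followed by an approval is routine user behaviour (carol in the sample), so `min_denials` should be tuned against your own baseline, and the post-reset check learns "known" devices and countries from prior logins rather than from a hard-coded list, which is what makes the new-device-after-reset pattern (bob) stand out without a separate asset inventory.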
## Mitigation Strategies
- **Identity Verification:** Implementing strict "callback" policies where the help desk ends the call and calls the employee back on the number already on file in the HR system, never on a number the caller supplies, before resetting a password or enrolling a new MFA device.
- **Hardware Keys:** Moving to FIDO2/WebAuthn authenticators (e.g., YubiKeys). These are phishing-resistant because the credential is bound to the site's origin and there is no code the user can read out over the phone; the help desk re-enrollment path must be locked down equally, or it becomes the way around them.
- **Security Awareness Training:** Specifically training staff and IT help desk personnel on "voice-based" social engineering tactics and high-pressure psychological manipulation.
- **Vulnerability Management:** Patching critical initial access flaws to prevent attackers from using them as fallbacks (e.g., CVE-2025-31324, CVE-2025-61882, CVE-2025-53770).
## Related Tools/Techniques
- **MFA Fatigue/Push Bombing:** Bombarding a user with push notifications until they approve.
- **SMS Phishing (Smishing):** Often used in conjunction with vishing to send malicious links via text.
- **AiTM (Adversary-in-the-Middle):** Proxy tools used to capture tokens in real-time during a vishing engagement.