Detect Spearphishing Voice in Microsoft Sentinel
Adversaries use voice communications (phone calls, VoIP) to socially engineer victims into granting system access, installing remote management tools (RMM), executing malicious scripts, or approving fraudulent MFA prompts. The attacker typically impersonates IT support or a trusted authority, creating urgency to bypass the victim's critical thinking. Unlike phishing email techniques, vishing leaves no direct technical artifact from the call itself — detection must focus on the downstream behaviors: abnormal RMM tool installation, suspicious process chains spawned during or after remote sessions, and MFA anomaly patterns. Storm-1811 is a documented threat group using this technique, directing victims to open Quick Assist (a built-in Windows remote desktop tool) to hand over system control to the attacker posing as Microsoft or internal IT support.
MITRE ATT&CK
- Tactic
- Initial Access
- Technique
- T1566 Phishing
- Sub-technique
- T1566.004 Spearphishing Voice
- Canonical reference
- https://attack.mitre.org/techniques/T1566/004/
KQL Detection Query
let RMMProcesses = dynamic([
"anydesk.exe", "teamviewer.exe", "teamviewer_service.exe",
"screenconnect.exe", "connectwisecontrol.exe", "quickassist.exe",
"remotepc.exe", "logmeinrescue.exe", "atera_agent.exe", "atera.exe",
"splashtop.exe", "supremo.exe", "ultraviewer.exe", "rustdesk.exe",
"ammyyadmin.exe", "getscreen.exe", "zoho_assist.exe",
"msra.exe", "fixmeit.exe", "dwagent.exe"
]);
let SuspiciousChildren = dynamic([
"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
"bitsadmin.exe", "msiexec.exe", "curl.exe", "wget.exe"
]);
let SuspiciousCmdPatterns = dynamic([
"-EncodedCommand", "-enc ", "Invoke-WebRequest", "DownloadString",
"DownloadFile", "IEX(", "-ExecutionPolicy Bypass", "-WindowStyle Hidden",
"Start-BitsTransfer", "certutil -urlcache", "Net.WebClient"
]);
// Branch 1: RMM tool spawning suspicious interpreter or LOLBin (key vishing post-exploitation pattern)
let RMMSpawningSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (RMMProcesses)
| where FileName has_any (SuspiciousChildren)
| extend DetectionBranch = "RMM_Spawned_Suspicious_Child"
| extend HasSuspiciousCmd = ProcessCommandLine has_any (SuspiciousCmdPatterns)
| extend RiskScore = 3 + toint(HasSuspiciousCmd);
// Branch 2: RMM tool process with a suspicious command line (direct download/execution via RMM session)
let RMMWithSuspiciousCmd = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (RMMProcesses)
| where ProcessCommandLine has_any (SuspiciousCmdPatterns)
| extend DetectionBranch = "RMM_Process_Suspicious_Cmdline"
| extend HasSuspiciousCmd = true
| extend RiskScore = 2;
// Branch 3: Quick Assist (Storm-1811 specific) spawning any child process
let QuickAssistChildren = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "quickassist.exe" or InitiatingProcessFileName =~ "msra.exe"
| where FileName has_any (SuspiciousChildren)
| extend DetectionBranch = "QuickAssist_Child_Execution"
| extend HasSuspiciousCmd = ProcessCommandLine has_any (SuspiciousCmdPatterns)
| extend RiskScore = 4 + toint(HasSuspiciousCmd);
union RMMSpawningSuspicious, RMMWithSuspiciousCmd, QuickAssistChildren
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionBranch, HasSuspiciousCmd, RiskScore
| sort by RiskScore desc, Timestamp descDetects post-vishing activity using Microsoft Defender for Endpoint DeviceProcessEvents. Focuses on three behavioral patterns that follow a successful spearphishing voice attack: (1) RMM tools (AnyDesk, TeamViewer, ScreenConnect, Quick Assist, etc.) spawning suspicious child processes like PowerShell, cmd, wscript, or LOLBins; (2) RMM tool processes executing with suspicious command line arguments indicating download cradles or encoded payloads; (3) Quick Assist specifically (used by Storm-1811) spawning any child process. Risk scoring prioritizes alerts with multiple indicators. The detection cannot observe the voice call itself and targets downstream technical behaviors.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT helpdesk sessions where support staff use Quick Assist or AnyDesk to assist users and then run PowerShell diagnostic scripts
- Managed Service Providers (MSPs) running RMM agents (Atera, ConnectWise, Splashtop) that legitimately execute scripts for patch management or software deployment
- Software asset management tools that deploy or update packages via RMM-like processes during business hours
- IT onboarding workflows where AnyDesk or TeamViewer is used to configure new endpoints and install baseline tooling via scripted deployment
- Vendor-initiated remote support sessions for enterprise software that involve running diagnostic PowerShell commands
Other platforms for T1566.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Silent AnyDesk Installation (Vishing Initial Access Simulation)
Expected signal: Sysmon Event ID 11 (File Create): AnyDesk.exe written to %TEMP%. Sysmon Event ID 1 (Process Create): AnyDesk.exe spawned with --portable argument, parent process is PowerShell. Sysmon Event ID 3 (Network Connection): Outbound connection to download.anydesk.com (185.34.32.x) on port 443 for download, and to AnyDesk relay servers on port 7070 or 443 after launch. Windows Security Event 4688 if command line auditing enabled.
- Test 2Quick Assist Session Initiation with Child PowerShell (Storm-1811 TTP)
Expected signal: Sysmon Event ID 1 (Process Create): quickassist.exe started. Sysmon Event ID 1 (Process Create): powershell.exe started with parent process being the test script's shell (simulating quick assist parent). The detection query branch 'QuickAssist_Child_Execution' specifically looks for Quick Assist spawning PowerShell. Microsoft-Windows-RemoteAssistance/Operational Event ID 1 logged when Quick Assist initializes.
- Test 3Post-Vishing Script Delivery via RMM Session Simulation
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with -ExecutionPolicy Bypass, -WindowStyle Hidden, and Net.WebClient/DownloadString in CommandLine. Sysmon Event ID 3 (Network Connection): attempt to connect to 127.0.0.1:9999 (will fail — no listener). Sysmon Event ID 11 (File Create): vishing-stage2-test.txt written to %TEMP%. PowerShell ScriptBlock Log Event ID 4104: full deobfuscated script content captured.
- Test 4Callback Phishing URL Pattern Execution (Luna Moth Simulation)
Expected signal: Sysmon Event ID 1 (Process Create): cmd.exe spawning msiexec.exe with HTTP URL argument. Sysmon Event ID 3 (Network Connection): msiexec.exe attempting outbound HTTP connection to 127.0.0.1:9998 (will fail). Windows Security Event 4688: msiexec.exe process creation with URL in command line if command line auditing enabled. The msiexec with HTTP URL pattern is characteristic of vishing-directed software installation.
References (10)
- https://attack.mitre.org/techniques/T1566/004/
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/
- https://blog.sygnia.co/luna-moth-false-subscription-scams
- https://www.cisa.gov/uscert/ncas/alerts/aa23-025a
- https://www.proofpoint.com/us/threat-reference/vishing
- https://www.redcanary.com/blog/storm-1811/
- https://www.rapid7.com/blog/post/2024/05/23/email-bombing-and-vishing-attacks-deploying-black-basta-ransomware/
- https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/quick-assist
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.004/T1566.004.md
Unlock Pro Content
Get the full detection package for T1566.004 including response playbook, investigation guide, and atomic red team tests.