T1598.004 Spearphishing Voice Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect downstream consequences of vishing: admin-initiated password resets
// immediately followed by MFA method changes — consistent with LAPSUS$/Scattered Spider TTP
let VishingWindow = 4h;
let PasswordResets = AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName in ("Reset user password", "Change user password", "Reset password (by admin)")
| where Category == "UserManagement"
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend InitiatorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend InitiatorAppName = tostring(InitiatedBy.app.displayName)
// Exclude self-service resets (initiator == target)
| where InitiatorUPN != TargetUser and isnotempty(InitiatorUPN)
| project ResetTime=TimeGenerated, TargetUser, InitiatorUPN, InitiatorIPAddress, InitiatorAppName, ResetOperation=OperationName;
let MFAChanges = AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName in (
    "User registered security info",
    "User deleted security info",
    "Admin registered security info for a user",
    "Admin deleted security info for a user",
    "User changed default security info",
    "User registered all required security info"
  )
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend MFADetail = tostring(TargetResources[0].modifiedProperties)
| project MFATime=TimeGenerated, TargetUser, MFAOperation=OperationName, MFADetail;
// Correlate reset + MFA change within window for same account
PasswordResets
| join kind=inner (MFAChanges) on TargetUser
| where MFATime between (ResetTime .. (ResetTime + VishingWindow))
| extend MinutesBetween = datetime_diff('minute', MFATime, ResetTime)
// Rapid MFA enrollment after reset is highest-fidelity indicator
| extend HighConfidence = MinutesBetween < 30
| project
    ResetTime,
    MFATime,
    MinutesBetween,
    HighConfidence,
    TargetUser,
    InitiatorUPN,
    InitiatorIPAddress,
    InitiatorAppName,
    ResetOperation,
    MFAOperation,
    MFADetail
| sort by HighConfidence desc, ResetTime desc

high severity medium confidence

Data Sources

Identity: User Account Modification Application Log: Application Log Content Azure Active Directory Audit Logs

Required Tables

AuditLogs SigninLogs

False Positives

Legitimate help desk resets for users who forgot passwords and need MFA re-enrollment simultaneously — correlate with open service desk ticket for the account
New employee onboarding: IT staff reset initial temporary password and assist with MFA enrollment in the same session
Scheduled bulk account management operations during maintenance windows where multiple resets occur for role transitions or system migrations
Automated provisioning workflows (Okta Workflows, Microsoft Lifecycle Workflows) where service principals perform password initialization followed by MFA policy enforcement

Splunk

spl

// Detect admin-initiated password resets and anomalous help desk activity
// using Windows Security Event ID 4724 and O365 audit logs
(
  index=wineventlog sourcetype="WinEventLog:Security" EventCode=4724
  | eval ResetSource="AD"
  | eval InitiatorAccount=SubjectUserName
  | eval TargetAccount=TargetUserName
  | eval SourceIP=IpAddress
)
OR
(
  index=o365 sourcetype="o365:management:activity"
    Operation IN ("Reset user password", "Change user password", "Set user password")
  | eval ResetSource="O365"
  | eval InitiatorAccount=coalesce(UserId, Actor{}.ID)
  | eval TargetAccount=coalesce(ObjectId, ModifiedProperties{}.NewValue)
  | eval SourceIP=ClientIP
)
| where InitiatorAccount != TargetAccount
| where isnotnull(InitiatorAccount) AND InitiatorAccount != ""
| bin _time span=1h
| stats
    count as ResetCount,
    dc(TargetAccount) as UniqueTargets,
    values(TargetAccount) as AffectedAccounts,
    values(SourceIP) as SourceIPs,
    values(ResetSource) as Sources,
    earliest(_time) as FirstReset,
    latest(_time) as LastReset
    by InitiatorAccount, _time
| eval TimespanMinutes=round((LastReset - FirstReset) / 60, 0)
| eval RiskScore=case(
    UniqueTargets >= 5, "critical",
    UniqueTargets >= 3, "high",
    UniqueTargets >= 2, "medium",
    match(InitiatorAccount, "(?i)(helpdesk|servicedesk|itadmin|support|resetbot)") AND UniqueTargets >= 1, "medium",
    true(), "low"
  )
| where UniqueTargets >= 2 OR (match(InitiatorAccount, "(?i)(helpdesk|servicedesk|itadmin|support)") AND ResetCount >= 1)
| sort - UniqueTargets
| table InitiatorAccount, RiskScore, ResetCount, UniqueTargets, AffectedAccounts, SourceIPs, Sources, FirstReset, LastReset, TimespanMinutes

high severity medium confidence

Data Sources

Identity: User Account Modification Application Log: Application Log Content Windows Security Event Log Microsoft 365 Audit Logs

Required Sourcetypes

WinEventLog:Security o365:management:activity

False Positives

Help desk staff performing legitimate password resets for users locked out during peak hours (Monday mornings, post-holiday return)
Automated provisioning systems that reset passwords during account lifecycle events such as new hire onboarding batches or role terminations
IT administrators performing bulk resets during security incident response (forced enterprise-wide password rotation after a breach)
Password expiration workflows in organizations without SSPR where users route reset requests through a shared helpdesk account

Elastic Security (EQL)

eql

// T1598.004 — Spearphishing Voice (Vishing)
any where event.dataset : "azure.auditlogs"
  and azure.auditlogs.operation_name in (
    "Reset password (by admin)", "Reset user password",
    "Admin reset user password", "Self-service password reset"
  )
  or (azure.auditlogs.operation_name : (
    "User registered security info", "User deleted security info"
  ))

high severity medium confidence

Data Sources

Azure Active Directory Microsoft 365

Required Tables

logs-azure.* logs-azure.signinlogs-*

False Positives

Legitimate help desk resets for users who forgot passwords and need MFA re-enrollment simultaneously — correlate with open service desk ticket for the account
New employee onboarding: IT staff reset initial temporary password and assist with MFA enrollment in the same session
Scheduled bulk account management operations during maintenance windows where multiple resets occur for role transitions or system migrations
Automated provisioning workflows (Okta Workflows, Microsoft Lifecycle Workflows) where service principals perform password initialization followed by MFA policy enforcement

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("operationname") ILIKE '%reset password%' OR LOWER("operationname") ILIKE '%reset user password%' OR LOWER("operationname") ILIKE '%admin reset%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("operationname") ILIKE '%reset password%' OR LOWER("operationname") ILIKE '%reset user password%' OR LOWER("operationname") ILIKE '%admin reset%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Legitimate help desk resets for users who forgot passwords and need MFA re-enrollment simultaneously — correlate with open service desk ticket for the account
New employee onboarding: IT staff reset initial temporary password and assist with MFA enrollment in the same session
Scheduled bulk account management operations during maintenance windows where multiple resets occur for role transitions or system migrations
Automated provisioning workflows (Okta Workflows, Microsoft Lifecycle Workflows) where service principals perform password initialization followed by MFA policy enforcement

Sumo Logic CSE

sql

_sourceCategory=*azure* OR _sourceCategory=*aad*
| json auto
| where isNotNull(userPrincipalName)
| count by userPrincipalName, ipAddress, appDisplayName
| sort by _count desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

azure/activedirectory azure/signinlogs

False Positives

Legitimate help desk resets for users who forgot passwords and need MFA re-enrollment simultaneously — correlate with open service desk ticket for the account
New employee onboarding: IT staff reset initial temporary password and assist with MFA enrollment in the same session
Scheduled bulk account management operations during maintenance windows where multiple resets occur for role transitions or system migrations
Automated provisioning workflows (Okta Workflows, Microsoft Lifecycle Workflows) where service principals perform password initialization followed by MFA policy enforcement

Google Chronicle / SecOps

yaral

rule t1598_004_spearphishing_voice {
  meta:
    author = "df00tech"
    description = "Detects Spearphishing Voice (T1598.004)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1598.004"
    confidence = "medium"
    severity = "high"
  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.user.userid != ""
  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

NETWORK_HTTP NETWORK_CONNECTION

False Positives

Legitimate help desk resets for users who forgot passwords and need MFA re-enrollment simultaneously — correlate with open service desk ticket for the account
New employee onboarding: IT staff reset initial temporary password and assist with MFA enrollment in the same session
Scheduled bulk account management operations during maintenance windows where multiple resets occur for role transitions or system migrations
Automated provisioning workflows (Okta Workflows, Microsoft Lifecycle Workflows) where service principals perform password initialization followed by MFA policy enforcement

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /python|curl|wget|nmap|masscan/i
| TechniqueLabel := "T1598.004 - Reconnaissance"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

high severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

UserLogon ProcessRollup2

False Positives

Legitimate help desk resets for users who forgot passwords and need MFA re-enrollment simultaneously — correlate with open service desk ticket for the account
New employee onboarding: IT staff reset initial temporary password and assist with MFA enrollment in the same session
Scheduled bulk account management operations during maintenance windows where multiple resets occur for role transitions or system migrations
Automated provisioning workflows (Okta Workflows, Microsoft Lifecycle Workflows) where service principals perform password initialization followed by MFA policy enforcement

Spearphishing Voice

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections