T1598.004 Elastic Security · Elastic

Detect Spearphishing Voice in Elastic Security

Adversaries may use voice communications (phone calls, VoIP) to elicit sensitive information from targets. In voice phishing, or 'vishing', adversaries pose as trusted entities—IT support, executive staff, financial institutions, or business partners—to convince victims to divulge credentials, MFA codes, or other sensitive data. Callback phishing is a variant in which malicious emails direct victims to call an adversary-controlled phone number. Threat actors including LAPSUS$ and Scattered Spider have used vishing to talk help desk personnel into resetting privileged account credentials and bypassing MFA, enabling subsequent account takeover without any malware or exploit.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1598 Phishing for Information
Sub-technique: T1598.004 Spearphishing Voice
Canonical reference: https://attack.mitre.org/techniques/T1598/004/

Elastic Detection Query

Elastic Security (Elastic), EQL:

// T1598.004 — Spearphishing Voice (Vishing)
// The two operation lists are grouped so the dataset filter applies to both
// (in EQL, "and" binds tighter than "or"; without the parentheses the second
// list would match regardless of event.dataset).
any where event.dataset : "azure.auditlogs" and (
  azure.auditlogs.operation_name in (
    "Reset password (by admin)", "Reset user password",
    "Admin reset user password", "Self-service password reset"
  )
  or azure.auditlogs.operation_name : (
    "User registered security info", "User deleted security info"
  )
)

Severity: high · Confidence: medium

Elastic EQL detection for Spearphishing Voice (T1598.004). Translates the Microsoft Sentinel KQL logic to Elastic Common Schema (ECS) field mappings for use in Elastic SIEM. Targets the same behavioral indicators across process creation, network, and authentication event types.

Data Sources

Azure Active Directory · Microsoft 365

Required Tables

logs-azure.* · logs-azure.signinlogs-*

False Positives & Tuning

  • Legitimate help desk resets for users who forgot passwords and need MFA re-enrollment simultaneously — correlate with open service desk ticket for the account
  • New employee onboarding: IT staff reset initial temporary password and assist with MFA enrollment in the same session
  • Scheduled bulk account management operations during maintenance windows where multiple resets occur for role transitions or system migrations
  • Automated provisioning workflows (Okta Workflows, Microsoft Lifecycle Workflows) where service principals perform password initialization followed by MFA policy enforcement
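The following is an added example, not Elastic's rule code or any part of this detection package. It replays constructed, ECS-shaped Azure AD audit events through the same logic as the EQL query above (dataset plus operation-name lists) and then applies the reset-followed-by-MFA-change correlation within 4 hours that the testing section describes, populating a minutes_between value. It also applies two of the tuning items from the list above as suppressions: a known automation principal and an open service-desk ticket. Only event.dataset and azure.auditlogs.operation_name come from the page; the user.target.name and user.name field names, the svc-lifecycle identity and every event below are assumptions constructed for the example.

```python
"""Added example: replays constructed, ECS-shaped Azure AD audit events through the
page's T1598.004 logic and the reset -> MFA re-enrollment correlation its tests
describe. Not Elastic's rule code; field names other than event.dataset and
azure.auditlogs.operation_name are assumptions."""
from datetime import datetime, timedelta

RESET_OPS = {
    "Reset password (by admin)", "Reset user password",
    "Admin reset user password", "Self-service password reset",
}
SECURITY_INFO_OPS = {"User registered security info", "User deleted security info"}
MAXSPAN = timedelta(hours=4)  # the 4-hour window the page's Test 2 describes

# Tuning knob (hypothetical identity): automation principals whose reset -> MFA
# enrollment chain is expected, per the provisioning-workflow false positive.
KNOWN_AUTOMATION = {"svc-lifecycle@example.test"}


def parse_ts(value):
    """Parse the @timestamp string used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def matches_rule(event):
    """Equivalent of the EQL query: an Azure audit event whose operation is a
    password reset or a security-info (MFA) registration/deletion."""
    if event.get("event.dataset") != "azure.auditlogs":
        return False
    op = event.get("azure.auditlogs.operation_name", "")
    return op in RESET_OPS or op in SECURITY_INFO_OPS


def correlate(events, open_tickets=frozenset()):
    """Pair each security-info change with the latest prior reset of the same
    target within MAXSPAN. Returns (alerts, suppressed); both hold dicts with
    minutes_between populated. open_tickets is a set of UPNs that currently
    have a service-desk ticket (the first tuning item on the page)."""
    hits = sorted((e for e in events if matches_rule(e)),
                  key=lambda e: parse_ts(e["@timestamp"]))
    last_reset = {}  # target UPN -> (timestamp, initiating identity)
    alerts, suppressed = [], []
    for ev in hits:
        op = ev["azure.auditlogs.operation_name"]
        target = ev["user.target.name"]  # assumed ECS field for TargetResources[0]
        ts = parse_ts(ev["@timestamp"])
        if op in RESET_OPS:
            last_reset[target] = (ts, ev.get("user.name", ""))  # assumed field for InitiatedBy
            continue
        if target not in last_reset:
            continue  # MFA change with no preceding reset: outside the vishing pattern
        reset_ts, initiator = last_reset[target]
        if ts - reset_ts > MAXSPAN:
            continue
        record = {
            "target": target, "initiator": initiator, "operation": op,
            "minutes_between": int((ts - reset_ts).total_seconds() // 60),
        }
        if initiator in KNOWN_AUTOMATION:
            record["reason"] = "known automation principal"
            suppressed.append(record)
        elif target in open_tickets:
            record["reason"] = "open service-desk ticket"
            suppressed.append(record)
        else:
            alerts.append(record)
    return alerts, suppressed


def sample_events():
    """Constructed audit events (not real telemetry)."""
    def ev(ts, op, target, initiator, dataset="azure.auditlogs"):
        return {"@timestamp": ts, "event.dataset": dataset,
                "azure.auditlogs.operation_name": op,
                "user.target.name": target, "user.name": initiator}
    return [
        # help-desk reset followed 47 minutes later by a new MFA method: alert
        ev("2024-05-01T09:00:00Z", "Reset user password", "victim@example.test", "helpdesk@example.test"),
        ev("2024-05-01T09:47:00Z", "User registered security info", "victim@example.test", "victim@example.test"),
        # onboarding handled by the lifecycle automation account: suppressed
        ev("2024-05-01T10:00:00Z", "Reset user password", "newhire@example.test", "svc-lifecycle@example.test"),
        ev("2024-05-01T10:03:00Z", "User registered security info", "newhire@example.test", "newhire@example.test"),
        # reset with an MFA change well outside the 4-hour window: no pairing
        ev("2024-05-01T11:00:00Z", "Admin reset user password", "bob@example.test", "helpdesk@example.test"),
        ev("2024-05-01T16:30:00Z", "User registered security info", "bob@example.test", "bob@example.test"),
        # sign-in telemetry is not in scope for this rule
        ev("2024-05-01T09:05:00Z", "Sign-in activity", "victim@example.test", "victim@example.test",
           dataset="azure.signinlogs"),
    ]


if __name__ == "__main__":
    found, quiet = correlate(sample_events())
    for a in found:
        print("ALERT", a)
    for s in quiet:
        print("suppressed", s)
```

The single-event EQL rule fires on every reset and every MFA change, which is why the tuning list above is long; the correlation step is what turns those hits into the help-desk-reset-then-re-enrollment pattern the page attributes to vishing, and the suppressions are applied after pairing so a suppressed pair is still recorded for review rather than dropped.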
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Help Desk Password Reset via Azure AD PowerShell (Event Generation)

    Expected signal: Azure AD AuditLogs within 2-5 minutes: OperationName='Reset user password', Category='UserManagement', Result='success', InitiatedBy.user.userPrincipalName=<executing admin UPN>, InitiatedBy.user.ipAddress=<source IP>, TargetResources[0].userPrincipalName=$TestUPN. Visible in Entra ID portal under Monitor > Audit Logs.

  2. Test 2: Simulate Post-Vishing MFA Re-enrollment (Microsoft Graph API)

    Expected signal: Azure AD AuditLogs: OperationName='User registered security info', Category='Authentication', TargetResources[0].userPrincipalName=$TestUPN. When this event occurs within 4 hours of the reset event from Atomic Test 1 for the same account, the KQL correlation query produces a match with MinutesBetween populated.

  3. Test 3: On-Premises AD Admin Password Reset (Security Event ID 4724)

    Expected signal: Windows Security Event Log on Domain Controller: EventID=4724 ('An attempt was made to reset an account's password'), SubjectUserName=<executing admin>, SubjectDomainName=<domain>, TargetUserName=$TestUser, TargetDomainName=<domain>. Visible in Event Viewer > Windows Logs > Security on the DC. Also generates EventID=4723 if 'change password' semantics apply.

  4. Test 4: Callback Phishing Email Delivery Simulation (Exchange / O365)

    Expected signal: Microsoft 365 Unified Audit Log: EmailEvents record with Subject containing 'Urgent' and body containing '+1 (555) 867-5309'. Exchange message tracking log entry with MessageId, SenderAddress, RecipientAddress, and delivery timestamp. If Microsoft Defender for Office 365 Safe Links/Safe Attachments is active, additional ZAP or detonation telemetry may appear.

Unlock Pro Content

Get the full detection package for T1598.004 including response playbook, investigation guide, and atomic red team tests.
