T1598.004 Microsoft Sentinel · KQL

Detect Spearphishing Voice in Microsoft Sentinel

Adversaries may use voice communications (phone calls, VoIP) to elicit sensitive information from targets. Known as voice phishing or 'vishing', adversaries pose as trusted entities—IT support, executive staff, financial institutions, or business partners—to convince victims to divulge credentials, MFA codes, or other sensitive data. Callback phishing is a variant where malicious emails direct victims to call an adversary-controlled phone number. Threat actors including LAPSUS$ and Scattered Spider have weaponized vishing to compromise help desk personnel into resetting privileged account credentials and bypassing MFA, enabling subsequent account takeover without any malware or exploit.

MITRE ATT&CK

  • Tactic: Reconnaissance
  • Technique: T1598 Phishing for Information
  • Sub-technique: T1598.004 Spearphishing Voice
  • Canonical reference: https://attack.mitre.org/techniques/T1598/004/

KQL Detection Query

Microsoft Sentinel (KQL)
// Detect downstream consequences of vishing: admin-initiated password resets
// immediately followed by MFA method changes — consistent with LAPSUS$/Scattered Spider TTP
let VishingWindow = 4h;
let PasswordResets = AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName in ("Reset user password", "Change user password", "Reset password (by admin)")
| where Category == "UserManagement"
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend InitiatorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend InitiatorAppName = tostring(InitiatedBy.app.displayName)
// Exclude self-service resets (initiator == target)
| where InitiatorUPN != TargetUser and isnotempty(InitiatorUPN)
| project ResetTime=TimeGenerated, TargetUser, InitiatorUPN, InitiatorIPAddress, InitiatorAppName, ResetOperation=OperationName;
let MFAChanges = AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName in (
    "User registered security info",
    "User deleted security info",
    "Admin registered security info for a user",
    "Admin deleted security info for a user",
    "User changed default security info",
    "User registered all required security info"
  )
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend MFADetail = tostring(TargetResources[0].modifiedProperties)
| project MFATime=TimeGenerated, TargetUser, MFAOperation=OperationName, MFADetail;
// Correlate reset + MFA change within window for same account
PasswordResets
| join kind=inner (MFAChanges) on TargetUser
| where MFATime between (ResetTime .. (ResetTime + VishingWindow))
| extend MinutesBetween = datetime_diff('minute', MFATime, ResetTime)
// Rapid MFA enrollment after reset is highest-fidelity indicator
| extend HighConfidence = MinutesBetween < 30
| project
    ResetTime,
    MFATime,
    MinutesBetween,
    HighConfidence,
    TargetUser,
    InitiatorUPN,
    InitiatorIPAddress,
    InitiatorAppName,
    ResetOperation,
    MFAOperation,
    MFADetail
| sort by HighConfidence desc, ResetTime desc
  • Severity: high
  • Confidence: medium

Detects downstream consequences of successful vishing attacks targeting IT help desks. Correlates admin-initiated password resets in Azure AD (AuditLogs) with MFA method registration or modification for the same account within a 4-hour window. This pattern is the primary TTP of LAPSUS$ (called help desks to reset privileged accounts) and Scattered Spider (compelled employees to navigate to fake login portals). Self-service resets are excluded. MinutesBetween < 30 is flagged as HighConfidence, indicating an adversary rapidly enrolling their own authenticator device immediately after obtaining the reset.

Data Sources

  • Identity: User Account Modification
  • Application Log: Application Log Content
  • Azure Active Directory Audit Logs

Required Tables

  • AuditLogs
  • SigninLogs

False Positives & Tuning

  • Legitimate help desk resets for users who forgot passwords and need MFA re-enrollment simultaneously — correlate with open service desk ticket for the account
  • New employee onboarding: IT staff reset initial temporary password and assist with MFA enrollment in the same session
  • Scheduled bulk account management operations during maintenance windows where multiple resets occur for role transitions or system migrations
  • Automated provisioning workflows (Okta Workflows, Microsoft Lifecycle Workflows) where service principals perform password initialization followed by MFA policy enforcement
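To make the correlation explained above concrete, and to show where the tuning items in this list hook in, the same reset-then-MFA-change logic is re-implemented here in Python and run over constructed Entra ID AuditLogs-style records. This is an added example, not the page's KQL query or Microsoft code; the record shapes, the names, addresses and times, and the `open_tickets` annotation (which stands in for the "correlate with an open service desk ticket" tuning step) are assumptions.

```python
"""Added example: the reset-then-MFA-change correlation from the KQL above,
re-implemented in Python over constructed Entra ID AuditLogs-style records."""
from datetime import datetime, timedelta

VISHING_WINDOW = timedelta(hours=4)   # same as the KQL's VishingWindow
HIGH_CONFIDENCE_MINUTES = 30          # same threshold as MinutesBetween < 30

RESET_OPS = {"Reset user password", "Change user password", "Reset password (by admin)"}
MFA_OPS = {
    "User registered security info", "User deleted security info",
    "Admin registered security info for a user", "Admin deleted security info for a user",
    "User changed default security info", "User registered all required security info",
}

def parse_time(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def correlate(records, open_tickets=None):
    """Return reset->MFA-change matches in the order the KQL sorts them.

    open_tickets (an assumption, not in the page's query) maps a target UPN to
    a service-desk ticket id; a ticketed match is annotated, not dropped, so
    the analyst still sees it but can triage it faster.
    """
    open_tickets = open_tickets or {}
    resets, mfa_changes = [], []
    for rec in records:
        op = rec["OperationName"]
        target = rec["TargetResources"][0].get("userPrincipalName", "")
        if op in RESET_OPS and rec.get("Category") == "UserManagement":
            user = rec["InitiatedBy"].get("user", {})
            initiator = user.get("userPrincipalName", "")
            # Same exclusion as the KQL: drop self-service resets and resets with
            # no human initiator (app-initiated resets carry an empty user UPN).
            if not initiator or initiator == target:
                continue
            resets.append({"ResetTime": parse_time(rec["TimeGenerated"]), "TargetUser": target,
                           "InitiatorUPN": initiator, "InitiatorIPAddress": user.get("ipAddress", ""),
                           "ResetOperation": op})
        elif op in MFA_OPS:
            mfa_changes.append({"MFATime": parse_time(rec["TimeGenerated"]),
                                "TargetUser": target, "MFAOperation": op})
    matches = []
    for r in resets:
        for m in mfa_changes:
            if m["TargetUser"] != r["TargetUser"]:
                continue
            if not r["ResetTime"] <= m["MFATime"] <= r["ResetTime"] + VISHING_WINDOW:
                continue
            # Whole minutes elapsed; Kusto's datetime_diff counts minute boundaries,
            # which only differs when the timestamps carry sub-minute offsets.
            minutes = int((m["MFATime"] - r["ResetTime"]).total_seconds() // 60)
            matches.append({**r, **m, "MinutesBetween": minutes,
                            "HighConfidence": minutes < HIGH_CONFIDENCE_MINUTES,
                            "Ticket": open_tickets.get(r["TargetUser"])})
    # KQL: sort by HighConfidence desc, ResetTime desc
    matches.sort(key=lambda x: (x["HighConfidence"], x["ResetTime"]), reverse=True)
    return matches

def audit(ts, op, target, initiator=None, ip="", app=None):
    """Build one constructed AuditLogs-shaped record (sample data, not real telemetry)."""
    initiated_by = {}
    if initiator:
        initiated_by["user"] = {"userPrincipalName": initiator, "ipAddress": ip}
    if app:
        initiated_by["app"] = {"displayName": app}
    return {"TimeGenerated": ts, "OperationName": op, "Category": "UserManagement",
            "InitiatedBy": initiated_by, "TargetResources": [{"userPrincipalName": target}]}

HD = "helpdesk.bob@contoso.example"   # constructed help-desk admin
SAMPLE_RECORDS = [                    # all names, addresses and times are made up
    # alice: admin reset, new authenticator 12 minutes later -> high-confidence match
    audit("2024-05-06T09:00:00Z", "Reset user password", "alice@contoso.example", HD, "203.0.113.10"),
    audit("2024-05-06T09:12:00Z", "User registered security info", "alice@contoso.example",
          "alice@contoso.example", "198.51.100.7"),
    # carol: self-service reset then MFA re-registration -> excluded (initiator == target)
    audit("2024-05-06T10:00:00Z", "Change user password", "carol@contoso.example",
          "carol@contoso.example", "198.51.100.8"),
    audit("2024-05-06T10:05:00Z", "User registered security info", "carol@contoso.example",
          "carol@contoso.example", "198.51.100.8"),
    # dave: MFA change 5.5 hours after the reset -> outside the 4h window
    audit("2024-05-06T08:00:00Z", "Reset user password", "dave@contoso.example", HD, "203.0.113.10"),
    audit("2024-05-06T13:30:00Z", "User deleted security info", "dave@contoso.example",
          "dave@contoso.example", "198.51.100.9"),
    # erin: reset performed by an app identity -> excluded (no user UPN)
    audit("2024-05-06T11:00:00Z", "Reset user password", "erin@contoso.example", app="Provisioning App"),
    audit("2024-05-06T11:02:00Z", "Admin registered security info for a user", "erin@contoso.example",
          HD, "203.0.113.10"),
    # frank: admin reset, MFA change two hours later, open ticket -> low-confidence match
    audit("2024-05-06T07:00:00Z", "Reset user password", "frank@contoso.example", HD, "203.0.113.10"),
    audit("2024-05-06T09:00:00Z", "User changed default security info", "frank@contoso.example",
          "frank@contoso.example", "198.51.100.11"),
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_RECORDS, {"frank@contoso.example": "INC-0042"}):
        print(hit["TargetUser"], hit["MinutesBetween"], hit["HighConfidence"], hit["Ticket"])
```

Running it yields two rows: alice first (12 minutes, HighConfidence) and frank second (120 minutes, annotated with the ticket), while carol, dave and erin are dropped by the self-service, window and app-initiator checks respectively. Annotating rather than suppressing ticketed matches is deliberate: a help-desk ticket opened by the caller is exactly what a vishing operator produces, so the ticket is triage context, not proof of legitimacy.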

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Help Desk Password Reset via Azure AD PowerShell (Event Generation)

    Expected signal: Azure AD AuditLogs within 2-5 minutes: OperationName='Reset user password', Category='UserManagement', Result='success', InitiatedBy.user.userPrincipalName=<executing admin UPN>, InitiatedBy.user.ipAddress=<source IP>, TargetResources[0].userPrincipalName=$TestUPN. Visible in Entra ID portal under Monitor > Audit Logs.

  2. Test 2: Simulate Post-Vishing MFA Re-enrollment (Microsoft Graph API)

    Expected signal: Azure AD AuditLogs: OperationName='User registered security info', Category='Authentication', TargetResources[0].userPrincipalName=$TestUPN. When this event occurs within 4 hours of the reset event from Atomic Test 1 for the same account, the KQL correlation query produces a match with MinutesBetween populated.

  3. Test 3: On-Premises AD Admin Password Reset (Security Event ID 4724)

    Expected signal: Windows Security Event Log on Domain Controller: EventID=4724 ('An attempt was made to reset an account's password'), SubjectUserName=<executing admin>, SubjectDomainName=<domain>, TargetUserName=$TestUser, TargetDomainName=<domain>. Visible in Event Viewer > Windows Logs > Security on the DC. Also generates EventID=4723 if 'change password' semantics apply.

  4. Test 4: Callback Phishing Email Delivery Simulation (Exchange / O365)

    Expected signal: Microsoft 365 Unified Audit Log: EmailEvents record with Subject containing 'Urgent' and body containing '+1 (555) 867-5309'. Exchange message tracking log entry with MessageId, SenderAddress, RecipientAddress, and delivery timestamp. If Microsoft Defender for Office 365 Safe Links/Safe Attachments is active, additional ZAP or detonation telemetry may appear.
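Test 4 lists the telemetry a callback-phishing email leaves behind, but the KQL above only covers the identity side of the intrusion. As an added example (not the page's code or any vendor's), here is a small Python triage heuristic run over constructed EmailEvents-style rows that scores the shape Test 4 describes: urgency language in the subject and a phone number, rather than a link or attachment, as the message's only call to action. The `Body` field, the regex, the keyword lists, the threshold and the sample rows are assumptions; `NetworkMessageId`, `Subject` and `AttachmentCount` follow the EmailEvents column names, while EmailEvents itself does not store the message body.

```python
"""Added example: a triage heuristic for callback-phishing emails of the shape
Test 4 describes, run over constructed EmailEvents-style rows (not the page's code)."""
import re

# North American numbers in their usual written forms, e.g. "+1 (555) 867-5309".
# Assumption: extend the pattern for other regions. Ten-digit order or invoice
# numbers can also match, which is why a phone number alone never flags a message.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]*)?\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")
URGENCY_TERMS = ("urgent", "immediately", "suspended", "final notice", "action required")
CALLBACK_TERMS = ("call ", "phone", "dial", "contact us at", "support line")

def score_message(msg):
    """Return (score, reasons) for a row with Subject, Body and AttachmentCount keys."""
    subject, body = msg["Subject"].lower(), msg["Body"].lower()
    reasons = []
    phones = PHONE_RE.findall(msg["Body"])
    if phones:
        reasons.append("phone number in body: " + phones[0].strip())
    if any(t in subject for t in URGENCY_TERMS):
        reasons.append("urgency language in subject")
    if phones and any(t in body for t in CALLBACK_TERMS):
        reasons.append("body asks the recipient to call")
    # No link and no attachment: the phone number is the only call to action,
    # which is the classic callback-phishing shape.
    if phones and "http" not in body and not msg.get("AttachmentCount", 0):
        reasons.append("no link or attachment; phone number is the only call to action")
    return len(reasons), reasons

def triage(messages, threshold=3):
    """Return [(NetworkMessageId, score, reasons)] for rows scoring >= threshold, highest first."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((msg["NetworkMessageId"], score, reasons))
    flagged.sort(key=lambda f: f[1], reverse=True)
    return flagged

# Constructed sample rows; the phone number is the one used in Test 4 above.
SAMPLE_MESSAGES = [
    {"NetworkMessageId": "msg-001", "Subject": "URGENT: your subscription renews for $499 today",
     "Body": "To cancel the charge, call our billing desk at +1 (555) 867-5309 within 24 hours.",
     "AttachmentCount": 0},
    {"NetworkMessageId": "msg-002", "Subject": "Weekly team sync notes",
     "Body": "Slides are at https://intranet.contoso.example/notes - see you Thursday.",
     "AttachmentCount": 1},
    {"NetworkMessageId": "msg-003", "Subject": "Your order has shipped",
     "Body": "Track it at https://shop.contoso.example/track. Questions? Call 555-867-5309.",
     "AttachmentCount": 0},
]

if __name__ == "__main__":
    for msg_id, score, reasons in triage(SAMPLE_MESSAGES):
        print(msg_id, score, "; ".join(reasons))
```

With the default threshold only msg-001 is flagged (score 4): the shipping notice also carries a phone number and a "call" prompt, but its link keeps it at 2. The threshold is the tuning knob; lowering it to 2 surfaces that second message too, which is the trade-off between recall and help-desk noise that the page's False Positives section describes for the identity-side query.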
