T1598.004 Splunk · SPL

Detect Spearphishing Voice in Splunk

Adversaries may use voice communications (phone calls, VoIP) to elicit sensitive information from targets. Known as voice phishing or 'vishing', adversaries pose as trusted entities—IT support, executive staff, financial institutions, or business partners—to convince victims to divulge credentials, MFA codes, or other sensitive data. Callback phishing is a variant where malicious emails direct victims to call an adversary-controlled phone number. Threat actors including LAPSUS$ and Scattered Spider have weaponized vishing to compromise help desk personnel into resetting privileged account credentials and bypassing MFA, enabling subsequent account takeover without any malware or exploit.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1598 Phishing for Information
Sub-technique
T1598.004 Spearphishing Voice
Canonical reference
https://attack.mitre.org/techniques/T1598/004/

SPL Detection Query

Splunk (SPL)
spl 
// Detect admin-initiated password resets and anomalous help desk activity
// using Windows Security Event ID 4724 and O365 audit logs
(
  index=wineventlog sourcetype="WinEventLog:Security" EventCode=4724
  | eval ResetSource="AD"
  | eval InitiatorAccount=SubjectUserName
  | eval TargetAccount=TargetUserName
  | eval SourceIP=IpAddress
)
OR
(
  index=o365 sourcetype="o365:management:activity"
    Operation IN ("Reset user password", "Change user password", "Set user password")
  | eval ResetSource="O365"
  | eval InitiatorAccount=coalesce(UserId, Actor{}.ID)
  | eval TargetAccount=coalesce(ObjectId, ModifiedProperties{}.NewValue)
  | eval SourceIP=ClientIP
)
| where InitiatorAccount != TargetAccount
| where isnotnull(InitiatorAccount) AND InitiatorAccount != ""
| bin _time span=1h
| stats
    count as ResetCount,
    dc(TargetAccount) as UniqueTargets,
    values(TargetAccount) as AffectedAccounts,
    values(SourceIP) as SourceIPs,
    values(ResetSource) as Sources,
    earliest(_time) as FirstReset,
    latest(_time) as LastReset
    by InitiatorAccount, _time
| eval TimespanMinutes=round((LastReset - FirstReset) / 60, 0)
| eval RiskScore=case(
    UniqueTargets >= 5, "critical",
    UniqueTargets >= 3, "high",
    UniqueTargets >= 2, "medium",
    match(InitiatorAccount, "(?i)(helpdesk|servicedesk|itadmin|support|resetbot)") AND UniqueTargets >= 1, "medium",
    true(), "low"
  )
| where UniqueTargets >= 2 OR (match(InitiatorAccount, "(?i)(helpdesk|servicedesk|itadmin|support)") AND ResetCount >= 1)
| sort - UniqueTargets
| table InitiatorAccount, RiskScore, ResetCount, UniqueTargets, AffectedAccounts, SourceIPs, Sources, FirstReset, LastReset, TimespanMinutes
high severity medium confidence

Detects suspicious admin-initiated password reset patterns indicative of a vishing-compromised help desk operator. Uses Windows Security Event ID 4724 (admin password reset attempt) for on-premises Active Directory and O365 audit logs for cloud identity. Aggregates resets per initiator per hour, calculates a risk score based on volume, and flags known help desk account names performing any resets for investigation. Multiple accounts reset by the same initiator within an hour is the primary signal of a vishing-driven bulk reset campaign.

Data Sources

Identity: User Account ModificationApplication Log: Application Log ContentWindows Security Event LogMicrosoft 365 Audit Logs

Required Sourcetypes

WinEventLog:Securityo365:management:activity

False Positives & Tuning

  • Help desk staff performing legitimate password resets for users locked out during peak hours (Monday mornings, post-holiday return)
  • Automated provisioning systems that reset passwords during account lifecycle events such as new hire onboarding batches or role terminations
  • IT administrators performing bulk resets during security incident response (forced enterprise-wide password rotation after a breach)
  • Password expiration workflows in organizations without SSPR where users route reset requests through a shared helpdesk account
Download portable Sigma rule (.yml)

Other platforms for T1598.004

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Help Desk Password Reset via Azure AD PowerShell (Event Generation)

    Expected signal: Azure AD AuditLogs within 2-5 minutes: OperationName='Reset user password', Category='UserManagement', Result='success', InitiatedBy.user.userPrincipalName=<executing admin UPN>, InitiatedBy.user.ipAddress=<source IP>, TargetResources[0].userPrincipalName=$TestUPN. Visible in Entra ID portal under Monitor > Audit Logs.

  2. Test 2Simulate Post-Vishing MFA Re-enrollment (Microsoft Graph API)

    Expected signal: Azure AD AuditLogs: OperationName='User registered security info', Category='Authentication', TargetResources[0].userPrincipalName=$TestUPN. When this event occurs within 4 hours of the reset event from Atomic Test 1 for the same account, the KQL correlation query produces a match with MinutesBetween populated.

  3. Test 3On-Premises AD Admin Password Reset (Security Event ID 4724)

    Expected signal: Windows Security Event Log on Domain Controller: EventID=4724 ('An attempt was made to reset an account's password'), SubjectUserName=<executing admin>, SubjectDomainName=<domain>, TargetUserName=$TestUser, TargetDomainName=<domain>. Visible in Event Viewer > Windows Logs > Security on the DC. Also generates EventID=4723 if 'change password' semantics apply.

  4. Test 4Callback Phishing Email Delivery Simulation (Exchange / O365)

    Expected signal: Microsoft 365 Unified Audit Log: EmailEvents record with Subject containing 'Urgent' and body containing '+1 (555) 867-5309'. Exchange message tracking log entry with MessageId, SenderAddress, RecipientAddress, and delivery timestamp. If Microsoft Defender for Office 365 Safe Links/Safe Attachments is active, additional ZAP or detonation telemetry may appear.

Last updated: 2026-03-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1598.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1598Phishing for Information

Related Sub-techniques

T1598.001Spearphishing ServiceT1598.002Spearphishing AttachmentT1598.003Spearphishing Link

Related Techniques

T1598Phishing for InformationT1598.001Spearphishing ServiceT1598.003Spearphishing LinkT1656ImpersonationT1078Valid AccountsT1078.004Cloud AccountsT1621Multi-Factor Authentication Request GenerationT1111Multi-Factor Authentication InterceptionT1566.004Spearphishing VoiceT1539Steal Web Session Cookie

Same Tactic: Reconnaissance

Popular Detections