Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Infra-VishingHelpdeskDomains.

Upgrade to Pro
THREAT-Infra-VishingHelpdeskDomains

Impersonation Domains Acquired to Support Voice Phishing Helpdesk Social Engineering

Resource Development Last updated:

Ahead of a voice-phishing (vishing) campaign, actors such as Scattered Spider register a small cluster of domains that impersonate the target organization's IT helpdesk, SSO portal, or MFA self-service enrollment page (e.g., victimcorp-helpdesk[.]com, victimcorp-sso-verify[.]com, victimcorp-okta[.]net). These domains are stood up shortly before the actor calls or SMS-messages an employee — typically posing as IT support — and directs them to the lookalike page to 'verify their identity' or 're-enroll MFA,' harvesting credentials and a live MFA/push-approval in the process. Because the domain is freshly registered specifically for this operation, it has no browsing history in the target environment prior to the campaign, making the very first DNS query or HTTP request to it a high-value signal. Detection focuses on three pillars: (1) DNS/HTTP traffic to domains combining the organization's brand name with helpdesk/SSO/MFA-themed keywords, (2) first-time-ever resolution of such a domain within the environment (no prior 30-day history), and (3) close temporal correlation between a phone-based social-engineering contact recorded in the ticketing/telephony system and a subsequent authentication event or password/MFA reset for the same user.

What is THREAT-Infra-VishingHelpdeskDomains Impersonation Domains Acquired to Support Voice Phishing Helpdesk Social Engineering?

Impersonation Domains Acquired to Support Voice Phishing Helpdesk Social Engineering (THREAT-Infra-VishingHelpdeskDomains) maps to the Resource Development tactic — the adversary is trying to establish resources they can use to support operations in MITRE ATT&CK.

This page provides production-ready detection logic for Impersonation Domains Acquired to Support Voice Phishing Helpdesk Social Engineering, covering the data sources and telemetry it touches: Network Traffic: DNS Resolution, DNS Analytics connector. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Resource Development
Microsoft Sentinel / Defender
kusto
// THREAT-Infra-VishingHelpdeskDomains (T1583.001) - Impersonation domains for helpdesk/SSO vishing social engineering
// Pillar 1: DNS queries to domains combining org brand + helpdesk/SSO/MFA keywords
let OrgBrand = "victimcorp"; // CUSTOMIZE: replace with your organization's brand token(s)
let HelpdeskKeywords = dynamic([
  "helpdesk", "help-desk", "servicedesk", "service-desk", "itsupport", "it-support",
  "sso", "okta", "duo", "mfa", "authenticator", "verify", "identity", "reset-password", "password-reset"
]);
DnsEvents
| where TimeGenerated > ago(24h)
| where ResultCode == 0
| where Name has OrgBrand and Name has_any (HelpdeskKeywords)
| extend SuspicionReason = "BrandPlusHelpdeskKeywordDomain"
| project TimeGenerated, Computer, ClientIP, QueryName=Name, ResolvedIPs=IPAddresses, SuspicionReason
| union (
    // Pillar 2: First-ever resolution in the environment for a domain matching the brand+keyword pattern (no history in prior 30 days)
    DnsEvents
    | where TimeGenerated > ago(24h)
    | where Name has OrgBrand and Name has_any (HelpdeskKeywords)
    | join kind=leftanti (
        DnsEvents
        | where TimeGenerated between (ago(30d) .. ago(24h))
        | distinct Name
      ) on Name
    | extend SuspicionReason = "FirstEverResolutionOfBrandLookalike", ClientIP = ClientIP, ResolvedIPs = IPAddresses
    | project TimeGenerated, Computer, ClientIP, QueryName=Name, ResolvedIPs, SuspicionReason
)
| sort by TimeGenerated desc

Two-pillar DNS-based detection for helpdesk/SSO impersonation domains registered to support a vishing campaign. Pillar 1 flags any DNS query for a domain containing both the organization's brand token and a helpdesk/SSO/MFA-themed keyword. Pillar 2 narrows to domains matching that same pattern with no resolution history in the prior 30 days within the environment — since a domain registered specifically for an imminent vishing call will, by definition, have zero prior organizational DNS history. Requires the OrgBrand variable to be customized per deployment.

high severity medium confidence

Data Sources

Network Traffic: DNS Resolution DNS Analytics connector

Required Tables

DnsEvents

False Positives

  • The organization's own legitimate IT helpdesk or SSO portal subdomains if they happen to combine the brand token with a helpdesk/SSO keyword (add these to a static allowlist)
  • Third-party vendor portals contracted for IT support or identity services that legitimately reference the org's brand in a co-branded subdomain
  • Security awareness/phishing-simulation platforms standing up brand-lookalike domains for authorized internal training campaigns
  • Newly onboarded SaaS identity tooling (e.g., a new Okta or Duo tenant subdomain) resolved for the first time during legitimate rollout

Sigma rule & cross-platform mapping

The detection logic for Impersonation Domains Acquired to Support Voice Phishing Helpdesk Social Engineering (THREAT-Infra-VishingHelpdeskDomains) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DNS Query to Brand-Plus-Helpdesk-Keyword Lookalike Domain

    Expected signal: Sysmon Event ID 22: DNS Query event with QueryName='victimcorp-helpdesk-verify.com'. The query will likely NXDOMAIN but the DNS attempt is logged regardless.

  2. Test 2First-Ever Resolution of SSO-Themed Lookalike Domain

    Expected signal: Sysmon Event ID 22: QueryName='victimcorp-sso-mfa-reset.net' with no prior resolution history for this exact name in the environment's DNS logs.

  3. Test 3Simulated Ticketing-System MFA Reset Correlated to a Risk Event

    Expected signal: A synthetic ticketing-audit JSON line simulating an MFAMethodAdded action for [email protected] — in a real environment this would be ingested into the SIEM's ServiceDeskAudit_CL-equivalent index.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Infra-VishingHelpdeskDomains — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections