Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Infra-VishingHelpdeskDomains.

Upgrade to Pro
THREAT-Infra-VishingHelpdeskDomains Splunk · SPL

Detect Impersonation Domains Acquired to Support Voice Phishing Helpdesk Social Engineering in Splunk

Ahead of a voice-phishing (vishing) campaign, actors such as Scattered Spider register a small cluster of domains that impersonate the target organization's IT helpdesk, SSO portal, or MFA self-service enrollment page (e.g., victimcorp-helpdesk[.]com, victimcorp-sso-verify[.]com, victimcorp-okta[.]net). These domains are stood up shortly before the actor calls or SMS-messages an employee — typically posing as IT support — and directs them to the lookalike page to 'verify their identity' or 're-enroll MFA,' harvesting credentials and a live MFA/push-approval in the process. Because the domain is freshly registered specifically for this operation, it has no browsing history in the target environment prior to the campaign, making the very first DNS query or HTTP request to it a high-value signal. Detection focuses on three pillars: (1) DNS/HTTP traffic to domains combining the organization's brand name with helpdesk/SSO/MFA-themed keywords, (2) first-time-ever resolution of such a domain within the environment (no prior 30-day history), and (3) close temporal correlation between a phone-based social-engineering contact recorded in the ticketing/telephony system and a subsequent authentication event or password/MFA reset for the same user.

MITRE ATT&CK

Tactic
Resource Development

SPL Detection Query

Splunk (SPL)
spl
| union
[
  search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | eval OrgBrand="victimcorp"
  | eval QueryLower=lower(QueryName)
  | where like(QueryLower, "%".OrgBrand."%")
  | where match(QueryLower, "(helpdesk|help-desk|servicedesk|service-desk|itsupport|it-support|sso|okta|duo|mfa|authenticator|verify|identity|reset-password|password-reset)")
  | eval SuspicionReason="BrandPlusHelpdeskKeywordDomain"
  | table _time, host, User, QueryName, QueryResults, SuspicionReason
]
[
  | tstats count where index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22 by QueryName, _time span=1d
  | eval OrgBrand="victimcorp"
  | eval QueryLower=lower(QueryName)
  | where like(QueryLower, "%".OrgBrand."%")
  | where match(QueryLower, "(helpdesk|sso|okta|duo|mfa|verify|identity|reset-password)")
  | stats min(_time) as FirstSeen by QueryName
  | where FirstSeen >= relative_time(now(), "-1d@d")
  | eval SuspicionReason="FirstEverResolutionOfBrandLookalike"
  | table FirstSeen, QueryName, SuspicionReason
]
| sort - _time
high severity medium confidence

Two-source detection combining Sysmon Event ID 22 (DNS Query) keyword matching for brand+helpdesk-themed lookalike domains with a first-seen analysis over a rolling window to isolate domains with no prior organizational resolution history. Requires Sysmon deployed with DNS query logging (Event ID 22) and sufficient log retention (30+ days) for the first-seen comparison to be meaningful. Customize the OrgBrand field per deployment.

Data Sources

Network Traffic: DNS ResolutionSysmon Event ID 22

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate internal helpdesk/SSO subdomains that combine the brand token with a matched keyword
  • Authorized phishing-simulation platforms registering brand-lookalike domains for training
  • Newly rolled out identity/IAM SaaS tenants resolved for the first time during legitimate onboarding
  • Third-party contracted IT support vendors using co-branded subdomains

Other platforms for THREAT-Infra-VishingHelpdeskDomains


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DNS Query to Brand-Plus-Helpdesk-Keyword Lookalike Domain

    Expected signal: Sysmon Event ID 22: DNS Query event with QueryName='victimcorp-helpdesk-verify.com'. The query will likely NXDOMAIN but the DNS attempt is logged regardless.

  2. Test 2First-Ever Resolution of SSO-Themed Lookalike Domain

    Expected signal: Sysmon Event ID 22: QueryName='victimcorp-sso-mfa-reset.net' with no prior resolution history for this exact name in the environment's DNS logs.

  3. Test 3Simulated Ticketing-System MFA Reset Correlated to a Risk Event

    Expected signal: A synthetic ticketing-audit JSON line simulating an MFAMethodAdded action for [email protected] — in a real environment this would be ingested into the SIEM's ServiceDeskAudit_CL-equivalent index.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Infra-VishingHelpdeskDomains — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections