title: Spearphishing Voice (T1598.004)
id: df00tech-t1598-004
status: experimental
description: "Adversaries may use voice communications (phone calls, VoIP) to elicit sensitive information from targets. In voice phishing, or 'vishing', adversaries pose as trusted entities (IT support, executive staff, financial institutions, or business partners) to convince victims to divulge credentials, MFA codes, or other sensitive data. Callback phishing is a variant in which a malicious email directs the victim to call an adversary-controlled phone number. Threat actors including LAPSUS$ and Scattered Spider have used vishing to convince help desk personnel to reset privileged account credentials and bypass MFA, enabling account takeover without any malware or exploit."
references:
  - https://attack.mitre.org/techniques/T1598/004/
  - https://df00tech.com/detections/T1598.004
author: df00tech
date: 2026/03/13
tags:
  - attack.t1598.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate help desk resets for users who forgot passwords and need MFA re-enrollment simultaneously — correlate with open service desk ticket for the account
  - "New employee onboarding: IT staff reset initial temporary password and assist with MFA enrollment in the same session"
  - Scheduled bulk account management operations during maintenance windows where multiple resets occur for role transitions or system migrations
  - "Automated provisioning workflows (Okta Workflows, Microsoft Lifecycle Workflows) where service principals perform password initialization followed by MFA policy enforcement"
level: high
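# Added example (not part of this rule or df00tech's published query): a correlation over
# constructed audit events that stands in for the detection logic the stub above omits. It pairs
# an interactive administrator's password reset with an MFA method registration on the same
# account within 30 minutes, and suppresses service-principal actors and accounts with an open
# service-desk ticket, matching the false-positive notes. Event fields, actors and ticket ids
# are all constructed for the example and are not Azure AD's real log schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit events (NOT Azure AD's real schema): an admin-initiated
# password reset followed by an MFA method registration on the same target account.
EVENTS = [
    {"ts": "2026-03-13T09:00:00", "action": "password_reset", "actor": "helpdesk1", "actor_type": "user", "target": "alice"},
    {"ts": "2026-03-13T09:04:00", "action": "mfa_method_registered", "actor": "helpdesk1", "actor_type": "user", "target": "alice"},
    {"ts": "2026-03-13T10:00:00", "action": "password_reset", "actor": "helpdesk2", "actor_type": "user", "target": "bob"},
    {"ts": "2026-03-13T10:02:00", "action": "mfa_method_registered", "actor": "helpdesk2", "actor_type": "user", "target": "bob"},
    {"ts": "2026-03-13T11:00:00", "action": "password_reset", "actor": "lifecycle-workflow", "actor_type": "service_principal", "target": "carol"},
    {"ts": "2026-03-13T11:01:00", "action": "mfa_method_registered", "actor": "lifecycle-workflow", "actor_type": "service_principal", "target": "carol"},
    {"ts": "2026-03-13T12:00:00", "action": "password_reset", "actor": "helpdesk1", "actor_type": "user", "target": "dave"},
]
# Constructed service-desk tickets: account -> ticket open at the time of the reset.
OPEN_TICKETS = {"bob": "SD-1042"}
WINDOW = timedelta(minutes=30)


def find_suspicious_resets(events, open_tickets, window=WINDOW):
    """Return one alert per account where a human actor reset the password and an MFA
    method was registered within `window`, and no service-desk ticket covers the account."""
    by_target = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_target.setdefault(e["target"], []).append(e)
    alerts = []
    for target, evs in by_target.items():
        for i, reset in enumerate(evs):
            # Only interactive (human) resets are in scope; automated provisioning by
            # service principals is the expected pattern the false-positive notes describe.
            if reset["action"] != "password_reset" or reset["actor_type"] != "user":
                continue
            t0 = datetime.fromisoformat(reset["ts"])
            for later in evs[i + 1:]:
                dt = datetime.fromisoformat(later["ts"]) - t0
                if dt > window:
                    break  # events are sorted, so nothing later can fall in the window
                if later["action"] == "mfa_method_registered":
                    if open_tickets.get(target) is None:  # no ticket explains the reset
                        alerts.append({"target": target, "actor": reset["actor"],
                                       "minutes": dt.total_seconds() / 60})
                    break
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_resets(EVENTS, OPEN_TICKETS):
        print(f"ALERT: {a['actor']} reset {a['target']} and MFA re-enrolled {a['minutes']:.0f} min later, no ticket")
```

Only alice is flagged: bob's reset is covered by a ticket, carol's was performed by a service principal, and dave's reset had no MFA registration in the window.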
