{
	"id": "5890a5d3-0c0a-4308-8575-6a49e7a9ca47",
	"created_at": "2026-04-06T00:18:19.382794Z",
	"updated_at": "2026-04-10T03:36:00.820987Z",
	"deleted_at": null,
	"sha1_hash": "606ec43dbf5f8c68ecaabaeb1bb6ab615c3350cb",
	"title": "Hello, Operator? A Technical Analysis of Vishing Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72995,
	"plain_text": "Hello, Operator? A Technical Analysis of Vishing Threats\r\nBy Mandiant\r\nPublished: 2025-06-04 · Archived: 2026-04-02 11:25:59 UTC\r\nWritten by: Nick Guttilla\r\nIntroduction\r\nOrganizations are increasingly relying on diverse digital communication channels for essential business operations. The way employees interact with colleagues, access corporate resources, and especially, receive information technology (IT) support is often conducted through calls, chat platforms, and other remote technologies. While these various available methods enhance both efficiency and global accessibility, they also introduce an expanded attack surface that can pose a significant risk if overlooked. The prevalence of in-person social interactions has diminished, and remote IT structures, such as an outsourced service desk, have normalized employees' engagement with external or less familiar personnel. As a result, threat actors continue to use social engineering tactics.\r\nVishing in the Wild: A Tale of Two Actors\r\nSocial engineering is the psychological manipulation of people into performing unsolicited actions or divulging confidential information. It is an effective strategy that preys on human emotions and built-in vulnerabilities like trust and the desire to be helpful. Financially motivated threat actors have increasingly adopted voice-based social engineering, or \"vishing,\" as a primary vector for initial access, though their specific methods and end goals can vary significantly.\r\nTwo prominent examples illustrate the versatility of this threat. The cluster tracked as UNC3944 (which overlaps with \"Scattered Spider\") has historically used vishing as a flexible entry point for a range of criminal enterprises. Their operators frequently call corporate service desks, impersonating employees to have credentials and multi-factor authentication (MFA) methods reset. This access is then leveraged for broader attacks, including SIM swapping, ransomware deployment, and data theft extortion.\r\nMore recently, the financially motivated actor UNC6040 has demonstrated a different vishing playbook. Its operators also impersonate IT support, but with the specific goal of deceiving employees into navigating to Salesforce’s connected app page and authorizing a malicious, actor-controlled version of the Data Loader application. This single action grants the actor the ability to perform large-scale data exfiltration from the victim's Salesforce environment, which is then used for subsequent extortion attempts. While both actors rely on vishing, their distinct objectives—UNC3944’s focus on account takeover for broad network access versus UNC6040’s targeted theft of CRM data—highlight the diverse risks organizations face from this tactic.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/technical-analysis-vishing-threats/\r\nPage 1 of 7\r\nBy reviewing the techniques, tactics, and procedures (TTPs) of actors like UNC3944 and UNC6040, organizations can better assess their own internal policies and guidelines when it comes to employee identification and protection of infrastructure and confidential data. Red teamers can also learn from their methodologies to better emulate real-world attacks and assist organizations in developing defense-in-depth strategies.\r\nMandiant has successfully used the following approaches to perform voice-based social engineering during Red Team Assessments for clients of varying sizes. The described techniques have enabled Mandiant to mimic TTPs from sophisticated vishing actors like UNC3944 and UNC6040, resulting in administrative-level user impersonation, corporate network perimeter breaches, and sensitive data access. Mandiant has additionally convinced multiple service desks to reset credentials and alter several forms of MFA. These simulated incidents have empowered organizations to proactively identify and resolve deficiencies that otherwise may have gone unnoticed and potentially been exploited by a real threat actor.\r\nOpen-Source Intelligence Gathering (OSINT)\r\nEffective social engineering campaigns are built upon extensive reconnaissance. The amount of information an attacker can source about corporate culture, employees, policies, procedures, and technologies in use directly impacts the maturity of a phishing scenario's development. A thorough search to provide a comprehensive overview of an organization from an outside perspective would include, but is not limited to, discovery of the following items:\r\nNetwork ranges and IP address space\r\nTop-level domains and subdomains\r\nCloud service providers and email infrastructure\r\nInternet-accessible and internally used web applications\r\nCode repositories\r\nCorporate phone numbers and email address formats\r\nEmployee positions and titles\r\nPhysical office locations\r\nPublicly exposed internal documentation\r\nMuch of this information can often be found through publicly accessible resources. Company websites and marketing materials often list corporate contact information, including numbers for main lines, specific departments, or even individual employees. Social media platforms provide another means of profiling an organization. Professional networking services can be utilized to scrape the full names of employees and recreate corporate emails matching discovered naming conventions. Resumes shared on these platforms may also contain additional contact information, including phone numbers and personal email addresses. Attackers may attempt to elicit private information by sending messages to employees from disposable email accounts, aiming to retrieve details through direct interaction or from out-of-office auto-replies. Additionally, public forums, where employees might seek troubleshooting assistance, can inadvertently reveal company-specific details.\r\nSearch engines, such as Google, DuckDuckGo, and Bing, provide advanced filtering capabilities to narrow results from targeted queries based on keywords, file types, and other parameters. Figure 1 includes an example of a search filter designed to uncover sensitive files for a given target that may be unknowingly exposed.\r\n“TARGET” filetype:pdf | filetype:doc | filetype:docx | filetype:xls | filetype:xlsx | filetype:ppt | filetype:pptx intext:\"confidential\" | intext:\"internal use only\" | intext:\"not for public release\" | intext:\"restricted access\"\r\nFigure 1: Searching for documents with search filters\r\nAnonymity networks, like The Onion Router (TOR), can be used to access hidden services, obtain restricted content, and identify supplemental data such as leaked employee IDs, usernames, passwords, and personally identifiable information (PII).\r\nThe internet offers a vast array of resources, and a good amount of intelligence can be discovered without any overt interaction with your target.\r\nLeveraging Automated Phone Services\r\nSome organizations make use of automated phone systems that have pre-recorded messages and interactive menus. These systems can provide callers with business-related information, facilitate employee self-service, or route calls to appropriate departments. If not found online, an attacker may attempt to obtain the phone number for an automated service by contacting an employee, often at a reception desk, claiming to have misplaced the number. Calling into these automated services allows an attacker to anonymously identify common issues faced by end users, names of internal applications, additional phone numbers for specific support teams, and, occasionally, alerts about company-wide technical issues. This type of information can be used to craft pretexts for subsequent activity that involves impersonating IT support.\r\nDiscovering Employee Identification Processes\r\nActors engaged in voice-based social engineering ultimately aim to interact with a human operator. While some automated systems provide a direct option to speak with a live agent, others can require some initial information to be provided, such as an employee ID. However, even in these cases, it is common for repeated incorrect entries to result in the transfer to a live agent anyway. Service desk agents handle a high volume of inbound calls ranging from internal employees needing a password reset to external customers experiencing problems with a public-facing application. They are generally given a scripted process for call handling, including the information they need to request from the caller for identification as well as where to escalate if they are unable to address the issue directly.\r\nDuring the reconnaissance phase of social engineering against a service desk, an attacker may feign ignorance or push the boundaries of information disclosure before a requirement for identification is enforced. It is also important for an attacker to take note of how service desk personnel react to incorrect or insufficient information being provided. For example, an attacker may provide an employee ID with an incorrect associated name to observe the response, potentially eliciting the correct full name or determining the validity of the employee ID format. Attackers may also call at different times to converse with varying staff members, use different voice modulations to conceal repeated reconnaissance attempts, and iteratively learn more about the service desk's identification process each time.\r\nAlternatively, once a service desk number has been identified, an attacker can better target standard employees directly. Using publicly available resources, attackers can spoof the inbound number of a phone call to match that of the legitimate service desk. Without a procedure for verifying inbound callers claiming to be from IT, unsuspecting targets may be convinced by threat actors to perform actions that grant account access or divulge information that can be used to better impersonate staff.\r\nCrafting a Convincing Narrative\r\nWith sufficient reconnaissance data, an attacker can formulate targeted campaigns reflecting plausible employee scenarios. A common pretext for contacting a service desk is a forgotten password. Many organizations verify employees using multiple factors. While initial reconnaissance might provide an attacker with answers for knowledge-based authentication methods, challenges arise if device-based verification is required. An attacker might impersonate an employee who claims their phone is unavailable (e.g., damaged or lost during travel) and who needs urgent account access. Another common practice is for actors to impersonate employees identified as being on personal time off (PTO) via out-of-office replies, leveraging a sense of urgency to persuade service desk personnel. Responses to such situations can vary, especially for executive-level users. In the event of a successful MFA reset, the attacker can then call back and try to get a different agent on the phone to further reset the impersonated user's password for a full account compromise. If the legitimate employee is genuinely unavailable, unauthorized account access can persist for an extended period of time.\r\nThe Evolution of an Exploit\r\nThe compromise of a single account can serve as a foundation for more complex social engineering campaigns. Breaching the perimeter of an organization often grants an attacker access to internal workflows, chats, documents, meeting invites, and ways to better uncover verified intelligence on existing employees. Open-source tools such as ROADrecon can extract details from entire Entra ID tenants, potentially revealing phone numbers, employee IDs, and organizational hierarchy. Attackers may also seek access to IT ticketing systems and support channels to impersonate service desk staff to end-users who have open requests. The more information an attacker possesses, the more believable their pretext becomes, increasing the probability of success.\r\nStrategic Recommendations and Best Practices\r\nModern features in mobile technology, such as AI-powered Scam Detection on Android, demonstrate how software may be able to offer personal protection, but a comprehensive defense for organizations against vishing and related social engineering threats requires broad, proactive security initiatives and a defense-in-depth strategy. Mandiant recommends organizations consider the following best practices to reinforce their external perimeter and develop secure communication channels, particularly those involving IT support and employee verification.\r\nPositive Identity Verification for Service Desk Interactions\r\nTrain service desk personnel to rigorously perform positive identity verification for all employees before modifying accounts or providing security-sensitive information (including during initial enrollment). This is critical for any privileged accounts.\r\nMandated verification methods should include options such as:\r\nOn-camera/video conference verification where the employee presents a corporate badge or government-issued ID\r\nUtilization of an internal, up-to-date employee photo database\r\nChallenge/response questions based on information not easily discoverable externally (avoiding reliance on publicly available PII like date of birth or the last four digits of a Social Security number, as actors often possess this data)\r\nFor high-risk changes, such as MFA resets or password changes for privileged accounts, implement out-of-band verification (e.g., a call-back to a registered phone number or confirmation via a known corporate email address of the employee or their manager).\r\nDuring periods of heightened threat or suspected compromise, consider temporarily disabling self-service password or MFA reset methods and routing all such requests through a manual service desk workflow with enhanced scrutiny.\r\nEnforce Strong, Phishing-Resistant MFA\r\nMFA should be enforced on all sensitive and internet-facing portals to prevent unauthorized access even in the event of a password compromise.\r\nStandardize one primary MFA solution for most employees to simplify the security architecture and centralize a platform for detections and alerts.\r\nRemove weak forms of MFA, such as SMS, voice calls, or simple email links, as primary authentication factors. These are susceptible to vishing, SIM swapping, and other attacks.\r\nPrioritize phishing-resistant MFA methods:\r\nFIDO2-compliant security keys (hardware tokens), especially for administrative and privileged users\r\nAuthenticator applications providing number matching or robust geo-verification features\r\nSoft-tokens that are not reliant on easily intercepted channels\r\nEnsure administrative users cannot register or use legacy/weak MFA methods, even if those are permitted for other user tiers.\r\nSecure MFA Registration and Modification Processes\r\nDo not permit employees to self-register new MFA devices without stringent controls. Implement an IT-managed or otherwise secure enrollment process.\r\nRestrict MFA registration and modification actions to only be permissible from trusted IP locations and/or compliant corporate devices.\r\nAlert on and investigate suspicious MFA registration activities, such as the same MFA method or phone number being registered across multiple user accounts.\r\nManager Involvement and Segregation of Duties\r\nService desks should notify managers (via verified contact channels sourced from internal directories) upon an employee's password reset, especially for sensitive accounts.\r\nRequire manager approval, through a verified channel, for all MFA resets. This creates third-party awareness and an additional record.\r\nFor larger organizations, consider segregating service desk responsibilities. Customer-facing support desks should generally not have permissions to modify internal corporate employee accounts.\r\nEmployee Training and Vishing Awareness\r\nConduct regular phishing simulation exercises that include vishing scenarios to educate employees about the specific risks of voice-based social engineering.\r\nTrain employees to always verify unexpected calls or requests for sensitive information, especially those claiming to be from IT support or other internal departments, by using an official internal directory to initiate a call-back or by contacting their manager.\r\nTrain employees to recognize common vishing pretexts (e.g., urgent requests to avoid negative consequences, claims of system issues requiring immediate action, unexpected MFA prompts).\r\nEquip service desk employees with access to logs of previous calls and tickets to help identify abnormal patterns, such as repeated calls from unrecognized numbers or sequential MFA reset and password reset requests for the same user.\r\nSecurity Monitoring and Alerting for Vishing-Related Activity\r\nUtilize security information and event management (SIEM) and security orchestration, automation, and response (SOAR) technologies to monitor employee sign-in activity and service desk interactions.\r\nCreate specific alerts for the following:\r\nPassword reset activity, particularly for privileged accounts or outside of expected patterns\r\nNew MFA device enrollment or modification of existing MFA methods\r\nMultiple failed login attempts followed by a successful password or MFA reset\r\nMFA fatigue attacks (multiple sequential incomplete authentications)\r\nAll activities flagged as abnormal should be reviewed by an internal security team and investigated with the impacted employee and their manager.\r\nFurther guidance on hardening against UNC3944-style threats, including broader identity, endpoint, and network infrastructure recommendations, is detailed by the Google Threat Intelligence Group (GTIG).\r\nConclusion\r\nThis discussion of voice-based social engineering and its proposed resolutions aims to provide insight into attack methodologies and preventative measures relevant to this threat vector. Organizations seeking direct support on this subject or other services related to attack simulation and red team exercises are encouraged to contact Mandiant for assistance. Mandiant can discuss specific needs in detail and explore tailored recommendations to better equip security postures against advanced and persistent threats.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/technical-analysis-vishing-threats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/technical-analysis-vishing-threats/"
	],
	"report_names": [
		"technical-analysis-vishing-threats"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70929bd1-2bf9-4689-bfff-2bc6b113d3ed",
			"created_at": "2026-01-20T02:00:03.666874Z",
			"updated_at": "2026-04-10T02:00:03.916254Z",
			"deleted_at": null,
			"main_name": "UNC6040",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6040",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434699,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/606ec43dbf5f8c68ecaabaeb1bb6ab615c3350cb.pdf",
		"text": "https://archive.orkl.eu/606ec43dbf5f8c68ecaabaeb1bb6ab615c3350cb.txt",
		"img": "https://archive.orkl.eu/606ec43dbf5f8c68ecaabaeb1bb6ab615c3350cb.jpg"
	}
}