What is Vishing and How is it Being Deployed in the Wild?

Cybercriminals are constantly evolving their tactics, and voice phishing – or “vishing” – is the latest technique making waves.

While phishing emails are familiar territory for most, attackers are now taking things a step further by picking up the phone. Armed with insider knowledge gathered through social engineering (searching your Facebook, LinkedIn and other accounts) and convincing stories, they’re targeting employees directly – bypassing filters, exploiting human trust, and triggering major security incidents.

Let’s break down what vishing is, how it’s used in combination with other attack vectors, and go through a real-world example that shows just how dangerous this technique has become.

Introducing the Latest Cyber-criminal Exploit – Vishing

Vishing, short for voice phishing, is a social engineering attack that relies on phone calls – often disguised to look like they come from trusted sources. These calls are designed to trick victims into divulging sensitive information, granting access, or taking action that benefits the attacker.

Unlike email phishing, vishing creates a false sense of urgency and legitimacy through real-time interaction. Attackers may impersonate tech support, HR, Finance or even executives – making the victim feel pressured and caught off guard.

Common characteristics of vishing attacks include:

  • Spoofed caller IDs or use of VoIP tools to mask origin
  • Urgent, emotionally charged language (e.g., “Your account has been compromised!”)
  • Requests for sensitive data such as login credentials, financial info, or one-time passcodes
  • Voice deepfakes or scripts designed to sound authoritative

The real danger? These aren’t always one-off calls. Vishing is increasingly part of multi-stage attacks that combine several methods for maximum impact. Other components of these sophisticated attacks could include:

  • Phishing and email bombing: Attackers flood inboxes to overwhelm users, then follow up with a phone call pretending to be IT support helping to “resolve the issue.”
  • Malware or ransomware: Victims are tricked into installing malware or handing over credentials that allow access to internal systems.
  • Smishing (SMS phishing): A text message may precede the call, warming up the target and making the voice interaction more believable.
  • Microsoft Teams impersonation or other internal tool mimicry: Attackers pretend to be from inside the organization, creating a false sense of security.

When combined, these methods create layered attacks that feel real, urgent, and incredibly difficult for employees to detect – especially without training or tools in place.

Vishing in the Wild – A Recent Attack Deconstructed

In late 2024, Sophos’ cybersecurity teams uncovered a new threat cluster, STAC5143, directed at one of their clients. The cluster used Microsoft Office 365 tools to orchestrate a sophisticated ransomware attack. Here’s how the operation unfolded – from entry to post-exploitation.

Initial Access: Overload, Distract, Social Engineer

The attack started with an email bombing campaign, flooding an employee’s inbox with over 3,000 spam emails in under an hour. This was a distraction tactic, designed to overwhelm and create urgency.

Shortly after, the employee received a Teams call from a fake ‘Help Desk Manager’ – leveraging a Microsoft Teams misconfiguration that allows external users to initiate calls. Believing it to be legitimate IT support (especially since the company used a third-party MSP), the employee granted remote access via Teams screen sharing.

First Steps: Explore, Establish

Once the attackers gained initial access to the protected systems, they immediately began establishing a persistent presence and exploring the environment.

Their first steps involved opening a command interface to download a malicious Java archive from an external source. This downloaded file was then executed using a legitimate Java program to blend in with normal system activity and evade detection. The malicious Java program then proceeded to unpack further harmful tools, specifically Python-based backdoors, from a compressed file.

To prepare for subsequent actions, the system’s text encoding was changed to UTF-8, likely to enable the use of encoded PowerShell commands designed to bypass security measures. Finally, PowerShell was used to retrieve additional components, including a compressed archive, a legitimate VPN application (ProtonVPN), and a malicious dynamic link library file named “nethost.dll.”

Persistence: Maintain, Prepare

The attackers then focused on maintaining control and understanding their surroundings. They employed a technique called “side-loading” by running the legitimate ProtonVPN application in a way that simultaneously loaded the malicious “nethost.dll.” This established secret communication channels (command and control or C2) through the VPN connection, using infrastructure located in Russia, the Netherlands, and the U.S., as well as VPN services to obscure their origin and bypass geographical restrictions.

Simultaneously, the attackers used built-in system tools to gather information about the compromised user, their access rights within the network, and to identify other accessible computers and network resources. This reconnaissance phase allowed them to map out the environment and plan further malicious activities.

At this stage the attack was detected and halted.
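The chain described in the three sections above, expressed as detection rules run over constructed process-creation events. This is an added example, not code from the Sophos write-up or from Prodatix; it assumes the UTF-8 switch was made with `chcp 65001` and that a legitimate ProtonVPN install loads its own `nethost.dll` from under Program Files, and the user name, paths and encoded payload are placeholders.

```python
"""Detection rules for the STAC5143-style process chain described above.
The events below are constructed for this example; they are not Sophos telemetry.
Assumed (not stated on the page): the UTF-8 switch was done with 'chcp 65001'.
"""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str          # parent process image name
    image: str           # process image name
    cmdline: str         # full command line
    module: str = ""     # path of a DLL the process loaded, if any

# Constructed sample events modelled on the narrative (user, paths and the
# encoded payload are placeholders).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "cmd.exe", "cmd.exe /c chcp 65001"),
    ProcEvent("cmd.exe", "powershell.exe",
              "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoA..."),
    ProcEvent("cmd.exe", "java.exe",
              r"java.exe -jar C:\Users\alice\AppData\Local\Temp\update.jar"),
    ProcEvent("explorer.exe", "ProtonVPN.exe",
              r"C:\Users\alice\Downloads\ProtonVPN.exe",
              module=r"C:\Users\alice\Downloads\nethost.dll"),
    ProcEvent("explorer.exe", "outlook.exe", "outlook.exe"),   # benign
]

# Where a properly installed ProtonVPN would legitimately load its own nethost.dll from.
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)")

def detect(events):
    """Return (rule_name, event) pairs for the three behaviours in the write-up:
    encoded PowerShell after a UTF-8 code-page change, java.exe running a .jar
    from a user-writable directory, and ProtonVPN.exe loading nethost.dll from
    outside a trusted install path (the side-loading step)."""
    hits, saw_utf8_switch = [], False
    for ev in events:
        img, cl, mod = ev.image.lower(), ev.cmdline.lower(), ev.module.lower()
        if "chcp 65001" in cl:
            saw_utf8_switch = True
        if img == "powershell.exe" and saw_utf8_switch and re.search(r"-e(nc(odedcommand)?)?\s", cl):
            hits.append(("encoded-powershell-after-utf8-switch", ev))
        if img == "java.exe" and "-jar" in cl and "\\users\\" in cl:
            hits.append(("java-jar-from-user-dir", ev))
        if img == "protonvpn.exe" and mod.endswith("nethost.dll") and not mod.startswith(TRUSTED_DIRS):
            hits.append(("protonvpn-sideloads-nethost", ev))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the three malicious steps in order and leaves the benign Outlook launch alone; a ProtonVPN that loads nethost.dll from its Program Files install directory produces no hit.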

Key Takeaways

  • Abusing Microsoft Teams and SharePoint: STAC5143 exploited the default trust settings in Microsoft 365 to gain entry and deliver payloads.
  • Multi-language Payloads: Combining Java, Python, and PowerShell made detection harder and allowed attackers greater flexibility.
  • Living off the Land: The attackers used native Windows tools (cmd, net, PowerShell) to minimize their footprint and evade detection.
  • Side-loading for Persistence: By hijacking ProtonVPN’s DLL loading mechanism, they embedded stealthy long-term access.

Taming Vishing: Improving Your Defenses

In light of persistent threats like the example in this article, what are the steps that you can take to keep your data secure?

Server + Endpoint Management

Managing server and endpoint security internally presents significant challenges for most organizations. The increasing complexity of IT environments, coupled with the expanding attack surface due to remote work and diverse device ecosystems, often leads to reactive security postures.

Maintaining comprehensive visibility across all endpoints becomes arduous, creating opportunities for threat actors to operate undetected, as we have seen. Furthermore, protracted incident response times can exacerbate the impact of security breaches, allowing malicious activities to escalate before effective countermeasures are implemented. The operational efficiency of security teams can also be hampered by ageing or unpatched infrastructure, leading to delays in critical response efforts, a vulnerability that threat actors actively seek to exploit.

Server and Endpoint Management solutions like those from Sophos offer a strategic alternative by providing continuous, proactive security and operational benefits. They deliver comprehensive oversight through 24/7 monitoring and management, automated patch management and advanced AI enabled threat detection. Beyond that, remote monitoring and control capabilities enable swift incident response, facilitating immediate action to neutralize threats without requiring on-site intervention.

By automating routine security tasks and providing enhanced visibility and responsiveness, these solutions empower IT teams to focus on strategic initiatives, optimize system performance, and strengthen overall organizational resilience against evolving cyber threats.

Phishing Simulations

Cybercriminals are blending phishing with vishing in highly coordinated attacks. Your people need to recognize the red flags in every communication channel – not just email.

Training employees to handle email threats doesn’t just prevent clicks – it conditions them to think critically and verify suspicious behavior, whether it shows up in their inbox or over the phone.

An ideal starting point is to run industry-specific phishing simulations. These offer several key benefits and enable your organization to baseline employee knowledge and the types of action employees are likely to take, or not take, when presented with a threat.

Simulations run using tools from Sophos – as offered by Prodatix – have an additional benefit in that they can tap into their ever-increasing library of exploits to ensure the simulations are realistic and mimic the latest threats.

Phishing Training

Following the simulation, an ideal next step is phishing and vishing education. This should be designed to arm your team with the tools they need to be able to detect and react to attacks through specific training modules built around real tactics used by attackers today.

They should be customizable to align with your industry, team roles, and compliance needs, and allow your team’s progress to be measured over time. Ongoing reinforcement can then be provided to keep security top-of-mind and reduce training fatigue.

The implementation of phishing simulations and training can contribute to meeting regulatory and cyber insurance requirements.

Conclusion

Protecting your business from vishing starts with employee awareness and training, followed by deploying preventative tools that are capable of eliminating vishing threats before it’s too late.

At Prodatix we have partnered with Sophos to offer their industry-standard data security tools. By working with us, you will empower your team with the solutions they need to ward off phishing attacks, including server/endpoint management solutions, as well as phishing simulations and training.

Ready to protect your company from vishing? Get started today by registering for a free consultation.

About Matt Bullock, CEO and Co-Founder, Prodatix
Matt Bullock is the CEO and Co-Founder of the complete data lifecycle management specialists Prodatix. In his role he defines and leads the company strategy and is responsible for leading all client and partner engagement. A technology entrepreneur with over 30 years’ experience, Matt has founded multiple companies and is passionate about helping businesses and channel partners become ransomware resilient.