What is Phishing?
Phishing Explained
Voice-phishing (“vishing”) has shifted from opportunistic phone scams into high-touch, enterprise-grade initial access that reliably compromises SSO credentials, MFA factors, and SaaS admin sessions, often with no software exploit required. Recent reporting from Google’s Threat Intelligence Group (GTIG) and Mandiant shows financially motivated crews using IT-impersonation phone calls plus victim-branded credential-harvesting sites to obtain SSO usernames/passwords and MFA codes, then pivoting into high-value cloud apps (e.g., identity providers, email, collaboration, CRM) for data theft and extortion. [1]
A major accelerant is the emergence of real-time, “call-operator friendly” phishing kits. Okta Threat Intelligence describes kits that let the caller orchestrate what the target sees in the browser during the phone call, synchronizing the attacker’s spoken instructions with the victim’s MFA prompts. The kits are explicitly positioned to defeat MFA that is not phishing-resistant (push approvals, SMS/voice OTP, TOTP) by keeping the victim “in flow” and compliant: each of those factors is either a short code the victim can read out or type into any page, or an approval that does not say which login it is approving, so the operator can relay it to the real service within its validity window. [2]
The last 12–18 months also show vishing blending with multi-channel pressure tactics. In Microsoft Teams-based vishing, attackers first “email-bomb” targets with spam, then pose as the help desk over Teams calls and persuade victims to grant remote control or install remote-assistance tools. [3] A separate, well-documented path uses OAuth/connected-app abuse: vishing victims are guided to approve a malicious “connected app” (e.g., a tampered Data Loader-style app), which grants the attacker API-level access to cloud data stores without exploiting the SaaS platform itself. Because the resulting access is an OAuth grant rather than an interactive login, ending it requires revoking the app’s token or consent; a password reset alone does not necessarily do so. [4]
From a defender’s perspective, the key lesson is that identity workflows are the attack surface, especially password resets, MFA enrollment changes, OAuth consent, and session/token persistence. Government guidance (e.g., the U.S. phishing-resistant authenticator playbook) explicitly calls out that many common MFA methods remain vulnerable to phishing, push-bombing, SIM swap, and adversary-in-the-middle interception. [5] This is why GTIG emphasizes moving toward phishing-resistant MFA (FIDO2 security keys or passkeys) for critical access paths: the authenticator signs the challenge together with the origin the browser is actually on, so a credential exercised on a lookalike site yields nothing the attacker can replay to the real one. [6]
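The sequence a phone-guided victim produces in the identity audit trail (a credential or MFA change, then a broad-scope connected-app consent minutes later) is something a detection rule can correlate. The following is an added example written for this page, not code from GTIG, Okta or any vendor; the audit events are constructed JSON lines in a made-up schema, and the field names, event names and scope names are assumptions rather than any product's real audit format.

```python
"""Flag a vishing-style identity takeover by correlating identity-workflow events.

Added example (not from the cited reports). The audit events below are
constructed JSON lines in a hypothetical schema. Rule: a credential or MFA
change on an account, followed within a short window by a connected-app
consent that grants broad API scopes, is raised for review.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit log (hypothetical schema, RFC 5737 test addresses).
SAMPLE_LOG = """\
{"ts":"2025-06-04T14:02:11Z","user":"j.doe","event":"mfa_factor_enrolled","detail":"sms","src_ip":"203.0.113.9"}
{"ts":"2025-06-04T14:05:40Z","user":"j.doe","event":"oauth_consent","app":"Data Loader","scopes":["api","refresh_token"],"src_ip":"203.0.113.9"}
{"ts":"2025-06-04T09:10:00Z","user":"a.smith","event":"oauth_consent","app":"Calendar Sync","scopes":["calendar.read"],"src_ip":"198.51.100.4"}
{"ts":"2025-06-04T15:30:00Z","user":"b.lee","event":"password_reset","src_ip":"192.0.2.77"}
{"ts":"2025-06-05T11:30:00Z","user":"b.lee","event":"oauth_consent","app":"Data Loader","scopes":["api","refresh_token"],"src_ip":"192.0.2.77"}
{"ts":"2025-06-04T16:00:00Z","user":"c.ng","event":"oauth_consent","app":"Data Loader","scopes":["api","refresh_token"],"src_ip":"198.51.100.8"}
"""

# Workflow steps a help-desk impersonator typically talks the victim through first.
TRIGGER_EVENTS = {"password_reset", "mfa_factor_enrolled", "mfa_factor_reset"}
# Scopes that hand an app API-level access to data (assumed names).
BROAD_SCOPES = {"api", "refresh_token", "full"}
WINDOW = timedelta(minutes=30)


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines; timestamps are UTC and become datetime objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_suspicious_consents(events: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Return one finding per broad-scope consent that follows a trigger event
    on the same account within `window`. Events are sorted per user, so
    ingestion order does not matter."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        recent_trigger = None
        for ev in evs:
            if ev["event"] in TRIGGER_EVENTS:
                recent_trigger = ev
                continue
            if ev["event"] != "oauth_consent":
                continue
            broad = set(ev.get("scopes", [])) & BROAD_SCOPES
            if not broad or recent_trigger is None:
                continue
            gap = ev["ts"] - recent_trigger["ts"]
            if gap <= window:
                findings.append({
                    "user": user,
                    "app": ev["app"],
                    "broad_scopes": sorted(broad),
                    "trigger": recent_trigger["event"],
                    "minutes_after_trigger": int(gap.total_seconds() // 60),
                    "src_ip": ev["src_ip"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_consents(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the constructed sample only j.doe is flagged: a.smith's consent carries a narrow scope, b.lee's consent comes a day after the reset, and c.ng's broad-scope consent has no preceding credential change. That last case is exactly why this correlation should sit beside a second, lower-severity rule that alerts on any broad-scope consent to an app outside an approved allow-list.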
The incidents below highlight the convergence of voice impersonation, real-time web phishing, and identity-system abuse. The common thread is that attackers succeed by controlling user decisions in real time—through urgency, authority, and synchronized prompts—then converting a single compromised identity into broad SaaS access.
| Date (published / observed) | Incident / campaign | Primary social-engineering hook | Enterprise impact pattern | Sources |
|---|---|---|---|---|
| Sep 26, 2024 | Deepfake Zoom call impersonation targeting a U.S. Senator | Believable audio/video impersonation and authority pretext | Rising realism of deepfake-enabled impersonation | [10] |
| Jan 21, 2025 | Microsoft Teams vishing + email bombing | Spam flood creates panic; attacker poses as IT | Victim grants remote access | [11] |
| Jun 4, 2025 | GTIG: UNC6040 Salesforce vishing → data theft → extortion | IT impersonation; malicious connected app approval | Large-scale CRM data theft | [12] |
Attackers typically avoid asking directly for “your password.” Instead, they position the request as security-positive and procedural: “I can’t take your password—please enter it yourself on this portal.” [1]
A key evolution is combining voice with another channel to create “evidence” that something is wrong. A clear example is email bombing followed by Teams calls—the spam flood creates panic, then the attacker offers “help.” [1]
Okta describes kits that synchronize the victim’s browser flow with the attacker’s live login attempts, allowing the caller to request specific actions at the exact moment the MFA challenge appears. [2]
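The reason such a kit works against OTP and push but not against a FIDO2/WebAuthn credential comes down to what the relying party actually receives. The following added example, which is not code from Okta, GTIG or any phishing kit, runs both relays end to end with the standard library: a TOTP code typed on the lookalike page is forwarded and accepted, while a WebAuthn-style assertion produced on the lookalike origin is rejected. Two simplifications are assumptions: the authenticator's asymmetric private key is replaced by an HMAC secret (the origin check that defeats the relay is unchanged), and both origins are hypothetical.

```python
"""Why a relayed OTP passes but a relayed WebAuthn assertion does not.

Added example, stdlib only; not code from Okta, GTIG or any kit. The
authenticator's private key is modelled as an HMAC secret (assumption);
the origins below are hypothetical.
"""
import hashlib
import hmac
import json
import struct

RP_ID = "sso.example.com"                          # hypothetical relying party
LEGIT_ORIGIN = "https://sso.example.com"
PHISH_ORIGIN = "https://sso-example-helpdesk.com"  # attacker's lookalike site


# ---- TOTP (RFC 6238, SHA-1): a factor the caller can relay ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def rp_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # The RP receives a short string; nothing in it says which page it was typed on.
    return hmac.compare_digest(totp(secret, unix_time), submitted)


# ---- WebAuthn-style assertion: a factor bound to the browser's origin ----
def browser_and_authenticator_sign(cred_key: bytes, challenge: str, origin: str):
    """The browser writes the origin it is actually on into clientData; the
    authenticator signs rpIdHash || sha256(clientData). (A real browser also
    refuses to use a credential whose rpId does not match the current origin,
    so on a lookalike site the assertion is normally never produced at all.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    signed_bytes = rp_id_hash + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed_bytes, hashlib.sha256).digest()
    return client_data, sig


def rp_verify_assertion(cred_key: bytes, challenge: str, client_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:          # origin binding: the relay dies here
        return False
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    expected = hmac.new(cred_key, rp_id_hash + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


# ---- The two relays a call-operator kit runs ----
def relay_totp(secret: bytes, unix_time: int) -> bool:
    """Victim reads the code from their app and types it on the phishing page;
    the operator forwards it to the real login inside the same time step."""
    typed_on_phish_page = totp(secret, unix_time)
    return rp_verify_totp(secret, typed_on_phish_page, unix_time)


def relay_webauthn(cred_key: bytes, challenge: str) -> bool:
    """Operator fetches the real challenge, forwards it to the victim's browser
    (which is on PHISH_ORIGIN), then forwards the signed assertion to the RP."""
    client_data, sig = browser_and_authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, client_data, sig)


def legit_webauthn(cred_key: bytes, challenge: str) -> bool:
    client_data, sig = browser_and_authenticator_sign(cred_key, challenge, LEGIT_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, client_data, sig)


if __name__ == "__main__":
    print("relayed TOTP accepted:    ", relay_totp(b"12345678901234567890", 59))
    print("relayed WebAuthn accepted:", relay_webauthn(b"cred-secret", "random-challenge"))
    print("legit WebAuthn accepted:  ", legit_webauthn(b"cred-secret", "random-challenge"))
```

The TOTP half is checked against the RFC 6238 test vector (secret "12345678901234567890", time 59, eight digits gives 94287082) so the relayed code really is a valid one. Note that the WebAuthn check fails on the origin comparison before the signature is even examined; the signature itself is perfectly valid, which is the whole point: the victim did authenticate, just to the wrong site, and the protocol carries that fact to the relying party.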
OWASP notes that stealing a valid session cookie can enable hijacking for the lifetime of that session, effectively equating cookie theft with credential theft until expiry. [2] The practical consequence is that phishing-resistant MFA protects the login, not the session that follows it: once a remote-assistance tool or a kit holds the post-authentication cookie, the MFA method no longer matters, so short session lifetimes, re-authentication for sensitive actions (MFA enrollment, OAuth consent, admin changes), and revocation of sessions and tokens on suspicious change remain necessary controls.