SE-VISHINGInitial Access

Vishing (Voice Phishing)

Phone call pretending to be IT / vendor / executive — most often used to reset MFA / passwords or extract sensitive info.

§ Where this technique fits

SE-VISHING is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 2.5 on average.

§ Dossiers chaining this technique

Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)
Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin, get MFA reset. Sign in, plant attacker MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.
step 2 / 7
Vishing → helpdesk MFA reset → account takeover
Pose as a panicked employee locked out before a meeting. Helpdesk resets MFA based on partial PII (employee ID + date of birth from LinkedIn). Attacker registers their own factor.
step 3 / 6

§ What commonly comes next

01
Helpdesk Social Engineering — MFA / Password Reset
SE-HELPDESK-RESET · Credential Access
seen 1×
02
Identity-Provider Helpdesk SE (Scattered Spider)
APT-OKTA-SE · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)

Vishing → helpdesk MFA reset → account takeover

§ What commonly comes next