In February 2026, the New York Department of Financial Services issued a formal advisory to the CISOs of every regulated entity in the state, warning of an active campaign in which attackers spoof caller IDs, impersonate IT help-desk staff, and direct employees to malicious links over the phone. Two months earlier, CrowdStrike’s 2025 Global Threat Report documented a “442% increase in vishing attacks between the first and second halves of 2024.” A state regulator and the largest endpoint telemetry vendor in the market are describing the same threat at the same time.
For a security leader who has already paid for email security, MFA, and a year of awareness training, that combination is uncomfortable. The phone is the one channel almost no one is monitoring. CTDefense is publishing this brief because the buyer-side question has moved from “should we worry about voice-channel attacks” to “what does our security operations centre actually need to do about them.”
What vishing looks like as an enterprise attack
Modern vishing is not a single phone call. It is a multi-stage operation that uses the call as an authentication bypass and then pivots into a familiar identity-abuse playbook. The pattern that CTDefense sees in practice mirrors what Sophos describes in its Active Adversary Report 2026: a help-desk impersonation, a credential or MFA prompt handed over by the employee, and a logon from an unfamiliar location within minutes.
A representative sequence:
- Reconnaissance. The attacker scrapes LinkedIn for the name of an internal IT-support analyst and the names of a few non-technical employees in finance or HR. Caller-ID spoofing services do the rest.
- The call. The employee answers what looks like an internal extension. The “analyst” walks them through a fake password reset, a “security verification” portal, or an MFA push approval. The script is calm and procedural.
- Credential or token capture. The employee enters credentials on a lookalike portal, or approves an MFA push that is in fact the attacker’s logon attempt. In the AiTM variant, the session token is captured directly.
- Persistence and pivot. Within an hour, the attacker is logged into Microsoft 365 or Okta from a residential VPN, registering a new MFA device, creating mailbox rules, and looking for finance-system access.
- Payload. Sophos found that “88% of ransomware payloads were deployed outside business hours.” The vishing call typically happens late afternoon. The encryption happens overnight.
This is not a user-awareness story. It is a detection story. Awareness training reduces the rate at which employees fall for the call, but it does not detect the ones who do, and it does not detect the post-call activity. That is the gap CTDefense’s clients are asking the team to close.
What the SOC can actually see after the call
The phone call itself is invisible to the security stack. What is not invisible is the wake the attacker leaves behind once they try to use what they took. A SOC with the right telemetry sees a recognisable pattern within minutes of a successful vishing compromise.
The team focuses on six signals:
- MFA push anomalies. A push approved at an unusual hour, from an unusual device, or after a string of denied prompts (“MFA fatigue”). Verizon’s 2025 Data Breach Investigations Report notes that credential abuse remains the leading initial attack vector at 22% of breaches; almost all of it is downstream of either phishing or vishing.
- Impossible travel and new-country logons. A successful sign-in from a geography the user has never authenticated from, particularly when paired with an MFA registration from the same session.
- MFA device registration immediately after sign-in. The attacker’s first persistence step is almost always to enrol a new authenticator. A registration event within minutes of a successful logon, especially from a new device, is a high-fidelity indicator.
- Help-desk ticket spikes and password-reset clusters. When several employees in the same department call IT about “the strange call earlier,” it is already an incident. A SOC integrated with the ticketing system can detect this pattern before the security team is paged.
- Mailbox rule changes. Inbox rules that auto-forward, auto-delete, or move messages with words like “invoice”, “wire”, or “payroll” to obscure folders. This is the classic post-compromise step before a fraudulent payment instruction.
- Out-of-hours administrative activity. Sophos’s finding that 88% of ransomware payloads land outside business hours is consistent with what the team observes in identity incidents: privilege escalation and lateral movement happen overnight, when the on-call response is thinnest.
None of these signals requires new tooling beyond a properly instrumented Microsoft 365, Okta, or Google Workspace tenant, the identity provider’s sign-in logs, and a connected EDR. What they require is correlation, tuning, and 24/7 eyes. That is what an MDR service is for.
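The correlation the section describes, shown as an added example that is not CTDefense’s code or any vendor’s detection content. It assumes a simplified, vendor-neutral event schema (sign-in, MFA prompt, MFA registration, inbox-rule and admin-action records flattened into one list), a per-user baseline of previously seen countries, and a fixed business-hours window; the events below are constructed, not real telemetry. It flags four of the six signals above: MFA fatigue, a new-country sign-in, an authenticator registered within minutes of that sign-in, a finance-keyword forwarding rule, plus out-of-hours admin activity.

```python
"""Correlate identity telemetry into the post-vishing pattern (added example)."""
from datetime import datetime, timedelta

# Constructed sample events (assumed schema, UTC timestamps) - not real logs.
EVENTS = [
    {"ts": "2025-06-10T15:02:00", "user": "a.jones", "type": "mfa_prompt", "result": "denied"},
    {"ts": "2025-06-10T15:03:00", "user": "a.jones", "type": "mfa_prompt", "result": "denied"},
    {"ts": "2025-06-10T15:04:00", "user": "a.jones", "type": "mfa_prompt", "result": "denied"},
    {"ts": "2025-06-10T15:05:00", "user": "a.jones", "type": "mfa_prompt", "result": "approved"},
    {"ts": "2025-06-10T15:05:30", "user": "a.jones", "type": "signin", "result": "success",
     "country": "NL", "device": "unknown-win11"},
    {"ts": "2025-06-10T15:09:00", "user": "a.jones", "type": "mfa_register", "device": "unknown-win11"},
    {"ts": "2025-06-10T15:20:00", "user": "a.jones", "type": "inbox_rule", "name": "TestRule",
     "actions": ["forward", "delete"], "keywords": ["invoice", "wire"]},
    {"ts": "2025-06-10T23:10:00", "user": "a.jones", "type": "admin_action",
     "action": "role_assign:Application Administrator"},
    # A normal user for contrast: known country, single approved prompt, in hours.
    {"ts": "2025-06-10T09:00:00", "user": "b.lee", "type": "signin", "result": "success",
     "country": "US", "device": "corp-laptop-17"},
    {"ts": "2025-06-10T09:01:00", "user": "b.lee", "type": "mfa_prompt", "result": "approved"},
]

# Assumed per-user baseline: countries the user has authenticated from before.
KNOWN_COUNTRIES = {"a.jones": {"US"}, "b.lee": {"US"}}

REG_WINDOW = timedelta(minutes=15)      # registration this soon after a new-country sign-in is suspect
FATIGUE_DENIES = 3                      # denied prompts before an approval counts as MFA fatigue
FINANCE_WORDS = {"invoice", "wire", "payroll"}
BUSINESS_HOURS = range(8, 18)           # assumed 08:00-17:59 UTC for the sample


def parse(ts):
    return datetime.fromisoformat(ts)


def detect(events, known_countries):
    """Return (user, alert_kind, timestamp) tuples for the correlated signals."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        denies = 0
        last_new_country_signin = None
        for e in evs:
            t = parse(e["ts"])
            if e["type"] == "mfa_prompt":
                if e["result"] == "denied":
                    denies += 1
                else:
                    # An approval after a run of denials is the MFA-fatigue shape.
                    if denies >= FATIGUE_DENIES:
                        alerts.append((user, "mfa_fatigue", e["ts"]))
                    denies = 0
            elif e["type"] == "signin" and e["result"] == "success":
                if e["country"] not in known_countries.get(user, set()):
                    alerts.append((user, "new_country_signin", e["ts"]))
                    last_new_country_signin = t
            elif e["type"] == "mfa_register":
                # Persistence step: new authenticator minutes after a suspicious sign-in.
                if last_new_country_signin and t - last_new_country_signin <= REG_WINDOW:
                    alerts.append((user, "mfa_register_after_new_country_signin", e["ts"]))
            elif e["type"] == "inbox_rule":
                hides_mail = {"forward", "delete"} & set(e["actions"])
                touches_finance = FINANCE_WORDS & set(e["keywords"])
                if hides_mail and touches_finance:
                    alerts.append((user, "suspicious_inbox_rule", e["ts"]))
            elif e["type"] == "admin_action" and t.hour not in BUSINESS_HOURS:
                alerts.append((user, "out_of_hours_admin", e["ts"]))
    return alerts


def alert_kinds(alerts, user):
    """Set of alert kinds raised for one user (convenience for triage)."""
    return {kind for u, kind, _ in alerts if u == user}


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_COUNTRIES):
        print(alert)
```

In a real tenant the baseline, time zone and thresholds would come from the identity provider’s history rather than constants, and the individual alerts would be grouped into one incident per user; the point of the example is that each signal is weak alone and high-fidelity only when the timing between them is checked.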
The first thirty minutes of response
When a vishing compromise is suspected, the response window is short. CrowdStrike’s data on eCrime breakout times — the time between initial access and lateral movement — has dropped to under an hour for the fastest groups. A delayed response is, in practice, no response.
CTDefense works to a thirty-minute containment target for confirmed identity compromise. The actions that matter most in that window:
- Force a session revocation across the identity provider. Killing active tokens stops the attacker mid-session, even if the password has not yet been reset.
- Disable the affected account and any newly registered MFA devices. The new authenticator is the persistence mechanism; removing it before the password reset prevents the attacker from re-enrolling on the recovered account.
- Audit and roll back inbox rules, OAuth grants, and admin role assignments made in the last 24 hours. The team has seen attackers create “TestRule” forwarding rules and grant themselves Application Administrator before the password is even rotated.
- Pull the on-net activity for the user and any host they touched. The EDR side of the investigation answers whether anything was downloaded or executed locally, which determines whether the incident stays as identity-only or expands to endpoint.
- Notify the help desk and adjacent users. If one employee was targeted, the campaign almost always touches several. Proactive outreach to the same team often surfaces a second or third call that did not initially get reported.
Verizon’s DBIR puts ransomware in 44% of breaches. The vast majority of those ransomware events begin with credential or session-token compromise. The thirty minutes after a vishing call is where ransomware is either prevented or guaranteed.
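The 24-hour change audit and the ordering of the containment steps above, as an added example that is not CTDefense’s playbook or any product’s API. It assumes a unified audit log already exported to a simple record shape (actor, operation, target, timestamp); the records are constructed, and the operation names are placeholders rather than a real vendor’s event identifiers. The function narrows the log to the compromised user’s changes inside the window and orders the rollback so that sessions are revoked and new authenticators removed before the password is reset, for the reason the second bullet gives.

```python
"""Triage a compromised user's recent changes into an ordered containment plan (added example)."""
from datetime import datetime, timedelta

# Constructed audit records (assumed schema, UTC). Operation names are placeholders.
AUDIT = [
    {"ts": "2025-06-10T15:09:00", "actor": "a.jones", "op": "mfa_device_registered",
     "target": "Authenticator app on unknown-win11"},
    {"ts": "2025-06-10T15:20:00", "actor": "a.jones", "op": "inbox_rule_created", "target": "TestRule"},
    {"ts": "2025-06-10T15:40:00", "actor": "a.jones", "op": "oauth_consent_granted",
     "target": "MailSync Helper (unverified publisher)"},
    {"ts": "2025-06-10T23:10:00", "actor": "a.jones", "op": "role_assigned",
     "target": "Application Administrator"},
    # Outside the window: a legitimate rule from two days earlier.
    {"ts": "2025-06-08T10:00:00", "actor": "a.jones", "op": "inbox_rule_created", "target": "Move newsletters"},
    # Another user's change: not part of this incident's rollback.
    {"ts": "2025-06-10T16:00:00", "actor": "b.lee", "op": "inbox_rule_created", "target": "Archive HR"},
]

# Maps an audited operation to the rollback action it implies.
ROLLBACK_FOR = {
    "mfa_device_registered": "deregister_mfa_device",
    "inbox_rule_created": "remove_inbox_rule",
    "oauth_consent_granted": "revoke_oauth_grant",
    "role_assigned": "remove_role_assignment",
}


def recent_changes(audit, user, detected_at, window_hours=24):
    """Changes made by `user` in the `window_hours` before `detected_at`, oldest first."""
    start = detected_at - timedelta(hours=window_hours)
    hits = [r for r in audit
            if r["actor"] == user and start <= datetime.fromisoformat(r["ts"]) <= detected_at]
    return sorted(hits, key=lambda r: r["ts"])


def containment_plan(changes, user):
    """Ordered (action, detail) steps: sessions, account, new MFA devices, password, then rollback."""
    plan = [
        ("revoke_sessions", user),          # stops the attacker mid-session even before reset
        ("disable_account", user),
    ]
    # The new authenticator is the persistence mechanism: remove it before the reset.
    plan += [("deregister_mfa_device", c["target"]) for c in changes if c["op"] == "mfa_device_registered"]
    plan.append(("reset_password", user))
    # Then undo everything else the attacker set up in the window.
    plan += [(ROLLBACK_FOR[c["op"]], c["target"]) for c in changes
             if c["op"] in ROLLBACK_FOR and c["op"] != "mfa_device_registered"]
    plan.append(("pull_endpoint_activity", user))   # hands off to the EDR side of the investigation
    return plan


def step_index(plan, action):
    """Position of the first step with this action, or -1."""
    return next((i for i, (a, _) in enumerate(plan) if a == action), -1)


if __name__ == "__main__":
    detected = datetime.fromisoformat("2025-06-11T00:00:00")
    for step in containment_plan(recent_changes(AUDIT, "a.jones", detected), "a.jones"):
        print(step)
```

Each step maps onto an identity-provider operation the responder already has (session revocation, authentication-method removal, rule deletion, consent revocation, role removal); what the script contributes is the scoping to the window and the order, which is easy to get wrong at 02:00.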
What to ask your current MDR provider
Most MDR contracts were written when “managed detection and response” meant endpoint. The threat surface has moved. Before the next renewal, CTDefense suggests asking five direct questions:
- Are identity-provider sign-in logs ingested as a primary telemetry source, on equal footing with EDR? Not as an afterthought via a generic SIEM connector — natively, with detection content tuned to it.
- What is the analyst response time on an MFA-fatigue or impossible-travel alert at 02:00 local time? Ask for the median, not the SLA.
- Does the playbook include session revocation and MFA-device deregistration, or does it stop at “notify the customer”? A response that ends with an email to the on-call CISO is not response.
- Is the help-desk ticketing system a monitored data source? A spike in “strange call” tickets is one of the earliest vishing indicators and most providers ignore it entirely.
- How is detection content updated when a new advisory like the DFS letter or a new CrowdStrike report drops? A real provider has a content-engineering process; a thin one waits for the customer to forward the link.
The answers separate providers that have adapted to the identity-first threat landscape from providers still selling endpoint telemetry under a new label.
Where this leaves you
Awareness training is necessary. It is not sufficient. The DFS advisory and the CrowdStrike data both point at the same conclusion: vishing is now part of the standard intrusion kit, the call itself sits outside the security stack, and the only durable answer is a SOC that can recognise the post-call pattern and act on it inside thirty minutes.
CTDefense supports financial services, healthcare, and technology organisations across Europe and North America with managed detection and response built around identity and cloud telemetry as first-class data, not endpoint with extras bolted on. Organisations that have already invested in MFA and email security and still feel exposed to voice-channel attacks are encouraged to review their MDR scope against the questions above. The threat moved. The coverage should move with it.