TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Black Hills InfoSec

Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions

BHIS · 2026-01-28

ATT&CK techniques detected

10 predictions
T1556.006 · Multi-Factor Authentication
84%
“…ruse. The ruse is designed to keep the target feeling in control at all times. They are not providing you with confidential information and still have control over their workstation and mobile device. From their perspective, all they are doing is proving they can control their au…”
T1556.006 · Multi-Factor Authentication
63%
“…es help desk hardening. How the Ruse Works in Practice. Below is a conceptual walkthrough that you can adapt into a RoE-approved playbook. I've sorted this into a list of bullet points because I'm pretty sure that's going to be easier reading than a giant wall of text. 1…”
T1621 · Multi-Factor Authentication Request Generation
60%
“…push notification or phone call. - The attacker calls the user, claiming to be from the service desk/security team following up on a security issue. - The attacker coaches the user into approving the MFA prompts as part of a “verification.” - After the MFA is approved, the at…”
T1566.004 · Spearphishing Voice
52%
“Importantly, users should always receive positive coaching if they are compromised on a social engineering test. Negative options such as termination rarely work out well for anyone in the long term, as the replacement might fall into the same trap later. The goal here should a…”
T1556.006 · Multi-Factor Authentication
47%
“…push notification or phone call. - The attacker calls the user, claiming to be from the service desk/security team following up on a security issue. - The attacker coaches the user into approving the MFA prompts as part of a “verification.” - After the MFA is approved, the at…”
T1598.004 · Spearphishing Voice
44%
“Importantly, users should always receive positive coaching if they are compromised on a social engineering test. Negative options such as termination rarely work out well for anyone in the long term, as the replacement might fall into the same trap later. The goal here should a…”
T1598.004 · Spearphishing Voice
42%
“…push notification or phone call. - The attacker calls the user, claiming to be from the service desk/security team following up on a security issue. - The attacker coaches the user into approving the MFA prompts as part of a “verification.” - After the MFA is approved, the at…”
T1621 · Multi-Factor Authentication Request Generation
42%
“…?”, and then used the moment of humor to pivot into a need to do a quick security check. SSPR was then used to generate two-digit numbers to be entered into Microsoft Authenticator. The tester gave these numbers to the employees, who entered them into their phone. After gainin…”
T1621 · Multi-Factor Authentication Request Generation
42%
“…ruse. The ruse is designed to keep the target feeling in control at all times. They are not providing you with confidential information and still have control over their workstation and mobile device. From their perspective, all they are doing is proving they can control their au…”
T1111 · Multi-Factor Authentication Interception
31%
“…?”, and then used the moment of humor to pivot into a need to do a quick security check. SSPR was then used to generate two-digit numbers to be entered into Microsoft Authenticator. The tester gave these numbers to the employees, who entered them into their phone. After gainin…”

Summary

Social Engineering and Microsoft SSPR

This scenario simultaneously tests identity confirmation tooling (SSPR, MFA, Conditional Access), how users act under pressure, and the organization's ability to detect and follow up on social engineering attacks.

The post Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions appeared first on Black Hills Information Security, Inc.