TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Cisco Talos Intelligence

Insights into the clustering and reuse of phone numbers in scam emails

Omid Mirzaei · 2 hours ago

ATT&CK techniques detected

9 predictions
T1557.001 Name Resolution Poisoning and SMB Relay
59%
“sharing these insights, talos aims to strengthen our collective defensive posture against these evolving threats. the structure of voip phone numbers most voip numbers follow the e.164 international public telecommunication numbering plan. this format ensures that every number is…”
T1598 Phishing for Information
58%
“attackers simply rotate to the next number in the block. the figure below shows how a block of numbers — differing only in the last four digits — is used in various scam emails impersonating paypal between march 3 and march 6, 2026. it is also clear that certain numbers are used …”
T1557.001 Name Resolution Poisoning and SMB Relay
45%
“using clustering techniques to connect disparate campaigns and strengthen overall defensive postures. telephone-oriented attack delivery (toad) continues to be a prevalent tactic in modern email threats. by shifting the communication channel from email to a real-time conver…”
T1566.004 Spearphishing Voice
38%
“and persistent victim engagement. finally, reuse minimizes operational costs, particularly for paid voip services. while we observed some phone numbers reused for up to four consecutive days, the most common reuse period was two consecutive days. lifespan analysis and cool-down…”
T1598 Phishing for Information
38%
“insights into the clustering and reuse of phone numbers in scam emails - cisco talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (ioc). in this blog, we discuss new insights into in-the-…”
T1598 Phishing for Information
38%
“phone numbers, security researchers can effectively map connections between seemingly unrelated campaigns, ultimately exposing the infrastructure of organized criminal call centers. service providers and security teams should prioritize the implementation of real-time reputatio…”
T1598 Phishing for Information
36%
“provide insights into the lifecycle of phone numbers used in scam emails, examining how often they are reused, their typical lifespan, and how they appear across seemingly unrelated lures. our analysis focuses on scam campaigns impersonating popular brands, including paypal, geek…”
T1557.001 Name Resolution Poisoning and SMB Relay
34%
“…rs and retailers. voip wholesalers (e.g., virtue, twilio, and bandwidth) operate in a business-to-business (b2b) capacity, sitting between tier 1 carriers (e.g., at&t, verizon) and smaller service providers, selling high volumes of numbers in bulk. conversely, voi…”
T1598.002 Spearphishing Attachment
30%
“insights into the clustering and reuse of phone numbers in scam emails - cisco talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (ioc). in this blog, we discuss new insights into in-the-…”

Summary

Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails.