Mandiant Says Voice Phishing Is Replacing Email Phishing as Attackers Target SaaS Identities

By Ash K

Voice phishing is rapidly overtaking traditional email phishing as one of the most effective initial access techniques used by attackers, according to Mandiant's newly released M-Trends 2026 report.

The report found that while exploits remained the top initial infection vector for the sixth consecutive year at 32%, highly interactive voice phishing surged to 11%, making it the second-most commonly observed initial infection vector in 2025. By contrast, traditional email phishing dropped to just 6% of intrusions, reflecting a broader shift in attacker tradecraft as automated email defenses continue to improve.

The change is significant because it suggests attackers are moving away from low-interaction phishing emails and toward real-time human manipulation, especially in environments where users are protected by email filtering, multifactor authentication, and modern endpoint controls. Instead of trying to beat security technology head-on, attackers are increasingly targeting people directly.

Mandiant said this trend is especially visible in software-as-a-service environments, where threat actors are using voice-based social engineering to trick help desks, bypass MFA protections, and obtain access to long-lived credentials such as OAuth tokens and session cookies. Once inside, attackers can pivot into downstream customer environments and carry out large-scale data theft with minimal friction.

Image caption: Attackers are increasingly favoring real-time voice-based social engineering over traditional phishing emails.

The numbers in the report point to a broader realignment in how attackers gain access. Mandiant said global median dwell time increased to 14 days from 11 days, and organizations internally detected malicious activity in 52% of investigations, up from 43% in 2024. But while defenders are improving visibility, attackers are compensating by leaning into identity-centric intrusion paths that rely on persuasion rather than payload delivery.

The report specifically highlights how groups such as UNC3944 have targeted IT help desks as part of SaaS-focused intrusion activity. Rather than relying on malicious attachments or spoofed login pages alone, these actors engage directly with personnel, exploit trust-based workflows, and manipulate support processes to gain access to accounts and services that sit behind conventional security controls.

That shift matters because voice phishing is often harder to detect and harder to automate defenses against. Email phishing can be filtered, sandboxed, rewritten, or blocked at the gateway. A phone call to a help desk, by contrast, can exploit human urgency, authority, and familiarity in ways that traditional technical controls are not designed to stop.

Mandiant’s findings suggest this is not just a tactical variation of phishing, but part of a wider attacker pivot into identity abuse. The report says threat actors are bypassing standard defenses by harvesting long-lived authentication material, compromising third-party SaaS vendors, and stealing hard-coded keys and personal access tokens that can be used to access downstream environments.

The implication for defenders is that inbox security alone is no longer enough. Even as email phishing declines, the broader phishing problem is evolving into something more interactive, more targeted, and more deeply tied to identity infrastructure.

The report also places the trend within a larger pattern of attacker specialization. Mandiant found that the median time between initial access and handoff to a secondary threat group collapsed from more than 8 hours in 2022 to just 22 seconds in 2025, meaning access obtained through social engineering can be weaponized almost immediately.

For organizations, the message is clear: phishing is not disappearing. It is becoming more human, more identity-focused, and more difficult to stop with legacy controls alone.

Mandiant recommends that organizations respond by shifting to continuous identity verification, enforcing strict least privilege, regularly auditing SaaS integrations, and routing SaaS applications through a central identity provider. The company also warns that because interactive social engineering can bypass traditional MFA, defenders should move beyond static indicators and adopt behavior-based detection models that can identify anomalous access to SaaS environments, suspicious use of integration tokens, and unusual bulk API activity.
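As an added illustration (not code from the report or from Mandiant), here is a minimal behavior-based check of the kind described above: it baselines each integration token's source networks and peak hourly call volume, then flags use from an unseen network or a bulk spike. The event fields (`token`, `net`, `ts`), the `bulk_factor` threshold, and the sample events are constructed assumptions, not a real SaaS audit schema.

```python
from collections import Counter, defaultdict
from datetime import datetime

def hour(ts):
    """Truncate an ISO timestamp to its hour bucket."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0)

def detect(events, baseline_end, bulk_factor=5):
    """Return sorted (token, hour, reason) alerts for events at/after baseline_end."""
    cutoff = datetime.fromisoformat(baseline_end)
    nets = defaultdict(set)   # token -> source networks seen during baseline
    base = Counter()          # (token, hour) -> API calls during baseline
    live = Counter()          # (token, hour) -> API calls after the cutoff
    alerts = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        tok, h = e["token"], hour(e["ts"])
        if datetime.fromisoformat(e["ts"]) < cutoff:
            nets[tok].add(e["net"])
            base[(tok, h)] += 1
            continue
        live[(tok, h)] += 1
        # A token with no baseline has an empty set, so its first use is flagged too.
        if e["net"] not in nets[tok]:
            alerts.add((tok, h.isoformat(), "new_source_network"))
    peak = defaultdict(int)   # token -> busiest baseline hour
    for (tok, _), n in base.items():
        peak[tok] = max(peak[tok], n)
    for (tok, h), n in live.items():
        if n > bulk_factor * max(peak[tok], 1):
            alerts.add((tok, h.isoformat(), "bulk_api_activity"))
    return sorted(alerts)

def _mk(token, net, day, hr, n):
    """Build n constructed audit events, one per minute, in the given hour."""
    return [{"token": token, "net": net,
             "ts": f"2025-06-{day:02d}T{hr:02d}:{m:02d}:00"} for m in range(n)]

# Constructed sample: three quiet baseline days, then a burst from a new network.
SAMPLE = (
    _mk("tok-crm-sync", "198.51.100.0/24", 1, 2, 4)
    + _mk("tok-crm-sync", "198.51.100.0/24", 2, 2, 4)
    + _mk("tok-crm-sync", "198.51.100.0/24", 3, 2, 4)
    + _mk("tok-backup", "192.0.2.0/24", 2, 3, 2)
    + _mk("tok-crm-sync", "198.51.100.0/24", 4, 2, 4)
    + _mk("tok-backup", "192.0.2.0/24", 4, 3, 3)
    + _mk("tok-crm-sync", "203.0.113.0/24", 4, 14, 30)
)

if __name__ == "__main__":
    for alert in detect(SAMPLE, "2025-06-04T00:00:00"):
        print(alert)
```

The token's routine job from its usual network stays quiet; only the burst from the unseen network raises both alerts.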

The broader lesson from M-Trends 2026 is that the classic phishing email is no longer the only, or even the primary, social engineering threat. Attackers are increasingly choosing the path that works best against modern defenses, and right now that path appears to be a human voice on the other end of a phone call.

Reference Links and Sources

  • M-Trends 2026 report image reference
  • Mandiant / Google Cloud: M-Trends 2026: Data, Insights, and Strategies From the Frontlines
  • Mandiant reporting on UNC3944 and help desk-driven SaaS intrusions
Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.