UNC3753 Vishing and Physical Intrusion Campaign: Detection and Defense Strategies for U.S. Financial and Legal Services

Introduction

UNC3753, a financially motivated threat actor tracked by Google Mandiant and Google Threat Intelligence Group, has launched a sophisticated campaign targeting U.S. professional, legal, and financial services organizations between January and May 2026. What makes this campaign particularly alarming is its multi-vector approach combining vishing (voice phishing) with physical intrusions to steal sensitive data for extortion purposes.

This hybrid attack vector represents an evolution in threat actor tactics, moving beyond purely digital approaches to exploit the human and physical elements of security. Financial and legal services organizations are prime targets due to their valuable data holdings and regulatory requirements, which increase pressure to pay extortion demands.

As security practitioners, we must adapt our defense strategies to address these multi-faceted threats. This analysis provides actionable detection mechanisms and defensive strategies to counter UNC3753's campaign.

Technical Analysis

Attack Vector Overview

UNC3753's campaign leverages a two-pronged approach:

Vishing Operations: Attackers use targeted voice phishing calls impersonating legitimate entities (IT support, executives, vendors) to manipulate victims into divulging credentials, granting remote access, or performing actions that compromise security.
Physical Intrusions: The actor demonstrates the capability and willingness to physically infiltrate target facilities, likely through:
- Tailgating (following authorized personnel through secure entrances)
- Impersonation of maintenance personnel or third-party vendors
- Exploitation of physical security gaps in reception areas
- Badge cloning or bypass techniques

Targeted Sectors

Professional Services
Legal Services
Financial Services

Impact Assessment

Based on Mandiant and GTIG's findings, this campaign has led to:

Unauthorized access to sensitive documents and client data
Potential compromise of attorney-client privileged information in legal sector targets
Exposure of financial records and transactions in financial services organizations
Significant business disruption during incident response
Reputational damage and potential regulatory implications

Timeline

January 2026: Initial campaign activity detected
January-May 2026: Ongoing operations against multiple U.S. organizations
Current Status: Active threat requiring immediate defensive posture assessment

Detection & Response

SIGMA Rules

YAML

---
title: UNC3753 Suspicious Caller ID Pattern Activity
id: f8d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects suspicious calling patterns associated with UNC3753 vishing campaign, including caller ID spoofing and rapid sequential calling to multiple targets.
references:
  - https://attack.mitre.org/techniques/T1566/
author: Security Arsenal
date: 2026/06/10
tags:
  - attack.initial_access
  - attack.t1566.002
logsource:
 category: voip
 product: pbx
detection:
 selection:
   CallerID|startswith:
     - 'Unknown'
     - 'Private'
     - 'Restricted'
   CallDuration|between:
     - 30
     - 300
   CallStatus: 'Completed'
 condition: selection
timeframe: 24h
falsepositives:
  - Legitimate private calls from executives
  - Emergency services communications
level: medium
---
title: UNC3753 Physical Security Badge Anomalies
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects anomalies in physical access patterns that may indicate physical intrusion attempts consistent with UNC3753 tactics.
references:
  - https://attack.mitre.org/techniques/T1190/
author: Security Arsenal
date: 2026/06/10
tags:
  - attack.initial_access
  - attack.t1190
logsource:
 category: physical_access
 product: security
detection:
 selection:
   EventType: 'BadgeAccess'
   AccessResult: 'Failure'
   RepeatedFailureCount|gte: 3
   Location:
     - 'ServerRoom'
     - 'ExecutiveFloor'
     - 'RecordsDepartment'
 timeframe: 1h
 condition: selection
falsepositives:
  - Legitimate badge issues
  - Maintenance personnel with expired credentials
level: high
---
title: UNC3753 Suspicious External Media Connection
id: 9d2f8c71-a3e5-4b82-9a12-3f5b7e890678
status: experimental
description: Detects external media connections that may indicate physical data exfiltration during UNC3753 intrusion activities.
references:
  - https://attack.mitre.org/techniques/T1052/
author: Security Arsenal
date: 2026/06/10
tags:
  - attack.exfiltration
  - attack.t1052
logsource:
 category: device_connection
 product: windows
detection:
 selection:
   DeviceClass|contains:
     - 'USB'
     - 'PortableDevice'
   VolumeSize|between:
     - 1073741824  # 1GB
     - 137438953472  # 128GB
   IsEncrypted: 'False'
   IsRemovable: 'True'
 condition: selection
falsepositives:
  - Authorized data transfers
  - Personal device connections (BYOD)
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender

// Detect vishing attack indicators - unusual call patterns from suspicious numbers
let suspicious_call_patterns = 
    CommunicationEvents 
    | where TimeGenerated between(datetime(2026-01-01) .. now())
    | where CommunicationType == "Voice" 
    | where Direction == "Inbound"
    | where isnotempty(CallerNumber)
    | extend caller_digits = extract_all("[0-9]", CallerNumber)
    | extend caller_length = array_length(caller_digits)
    | where caller_length != 10  // Non-standard US number format
    | summarize CallCount = count(), TargetCount = dcount(Recipient) by CallerNumber, bin(TimeGenerated, 1d)
    | where CallCount > 5 and TargetCount > 2
    | sort by CallCount desc;

// Detect physical access anomalies
let physical_access_anomalies = 
    PhysicalAccessEvents 
    | where TimeGenerated between(datetime(2026-01-01) .. now())
    | where EventType == "BadgeAccess" 
    | where AccessResult == "Failure"
    | summarize 
        FailedAttempts = count(), 
        UniqueDoors = dcount(DoorId), 
        StartTime = min(TimeGenerated), 
        EndTime = max(TimeGenerated)
        by UserId, BadgeId, bin(TimeGenerated, 1h)
    | where FailedAttempts >= 3 or UniqueDoors >= 2
    | extend Duration = EndTime - StartTime
    | where Duration < time(1h);

// Combine findings for UNC3753 detection
union suspicious_call_patterns, physical_access_anomalies
| project TimeGenerated, ActivityType = iff(isempty(CallerNumber), "Physical Anomaly", "Vishing Indicator"), 
          Details = pack_all()
| sort by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor

-- Hunt for external media connections that could indicate physical data exfiltration
SELECT * FROM foreach(
  SELECT OSPath FROM glob(globs="/*")
  WHERE OSPath =~ "\\.(?:usb|thumbdrive|external)\\.log"
)
(
  SELECT 
    timestamp(epoch=_Source.ts) AS EventTime,
    DeviceName,
    DeviceID,
    ActionType,
    SerialNumber,
    VendorID,
    ProductID,
    Capacity
  FROM parse_(data=read_file(filename=_Source.OSPath))
  WHERE ActionType =~ "insert" OR ActionType =~ "mount"
  GROUP BY DeviceSerial
  HAVING count() > 1
)

-- Investigate suspicious remote access sessions potentially enabled through vishing
SELECT 
  Pid,
  Name,
  CommandLine,
  Username,
  StartTime,
  Exe
FROM pslist()
WHERE Name =~ "(mstsc|teamviewer|anydesk|splashtop|logmein)"
  AND CommandLine =~ "(?:password|token|credential)"
  AND Username NOT IN ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")

Remediation Script (PowerShell)

PowerShell

# PowerShell script to enhance defenses against UNC3753 vishing and physical intrusion threats

# 1. Audit and restrict physical access logging
function Invoke-PhysicalAccessAudit {
    param(
        [string]$LogPath = "C:\Logs\PhysicalAccess",
        [int]$RetentionDays = 90
    )
    
    # Ensure log directory exists
    if (!(Test-Path $LogPath)) {
        New-Item -Path $LogPath -ItemType Directory -Force | Out-Null
    }
    
    # Review recent failed access attempts
    $FailedAttempts = Get-EventLog -LogName Security -InstanceId 4625 -ErrorAction SilentlyContinue |
                      Where-Object { $_.TimeWritten -gt (Get-Date).AddDays(-7) } |
                      Group-Object -Property ReplacementStrings[0] |
                      Where-Object { $_.Count -gt 3 }
    
    if ($FailedAttempts) {
        $FailedAttempts | Format-Table Name, Count -AutoSize
        $FailedAttempts | Export-Csv -Path "$LogPath\FailedAccess_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
    }
}

# 2. Configure VoIP system security against vishing
function Set-VoIPSecurity {
    param(
        [string[]]$TrustedAreaCodes = @("214", "469", "972", "940"),  # Example for Dallas area
        [int]$MaxConcurrentCalls = 5
    )
    
    # Create firewall rules for VoIP traffic
    $RuleName = "Block Suspicious VoIP Traffic"
    
    # Check if rule exists
    $ExistingRule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    
    if (-not $ExistingRule) {
        New-NetFirewallRule -DisplayName $RuleName `
                            -Direction Inbound `
                            -Action Block `
                            -Enabled True `
                            -Profile Any `
                            -Description "Block VoIP traffic from untrusted sources" | Out-Null
        Write-Host "Created firewall rule: $RuleName"
    }
    
    # Log the configuration
    $LogEntry = @"
    $(Get-Date -Format "yyyy-MM-dd HH:mm:ss") - VoIP Security Configuration Applied:
    - Trusted Area Codes: $($TrustedAreaCodes -join ', ')
    - Max Concurrent Calls: $MaxConcurrentCalls
"@
    
    Add-Content -Path "C:\Logs\VoIPSecurity.log" -Value $LogEntry -Force
}

# 3. Harden endpoints against physical media connections
function Disable-USBStorage {
    # Check current USB storage status
    $USBStatus = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -ErrorAction SilentlyContinue
    
    if ($USBStatus.Start -ne 4) {
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -Name "Start" -Value 4 -ErrorAction Stop
        Write-Host "USB storage access disabled successfully"
    } else {
        Write-Host "USB storage access already disabled"
    }
    
    # Create audit policy for USB connections
    $AuditPolicy = auditpol /get /subcategory:"Removable Storage" 2>$null
    if ($AuditPolicy -notmatch "Success and Failure") {
        auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null
        Write-Host "Audit policy for Removable Storage configured"
    }
}

# 4. Configure endpoint isolation for sensitive workstations
function Set-EndpointIsolation {
    param(
        [string[]]$SensitiveGroups = @("Domain Admins", "Finance", "Legal")
    )
    
    foreach ($Group in $SensitiveGroups) {
        $GroupMembers = Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue
        
        foreach ($Member in $GroupMembers) {
            if ($Member.objectClass -eq "user") {
                # Configure firewall rules for restricted network communication
                $RuleName = "Restrict $($Member.Name) Network Access"
                $ExistingRule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
                
                if (-not $ExistingRule) {
                    New-NetFirewallRule -DisplayName $RuleName `
                                        -Direction Outbound `
                                        -Action Block `
                                        -Enabled True `
                                        -Profile Domain `
                                        -RemotePort 21,23,3389 `
                                        -Description "Restrict sensitive user outbound access" | Out-Null
                    Write-Host "Created network restriction for user: $($Member.Name)"
                }
            }
        }
    }
}

# Execute all defensive measures
Write-Host "Applying UNC3753 defensive measures..."
Invoke-PhysicalAccessAudit
Set-VoIPSecurity
Disable-USBStorage
Set-EndpointIsolation
Write-Host "All defensive measures applied successfully"

Remediation

Immediate Actions

Physical Security Assessment:
- Conduct immediate review of physical access logs for anomalies
- Verify identity of all third-party vendors currently on-site
- Implement "tailgating detection" protocols at all secure entrances
- Reinforce reception procedures for visitors with enhanced verification
Employee Awareness:
- Issue immediate security bulletin regarding UNC3753 vishing campaign
- Conduct urgent training on vishing recognition and reporting
- Establish verification protocol for unexpected sensitive requests via phone
- Create specific reporting channel for suspicious vishing attempts
Voice System Hardening:
- Implement call recording for all external interactions
- Configure caller ID verification for external numbers
- Establish callback verification procedures for sensitive requests
- Review VoIP system logs for suspicious patterns

Medium-Term Mitigations

Enhanced Access Control:
- Implement multi-factor authentication for physical access
- Deploy video analytics for anomaly detection at entry points
- Review and update badge access privileges for all personnel
- Implement "zero trust" principles for facility access
Vishing Detection Capabilities:
- Deploy telephony threat detection solutions
- Integrate call analytics with SOC monitoring tools
- Establish correlations between call logs and security incidents
- Implement automated blocking of known vishing numbers
Data Protection:
- Implement data loss prevention (DLP) for sensitive file types
- Encrypt sensitive data at rest and in transit
- Review and restrict external media access
- Implement secure printing and document handling procedures

Long-Term Controls

Security Culture Enhancement:
- Implement ongoing security awareness training with physical security components
- Conduct regular social engineering exercises including vishing simulations
- Establish security champions program for different departments
Technical Controls:
- Deploy physical security information management (PSIM) solutions
- Implement unified monitoring across digital and physical security domains
- Develop automated response playbooks for vishing and physical intrusion indicators

Official Guidance

Review CISA's Physical Security Guidelines: https://www.cisa.gov/physical-security
Consult NIST SP 800-53 Control Family: Physical and Environmental Protection (PE)
Follow FTC guidance on voice phishing: https://www.ftc.gov/phishing
Reference financial sector regulatory guidance (FFIEC, SEC) on social engineering defenses

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub