UNC3753: The Evolution of Vishing and Physical Intrusion Tactics
Just caught the latest report from Mandiant and GTIG regarding UNC3753. It is genuinely alarming to see the resurgence of physical intrusion tactics combined with sophisticated vishing campaigns targeting professional and financial services.
Between January and May 2026, this group didn't just rely on phishing emails; they actively targeted personnel to gain physical access or bypass security controls via social engineering. This highlights a massive gap in how we often silo our physical security teams from our SOC operations.
Since the report emphasizes the hybrid nature of these attacks, I’ve been tuning our detection logic to look for anomalies in physical access logs correlated with helpdesk calls or MFA fatigue events. Here is a basic KQL query I'm using to hunt for after-hours physical access anomalies in our Azure Sentinel environment:
PhysicalAccessLogs
| where TimeGenerated > ago(90d)
| where ActionType == "Door Open"
| extend Hour = datetime_part("Hour", TimeGenerated)
| where Hour >= 18 or Hour < 6 // After hours; the window wraps midnight, so between(18 .. 6) would match nothing
| summarize Count = count() by UserID, Location
| where Count > 2
| project UserID, Location, Count
We are also tightening our visitor management policies, but technical controls only go so far against a determined actor willing to walk through the front door.
Is anyone else seeing a convergence in their red team exercises where physical access is the primary vector for network compromise? How are you validating your physical security logs against digital alerts?
We actually faced a similar attempt last quarter (not attributed to UNC3753, but similar TTPs). The attackers called our helpdesk claiming to be locked out of the VPN while 'on-site' to get a password reset, then used that badge to piggyback into the server room.
We've since implemented a policy requiring callback verification to the employee's mobile number on file for any access request, even if they claim to be standing right there. It slows things down, but it stopped the vishing dead in its tracks.
From a pentester's perspective, physical security is almost always the soft underbelly for financial clients. I've walked into data centers with nothing more than a high-vis vest and a clipboard carrying a box of 'donuts'.
Technical controls are great, but if you haven't tested your reception staff's ability to verify identity against a live directory photo, you're vulnerable. I recommend running internal 'social engineering' drills focused specifically on tailgating and vishing scenarios to train staff without shaming them.
Solid query, thanks for sharing. I'd suggest cross-referencing that with your VoIP logs if you can. In cases like this, you might see the vishing attempt hitting the call center just hours or minutes before the physical access event.
Get-CsCallDetailRecord -StartDate "1/1/2026" -EndDate "5/31/2026" |
Where-Object { $_.DestinationNumber -like "*+1800*" -or $_.CallerId -like "*Anonymous*" }
Correlating telephony data with badge-in events is a high-signal method for catching these blended attacks.
To bridge that gap Dana mentioned, try correlating PACS data with vishing timelines. If a social engineering attempt hits the helpdesk, check for badge anomalies or forced doors near that timestamp to see if the caller is physically present. You can spot patterns by running a quick lookup against your access management system:
grep "2026-01-20" /var/log/access.log | awk '$4 > "08:00" && $4 < "17:00"'
Validating physical claims with digital telemetry is essential. We should cross-reference badge-in times with EDR logon events. If an account authenticates via VPN hours after the last physical badge swipe—or from a location inconsistent with the badge entry—it's a strong indicator of vishing success.
Try this KQL query to identify those time discrepancies:
DeviceLogonEvents
| where Timestamp > ago(1d)
| where LogonType == "RemoteInteractive"
| project Timestamp, AccountName, IPAddress
// inner join keeps LastBadge for the comparison below (leftanti would drop the right-hand columns)
| join kind=inner (
    PhysicalAccessLogs
    | where Timestamp > ago(7d) // badge lookback must be wider than the gap being tested
    | summarize LastBadge = max(Timestamp) by AccountName
) on AccountName
| extend TimeDiff = Timestamp - LastBadge
| where TimeDiff > 4h
| project Timestamp, AccountName, IPAddress, LastBadge, TimeDiff
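As an added example that is none of the posters' code: a small Python correlation of the three telemetry sources this thread discusses, a helpdesk reset call where the caller claims to be on-site, the badge events that follow it (including the after-hours check from the first query), and remote logons long after the account's last badge swipe (the discrepancy from the last reply). All account names, timestamps and IPs are constructed, and the one-hour badge window and two-hour logon gap are assumed thresholds, not figures from the report.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): helpdesk reset calls where the
# caller claimed to be on-site, badge swipes, and remote (VPN/RDP) logons.
HELPDESK_CALLS = [
    ("2026-02-03 19:42", "jdoe", "VPN reset, caller says on-site"),
    ("2026-02-04 10:15", "asmith", "VPN reset, caller says on-site"),
]
BADGE_EVENTS = [
    ("2026-02-03 20:05", "jdoe", "ServerRoom-2"),
    ("2026-02-04 08:01", "asmith", "Lobby"),
]
REMOTE_LOGONS = [
    ("2026-02-03 22:30", "jdoe", "203.0.113.7"),
    ("2026-02-04 09:30", "asmith", "198.51.100.4"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def after_hours(t, start=18, end=6):
    # The window wraps midnight, so it is an OR, not a single between().
    return t.hour >= start or t.hour < end

def correlate(calls, badges, logons,
              badge_window=timedelta(hours=1), logon_gap=timedelta(hours=2)):
    """One finding per helpdesk call, listing the indicators that fired."""
    findings = []
    for call_ts, acct, note in calls:
        call_t, reasons = parse(call_ts), []
        swipes = sorted((parse(b), loc) for b, a, loc in badges if a == acct)
        # 1. Same account badges in shortly after claiming to be on-site
        for t, loc in swipes:
            if timedelta(0) <= t - call_t <= badge_window:
                mins = int((t - call_t).total_seconds() // 60)
                reasons.append(f"badge at {loc} {mins} min after reset call")
                if after_hours(t):
                    reasons.append(f"after-hours badge at {t:%H:%M}")
        # 2. Remote logon well after the account's most recent badge swipe
        if swipes:
            last_badge = swipes[-1][0]
            for l, a, ip in logons:
                gap = parse(l) - last_badge
                if a == acct and gap > logon_gap:
                    reasons.append(f"remote logon from {ip} {gap} after last badge")
        findings.append({"account": acct, "call": call_ts, "note": note,
                         "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])
```

In the constructed data jdoe trips all three indicators (badge 23 minutes after the call, after hours, remote logon 2h25m after the last badge) while asmith, who badged in during business hours and logged on 90 minutes later, scores zero.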