
SC-107: Deepfake Voice CEO Fraud & Wire Transfer Attack

Operation SILK VOICE

Classification: TABLETOP EXERCISE — 100% Synthetic

All organizations, individuals, IP addresses, domains, financial details, and threat actors in this scenario are entirely fictional. Created for educational tabletop exercises only.


Scenario Metadata

Field Value
Difficulty ★★★★☆ (Advanced)
Duration 2-3 hours
Participants 4-8 (SOC, IR, Treasury, Legal, Communications)
ATT&CK Techniques T1566.004 · T1534 · T1059 · T1657 · T1078 · T1114
Threat Actor GOLDEN MIRROR (financially motivated, AI-enabled fraud)
Industry Manufacturing / Finance
Primary Impact Financial — $4.2M attempted wire transfer

Threat Actor Profile: GOLDEN MIRROR

Attribute Detail
Motivation Financial gain
Sophistication High — leverages commercial AI voice cloning, deepfake video
Known Targets Manufacturing, financial services, real estate (high-value wire transfers)
Avg. Dwell Time 2-4 weeks (reconnaissance before strike)
Signature Multi-channel social engineering: AI voice + spoofed email + SMS pressure
Tools Commercial voice cloning APIs, email spoofing infrastructure, VoIP with caller ID manipulation

Executive Summary

GOLDEN MIRROR conducts a sophisticated CEO impersonation attack against Meridian Manufacturing Group (synthetic). The threat actor spends 3 weeks collecting audio samples of CEO Sarah Chen from earnings calls, conference presentations, and podcast appearances — all publicly available. Using commercial AI voice cloning technology, they generate a convincing real-time voice deepfake capable of interactive conversation. The attack combines a deepfake voice call to the VP of Treasury with a spoofed email thread appearing to show prior authorization from the CFO and legal counsel. The attacker requests an "urgent" $4.2M wire transfer to a "confidential acquisition target." The fraud is detected when a treasury analyst notices the callback number provided doesn't match the CEO's known mobile number and initiates the company's verbal verification protocol.


Environment Setup

Target Organization: Meridian Manufacturing Group (synthetic)

Asset Detail
Industry Industrial manufacturing, 4,200 employees
Revenue $1.8B annual
HQ 10.1.0.0/16 corporate network
Email Microsoft 365, Defender for Office 365
Treasury System SAP S/4HANA, dual-approval wire transfers > $100K
Phone System Microsoft Teams + Cisco VoIP (caller ID enabled)
CEO Sarah Chen — frequent public speaker, 50+ hours of public audio available
VP Treasury Marcus Rodriguez — 12 years with company, direct report to CFO
CFO David Park — traveling internationally (Tokyo) during attack

Phase 1: Reconnaissance & Voice Cloning (T-21 to T-3 days)

Attacker Actions

GOLDEN MIRROR conducts extensive open-source intelligence gathering:

  1. Audio collection — Downloads 47 audio/video files of CEO Sarah Chen from:
     - Quarterly earnings call recordings (investor relations website)
     - Industry conference keynote (YouTube)
     - Podcast interview (Spotify)
     - Company promotional video (LinkedIn)
     - Total: ~52 hours of clean voice samples

  2. Organizational mapping — Via LinkedIn, identifies:
     - Treasury team structure (VP, 3 analysts, 1 manager)
     - CFO travel schedule (Tokyo conference, posted on LinkedIn)
     - CEO's communication patterns (time of calls, typical urgency language)
     - Approval thresholds and dual-control policies (from job postings mentioning "SAP dual-approval workflows")

  3. Voice model training — Using commercial voice cloning API:
     - Trains real-time voice conversion model on 52 hours of CEO audio
     - Tests with 15-second delay for natural conversation flow
     - Achieves 94% voice similarity score (synthetic metric)

  4. Infrastructure setup:
     - Registers VoIP number with caller ID spoofing: displays as +1-555-0142 (CEO's known office line)
     - Creates lookalike domain: meridian-mfg.example.com (vs legitimate meridian-manufacturing.example.com)
     - Prepares spoofed email thread with forged headers

Evidence Artifacts

DNS Registration (T-14 days)

Domain: meridian-mfg.example.com
Registrar: Example Registrar Inc.
Created: 2026-03-29T14:22:00Z
Registrant: Privacy Protected
Name Servers: ns1.example-hosting.example.com
MX Records: mail.meridian-mfg.example.com

Discussion Injects

Technical

What publicly available information about your organization's executives could be used for voice cloning? How much audio is typically needed for a convincing deepfake?

Decision

Should your organization implement policies restricting executive audio/video distribution? What are the tradeoffs between public engagement and deepfake risk?


Phase 2: The Attack — Multi-Channel Social Engineering (T+0)

Timeline of Events

09:12 UTC — Spoofed email arrives in VP Treasury Marcus Rodriguez's inbox:

Spoofed Email Thread

From: Sarah Chen <s.chen@meridian-mfg.example.com>
To: Marcus Rodriguez <m.rodriguez@meridian-manufacturing.example.com>
CC: David Park <d.park@meridian-mfg.example.com>
Subject: RE: RE: Confidential — Strategic Acquisition — URGENT
Date: 2026-04-12T09:12:00Z

Marcus,

As discussed with David last week, we need to move on the Pinnacle 
acquisition TODAY. The seller has given us until 3pm ET or they walk. 
David approved the wire from Tokyo yesterday (see thread below).

Wire $4,200,000 to the escrow account:
  Bank: First National Trust (synthetic)
  Routing: 021000089
  Account: 7834-2291-0056
  Reference: MERIDIAN-PINNACLE-ACQ-2026

I'll call you in 5 minutes to confirm. This is highly confidential — 
do not discuss with anyone outside this thread until the deal closes.

Sarah

-------- Original Message --------
From: David Park <d.park@meridian-mfg.example.com>
To: Sarah Chen <s.chen@meridian-mfg.example.com>
Date: 2026-04-11T22:45:00Z

Sarah — approved. Let's get this done. Wire authority confirmed 
for up to $5M from operating account. Marcus can execute.

David
(sent from mobile)

09:17 UTC — Phone call to Marcus Rodriguez's desk phone:

Call Metadata

Caller ID: +1-555-0142 (matches CEO office line)
Duration: 4 minutes 23 seconds
Call Type: VoIP (SIP/RTP)
Audio Quality: High (16kHz, low latency)

Voice call content (reconstructed from Marcus's notes):

"Marcus, it's Sarah. Did you get my email about the Pinnacle deal? ... Yes, David and I have been working on this for three weeks. The board will be briefed after close. ... I know the amount is significant, but we've done deals this size before. The escrow account is standard — First National Trust handles all our M&A escrow. ... I need this wired by 2pm. Can you do that? ... Great. And Marcus — please keep this between us until the announcement. We don't want this leaking to the market."

Evidence Artifacts

Microsoft 365 Email Headers (Simplified)

Authentication-Results: spf=fail (sender IP 203.0.113.45 not 
  authorized for meridian-mfg.example.com); 
  dkim=none; dmarc=fail action=quarantine
X-MS-Exchange-Organization-SCL: 5
X-Forefront-Antispam-Report: SFV:SPM
Received: from mail.meridian-mfg.example.com (203.0.113.45)

VoIP SIP Log

2026-04-12T09:17:02Z INVITE sip:m.rodriguez@10.1.4.50
From: <sip:+15550142@198.51.100.77>
Via: SIP/2.0/UDP 198.51.100.77:5060
User-Agent: VoIP-Gateway/3.2.1
X-Originating-IP: 198.51.100.77

Detection Queries

KQL (Microsoft Defender advanced hunting):

// Detect emails from lookalike domains with DMARC/SPF failures
EmailEvents
| where Timestamp > ago(24h)
| where SenderFromDomain has_any ("meridian-mfg", "meridian-manufacturing")
| where AuthenticationDetails contains "spf=fail"
    or AuthenticationDetails contains "dmarc=fail"
| project Timestamp, SenderFromAddress, RecipientEmailAddress,
    Subject, AuthenticationDetails, SenderIPv4

Splunk (SPL):

index=email sourcetype=o365:messageTrace earliest=-24h
| search sender_domain="*meridian*"
| where spf_result="fail" OR dmarc_result="fail"
| table _time sender recipient subject src_ip spf_result dmarc_result
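The discussion inject below asks why a message that failed SPF and DMARC still reached Marcus. The following added example (not code from the exercise) parses the simplified Authentication-Results header from the evidence artifact and applies the three possible DMARC policies to it, so the difference between p=quarantine (the message lands somewhere a user can still retrieve it) and p=reject (bounced at SMTP time) is visible on the scenario's own header. The policy table is a constructed stand-in for the organization's published DMARC record.

```python
"""Parse a Microsoft 365 Authentication-Results header and apply a DMARC policy.

Added example for this exercise; not code from the original page. The sample
header is the simplified Phase 2 artifact folded onto one line. The policy
table is a constructed stand-in for the organisation's published DMARC record.
"""
import re

# Constructed from the Phase 2 evidence artifact (continuation lines folded).
SAMPLE_HEADER = (
    "Authentication-Results: spf=fail (sender IP 203.0.113.45 not "
    "authorized for meridian-mfg.example.com); dkim=none; "
    "dmarc=fail action=quarantine"
)

# What a receiving MTA does with a DMARC-failing message under each policy.
POLICY_ACTIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_auth_results(header: str) -> dict:
    """Return the spf/dkim/dmarc verdicts (and any action=) as a dict.

    Parenthetical comments such as "(sender IP ... not authorized ...)" are
    removed first so that words inside them are never mistaken for verdicts.
    """
    body = header
    if header.lower().startswith("authentication-results:"):
        body = header.split(":", 1)[1]
    body = re.sub(r"\([^)]*\)", " ", body)
    return {
        m.group(1).lower(): m.group(2).lower()
        for m in re.finditer(r"\b(spf|dkim|dmarc|action)=([A-Za-z]+)", body)
    }


def disposition(results: dict, policy: str) -> str:
    """Decide what the receiver does with the message under the given policy.

    A DMARC pass always delivers. On failure, p=none still delivers,
    p=quarantine routes to junk/quarantine (where a user may still go and
    read it), and p=reject refuses the message so no mailbox ever sees it.
    """
    if results.get("dmarc") == "pass":
        return "deliver"
    if policy not in POLICY_ACTIONS:
        raise ValueError(f"unknown DMARC policy: {policy}")
    return POLICY_ACTIONS[policy]


def compare_policies(header: str) -> dict:
    """Outcome of one header under every policy the domain owner could publish."""
    results = parse_auth_results(header)
    return {policy: disposition(results, policy) for policy in POLICY_ACTIONS}


if __name__ == "__main__":
    print(parse_auth_results(SAMPLE_HEADER))
    for policy, outcome in compare_policies(SAMPLE_HEADER).items():
        print(f"p={policy:<10} -> {outcome}")
```

Run against the scenario header, the comparison shows that only p=reject removes the "user checks the quarantine folder" path that Phase 4 identifies as the reason the email was read.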

Discussion Injects

Technical

The email failed SPF and DMARC checks. Why did it still reach Marcus's inbox? What email security configurations could have prevented delivery?

Decision

Marcus received both an email and a phone call that appeared legitimate. At what point should he have become suspicious? What verification procedures should be standard for wire transfers?


Phase 3: Detection — The Callback That Saved $4.2M (T+45 minutes)

The Critical Moment

09:55 UTC — Treasury analyst Jennifer Walsh (Marcus's team member) notices Marcus preparing an urgent wire transfer and asks about it. Marcus mentions Sarah called directly.

10:02 UTC — Jennifer checks the internal directory:
  - CEO Sarah Chen's mobile: +1-555-0198
  - The call came from: +1-555-0142 (CEO's office landline)
  - But Sarah Chen is working from home today (per her Teams status: "WFH")

10:05 UTC — Jennifer initiates the company's verbal verification protocol:
  - Calls Sarah Chen directly on her known mobile number (+1-555-0198)
  - Sarah confirms she did NOT send any email about an acquisition
  - Sarah confirms she did NOT call Marcus
  - Sarah immediately contacts the CFO David Park in Tokyo — he confirms no acquisition is in progress

10:08 UTC — Marcus halts the wire transfer (not yet submitted to the bank)

10:12 UTC — IR team activated, SOC begins investigation

Evidence Artifacts

Teams Presence Log

2026-04-12T08:00:00Z User: sarah.chen@meridian-manufacturing.example.com
Status: Available | Location: Remote | Device: Laptop (Home WiFi)
Last Activity: 09:45 UTC (Teams message to marketing team)

No outbound calls from sarah.chen's Teams account between 09:00-10:00 UTC

PBX Call Detail Record

Call ID: CDR-2026041209170234
Direction: Inbound
To: ext 4050 (Marcus Rodriguez)
From: +1-555-0142 (displayed)
Actual Source: 198.51.100.77 (VoIP gateway — NOT internal PBX)
Duration: 263 seconds
Recording: Available (compliance recording enabled)

Detection Queries

KQL (Microsoft Sentinel, custom VoIP table):

// Detect caller ID spoofing — calls showing internal numbers from external sources
// Executive numbers as listed in the corporate directory; populate from the directory export
let internal_executive_numbers = dynamic(["+1-555-0142", "+1-555-0198"]);
CiscoVoIPLogs
| where TimeGenerated > ago(24h)
| where Direction == "Inbound"
| where CallerID_Display in (internal_executive_numbers)
| where SourceIP !startswith "10."
| project TimeGenerated, CallerID_Display, SourceIP,
    DestinationExtension, Duration

Splunk (SPL):

index=voip sourcetype=cisco:cdr direction=inbound earliest=-24h
| where match(caller_id, "555-01(42|98|55)")
| where NOT cidrmatch("10.0.0.0/8", src_ip)
| table _time caller_id src_ip dest_ext duration
| sort -_time
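The same detection logic as the queries above, implemented over call detail records in an added Python example (not code from the exercise or from Cisco): an inbound call is flagged when its displayed caller ID belongs to an executive in the directory but its SIP source address lies outside the corporate 10.0.0.0/8 space. The pipe-delimited CDR layout is an assumption; the sample records are constructed around the Phase 3 PBX record (CDR-2026041209170234 from 198.51.100.77) plus a genuine internal call from the same displayed number for contrast.

```python
"""Detect caller-ID spoofing in PBX call detail records: an inbound call that
displays an internal executive number but whose SIP source address is outside
the corporate network (10.0.0.0/8 in this scenario).

Added example for this exercise, not code from the page or from Cisco. The
pipe-delimited CDR layout is an assumption; the sample records are constructed
around the Phase 3 PBX record (CDR-2026041209170234 from 198.51.100.77).
"""
import ipaddress
import re

# Address space the PBX lives in; a genuine internal call originates here.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Executive numbers as they appear in the corporate directory (digits only).
EXECUTIVE_NUMBERS = {
    "15550142": "CEO office line",
    "15550198": "CEO mobile",
}

# Constructed sample CDRs: call_id|direction|displayed_from|source_ip|dest_ext|duration_s
SAMPLE_CDRS = """\
CDR-2026041209170234|Inbound|+1-555-0142|198.51.100.77|4050|263
CDR-2026041208450011|Inbound|+1-555-0142|10.1.2.15|4050|41
CDR-2026041210050099|Outbound|+1-555-0198|10.1.4.50|4050|95
CDR-2026041211220010|Inbound|+1-555-0311|203.0.113.9|4051|30
"""


def digits_only(number: str) -> str:
    """Normalise '+1-555-0142', '1 (555) 0142' and '15550142' to the same key."""
    return re.sub(r"\D", "", number)


def is_internal(ip: str) -> bool:
    """True when the SIP source address belongs to the corporate network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_cdrs(text: str) -> list:
    """Parse the pipe-delimited records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        call_id, direction, shown, src, dest, dur = line.split("|")
        records.append({
            "call_id": call_id, "direction": direction, "displayed_from": shown,
            "source_ip": src, "dest_ext": dest, "duration_s": int(dur),
        })
    return records


def find_spoofed_executive_calls(text: str) -> list:
    """Inbound calls that claim an executive number from outside the PBX network."""
    hits = []
    for rec in parse_cdrs(text):
        if rec["direction"].lower() != "inbound":
            continue
        label = EXECUTIVE_NUMBERS.get(digits_only(rec["displayed_from"]))
        if label and not is_internal(rec["source_ip"]):
            hits.append({**rec, "claimed_identity": label})
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_executive_calls(SAMPLE_CDRS):
        print(f"{hit['call_id']}: displayed {hit['displayed_from']} ({hit['claimed_identity']}) "
              f"but sourced from {hit['source_ip']}")
```

The internal call from 10.1.2.15 with the same displayed number is deliberately not flagged: the rule keys on the mismatch between claimed identity and network origin, not on the number alone, which keeps the alert volume down on a busy executive line.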

Discussion Injects

Investigative

What specific technical evidence confirms this was a deepfake voice call rather than a legitimate call? How would you preserve the voice recording for forensic analysis?

Decision

The wire transfer was stopped because an analyst followed verification protocol. What if Marcus had been alone? How do you design controls that work even when only one person is involved?


Phase 4: Investigation & Attribution (T+2 hours to T+48 hours)

SOC Investigation Findings

Email forensics:
  - Sender domain meridian-mfg.example.com registered 14 days prior
  - SPF record for lookalike domain pointed to 203.0.113.45 (VPS in a hosting provider)
  - No DKIM signing — email was unsigned
  - DMARC policy for legitimate domain was p=quarantine (not reject) — email was quarantined but Marcus had checked his quarantine folder

Voice forensics:
  - Audio recording analyzed by forensic team
  - Spectral analysis reveals: consistent 16kHz ceiling (AI-generated audio typically lacks high-frequency harmonics above 16kHz that natural speech contains)
  - Micro-latency patterns: 150-300ms response delays inconsistent with natural conversation (AI processing delay)
  - Breathing patterns absent — natural speakers breathe; AI voice clones typically don't generate breathing artifacts

VoIP infrastructure:
  - Source IP 198.51.100.77 — VoIP provider offering caller ID spoofing as a feature
  - SIP headers show User-Agent: VoIP-Gateway/3.2.1 (not Cisco internal PBX)
  - Provider contacted — account registered with stolen identity

Financial trail:
  - Destination account (7834-2291-0056) flagged by bank's fraud team after company notification
  - Account opened 7 days prior with synthetic identity documents
  - No funds transferred (wire was halted before submission)

Detection Queries

KQL (Microsoft Defender advanced hunting):

// Hunt for other lookalike domain emails in the past 30 days
EmailEvents
| where Timestamp > ago(30d)
| where SenderFromDomain matches regex @"meridian.*(mfg|manuf|corp|group)"
| where SenderFromDomain != "meridian-manufacturing.example.com"
| summarize Count=count(), Recipients=make_set(RecipientEmailAddress)
    by SenderFromDomain, SenderFromAddress
| sort by Count desc

Splunk (SPL):

index=email sourcetype=o365:messageTrace earliest=-30d
| regex sender_domain="meridian.*(mfg|manuf|corp|group)"
| where sender_domain!="meridian-manufacturing.example.com"
| stats count values(recipient) as recipients by sender_domain sender
| sort -count
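The hunt above relies on a fixed regex over the brand token. The added example below (not the page's queries nor a vendor tool) generalizes it: it keeps the brand-token rule but also scores edit distance against the legitimate domain, so a single-character typo-squat such as a swapped letter that the regex would miss is surfaced too, then summarizes hits by domain with senders and recipients as the SPL `stats` does. The message-trace rows are constructed, and their (sender, recipient) layout is an assumption.

```python
"""Hunt for lookalike sender domains in message-trace records.

Added example for this exercise; not the page's queries nor a vendor tool.
Records are constructed; the (sender, recipient) layout is an assumption.
"""
import re
from collections import defaultdict

LEGIT_DOMAIN = "meridian-manufacturing.example.com"
BRAND_TOKEN = "meridian"

# Constructed message-trace rows: (sender address, recipient address).
RECORDS = [
    ("s.chen@meridian-mfg.example.com", "m.rodriguez@meridian-manufacturing.example.com"),
    ("d.park@meridian-mfg.example.com", "m.rodriguez@meridian-manufacturing.example.com"),
    ("hr@meridian-manufacturing.example.com", "all-staff@meridian-manufacturing.example.com"),
    ("ap@meridlan-manufacturing.example.com", "j.walsh@meridian-manufacturing.example.com"),
    ("news@unrelated.example.org", "m.rodriguez@meridian-manufacturing.example.com"),
    ("ceo@meridian-corp.example.com", "d.park@meridian-manufacturing.example.com"),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the classic DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN, brand: str = BRAND_TOKEN) -> bool:
    """Flag typo-squats of the whole domain and any label reusing the brand token."""
    domain = domain.lower()
    if domain == legit:
        return False
    if levenshtein(domain, legit) <= 2:      # e.g. one swapped or dropped letter
        return True
    # Brand token, or a one-edit variant of it, used as a label anywhere in the name.
    return any(levenshtein(tok, brand) <= 1 for tok in re.split(r"[.-]", domain))


def hunt(records) -> dict:
    """Summarise suspicious sender domains: count, distinct senders, recipients."""
    summary = defaultdict(lambda: {"count": 0, "senders": set(), "recipients": set()})
    for sender, recipient in records:
        domain = sender.rsplit("@", 1)[1]
        if is_lookalike(domain):
            entry = summary[domain]
            entry["count"] += 1
            entry["senders"].add(sender)
            entry["recipients"].add(recipient)
    # Highest-volume domains first, matching "sort by Count desc" in the hunt query.
    return dict(sorted(summary.items(), key=lambda kv: -kv[1]["count"]))


if __name__ == "__main__":
    for domain, entry in hunt(RECORDS).items():
        print(f"{domain}: {entry['count']} message(s) to {sorted(entry['recipients'])}")
```

The brand-token rule will also pick up legitimate partner or subsidiary domains, so the output is a review list rather than a block list; in practice an allowlist of known-good domains is subtracted before the results are triaged.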

Phase 5: Remediation & Controls Enhancement (T+48 hours to T+2 weeks)

Immediate Actions (First 24 hours)

  1. DMARC policy upgraded from p=quarantine to p=reject for primary domain
  2. Lookalike domain reported to registrar for takedown
  3. All wire transfer approvals suspended pending process review
  4. Company-wide alert: "Do not act on unusual financial requests without verbal verification via known numbers"
  5. Voice recording preserved as forensic evidence (chain of custody documented)

Long-term Controls

  1. Dual verbal verification — All wire transfers > $50K require callback to two separate known numbers
  2. Code word system — Rotating weekly code words for financial authorization (shared in person, never via email/phone)
  3. AI voice detection — Evaluate commercial deepfake detection solutions for integration with phone system
  4. DMARC enforcement — p=reject with reporting enabled; monitor for lookalike domain registrations via brand monitoring service
  5. Executive audio policy — Risk assessment of publicly available executive audio; consider limiting live audio distribution
  6. Treasury training — Quarterly deepfake awareness exercises with simulated attack attempts
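The Phase 3 discussion asks how to design controls that still work when only one person is in the loop, and controls 1 and 2 above are that answer. The added example below (not the exercise's or any treasury system's code) encodes them as a policy check a wire workflow could call before submission: above $50K, two confirmed callbacks to two different people on numbers taken from the corporate directory, and the current week's code word. A callback placed to the number supplied in the request itself is rejected outright, which is the path a lone Marcus would otherwise have followed. The $50K threshold and the CEO mobile number come from the scenario; the CFO number, the code-word table and the request layout are constructed assumptions.

```python
"""Policy check for a wire-transfer request under the Phase 5 long-term
controls: above $50K, two confirmed callbacks to distinct people on numbers
taken from the corporate directory, plus the current week's code word.

Added example for this exercise; not the page's or any treasury system's code.
The directory entry for the CFO, the code-word table and the request layout
are constructed assumptions; the $50K threshold and the CEO mobile number
(+1-555-0198) are from the scenario.
"""
from dataclasses import dataclass

DUAL_CALLBACK_THRESHOLD = 50_000

# Verification numbers from the corporate directory (never from the request).
DIRECTORY = {
    "sarah.chen": {"+1-555-0198"},   # CEO mobile, per Phase 3
    "david.park": {"+1-555-0177"},   # CFO, constructed
}

# Weekly code words shared in person (constructed values).
CODE_WORDS = {"2026-W15": "cobalt-heron"}


@dataclass(frozen=True)
class WireRequest:
    amount: float
    requester: str          # who asked for the wire (e.g. the CEO)
    approver: str           # second person who must independently confirm
    supplied_callback: str  # number offered in the email/call; never trusted
    week: str
    code_word: str


@dataclass(frozen=True)
class Callback:
    person: str
    number_dialed: str
    confirmed: bool


def evaluate_wire(req: WireRequest, callbacks: list) -> tuple:
    """Return (approved, reasons). Every failed control is reported, not just the first."""
    reasons = []

    # Control 2: code word must match the current week (shared out of band).
    if CODE_WORDS.get(req.week) != req.code_word:
        reasons.append(f"code word missing or wrong for week {req.week}")

    # A callback counts only if it was dialed to that person's directory number.
    verified = set()
    for cb in callbacks:
        allowed = DIRECTORY.get(cb.person, set())
        if cb.number_dialed not in allowed:
            source = ("the number supplied in the request"
                      if cb.number_dialed == req.supplied_callback
                      else f"non-directory number {cb.number_dialed}")
            reasons.append(f"callback to {cb.person} went to {source}")
        elif cb.confirmed:
            verified.add(cb.person)

    # Control 1: dual verbal verification above the threshold, single below it.
    if req.amount > DUAL_CALLBACK_THRESHOLD:
        required = {req.requester, req.approver}
        if req.requester == req.approver:
            reasons.append("requester and approver must be different people")
    else:
        required = {req.requester}
    missing = required - verified
    if missing:
        reasons.append("no confirmed directory callback for: " + ", ".join(sorted(missing)))

    return (not reasons, reasons)


# The Phase 2 request as a lone analyst would have seen it (attacker number constructed).
ATTACK = WireRequest(4_200_000, "sarah.chen", "david.park", "+1-555-0301", "2026-W15", "")
# A genuine request that satisfies both controls.
LEGIT = WireRequest(4_200_000, "sarah.chen", "david.park", "+1-555-0198", "2026-W15", "cobalt-heron")

if __name__ == "__main__":
    ok, why = evaluate_wire(ATTACK, [Callback("sarah.chen", "+1-555-0301", True)])
    print("attack request:", "approved" if ok else "blocked", why)
    ok, why = evaluate_wire(LEGIT, [Callback("sarah.chen", "+1-555-0198", True),
                                    Callback("david.park", "+1-555-0177", True)])
    print("legitimate request:", "approved" if ok else "blocked", why)
```

Because the check is a function of the request and the callback evidence rather than of anyone's judgement of a voice, it gives the same answer whether one analyst or three are in the room, which is the property the Phase 3 decision inject is asking for.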

ATT&CK Mapping

Phase Technique ID Tactic
Recon Gather Victim Identity Information T1589 Reconnaissance
Recon Search Victim-Owned Websites T1594 Reconnaissance
Weaponize Develop Capabilities T1587 Resource Development
Delivery Phishing: Spearphishing Voice T1566.004 Initial Access
Delivery Internal Spearphishing T1534 Lateral Movement
Execution Command and Scripting Interpreter T1059 Execution
Impact Financial Theft T1657 Impact
Persistence Valid Accounts (Email) T1078 Defense Evasion

Lessons Learned

  1. AI-generated voice is indistinguishable to untrained ears — Technical controls (callback verification, code words) are more reliable than human voice recognition
  2. Multi-channel attacks are more convincing — Email alone might have been questioned; email + phone call created a compelling illusion of legitimacy
  3. DMARC policy matters — quarantine vs reject is the difference between "user might see it" and "user never sees it"
  4. The human firewall works when trained — Jennifer Walsh's instinct to verify saved $4.2M because she followed established protocol
  5. Publicly available executive media is a deepfake risk — 52 hours of audio made voice cloning trivial

Cross-References