Automated SIP INVITE requests initiating direct call setup toward a numeric extension, indicating scripted VoIP interaction rather than passive capability probing. The client attempts to establish a call session (e.g., extension-to-extension dialing such as 100 → 100) using high-entropy Call-ID values, a pattern frequently associated with automated dialers, toll-fraud reconnaissance, or PBX abuse tooling. These interactions validate whether the endpoint accepts call initiation and may precede brute-force registration attempts, relay abuse, or fraudulent outbound call campaigns.

Automated SIP OPTIONS requests used to validate reachable VoIP endpoints and enumerate service capabilities without initiating a call session. The client sends standalone OPTIONS probes with high-entropy or unusually long Call-ID values, a pattern commonly associated with scripted scanning frameworks or VoIP reconnaissance tooling. Such activity is typically observed during infrastructure discovery phases where attackers identify responsive SIP servers, supported methods, and potential targets for toll fraud, brute-force registration attempts, or later exploitation campaigns.