Resource Development

T1683.001: Written Content

T1683.001 · Sub-technique · 1 platform · 2 groups

Description

Adversaries may create or tailor written materials to support targeting and malicious operations. Content may include phishing lures, fraudulent financial communications, fabricated job postings, fabricated employment credentials and documentation, decoy documents, social media persona content, and supporting narratives used to sustain fabricated personas over time. (Citation: GenAI Phishing) (Citation: GTIG AI Threat Tracker) Content may be authored manually, commissioned through third parties, or produced using AI-assisted tools.

Written materials may impersonate legitimate government correspondence, diplomatic communications, or internal organizational documents to support targeting efforts. AI-assisted tools may also be used to tailor content to specific targets, industries, or regions. For example, adversaries may leverage AI to translate content into a target's native language or mimic the communication style of trusted senders.

Written content produced through these methods may be used in support of other techniques, such as Phishing, Spearphishing via Service, Phishing for Information, Internal Spearphishing, Social Engineering, Financial Theft, or Establish Accounts.

Written content does not include malicious code or scripts; for development of malicious code and scripts, see Develop Capabilities.

Platforms

PRE

Mitigations (1)

Pre-compromise (M1056)

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on designing defenses that are not reliant on atomic indicators.

Threat Groups (2)

| ID | Group | Context |
| --- | --- | --- |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has generated email content impersonating official notifications and documents that direct victims t... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has created fake social media accounts such as LinkedIn and Telegram accounts for their ... |

Frequently Asked Questions

What is T1683.001 (Written Content)?

T1683.001 is a MITRE ATT&CK sub-technique named 'Written Content'. It belongs to the Resource Development tactic. Adversaries may create or tailor written materials to support targeting and malicious operations. Content may include phishing lures, fraudulent financial communications, fabricated job postings, fabr...

How can T1683.001 be detected?

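Detection of T1683.001 (Written Content) typically involves monitoring system logs, network traffic, and endpoint telemetry. Because the content is created outside the scope of enterprise defenses and controls, that monitoring can only observe it once it is used in support of another technique, such as Phishing or Internal Spearphishing. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.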

What mitigations exist for T1683.001?

There is 1 documented mitigation for T1683.001: Pre-compromise (M1056).

Which threat groups use T1683.001?

Known threat groups using T1683.001 include APT-C-36 and Contagious Interview.