Stealth

T1684.001: Impersonation

T1684.001 · Sub-technique · 5 platforms · 15 groups

Description

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.

In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables Financial Theft.

Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text (for example "payment", "request", or "urgent") to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted at people who, due to their job roles and/or accesses, can carry out the adversary's goal.

Impersonation is typically preceded by reconnaissance techniques such as Gather Victim Identity Information and Gather Victim Org Information as well as acquiring infrastructure such as email domains (i.e. Domains) to substantiate their false identity.(Citation: Crowdstrike BEC)

There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)

Platforms

Linux, macOS, Office Suite, SaaS, Windows

Mitigations (2)

M1017: User Training

Train users to be aware of impersonation tricks and how to counter them, for example confirming incoming requests through an independent platform like a phone call or in-person, to reduce risk.

M1019: Threat Intelligence Program

Threat intelligence helps defenders and users be aware of and defend against common lures and active campaigns that have been used for impersonation.

Threat Groups (15)

| ID | Group | Context |
| --- | --- | --- |
| G1033 | Star Blizzard | [Star Blizzard](https://attack.mitre.org/groups/G1033) has registered impersonation email accounts to spoof experts in a particular field or individua... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has also impersonated legitimate people, such as a foreign advisor, an embassy employee, and a think ... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has impersonated banks including Banco Davivienda, Bancolombia, and BBVA as well as government insti... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has impersonated individuals familiar to the victim and technical support associated with soci... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has sent targeted emails purporting to be from a Japanese political party's PR department.(Citatio... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) utilized social engineering to compel IT help desk personnel to reset passwords and MFA toke... |
| G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) has impersonated government and related entities in both phishing activity and developing web site... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has impersonated legitimate people in phishing emails to gain credentials.(Citation: Mandiant APT42-cha... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) impersonates help desk and IT support personnel for phishing and social engineering purposes durin... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used support@microsoftonlines[.]com to send phishing emails that masqueraded as security updat... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) had impersonated HR hiring personnel through social media, job board notifications, and ... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used look-alike domains and graphics of trusted security solution providers to entice vict... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has called victims' help desk and impersonated legitimate users with previously gathered information ... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) impersonated an employee at a video game developer company to send phishing emails.(Citation: apt41_man... |
| G0007 | APT28 | [LAMEHUG](https://attack.mitre.org/software/S9035) has sent spearphishing emails impersonating Ukrainian government officials. (Citation: Cato LAMEHUG... |

Associated Software (2)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S9037 | RustyWater | Malware | [RustyWater](https://attack.mitre.org/software/S9037) has impersonated TMCell (Altyn Asyr CJSC), the primary mobile operator in Turkmenistan, sending ... |
| S1131 | NPPSPY | Tool | [NPPSPY](https://attack.mitre.org/software/S1131) creates a network listener using the misspelled label `logincontroll` recorded to the Reg... |

Frequently Asked Questions

What is T1684.001 (Impersonation)?

T1684.001 is a MITRE ATT&CK sub-technique named 'Impersonation'. It belongs to the Stealth tactic. Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims...

How can T1684.001 be detected?

Detection of T1684.001 (Impersonation) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1684.001?

There are 2 documented mitigations for T1684.001: User Training (M1017) and Threat Intelligence Program (M1019).

Which threat groups use T1684.001?

Known threat groups using T1684.001 include: Star Blizzard, Kimsuky, APT-C-36, VOID MANTICORE, MirrorFace, Scattered Spider, Saint Bear, APT42.