Description
Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access, approval of changes, disclosure of sensitive information, or execution of adversary-supplied instructions (i.e., introduction of malicious payloads or software), while minimizing technical indicators.
Adversaries may leverage trust-building methods across multiple channels (e.g., executive, vendor, or help desk scenarios, including AI-enabled voice interactions) to prompt user-authorized actions such as password resets, MFA changes, financial approvals, or the disclosure of sensitive information. Adversaries may also leverage common business communications and workflows such as email, collaboration platforms, voice communications, recruiting processes, help desk interactions, and SaaS consent mechanisms to make malicious requests appear routine and legitimate.(Citation: Proofpoint TA427 April 2024)(Citation: SE SentinelOne 2)(Citation: SE - Hackers Target Workday)
Additionally, adversaries have persuaded victims to take actions through references to current events, harnessing themes relevant to the work role or the organization's mission. For example, adversaries may use scare tactics (i.e., threaten repercussions for non-compliance) or otherwise incite victims’ emotions in order to generate a sense of urgency to take action.(Citation: SE Proofpoint)(Citation: SE SentinelOne)
This technique may include common social engineering patterns such as Phishing and Spearphishing Voice, often supported by convincing and targeted narratives.(Citation: SE SentinelOne 2)(Citation: Fortinet Trends 25-26)
Platforms
Sub-Techniques (2)
Mitigations (3)
Account Use Policies (M1036)
Adds verification for helpdesk resets, approvals, and app consents commonly targeted by impersonation.(Citation: SE SentinelOne 2)(Citation: SE - Hackers Target Workday)
Audit (M1047)
Enables correlation of email/identity/SaaS/endpoint activity that appears legitimate.(Citation: Proofpoint TA427 April 2024)(Citation: Unit 42 Global Incident Response Report 2026)
User Training (M1017)
Reduces success of phishing/vishing/impersonation and modern “human interface” lures.(Citation: SE SentinelOne 2)(Citation: Sophos User Interaction)(Citation: Unit 42 Global Incident Response Report 2026)
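The kind of correlation the Audit mitigation refers to, as an added example (not part of the original page or of MITRE ATT&CK): it joins constructed help desk, identity and SaaS audit events per user and flags a help desk password reset that is followed shortly by an MFA change or app consent. The event schema, action names and 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, normalized from hypothetical help desk, identity
# provider and SaaS audit logs. Field and action names are assumptions.
EVENTS = [
    {"ts": "2026-04-15T09:02:00", "src": "helpdesk", "user": "alice", "action": "password_reset"},
    {"ts": "2026-04-15T09:10:00", "src": "idp", "user": "alice", "action": "mfa_device_added"},
    {"ts": "2026-04-15T09:14:00", "src": "saas", "user": "alice", "action": "oauth_consent_granted"},
    {"ts": "2026-04-15T10:00:00", "src": "helpdesk", "user": "bob", "action": "password_reset"},
    {"ts": "2026-04-15T15:30:00", "src": "idp", "user": "bob", "action": "mfa_device_added"},
    {"ts": "2026-04-15T11:00:00", "src": "saas", "user": "carol", "action": "oauth_consent_granted"},
]

TRIGGER = ("helpdesk", "password_reset")                  # user-authorized action
FOLLOW_ON = {"mfa_device_added", "oauth_consent_granted"}  # sensitive follow-ups


def correlate(events, window=timedelta(minutes=30), min_follow_ons=1):
    """Return one finding per help desk reset that is followed, for the same
    user and within `window`, by at least `min_follow_ons` distinct sensitive
    identity or SaaS actions. Each event alone would look legitimate."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    findings = []
    for i, ev in enumerate(parsed):
        if (ev["src"], ev["action"]) != TRIGGER:
            continue
        follow = []
        for later in parsed[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # events are time-sorted, so nothing later can match
            if later["user"] == ev["user"] and later["action"] in FOLLOW_ON:
                follow.append(later["action"])
        if len(set(follow)) >= min_follow_ons:
            findings.append({"user": ev["user"],
                             "reset_at": ev["ts"].isoformat(),
                             "follow_ons": follow})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Raising `min_follow_ons` or shortening `window` trades recall for fewer alerts on routine resets.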
References
- David Jones. (2025, August 19). Hackers target Workday in social engineering attack. Retrieved April 15, 2026.
- Fortinet. (n.d.). Recent Cyber Attacks & Emerging Cybersecurity Trends. Retrieved April 15, 2026.
- Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.
- Proofpoint. (n.d.). What Is Social Engineering? Retrieved April 15, 2026.
- SentinelOne. (2023, October 19). Social Engineering Attacks | How to Recognize and Resist The Bait. Retrieved April 15, 2026.
- SentinelOne. (2025, August 19). 15 Types of Social Engineering Attacks. Retrieved April 15, 2026.
Frequently Asked Questions
What is T1684 (Social Engineering)?
T1684 is a MITRE ATT&CK technique named 'Social Engineering'. It belongs to the Stealth tactic(s). Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access, approval of changes, disclosure of sensitive information, or execution of adver...
How can T1684 be detected?
Detection of T1684 (Social Engineering) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1684?
There are 3 documented mitigations for T1684. Key mitigations include: Account Use Policies, Audit, User Training.
Which threat groups use T1684?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.