Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.
In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables Financial Theft.
Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text (for example "payment", "request", or "urgent") to push the victim to act quickly before the malicious activity is detected. These campaigns are often specifically targeted against people who, due to their job roles and/or accesses, can carry out the adversary’s goal.
Impersonation is typically preceded by reconnaissance techniques such as Gather Victim Identity Information and Gather Victim Org Information as well as acquiring infrastructure such as email domains (i.e. Domains) to substantiate their false identity.[1]
There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.[2]
| ID | Name | Description |
|---|---|---|
| G0096 | APT41 | APT41 impersonated an employee at a video game developer company to send phishing emails.[3] |
| G1044 | APT42 | APT42 has impersonated legitimate people in phishing emails to gain credentials.[4][5] |
| C0027 | C0027 | During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages, either to direct victims to a credential harvesting site or to get victims to run commercial remote monitoring and management (RMM) tools.[6] |
| G1052 | Contagious Interview | Contagious Interview has impersonated HR hiring personnel through social media and job board notifications, and conducted interviews with victims in order to entice them to download malware disguised as legitimate applications or malicious scripts from code repositories.[7][8][9][10][11][12][13][14] |
| G0094 | Kimsuky | Kimsuky has impersonated academic institutions and NGOs in order to gain information related to North Korea.[15] |
| G1004 | LAPSUS$ | LAPSUS$ has called victims' help desk and impersonated legitimate users with previously gathered information in order to gain access to privileged accounts.[16] |
| S1131 | NPPSPY | NPPSPY creates a network listener using the misspelled label |
| C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.[18][19][20] |
| G1031 | Saint Bear | Saint Bear has impersonated government and related entities both in phishing activity and by developing web sites with malicious links that mimic legitimate resources.[21] |
| C0059 | Salesforce Data Exfiltration | During Salesforce Data Exfiltration, threat actors impersonated IT support personnel in voice calls with victims, at times claiming to be addressing enterprise-wide connectivity issues.[22][23] |
| G1015 | Scattered Spider | Scattered Spider utilized social engineering to compel IT help desk personnel to reset passwords and MFA tokens.[24][25] Scattered Spider has also used Microsoft Teams to pose as internal IT support or help desk personnel.[26] |
| G1046 | Storm-1811 | Storm-1811 impersonates help desk and IT support personnel for phishing and social engineering purposes during initial access to victim environments.[27] |
| ID | Mitigation | Description |
|---|---|---|
| M1019 | Threat Intelligence Program | Threat intelligence helps defenders and users be aware of and defend against common lures and active campaigns that have been used for impersonation. |
| M1017 | User Training | Train users to be aware of impersonation tricks and how to counter them, for example by confirming incoming requests through an independent channel such as a phone call or in person, to reduce risk. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0286 | Detection Strategy for Impersonation | AN0792 | Monitor for anomalous email activity originating from Windows-hosted applications (e.g., Outlook) where the sending account name or display name does not match the underlying SMTP address. Detect abnormal volume of outbound messages containing sensitive keywords (e.g., 'payment', 'wire transfer') or anomalous login locations for accounts associated with email sending activity. |
| | | AN0793 | Monitor mail server logs (Postfix, Sendmail, Exim) for anomalous From headers mismatching authenticated SMTP identities. Detect abnormal relay attempts, spoofed envelope-from values, or large-scale outbound campaigns targeting internal users. |
| | | AN0794 | Monitor Mail.app activity or unified logs for anomalous SMTP usage, including mismatches between display name and authenticated AppleID or Exchange credentials. Detect use of third-party mail utilities that attempt to send on behalf of corporate identities. |
| | | AN0795 | Monitor SaaS mail platforms (Google Workspace, M365, Okta-integrated apps) for SendAs/SendOnBehalfOf operations where the delegated permissions are unusual or newly granted. Detect impersonation attempts where adversaries configure rules to auto-forward or auto-reply with impersonated content. |
| | | AN0796 | Monitor Office Suite applications (Outlook, Word mail merge, Excel macros) for abnormal automated message sending, especially when macros or scripts trigger email delivery. Detect patterns of impersonation language (urgent, payment, executive request) combined with anomalous execution of Office macros. |