Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.
In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables Financial Theft.
Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as payment, request, or urgent to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.
Impersonation is typically preceded by reconnaissance techniques such as Gather Victim Identity Information and Gather Victim Org Information as well as acquiring infrastructure such as email domains (i.e. Domains) to substantiate their false identity.[1]
There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.[2]
| ID | Name | Description |
|---|---|---|
| G0096 | APT41 |
APT41 impersonated an employee at a video game developer company to send phishing emails.[3] |
| C0027 | C0027 |
During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages either to direct victims to a credential harvesting site or getting victims to run commercial remote monitoring and management (RMM) tools.[4] |
| G1004 | LAPSUS$ |
LAPSUS$ has called victims' help desk and impersonated legitimate users with previously gathered information in order to gain access to privileged accounts.[5] |
| S1131 | NPPSPY |
NPPSPY creates a network listener using the misspelled label |
| C0022 | Operation Dream Job |
During Operation Dream Job, Lazarus Group impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.[7][8][9] |
| G1031 | Saint Bear |
Saint Bear has impersonated government and related entities in both phishing activity and developing web sites with malicious links that mimic legitimate resources.[10] |
| G1015 | Scattered Spider |
During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages either to direct victims to a credential harvesting site or getting victims to run commercial remote monitoring and management (RMM) tools.[4] Scattered Spider utilized social engineering to compel IT help desk personnel to reset passwords and MFA tokens.[11][12] |
| ID | Mitigation | Description |
|---|---|---|
| M1019 | Threat Intelligence Program |
Threat intelligence helps defenders and users be aware of and defend against common lures and active campaigns that have been used for impersonation. |
| M1017 | User Training |
Train users to be aware of impersonation tricks and how to counter them, for example confirming incoming requests through an independent platform like a phone call or in-person, to reduce risk. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content |
Review and monitor email and other user communication logs for signs of impersonation, such as suspicious emails (e.g., from known malicious or compromised accounts) or content associated with an adversary's actions on objective (e.g., abnormal monetary transactions). |