Generate Content: Written Content

ID | Name
T1683.001 | Written Content
T1683.002 | Audio-Visual Content

Adversaries may create or tailor written materials to support targeting and malicious operations. Content may include phishing lures, fraudulent financial communications, fabricated job postings, fabricated employment credentials and documentation, decoy documents, social media persona content, and supporting narratives used to sustain fabricated personas over time.[1][2] Content may be authored manually, commissioned through third parties, or produced using AI-assisted tools.

Written materials may impersonate legitimate government correspondence, diplomatic communications, or internal organizational documents to support targeting efforts. AI-assisted tools may also be used to tailor content to specific targets, industries, or regions. For example, adversaries may leverage AI to translate content into a target's native language or mimic the communication style of trusted senders.

Written content produced through these methods may be used in support of other techniques, such as Phishing, Spearphishing via Service, Phishing for Information, Internal Spearphishing, Social Engineering, Financial Theft, or Establish Accounts.

Written content does not include malicious code or scripts; for development of malicious code and scripts, see Develop Capabilities.

ID: T1683.001
Sub-technique of: T1683
Platforms: PRE
Version: 1.0
Created: 25 March 2026
Last Modified: 20 April 2026

Procedure Examples

ID | Name | Description
G0099 | APT-C-36 | APT-C-36 has generated email content impersonating official notifications and documents that direct victims to execute malicious payloads.[3]
G1052 | Contagious Interview | Contagious Interview has created fake social media accounts such as LinkedIn and Telegram accounts for their targeting efforts.[4]

Mitigations

ID | Mitigation | Description
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on designing defenses that are not reliant on atomic indicators.

Detection Strategy

ID | Name | Analytic ID | Analytic Description
DET0917 | Detection of Written Content | AN2060 | Much of this takes place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

References