Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access, approval of changes, disclosure of sensitive information, or execution of adversary-supplied instructions (i.e., introduction of malicious payloads or software), while minimizing technical indicators.
Adversaries may leverage trust-building methods across multiple channels (e.g., executive, vendor, or help desk scenarios, including AI-enabled voice interactions) to prompt user-authorized actions such as password resets, MFA changes, financial approvals, or the disclosure of sensitive information. Adversaries may also leverage common business communications and workflows such as email, collaboration platforms, voice communications, recruiting processes, help desk interactions, and SaaS consent mechanisms to make malicious requests appear routine and legitimate.[1][2][3]
Additionally, adversaries have persuaded victims to take actions through references of current events, harnessing relevant themes to the work role or the organizations mission. For example, adversaries may use scare tactics (i.e., threaten repercussions for non-compliance) or otherwise incite victims’ emotions in order to generate a sense of urgency to take action.[4][5]
This technique may include common social engineering patterns such as Phishing and Spearphishing Voice, often supported by convincing and targeted narratives.[2][6]
| ID | Mitigation | Description |
|---|---|---|
| M1036 | Account Use Policies |
Adds verification for helpdesk resets, approvals, and app consents commonly targeted by impersonation.[2][3] |
| M1047 | Audit |
Enables correlation of email/identity/SaaS/endpoint activity that appears legitimate.[1][7] |
| M1017 | User Training |
Reduces success of phishing/vishing/impersonation and modern "human interface" lures.[2][8][7] |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0899 | Detect Social Engineering | AN2037 |
Detects users executing commands copied from chats, tickets, or emails, including curl|bash patterns, shell script launches from temp directories, credential changes, or SSH key additions shortly after communication events. |
| AN2035 |
Detects user execution of newly received content or instructions shortly after external communication, including script launches, Office child process spawning, browser-to-script execution chains, or credential prompts followed by new logon sessions. |
||
| AN2034 |
Detects consent grants, password resets, role changes, external sharing, or token creation shortly after user interaction with messages, invites, or help desk workflows. Emphasis is placed on unusual requester relationships, new device context, or off-hours approvals. |
||
| AN2033 |
Detects suspicious inbound communications or collaboration requests followed by rapid sensitive user actions such as file sharing changes, macro enablement, OAuth consent, credential submission, or financial workflow approvals that deviate from historical relationships or normal approval patterns. |
||
| AN2036 |
Detects user-authorized execution of downloaded content or scripts after communication prompts, including browser downloads followed by osascript, shell, or installer execution and subsequent network activity. |