MITRE ATT&CK® Detection Strategy

DET0823: Detection of Phishing for Information


Domain: Enterprise | ID: DET0823 | Type: Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0823 is a MITRE detection strategy for identifying phishing activity whose goal is information collection, not malware execution. The business issue is that these messages can expose credentials or other actionable targeting details before a technical intrusion is visible. Because the strategy has no official detection text or platform scope supplied, organizations should treat it as a prompt to validate whether their email, identity, and user-reporting evidence can support investigations of reconnaissance-stage phishing.

Executive priority

Prioritize this as an early-warning and resilience question: can the organization recognize and respond when employees are being asked to disclose credentials or sensitive business information? Leaders should ask whether SOC processes, awareness reporting, identity controls, and incident response playbooks produce usable evidence before stolen information is used in later activity. This is also relevant to audit and compliance evidence where phishing reporting, credential protection, and response handling must be demonstrated.

Technical view

This detection strategy maps to ATT&CK T1598, Phishing for Information, a Reconnaissance-tactic technique whose platform is listed as PRE. Since ATT&CK supplies no official detection logic for DET0823, SOC and detection engineering teams should validate coverage around inbound phishing reports, suspicious message characteristics, credential-harvesting indicators, and identity events that may follow a disclosure. IR teams should be prepared to determine whether information was divulged, which accounts or data are affected, and whether follow-on monitoring or credential resets are warranted.

Likely telemetry

  • Inbound email metadata and message content indicators where legally and operationally appropriate
  • User-reported phishing submissions and help desk/security mailbox tickets
  • Email security gateway or collaboration platform verdicts and quarantine records
  • Identity authentication logs, especially unusual sign-in attempts following reported messages
  • Web/proxy/DNS logs for links associated with credential or information collection pages

Detection direction

  • Validate that reported or detected messages are triaged for information-harvesting intent, not only malware attachments or payload execution.
  • Correlate phishing reports with identity activity to identify potential credential disclosure or attempted use after the message was received.
  • Tune for false positives from legitimate surveys, HR requests, vendor onboarding, and support workflows that ask for information but are authorized.
  • Track blind spots where personal email, unsanctioned messaging channels, or limited email retention prevent investigation.
  • Use the relationship to T1598 to keep this focused on reconnaissance-stage collection of sensitive information rather than code execution phishing.
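The triage and correlation steps above (flag information-harvesting intent rather than payloads, suppress authorized information requests, then look for identity activity by the reporting user after the message) can be prototyped over reported-message and sign-in records. The following is an added example, not code from the Glexia page or from MITRE ATT&CK; the record fields, phrase list, allowlisted sender and link domains, the 72-hour correlation window, and every sample record are constructed assumptions and would need to be replaced with local data.

```python
"""Added example (not part of the page or of ATT&CK): triage of reported
messages for T1598-style information elicitation, then correlation with
identity events for the reporting user. All names, lists and records below
are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Phrases that ask the recipient to disclose something (assumed list; tune locally).
ELICITATION_PHRASES = (
    "verify your password", "confirm your credentials", "reply with your",
    "send a copy of", "update your banking", "enter your username",
)
# Senders whose legitimate workflows ask for information (assumed allowlist).
AUTHORIZED_SENDER_DOMAINS = {"hr.example.com", "onboarding.vendor-portal.example"}
# Link destinations operated by the organization (assumed).
CORPORATE_LINK_DOMAINS = {"sso.example.com", "intranet.example.com"}
CORRELATION_WINDOW = timedelta(hours=72)  # assumed look-ahead after the report

@dataclass
class Report:
    reported_at: datetime
    reporter: str
    sender: str
    subject: str
    body: str
    links: list = field(default_factory=list)

@dataclass
class SignIn:
    ts: datetime
    user: str
    result: str      # "success" or "failure"
    country: str
    new_device: bool

def domain_of(value):
    """Host part of 'user@host' or 'scheme://host/path', lowercased."""
    if "://" in value:
        return value.split("://", 1)[1].split("/", 1)[0].lower()
    return value.rsplit("@", 1)[-1].lower()

def harvest_score(report):
    """0..3: up to 2 for elicitation phrases, +1 for a link outside corporate
    domains. Allowlisted senders score 0 so authorized HR/vendor requests
    do not page the SOC."""
    if domain_of(report.sender) in AUTHORIZED_SENDER_DOMAINS:
        return 0
    text = (report.subject + " " + report.body).lower()
    phrase_hits = min(2, sum(1 for p in ELICITATION_PHRASES if p in text))
    external = any(domain_of(l) not in CORPORATE_LINK_DOMAINS for l in report.links)
    return phrase_hits + (1 if external else 0)

def correlate(report, signins, baseline_country):
    """Sign-ins by the reporter inside the window that suggest someone else is
    using the credentials: failures, a new device, or a non-baseline country."""
    start, end = report.reported_at, report.reported_at + CORRELATION_WINDOW
    return [s for s in signins
            if s.user == report.reporter and start <= s.ts <= end
            and (s.result == "failure" or s.new_device or s.country != baseline_country)]

def triage(reports, signins, baselines, threshold=2):
    """One alert per report at or above the threshold, with correlated identity events."""
    alerts = []
    for r in reports:
        score = harvest_score(r)
        if score >= threshold:
            alerts.append({"reporter": r.reporter, "sender": r.sender, "score": score,
                           "suspect_signins": correlate(r, signins, baselines.get(r.reporter, ""))})
    return alerts

# Constructed sample data (not real telemetry).
T0 = datetime(2024, 5, 6, 9, 0)
SAMPLE_REPORTS = [
    Report(T0, "alice@example.com", "it-helpdesk@secure-login-portal.example",
           "Action required: verify your password",
           "Your mailbox is full. Enter your username and password at the link below.",
           ["https://secure-login-portal.example/verify"]),
    Report(T0, "bob@example.com", "benefits@hr.example.com", "Annual benefits survey",
           "Reply with your preferred plan by Friday.", ["https://intranet.example.com/survey"]),
    Report(T0, "carol@example.com", "newsletter@vendor.example", "Product update",
           "See what is new this month.", ["https://vendor.example/blog"]),
]
SAMPLE_SIGNINS = [
    SignIn(T0 - timedelta(hours=1), "alice@example.com", "success", "US", False),   # before report
    SignIn(T0 + timedelta(hours=2), "alice@example.com", "failure", "US", False),   # failed attempt
    SignIn(T0 + timedelta(hours=30), "alice@example.com", "success", "NL", True),   # new device abroad
    SignIn(T0 + timedelta(hours=100), "alice@example.com", "success", "RO", True),  # outside window
    SignIn(T0 + timedelta(hours=1), "bob@example.com", "success", "US", False),
]
BASELINES = {"alice@example.com": "US", "bob@example.com": "US", "carol@example.com": "US"}

if __name__ == "__main__":
    for alert in triage(SAMPLE_REPORTS, SAMPLE_SIGNINS, BASELINES):
        print(alert)
```

Running it yields a single alert for the mailbox-quota lure sent to alice, carrying the failed attempt and the new-device sign-in from a non-baseline country; the HR survey is suppressed by the allowlist and the vendor newsletter scores below the threshold. In production the phrase list would be replaced by gateway verdicts or a classifier, and the sign-in filter by the identity provider's own risk signals, but the shape of the join (report, then identity events for that user in a bounded window) is the part worth keeping.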

Mitigation priorities

  • Confirm users have a simple, monitored path to report suspicious information requests.
  • Strengthen identity safeguards for accounts that could be exposed through information disclosure, including prompt investigation and credential reset procedures when warranted.
  • Review business processes that request sensitive information by email and reduce ambiguous workflows that resemble phishing.
  • Ensure incident response playbooks include scoping of what information may have been disclosed and what downstream monitoring is required.
  • Maintain evidence of phishing handling, user reporting, and response actions for compliance and readiness reviews.

Analyst notes and limits

The supplied ATT&CK detection strategy has no official description, no official detection guidance, and no platforms or tactics specified on the strategy itself. The practical interpretation comes from its relationship to T1598, Phishing for Information, which is described as reconnaissance activity aimed at eliciting credentials or other actionable information rather than executing malicious code.

This take cannot assert specific analytic logic, data source requirements, active exploitation, attribution, or guaranteed coverage because those details are not present in the supplied STIX fields. Local architecture, email systems, identity providers, logging retention, and reporting workflows determine actual detection and response capability.

Official MITRE ATT&CK definition

Detection of Phishing for Information

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID     Name                      Relationship / procedure
Enterprise  T1598  Phishing for Information  This object detects Phishing for Information.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: 991220a60d8fc21c...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (blank)          1.0             (blank)   Current bundle  991220a60d8f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0823 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.