MITRE ATT&CK® Detection Strategy

DET0857: Detection of Employee Names


Domain: Enterprise. ID: DET0857. Type: Detection Strategy. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is about recognizing activity related to adversaries collecting employee names during reconnaissance. For leaders, the significance is that employee names are often the raw material for targeted phishing, email address guessing, impersonation, and other pre-attack planning. Because the ATT&CK object provides no official detection detail or platform scope, the main decision value is to verify whether the organization understands where employee identity information is exposed and whether SOC, threat intelligence, and brand-monitoring processes can spot suspicious collection or use of that information.

Executive priority

Treat this as an early-warning and exposure-management concern rather than a single technical alert. Security leaders should ask which employee directories, public websites, social media profiles, press releases, job postings, and other accessible sources expose names at scale, and whether that exposure is intentional, governed, and monitored. Priority is highest where employee names can be easily combined with predictable email formats, executive roles, privileged access, or sensitive business functions, because that can increase phishing and impersonation risk.

Technical view

The supplied relationship maps DET0857 to ATT&CK technique T1589.003, Employee Names, under reconnaissance on PRE. Since MITRE provides no official detection text, platforms, or tactics for the detection strategy itself, defenders should validate coverage around evidence of employee-name harvesting and downstream use rather than assume a prescribed analytic. Practical validation should include reviewing public-facing identity exposure, monitoring for abnormal scraping or enumeration of employee directory pages where logs exist, and correlating suspicious name-based targeting with phishing, impersonation, or reconnaissance cases.

Likely telemetry

  • Public website and directory access logs where employee names are published
  • Web application logs for pages that expose staff, leadership, contact, or directory information
  • Threat intelligence or brand-monitoring observations involving employee identity exposure
  • Email security and phishing-reporting data showing use of real employee names in lures
  • Identity and access management records useful for validating whether exposed names map to privileged or sensitive roles

Detection direction

  • Inventory where employee names are intentionally published and distinguish expected public access from unusual scraping, bulk access, or repeated enumeration patterns.
  • Correlate employee-name exposure with reported phishing or impersonation attempts, especially where lures reference real staff, teams, executives, or business functions.
  • Avoid treating the presence of employee names online as inherently malicious; focus detection on suspicious collection patterns, unusual access behavior, and downstream misuse.
  • Account for blind spots where data is collected from third-party platforms, social media, search engines, or other accessible datasets that may not generate telemetry controlled by the organization.
  • Because the ATT&CK detection strategy has no official detection logic, require local validation before representing this as a covered analytic in SOC metrics or compliance evidence.
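One way to implement the scraping and bulk-enumeration check in the first bullet, as an added example that is not part of the ATT&CK object or of Glexia's page: a small Python detector that parses constructed Apache combined-format access log lines and alerts when a single client fetches five or more distinct pages under a staff-directory path within 60 seconds. The /staff/ prefix, the threshold and the window are assumptions to tune against local logs; repeated views of one profile, the normal browsing pattern, do not count toward the threshold.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (not real traffic): one client walks five
# staff profiles in seconds with a scripting user agent; another views one twice.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:09:00:01 +0000] "GET /staff/alice-smith HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.10 - - [10/Mar/2026:09:00:02 +0000] "GET /staff/bob-jones HTTP/1.1" 200 5100 "-" "python-requests/2.31"
203.0.113.10 - - [10/Mar/2026:09:00:03 +0000] "GET /staff/carol-white HTTP/1.1" 200 5050 "-" "python-requests/2.31"
203.0.113.10 - - [10/Mar/2026:09:00:04 +0000] "GET /staff/dan-brown HTTP/1.1" 200 5080 "-" "python-requests/2.31"
203.0.113.10 - - [10/Mar/2026:09:00:05 +0000] "GET /staff/erin-green HTTP/1.1" 200 5090 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:09:05:00 +0000] "GET /staff/alice-smith HTTP/1.1" 200 5120 "https://example.com/about" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:09:05:30 +0000] "GET /staff/alice-smith HTTP/1.1" 200 5120 "https://example.com/about" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_log(text):
    """Yield (client, timestamp, path, status, user_agent) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["client"], ts, m["path"], int(m["status"]), m["ua"]

def find_directory_enumeration(text, prefix="/staff/", threshold=5, window=timedelta(seconds=60)):
    """Flag clients fetching >= threshold distinct prefix pages within window (repeat views do not count)."""
    per_client = defaultdict(list)
    for client, ts, path, status, ua in parse_log(text):
        if status == 200 and path.startswith(prefix):  # assumed directory path prefix
            per_client[client].append((ts, path, ua))
    alerts = []
    for client, events in per_client.items():
        events.sort()
        in_window, start = Counter(), 0
        for ts, path, ua in events:
            in_window[path] += 1
            while events[start][0] < ts - window:  # evict events older than the window
                in_window -= Counter([events[start][1]])  # -= drops zero counts
                start += 1
            if len(in_window) >= threshold:
                alerts.append({"client": client, "distinct_pages": len(in_window),
                               "first_seen": events[start][0], "last_seen": ts, "user_agent": ua})
                break  # one alert per client is enough for triage
    return alerts
```

The scripting client is reported once with five distinct pages in a four-second span, while the browser client viewing the same profile twice is not.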

Mitigation priorities

  • Reduce unnecessary publication of employee names where business value is low, especially for sensitive roles or teams.
  • Govern approved public identity exposure across websites, directories, recruiting content, executive pages, and externally accessible documents.
  • Coordinate identity, communications, legal, and security teams so exposure decisions consider phishing and impersonation risk.
  • Strengthen user reporting and email security processes for lures that use real employee names or internal role references.
  • Use exposure reviews and incident findings to prioritize awareness, executive protection, and monitoring for high-risk roles.

Analyst notes and limits

This object is a detection strategy with external ID DET0857 and is related to T1589.003 Employee Names. The most defensible use is to guide exposure review and early reconnaissance detection planning. It should not be presented as a complete detection rule because the official ATT&CK fields supplied here do not include detection logic, platforms, or a description for DET0857.

The supplied ATT&CK object is sparse: no official description, no official detection text, no platforms, and no tactics are specified for the detection strategy itself. Conclusions are limited to the provided relationship with T1589.003 and its reconnaissance context. Local telemetry, public exposure, and business role mapping are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Detection of Employee Names

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

  Domain: Enterprise
  ID: T1589.003
  Name: Employee Names (Sub-technique)
  Relationship / procedure: This object detects Employee Names.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 94da3c3ea90f25ae...

Imported snapshots across ATT&CK releases (1)

  Release: 19.1
  Bundle imported:
  Object version: 1.0
  Modified:
  Status: Current bundle
  Raw hash: 94da3c3ea90f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0857

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.