DET0917: Detection of Written Content
Analyst context for executives and security teams
DET0917 is a detection strategy for identifying adversary-created written material used during resource development, such as phishing lures, fraudulent financial communications, fabricated job postings, decoy documents, persona content, and supporting narratives. Its business value is early warning: these materials may appear before direct technical intrusion, so organizations need a way to capture, review, and escalate suspicious content tied to their brand, workforce, partners, or business processes.
Executive priority
Prioritize this as a readiness and risk-triage question: can the organization recognize malicious or fraudulent written content before it drives credential loss, social engineering, financial fraud, or incident escalation? Because the ATT&CK object provides no official detection logic or platforms, leaders should treat coverage as a process-and-evidence gap assessment rather than a single tooling control.
Technical view
SOC, IR, and threat intelligence teams should validate whether suspicious written content is collected, preserved, and correlated with resource-development activity related to T1683.001 Written Content. Useful validation includes reviewing workflows for reported phishing lures, fraudulent business communications, fabricated job or employment materials, decoy documents, and social media persona narratives. Since no official detection text is supplied, detections should be locally defined around observed content artifacts, reporting channels, and escalation criteria.
Likely telemetry
- Reported phishing lures and associated message content
- Fraudulent financial communication samples reported by users or business teams
- Suspicious job postings, employment credentials, or documentation referencing the organization
- Decoy documents or lure documents collected during investigations
- Social media persona content and supporting narratives relevant to targeting
Detection direction
- Confirm that suspicious written content has an intake path from users, executives, HR, finance, legal, and security teams.
- Tune review processes to distinguish malicious impersonation or lure content from legitimate recruiting, finance, marketing, or partner communications.
- Correlate content artifacts with the related ATT&CK context: T1683.001 Written Content under resource development.
- Document blind spots where content exists outside monitored channels, such as third-party platforms or external social media locations.
- Because MITRE supplies no detection procedure for DET0917, require local evidence, analyst review criteria, and repeatable escalation thresholds.
Mitigation priorities
- Establish reporting and preservation procedures for suspicious written content.
- Define ownership across SOC, incident response, threat intelligence, communications, HR, finance, and legal where fabricated content may appear.
- Use awareness and business-process controls to reduce reliance on unverified written requests or personas.
- Maintain evidence suitable for incident response, executive decision-making, and compliance/audit review when fraudulent content affects business processes.
- Review coverage periodically because this behavior occurs in pre-compromise/resource-development contexts where endpoint or network telemetry may not be available.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description, no official detection text, and no specified platforms or tactics. The only behavioral context comes from its relationship to T1683.001 Written Content, which describes adversary-created or tailored written materials used to support targeting and malicious operations.
This analysis cannot assert specific tools, data sources, detection analytics, active exploitation, attribution, or guaranteed coverage. Local collection sources, business workflows, and external monitoring scope determine whether this detection strategy is practical in a given environment.
Detection of Written Content
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1683.001 | Written Content Sub-technique | This object detects Written Content. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e82fc69e65e8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0917
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.