M1017: User Training
User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures:
Create Comprehensive Training Programs:
- Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting.
- Provide role-specific training for high-risk employees, such as helpdesk staff or executives.
Use Simulated Exercises:
- Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training.
- Run social engineering drills to evaluate employee responses and reinforce protocols.
Leverage Gamification and Engagement:
- Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.
Incorporate Security Policies into Onboarding:
- Include cybersecurity training as part of the onboarding process for new employees.
- Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.
Regular Refresher Courses:
- Update training materials to include emerging threats and techniques used by adversaries.
- Ensure all employees complete periodic refresher courses to stay informed.
Emphasize Real-World Scenarios:
- Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering.
- Discuss how specific employee actions can prevent or mitigate such attacks.
Analyst context for executives and security teams
User Training is a broad mitigation for attacks that depend on people taking an action, misreading a prompt, trusting a disguised file, installing an extension, using cloud/software deployment workflows, or mishandling credentials. Its business value is not “awareness” by itself; it is whether employees and contractors can recognize, avoid, and report behaviors that may lead to credential theft, valid account abuse, user execution, drive-by compromise, and persistence through extensions.
Executive priority
Treat this as a resilience and evidence program, not a one-time compliance exercise. Leaders should ask whether training is tailored to the organization’s real risk profile, whether high-risk roles such as executives and helpdesk staff receive role-specific content, and whether simulations produce measurable follow-up. Because ATT&CK maps this mitigation to credential access, valid accounts, cloud accounts, malicious links/files/images, browser or IDE extensions, and software deployment tools, training should be prioritized where a single user action could affect identity security, cloud access, or enterprise-wide administration.
Technical view
MITRE provides no detection guidance for this mitigation, so SOC and IR teams should validate operational outcomes rather than treat training as telemetry. Confirm that user reporting channels feed triage workflows, that phishing and social-engineering simulation results are reviewed with detection engineers, and that role-specific scenarios cover the related ATT&CK behaviors: OS credential dumping and LSASS/SAM/NTDS/LSA/cached credential risks, Valid Accounts including Domain and Cloud Accounts, User Execution via malicious links/files/images, MFA interception, masquerading including double extensions, drive-by compromise, browser/IDE extensions, browser session hijacking, and abuse of software deployment tools.
Likely telemetry
- Training completion and refresher records for employees and contractors
- Role-specific training records for high-risk users such as executives and helpdesk staff
- Phishing simulation results, susceptibility metrics, and targeted follow-up records
- Social engineering drill outcomes and exception handling records
- User-submitted reports of suspicious emails, links, files, prompts, extensions, or cloud images
Detection direction
- Do not measure coverage by completion rate alone; validate whether user reports create timely, actionable SOC cases.
- Tune reporting workflows to reduce noise while preserving low-friction escalation for suspected phishing, malicious files, suspicious credential prompts, unauthorized extensions, and questionable cloud/container images.
- Compare simulation outcomes with real incident reports to identify departments, roles, or workflows that need targeted follow-up.
- Use relationship context to test whether users recognize double extensions, masqueraded files, unexpected MFA or credential prompts, malicious links, and risky extension or image installation paths.
- Account for blind spots: training does not detect OS credential dumping, valid account abuse, or software deployment tool misuse by itself; those require technical telemetry and response playbooks.
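The bullets above ask for outcome measurement rather than completion counts. The script below is an added example (not Glexia or MITRE code) of what that looks like in practice: it joins constructed phishing-simulation events with constructed real user reports and produces per-department follow-up flags based on click rate, report rate, time-to-report, and whether real reports became actionable SOC cases. All event data, department names and thresholds are invented for the example.

```python
"""Per-department follow-up signals from phishing-simulation events and real user reports.

Added example, not Glexia or MITRE code. It judges training by reporting behaviour rather
than completion rate: simulation click and report rates, how quickly reports arrive, and
whether real user reports turn into SOC cases. All events and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed simulation campaign: (user, department, action, time of action or None)
CAMPAIGN_SENT = "2026-03-02T09:00:00"
SIMULATION_EVENTS = [
    ("u1", "finance", "reported", "2026-03-02T09:05:00"),
    ("u2", "finance", "clicked", "2026-03-02T09:07:00"),
    ("u3", "finance", "none", None),
    ("u4", "helpdesk", "clicked", "2026-03-02T09:02:00"),
    ("u5", "helpdesk", "clicked", "2026-03-02T09:12:00"),
    ("u6", "helpdesk", "reported", "2026-03-02T11:30:00"),
    ("u7", "engineering", "reported", "2026-03-02T09:03:00"),
    ("u8", "engineering", "none", None),
]
# Constructed real user reports: (department, whether triage opened an actionable SOC case)
REAL_REPORTS = [("finance", True), ("finance", True), ("helpdesk", False),
                ("engineering", True), ("engineering", False)]

# Constructed thresholds; tune them to the organization's own baseline
CLICK_RATE_MAX = 0.4
REPORT_RATE_MIN = 0.25
REPORT_MINUTES_MAX = 60
ACTIONABLE_RATIO_MIN = 0.5


def minutes_after(ts, start):
    """Minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(ts) - datetime.fromisoformat(start)).total_seconds() / 60


def department_metrics(events, sent_at):
    """Click rate, report rate and median minutes-to-report per department."""
    by_dept = defaultdict(list)
    for _user, dept, action, ts in events:
        by_dept[dept].append((action, ts))
    metrics = {}
    for dept, rows in by_dept.items():
        report_minutes = [minutes_after(ts, sent_at) for action, ts in rows if action == "reported"]
        metrics[dept] = {
            "recipients": len(rows),
            "click_rate": sum(action == "clicked" for action, _ in rows) / len(rows),
            "report_rate": len(report_minutes) / len(rows),
            "median_minutes_to_report": median(report_minutes) if report_minutes else None,
        }
    return metrics


def actionable_ratio(reports):
    """Share of real user reports per department that became an actionable SOC case."""
    totals, actionable = defaultdict(int), defaultdict(int)
    for dept, became_case in reports:
        totals[dept] += 1
        actionable[dept] += became_case
    return {dept: actionable[dept] / totals[dept] for dept in totals}


def flag_departments(metrics, ratios):
    """Departments needing targeted follow-up, with the reason for each flag."""
    flags = {}
    for dept, m in metrics.items():
        reasons = []
        if m["click_rate"] > CLICK_RATE_MAX:
            reasons.append(f"click rate {m['click_rate']:.0%} above {CLICK_RATE_MAX:.0%}")
        if m["report_rate"] < REPORT_RATE_MIN:
            reasons.append(f"report rate {m['report_rate']:.0%} below {REPORT_RATE_MIN:.0%}")
        slow = m["median_minutes_to_report"]
        if slow is None or slow > REPORT_MINUTES_MAX:
            reasons.append("reports absent or slower than SOC intake needs")
        if dept in ratios and ratios[dept] < ACTIONABLE_RATIO_MIN:
            reasons.append("real reports rarely become SOC cases; check intake workflow")
        if reasons:
            flags[dept] = reasons
    return flags


if __name__ == "__main__":
    m = department_metrics(SIMULATION_EVENTS, CAMPAIGN_SENT)
    for dept, reasons in flag_departments(m, actionable_ratio(REAL_REPORTS)).items():
        print(dept, "->", "; ".join(reasons))
```

With the sample data only the helpdesk department is flagged, and for three different reasons (high click rate, slow reporting, and real reports that never became cases); that combination is the kind of evidence that justifies role-specific follow-up rather than a generic reminder.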
Mitigation priorities
- Start with a risk-profile-based training program covering phishing, password management, incident reporting, and user-driven execution scenarios.
- Add role-specific training for high-risk populations, including executives, helpdesk staff, administrators, developers, and users of cloud or software deployment workflows when applicable.
- Run recurring phishing simulations and social engineering drills, then provide targeted follow-up rather than generic reminders.
- Embed security training into onboarding with clear acceptable-use and reporting procedures.
- Refresh content regularly to include emerging adversary techniques and realistic scenarios tied to credential theft, account abuse, malicious files/links/images, extensions, and deceptive prompts.
Analyst notes and limits
The most important decision point is whether the organization can prove behavior change and reporting effectiveness. For Glexia-style defensive planning, this mitigation should be mapped to identity and access management, SOC intake, incident response readiness, cloud governance, and compliance evidence. Its relationship set is broad, so local prioritization should be based on which related techniques are most relevant to the organization’s users, platforms, and business-critical workflows.
The ATT&CK object does not specify platforms or tactics for the mitigation and provides no official detection text. The relationships indicate techniques this mitigation may help address, but local evidence is required to determine effectiveness. No claims are made about active exploitation, attribution, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | Users can be trained to identify social engineering techniques and spearphishing messages with malicious links. |
| Enterprise | T1566.004 | Spearphishing Voice Sub-technique | Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identity of callers. (Citation: CISA Phishing) |
| Enterprise | T1204 | User Execution | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
| Enterprise | T1213.003 | Code Repositories Sub-technique | Develop and publish policies that define acceptable information to be stored in code repositories. |
| Enterprise | T1552 | Unsecured Credentials | Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
| Enterprise | T1213.006 | Databases Sub-technique | Develop and publish policies that define acceptable information to be stored in databases and acceptable handling of customer data. Only store information required for business operations. |
| Enterprise | T1036 | Masquerading | Train users not to open email attachments or click unknown links (URLs). Such training fosters more secure habits within your organization and will limit many of the risks. |
| Enterprise | T1213 | Data from Information Repositories | Develop and publish policies that define acceptable information to be stored in repositories. |
| Enterprise | T1598 | Phishing for Information | Users can be trained to identify social engineering techniques and spearphishing attempts. |
| Enterprise | T1213.001 | Confluence Sub-technique | Develop and publish policies that define acceptable information to be stored in Confluence repositories. |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
| Enterprise | T1557.002 | ARP Cache Poisoning Sub-technique | Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | Users can be trained to identify social engineering techniques and spearphishing attempts. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites. |
| Enterprise | T1213.005 | Messaging Applications Sub-technique | Develop and publish policies that define acceptable information to be posted in chat applications. |
| Enterprise | T1598.004 | Spearphishing Voice Sub-technique | Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identity of callers. (Citation: CISA Phishing) |
| Enterprise | T1213.004 | Customer Relationship Management Software Sub-technique | Develop and publish policies that define acceptable information to be stored in CRM databases and acceptable handling of customer data. Only store customer information required for business operations. |
| Enterprise | T1684.001 | Impersonation Sub-technique | Train users to be aware of impersonation tricks and how to counter them, for example confirming incoming requests through an independent platform like a phone call or in-person, to reduce risk. |
| Enterprise | T1598.001 | Spearphishing Service Sub-technique | Users can be trained to identify social engineering techniques and spearphishing attempts. |
| Enterprise | T1557 | Adversary-in-the-Middle | Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
| Enterprise | T1003.005 | Cached Domain Credentials Sub-technique | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| Enterprise | T1003 | OS Credential Dumping | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| Enterprise | T1003.003 | NTDS Sub-technique | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| Enterprise | T1185 | Browser Session Hijacking | Close all browser sessions regularly and when they are no longer needed. |
| Enterprise | T1072 | Software Deployment Tools | Have a strict approval policy for use of deployment systems. |
| Enterprise | T1204.003 | Malicious Image Sub-technique | Train users to be aware of the existence of malicious images and how to avoid deploying instances and containers from them. |
| Enterprise | T1657 | Financial Theft | Train and encourage users to identify social engineering techniques used to enable financial theft. Also consider training users on procedures to prevent and respond to swatting and doxing, acts increasingly deployed by financially motivated groups to further coerce victims into satisfying ransom/extortion demands. (Citation: Cyber Safety Review Board: Lapsus) (Citation: SWAT-hospital) |
| Enterprise | T1555.005 | Password Managers Sub-technique | Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials. |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
| Enterprise | T1036.007 | Double File Extension Sub-technique | Train users to look for double extensions in filenames, and in general use training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
| Enterprise | T1111 | Multi-Factor Authentication Interception | Remove smart cards when not in use. |
| Enterprise | T1204.005 | Malicious Library Sub-technique | Train developers to be aware of the existence of malicious libraries and how to avoid installing them. |
| Enterprise | T1528 | Steal Application Access Token | Users need to be trained to not authorize third-party applications they don’t recognize. The user should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they are granting to apps. For example, offline access and access to read emails should excite higher suspicions because adversaries can utilize SaaS APIs to discover credentials and other sensitive communications. |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials. |
| Enterprise | T1598.002 | Spearphishing Attachment Sub-technique | Users can be trained to identify social engineering techniques and spearphishing attempts. |
| Enterprise | T1176.002 | IDE Extensions Sub-technique | Train users to minimize IDE extension use, and to only install trusted extensions. |
| Enterprise | T1176 | Software Extensions | Train users to minimize extension use, and to only install trusted extensions. |
| Enterprise | T1221 | Template Injection | Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents. |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| Enterprise | T1056.002 | GUI Input Capture Sub-technique | Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials). |
| Enterprise | T1556.001 | Domain Controller Authentication Sub-technique | Train users to recognize and handle suspicious email attachments. Emphasize the importance of caution when opening attachments from unknown or unexpected sources, even if they appear legitimate. Implement email warning banners to alert users about emails originating from outside the organization or containing attachments, reinforcing awareness and helping users identify potential spearphishing attempts. |
| Enterprise | T1557.004 | Evil Twin Sub-technique | Train users to be suspicious about access points marked as “Open” or “Unsecure” as well as certificate errors. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
| Enterprise | T1176.001 | Browser Extensions Sub-technique | Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run. |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Users can be trained to identify social engineering techniques and spearphishing emails. |
| Enterprise | T1189 | Drive-by Compromise | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
| Enterprise | T1213.002 | Sharepoint Sub-technique | Develop and publish policies that define acceptable information to be stored in SharePoint repositories. |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Use email warning banners to alert users when emails contain links from external senders, prompting them to exercise caution and reducing the likelihood of falling victim to spearphishing attacks. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites. |
| Enterprise | T1684 | Social Engineering | Reduces success of phishing/vishing/impersonation and modern “human interface” lures. (Citation: SE SentinelOne 2) (Citation: Sophos User Interaction) (Citation: Unit 42 Global Incident Response Report 2026) |
| Enterprise | T1552.008 | Chat Messages Sub-technique | Ensure that developers and system administrators are aware of the risk associated with sharing unsecured passwords across communication services. |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
| Enterprise | T1204.002 | Malicious File Sub-technique | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| Enterprise | T1003.004 | LSA Secrets Sub-technique | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| Enterprise | T1078 | Valid Accounts | Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
| Enterprise | T1566 | Phishing | Users can be trained to identify social engineering techniques and phishing emails. |
| Enterprise | T1667 | Email Bombing | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful social engineering via e-mail bombing. |
| Enterprise | T1027 | Obfuscated Files or Information | Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software. |
| Enterprise | T1547.007 | Re-opened Applications Sub-technique | Holding the Shift key while logging in prevents apps from opening automatically. (Citation: Re-Open windows on Mac) |
| Enterprise | T1539 | Steal Web Session Cookie | Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets. |
| Enterprise | T1621 | Multi-Factor Authentication Request Generation | Train users to only accept 2FA/MFA requests from login attempts they initiated, to review source location of the login attempt prompting the 2FA/MFA requests, and to report suspicious/unsolicited prompts. |
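Several rows above (T1036.007 double extensions, T1566.002 and T1598.003 homographs in ASCII and IDN domains) describe cues users are trained to spot, and the "Detection direction" section asks teams to test whether reports actually reflect that recognition. The script below is an added example, not Glexia or MITRE code, of a small triage helper a SOC could run over user-submitted items: it flags double extensions in filenames and punycode, mixed-script, or confusable-folded lookalikes of the organization's own domains in reported links. The extension lists, the confusable table (a deliberately tiny subset), the `.example` domains and the sample reports are all constructed for this example.

```python
"""Triage helper for user-submitted phishing reports.

Added example, not Glexia or MITRE code. It checks two cues the M1017 relationship notes
say users are trained to spot: double file extensions (T1036.007) and lookalike or IDN
homograph domains in links (T1566.002, T1598.003). Extension lists, confusable tables and
sample inputs are constructed for this example and are deliberately small.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed: extensions that execute when opened, and document-like decoys that commonly
# precede them in a double extension such as invoice.pdf.exe
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "lnk", "msi", "jar"}
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}

# Constructed subset of confusables: Cyrillic letters that render like Latin ones, and
# ASCII sequences that read as another letter at a glance (rn -> m, vv -> w, 0 -> o, 1 -> l)
UNICODE_CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                       "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def fold_confusables(text):
    """Map lookalike characters to a canonical Latin form so homographs compare equal."""
    text = "".join(UNICODE_CONFUSABLES.get(ch, ch) for ch in text)
    for src, dst in ASCII_CONFUSABLES:
        text = text.replace(src, dst)
    return text


def scripts_in(label):
    """Unicode scripts (first word of the character name) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def check_filename(name):
    """Reasons a filename looks like a double-extension masquerade; empty list if none."""
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS and parts[-2] in DECOY_EXTENSIONS:
        return [f"double extension: presented as .{parts[-2]} but runs as .{parts[-1]}"]
    return []


def check_hostname(host, expected_domains):
    """Reasons a hostname may impersonate one of expected_domains; empty list if none."""
    labels, reasons = [], []
    for lbl in host.rstrip(".").lower().split("."):
        if lbl.startswith("xn--"):
            # Punycode label: decode it so the Unicode form can be inspected and folded
            try:
                decoded = lbl.encode("ascii").decode("idna")
            except UnicodeError:
                decoded = lbl
            reasons.append(f"IDN label {lbl} decodes to {decoded!r}")
            lbl = decoded
        labels.append(lbl)
    # Registrable domain approximated as the last two labels (a simplification for the example)
    registrable = ".".join(labels[-2:])
    if registrable in expected_domains:
        return reasons  # exact match to a known-good domain: only IDN notes, if any, remain
    for lbl in labels:
        found = scripts_in(lbl)
        if len(found) > 1:  # Latin mixed with Cyrillic etc. is a classic homograph sign
            reasons.append(f"mixed scripts {sorted(found)} in label {lbl!r}")
    folded = fold_confusables(registrable)
    for expected in sorted(expected_domains):
        if folded == fold_confusables(expected):
            reasons.append(f"lookalike of {expected}")
    return reasons


def triage_report(report, expected_domains):
    """Classify one user report {'kind': 'file'|'url', 'value': ...} as (verdict, reasons)."""
    if report["kind"] == "file":
        reasons = check_filename(report["value"])
    else:
        reasons = check_hostname(urlsplit(report["value"]).hostname or "", expected_domains)
    return ("escalate" if reasons else "review", reasons)


if __name__ == "__main__":
    known_good = {"mail.example", "payroll.example"}  # constructed: the org's real domains
    samples = [  # constructed user-submitted items
        {"kind": "file", "value": "Invoice_Q1.pdf.exe"},
        {"kind": "url", "value": "https://rnail.example/login"},
        {"kind": "url", "value": "https://p\u0430yroll.example/reset"},
        {"kind": "url", "value": "https://mail.example/inbox"},
    ]
    for s in samples:
        print(s["value"], "->", triage_report(s, known_good))
```

The same checks can be applied to simulation lures to confirm that a campaign actually exercises the double-extension and lookalike-domain cues the table rows describe, rather than only generic "unexpected email" cues; a report that arrives with these reasons attached gives the SOC a concrete case rather than a vague "looks suspicious".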
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | b8d3c5e78723… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: M1017 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.