T1683: Generate Content
Adversaries may create or generate content to support targeting and operations. This content may be used to establish personas, impersonate known individuals or organizations, and support Social Engineering, fraud, or influence activities. Written materials, audio, images, video, or other media may be developed and tailored to the target and objective.[1]
Content development may occur prior to or during an operation. Adversaries may develop or generate content in-house, source it through third parties, or produce it using AI-assisted tools. Adversaries may use AI to research targets, develop pretexts, and better understand the organizations and individuals they intend to target or deceive prior to generating content (i.e., Query Public AI Services); for obtaining access to AI tools used in content generation, see Artificial Intelligence.
Content may be leveraged in support of techniques such as Phishing, Phishing for Information, Social Engineering, Financial Theft, or Establish Accounts. Generated or developed content does not include malicious code or scripts (i.e., Develop Capabilities and Artificial Intelligence).
Analyst context for executives and security teams
Generate Content is a pre-compromise resource-development behavior: adversaries create written, audio, image, video, or other media to make later targeting more believable. For leaders, the risk is not the content itself but how it can improve phishing, social engineering, fraud, impersonation, and account-establishment attempts before a conventional security alert exists.
Executive priority
Treat this as an exposure and readiness issue, not only a SOC detection problem. Executives should ask whether the organization can recognize impersonation, synthetic or tailored communications, and fraudulent narratives before they trigger payment, credential, hiring, access, or incident-response decisions. This technique also supports audit evidence around pre-compromise risk reduction, brand/persona protection, and resilience against social engineering.
Technical view
ATT&CK places T1683 in Resource Development on the PRE platform, with no official detection text provided. Detection engineering should therefore validate indirect visibility: suspicious reuse of executive or organizational identity, abnormal externally hosted personas or accounts, tailored phishing or phishing-for-information lures, and content that supports social engineering or financial theft. The related sub-techniques separate written content from audio-visual content, so playbooks should not focus only on email text; they should also account for synthetic voice, images, video, profile media, documents, and other supporting narratives. DET0916 is listed as detecting this object, but no detection details were supplied here, so local implementation must be verified.
Likely telemetry
- Email security and phishing-report metadata for tailored lures and fraudulent communications
- Collaboration, messaging, and helpdesk records where social engineering attempts are reported
- Brand, domain, social media, and account monitoring for impersonation or fabricated personas
- Fraud, finance, HR, recruiting, and vendor-management case records involving suspicious narratives or documents
- Identity and access request logs where new accounts, persona claims, or access justifications are involved
Detection direction
- Map detection and triage to the PRE/resource-development stage; many indicators may appear outside endpoint or network telemetry.
- Validate whether DET0916 or any local equivalent is actually implemented, tuned, and producing reviewable evidence.
- Correlate generated-content indicators with related ATT&CK behaviors named in the object: phishing, phishing for information, social engineering, financial theft, and establish accounts.
- Include both T1683.001 written content and T1683.002 audio-visual content in reporting and escalation paths.
- Expect false positives from legitimate marketing, recruiting, sales, media, and executive communications; prioritize impersonation, unauthorized use of identity, suspicious requests, and links to access or financial workflows.
Mitigation priorities
- Prioritize M1056 Pre-compromise measures: reduce externally useful information, increase the difficulty of adversary preparation, and look for preparation activity before access is obtained.
- Harden business processes that generated content is likely to influence, especially payment changes, credential requests, recruiting interactions, vendor onboarding, and executive-directed exceptions.
- Create verification paths for high-risk communications that do not rely solely on the apparent realism of text, voice, image, or video content.
- Ensure phishing, fraud, identity, and incident-response teams share evidence of impersonation and fabricated personas instead of treating each report as an isolated message.
- Use tabletop or control-validation exercises to test whether teams can escalate suspicious written and audio-visual content before compromise.
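The cross-channel correlation described under Detection direction and the shared-evidence point above can be sketched as follows. This is an added example, not part of the ATT&CK object or this page's own tooling; the record fields, workflow labels, `verified_sender` flag and score weights are assumptions, and the sample reports are constructed.

```python
from collections import defaultdict

# Media type -> sub-technique ID, as listed on this page.
SUBTECHNIQUE = {"text": "T1683.001", "document": "T1683.001",
                "audio": "T1683.002", "image": "T1683.002", "video": "T1683.002"}
# Hypothetical labels for the access and financial workflows the page prioritizes.
HIGH_RISK = {"payment_change", "credential_request", "access_request", "vendor_onboarding"}

# Constructed sample reports from different intake queues (field names are assumptions).
REPORTS = [
    {"id": "PH-101", "channel": "email", "claimed_identity": "CFO Jane Doe ",
     "media": "text", "workflow": "payment_change", "verified_sender": False},
    {"id": "HD-22", "channel": "helpdesk", "claimed_identity": "cfo  jane doe",
     "media": "audio", "workflow": "credential_request", "verified_sender": False},
    {"id": "MK-7", "channel": "email", "claimed_identity": "Marketing Team",
     "media": "image", "workflow": "newsletter", "verified_sender": True},
    {"id": "HR-5", "channel": "recruiting", "claimed_identity": "Sam Lee",
     "media": "document", "workflow": "hiring", "verified_sender": False},
]

def normalize(identity):
    """Case-fold and collapse whitespace so the same claimed name matches across queues."""
    return " ".join(identity.lower().split())

def correlate(reports):
    """Cluster unverified reports by claimed identity and rank clusters for triage."""
    clusters = defaultdict(list)
    for r in reports:
        if r["verified_sender"]:  # confirmed legitimate comms are a false-positive source
            continue
        clusters[normalize(r["claimed_identity"])].append(r)
    cases = []
    for identity, items in clusters.items():
        channels = {r["channel"] for r in items}
        risky = {r["workflow"] for r in items} & HIGH_RISK
        cases.append({
            "identity": identity,
            "reports": sorted(r["id"] for r in items),
            "subtechniques": sorted({SUBTECHNIQUE[r["media"]] for r in items}),
            # Illustrative weights: 1 per intake channel, 2 per high-risk workflow.
            "score": len(channels) + 2 * len(risky),
            "escalate": len(channels) > 1 or bool(risky),
        })
    return sorted(cases, key=lambda c: c["score"], reverse=True)

if __name__ == "__main__":
    for case in correlate(REPORTS):
        print(case)
```

The two reports that claim the same executive identity arrive through different queues and different media types; clustering them yields one case covering both sub-techniques instead of two isolated tickets.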
Analyst notes and limits
The supplied object is new in ATT&CK release 19.1 and focuses on content creation in support of later operations. A related ATT&CK campaign, C0062 Anthropic AI-orchestrated Campaign, is listed as using this technique, and the object references AI-assisted content generation, but this take does not generalize that into claims of current customer exposure or universal attacker use.
MITRE provides no official detection text for T1683 in the supplied fields, and the DET0916 relationship includes no implementation detail. Telemetry and control guidance therefore require local validation against the organization’s communication channels, public presence, identity workflows, fraud processes, and incident-response intake.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1683.002 | Audio-Visual Content Sub-technique | Audio-Visual Content subtechnique of this object. |
| Enterprise | T1683.001 | Written Content Sub-technique | Written Content subtechnique of this object. |
Groups, software, and campaigns
C0062: Anthropic AI-orchestrated Campaign
The Anthropic AI-orchestrated Campaign was conducted in September 2025 by a likely China nexus espionage actor identified as GTG-1002. The Anthropic AI-orchestrated Campaign was a highly coordinated operation that manipulated Claude Code to perform reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations at approximately 30 entities in the technology, financial, chemical, and government sectors. During the Anthropic AI-orchestrated Campaign, human operators used Claude Code agents and Model Context Protocol (MCP) tools to automate cyber operations. Operators broke attacks into discrete tasks, used crafted prompts, and established personas to bypass AI guardrails, enabling the agents to execute the operations with minimal human involvement.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 82f891852e56… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] IBM AI-Generated Content. Tim Mucci. (n.d.). What is AI-Generated Content?. Retrieved April 22, 2026.
- [2] mitre-attack T1683.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.