T1683.001: Written Content
Adversaries may create or tailor written materials to support targeting and malicious operations. Content may include phishing lures, fraudulent financial communications, fabricated job postings, fabricated employment credentials and documentation, decoy documents, social media persona content, and supporting narratives used to sustain fabricated personas over time.[1][2] Content may be authored manually, commissioned through third parties, or produced using AI-assisted tools.
Written materials may impersonate legitimate government correspondence, diplomatic communications, or internal organizational documents to support targeting efforts. AI-assisted tools may also be used to tailor content to specific targets, industries, or regions. For example, adversaries may leverage AI to translate content into a target's native language or mimic the communication style of trusted senders.
Written content produced through these methods may be used in support of other techniques, such as Phishing, Spearphishing via Service, Phishing for Information, Internal Spearphishing, Social Engineering, Financial Theft, or Establish Accounts.
Written content does not include malicious code or scripts; for development of malicious code and scripts, see Develop Capabilities.
Analyst context for executives and security teams
Written Content is pre-compromise preparation: adversaries create tailored text such as phishing lures, fake job postings, fraudulent financial messages, decoy documents, persona narratives, or impersonated organizational correspondence. Its business importance is that convincing language can make later phishing, social engineering, fraud, account creation, and information-gathering more credible before malware or account abuse is visible.
Executive priority
Treat this as an early-warning and resilience issue, not only an email-security issue. Leaders should ask whether the organization can recognize impersonation of its brand, executives, hiring processes, financial workflows, and internal document style before a campaign becomes an incident. Priority should go to controls and evidence that reduce pre-compromise exposure, support rapid fraud/social-engineering triage, and demonstrate due diligence for awareness, reporting, and pre-compromise monitoring.
Technical view
This sub-technique sits under Generate Content in the Resource Development tactic on the PRE platform. MITRE provides no official detection text, but a related detection strategy, DET0917 Detection of Written Content, is linked. SOC, detection, and IR teams should validate coverage around suspicious written materials used to enable Phishing, Spearphishing via Service, Phishing for Information, Internal Spearphishing, Social Engineering, Financial Theft, and Establish Accounts. Reviews should focus on whether tailored narratives, impersonated correspondence, AI-assisted translation or style mimicry, fake hiring material, decoy documents, and persona-supporting content are visible in available pre-compromise, messaging, and reporting channels.
Likely telemetry
- User-reported suspicious emails, messages, job offers, financial requests, and document lures
- Email, collaboration, messaging, and service-based communication metadata and content where collection is authorized
- Brand, executive, recruiter, finance, and government/diplomatic impersonation reports
- Fraud, phishing, and social-engineering case records from SOC, help desk, HR, finance, and legal teams
- External-facing evidence of fabricated personas, job postings, employment credentials, or organizational narratives when monitoring is authorized
Detection direction
- Validate whether DET0917 or equivalent analytic logic exists in the environment; MITRE does not provide detailed detection logic in the supplied object.
- Tune detections and triage playbooks around business context: impersonated executives, finance workflows, recruiting processes, diplomatic/government-style correspondence, internal document themes, and trusted-sender mimicry.
- Correlate suspicious written content with downstream behaviors named by ATT&CK relationships, especially phishing, phishing for information, internal spearphishing, social engineering, financial theft, and establish accounts.
- Account for false positives: legitimate recruiting, multilingual communications, executive assistance, legal/finance correspondence, and marketing content can resemble adversary-prepared narratives.
- Check blind spots in non-email channels such as collaboration platforms, service-based messaging, social media personas, and externally hosted job or credential content, subject to policy and legal constraints.
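As an added example (not part of the ATT&CK object or any vendor's tooling), a small Python triage scorer that applies the business-context rules above to user-reported messages: executive display-name mimicry checked against a roster, finance-workflow language from external senders, hiring lures with an allowlist for legitimate recruiting partners, credential requests, and a flag for non-email channels. The executive roster, domains, keyword lists and reported messages are all constructed placeholders, and grammar quality is deliberately not a signal.

```python
from collections import namedtuple
# Constructed reference data (assumptions, not from the ATT&CK object).
EXECUTIVES = {"dana rivera": "dana.rivera@example.com"}   # display name -> roster address
INTERNAL_DOMAINS = {"example.com"}
RECRUITING_VENDORS = {"jobs-vendor.example.net"}          # known-good recruiting partner
FINANCE_TERMS = ("bank details", "payment change", "wire transfer", "updated account")
HIRING_TERMS = ("job offer", "interview", "take-home assessment", "open position")
CREDENTIAL_TERMS = ("verify your account", "confirm your password", "sign in to keep")

Report = namedtuple("Report", "channel display_name sender body")

# Constructed reported messages: an executive-impersonation payment lure over chat,
# and a genuine recruiter message from the allowlisted vendor.
SAMPLE_REPORTS = [
    Report("chat", "Dana Rivera", "dana.rivera@mail-example.org",
           "Urgent: we changed bank details for the vendor wire transfer, confirm today."),
    Report("email", "Talent Team", "recruit@jobs-vendor.example.net",
           "Thanks for applying; your interview for the open position is Tuesday."),
]

def triage(r: Report) -> dict:
    """Score one reported message on business-context signals; grammar is ignored."""
    score, findings, followon = 0, [], set()
    domain = r.sender.rsplit("@", 1)[-1].lower()
    body, name = r.body.lower(), r.display_name.strip().lower()
    # Trusted-sender mimicry: executive display name but not the roster address.
    if name in EXECUTIVES and r.sender.lower() != EXECUTIVES[name]:
        score += 4
        findings.append("executive display-name mimicry from non-roster address")
    # Finance-workflow lure from outside the organization.
    if any(k in body for k in FINANCE_TERMS) and domain not in INTERNAL_DOMAINS:
        score += 3
        findings.append("finance workflow language from external sender")
        followon.add("Financial Theft")
    # Hiring lure; allowlisted recruiting partners are the expected false positive.
    if any(k in body for k in HIRING_TERMS):
        if domain in RECRUITING_VENDORS:
            findings.append("hiring language from allowlisted recruiting vendor")
        else:
            score += 2
            findings.append("unsolicited hiring/interview narrative")
            followon.add("Phishing for Information")
    if any(k in body for k in CREDENTIAL_TERMS):
        score += 2
        findings.append("credential-request language")
        followon.add("Phishing")
    # Non-email channels are a coverage blind spot; mark for collection review.
    if r.channel != "email":
        findings.append(f"non-email channel ({r.channel}): verify collection coverage")
    return {"score": score, "findings": findings, "followon": sorted(followon)}
```

The returned `followon` set names the ATT&CK techniques this page lists as downstream uses of written content, so a case can be linked to the matching phishing, fraud or information-gathering investigation.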
Mitigation priorities
- Apply pre-compromise mitigation priorities consistent with M1056: reduce exposed information that helps adversaries tailor convincing written content.
- Harden business processes most likely to be abused by written lures, especially payment changes, credential requests, hiring outreach, document sharing, and executive-directed exceptions.
- Maintain clear reporting paths and response ownership for suspected impersonation, fabricated job postings, fraudulent financial communications, and suspicious decoy documents.
- Use awareness and verification procedures that emphasize narrative quality and impersonation risk, not only spelling errors or obviously malicious attachments.
- Ensure incident response can preserve examples of suspicious written content and connect them to related phishing, fraud, account, or social-engineering investigations.
Analyst notes and limits
The relationship context links this behavior to APT-C-36 and Contagious Interview, but that should be used only as threat-intelligence context, not as evidence of current targeting or attribution in a local environment. The supplied references also note AI-assisted content generation and tailoring, so defenders should avoid relying on poor grammar as a primary detection assumption.
Official ATT&CK detection text is not provided, and the related DET0917 strategy details are not supplied here. This object is PRE-platform resource-development behavior, so telemetry may be indirect, policy-constrained, and dependent on user reporting, external monitoring, and business-process records. Local validation is required to determine actual visibility and control effectiveness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1683 | Generate Content | This object is a sub-technique of Generate Content. |
Groups, software, and campaigns
G0099: APT-C-36
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
G1052: Contagious Interview
Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities.[1][2][3][4][5][6][7][8]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ada9e2b3d30d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] GenAI Phishing: Adaptive Team. (2025, August 29). Generative AI Phishing: How to Defend in 2025. Retrieved March 26, 2026.
- [2] GTIG AI Threat Tracker: Google Threat Intelligence Group. (2026, February 12). GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use. Retrieved March 25, 2026.
- [3] mitre-attack T1683.001.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.