T1683.002: Audio-Visual Content
Adversaries may create or manipulate audio, image, and video content to support targeting and malicious operations. Adversaries may also use synthetic voice recordings, real-time altered audio or video during live interactions, fabricated profile photos and identity documents, or video content depicting fabricated or impersonated individuals.[1]
Content may be produced manually through editing tools, generated using AI-assisted tools, or produced using third-party synthetic services.[2][3] AI-assisted tools have enabled adversaries to produce synthetic media at scale and generate content that is more difficult to identify as inauthentic.
Audio-visual content produced through these methods may be used in support of other techniques, such as Phishing, Spearphishing via Service, Phishing for Information, Internal Spearphishing, Social Engineering, Financial Theft, or Establish Accounts.
Analyst context for executives and security teams
Audio-Visual Content is a pre-compromise resource-development behavior: adversaries may create or manipulate images, audio, video, profile photos, identity documents, or live audio/video to make later targeting, phishing, social engineering, fraud, or account-establishment efforts more believable. For leaders, the risk is not the media file itself; it is that trust-based business processes can be pressured by realistic synthetic or edited content before malware or a conventional intrusion is visible.
Executive priority
Treat this as a readiness issue for high-trust workflows: executive approvals, finance requests, recruiting, help desk identity verification, account creation, and external communications. Because ATT&CK provides no official detection text for this sub-technique, priority should be on proving that teams have verification procedures, escalation paths, and evidence collection for suspicious audio, image, and video-enabled interactions. This supports incident decision-making, fraud prevention, social-engineering resilience, and audit evidence around pre-compromise controls.
Technical view
This sub-technique is in the PRE platform and Resource Development tactic, so SOC coverage will often depend on process telemetry and human-reported signals rather than endpoint alerts. Detection engineering should validate what can be observed around media-backed interactions that lead into related ATT&CK behaviors such as Phishing, Spearphishing via Service, Phishing for Information, Internal Spearphishing, Social Engineering, Financial Theft, and Establish Accounts. The relationship to DET0918 indicates a detection strategy exists, but the supplied object includes no detection details; teams should therefore document local analytic assumptions and avoid claiming automated coverage without testing.
Likely telemetry
- User reports of suspicious calls, video meetings, images, documents, profiles, or identity claims
- Email, messaging, collaboration, and meeting metadata associated with media-based requests
- Help desk, HR, recruiting, finance, and account-registration case records tied to identity verification or approval decisions
- Attachments, URLs, file metadata, and message content where audio, image, or video artifacts are submitted or linked
- Logs or records for new account creation, profile changes, and verification attempts when media artifacts are part of the workflow
Detection direction
- Inventory where audio, image, or video content can influence approvals, identity proofing, payment, hiring, or access decisions.
- Create triage paths for suspicious media-supported requests, especially when they involve urgency, identity claims, credential requests, financial action, or account creation.
- Tune detections and case routing around the downstream behaviors named by ATT&CK, including phishing, social engineering, financial theft, and establishing accounts.
- Account for false positives: legitimate edited media, accessibility tools, marketing content, remote interviews, and normal video conferencing artifacts can resemble suspicious content without malicious context.
- Because the object has no official detection text, require validation through tabletop exercises, red-team/social-engineering simulations where appropriate, and review of actual reporting and escalation records.
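The triage path and false-positive handling described in the list above can be expressed as a small routing rule over case records. The following is an added example, not code from ATT&CK or from the Glexia analysis; the record fields, channel names, risk-factor tags, dispositions and the mapping from risk factors to downstream ATT&CK technique names are all assumptions for illustration, to be replaced with your own case-management schema. It holds money, credential and account-creation requests until out-of-band verification is recorded, sends identity or urgency claims to analyst review, and routes media with no risk context normally so marketing video or remote interviews are not escalated on their own.

```python
# Added example (not part of the ATT&CK object or the Glexia analysis): a triage
# router for media-supported requests. Field names, channels, dispositions and the
# factor-to-technique mapping are constructed assumptions, not ATT&CK definitions.
from dataclasses import dataclass

# Risk factors named in the detection direction above.
RISK_FACTORS = {
    "urgency", "identity_claim", "credential_request",
    "financial_action", "account_creation",
}

# Assumed mapping from a risk factor to the downstream ATT&CK behavior the
# case should be tagged with for routing and later hunting.
DOWNSTREAM = {
    "financial_action": "Financial Theft",
    "credential_request": "Phishing for Information",
    "account_creation": "Establish Accounts",
    "identity_claim": "Social Engineering",
    "urgency": "Phishing",
}

# Actions that never proceed on audio-visual content alone.
HOLD_FACTORS = {"financial_action", "credential_request", "account_creation"}


@dataclass
class CaseRecord:
    case_id: str
    channel: str                          # help_desk, finance, recruiting, marketing, ...
    media_types: frozenset = frozenset()  # voice, video, image, id_document
    flags: frozenset = frozenset()        # subset of RISK_FACTORS from intake or analyst tagging
    verified_oob: bool = False            # out-of-band verification already completed


def triage(case: CaseRecord) -> dict:
    """Decide routing for one case. Returns disposition, reasons and the
    downstream ATT&CK behaviors to tag for case routing."""
    # No media artifact: this sub-technique does not apply, route normally.
    if not case.media_types:
        return {"case_id": case.case_id, "disposition": "normal_routing",
                "reasons": ["no audio/image/video artifact"], "related": []}
    factors = sorted(case.flags & RISK_FACTORS)
    related = sorted({DOWNSTREAM[f] for f in factors})
    # Media without any risk factor covers the false-positive cases in the text:
    # edited marketing video, remote interviews, normal conferencing artifacts.
    if not factors:
        return {"case_id": case.case_id, "disposition": "normal_routing",
                "reasons": ["media present but no risk factor; likely legitimate"],
                "related": []}
    reasons = ["media-supported request with risk factors: " + ", ".join(factors)]
    if case.verified_oob:
        # Verified through a second channel: proceed, keep the record for IR.
        disposition = "log_and_proceed"
        reasons.append("out-of-band verification recorded")
    elif set(factors) & HOLD_FACTORS:
        # Money, credentials or new accounts wait for out-of-band verification.
        disposition = "hold_for_oob_verification"
        reasons.append("high-risk action requested without out-of-band verification")
    else:
        disposition = "analyst_review"
        reasons.append("identity or urgency claim; review before acting")
    return {"case_id": case.case_id, "disposition": disposition,
            "reasons": reasons, "related": related}


def triage_all(cases) -> dict:
    """Return {case_id: disposition} for a batch of records."""
    return {c.case_id: triage(c)["disposition"] for c in cases}


# Constructed sample cases (not real incidents).
SAMPLE_CASES = [
    CaseRecord("FIN-1001", "finance", frozenset({"voice", "video"}),
               frozenset({"urgency", "financial_action"})),
    CaseRecord("MKT-2002", "marketing", frozenset({"video"}), frozenset()),
    CaseRecord("REC-3003", "recruiting", frozenset({"video"}),
               frozenset({"identity_claim"})),
    CaseRecord("HD-4004", "help_desk", frozenset({"voice"}),
               frozenset({"credential_request"}), verified_oob=True),
    CaseRecord("FIN-1005", "finance", frozenset(), frozenset({"financial_action"})),
]

if __name__ == "__main__":
    for case in SAMPLE_CASES:
        result = triage(case)
        print(result["case_id"], result["disposition"], result["related"], sep=" | ")
```

The point of the `verified_oob` field is that the router never clears a high-risk request by inspecting the media; it only clears it when a second-channel check has been recorded, which is the evidence trail the mitigation list asks for.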
Mitigation priorities
- Prioritize pre-compromise controls consistent with M1056: reduce exposed information that enables impersonation and make adversarial preparation harder.
- Require out-of-band verification for high-risk requests involving money movement, credential disclosure, account creation, sensitive data, or executive approval.
- Harden help desk, finance, HR, recruiting, and account-registration procedures so audio-visual content alone is not sufficient proof of identity or authority.
- Train users and frontline teams to report suspicious synthetic or manipulated media without needing to prove it is fake.
- Preserve evidence and escalation records so incident response can connect media-backed pre-compromise activity to later phishing, social engineering, or fraud attempts.
Analyst notes and limits
ATT&CK lists this as a sub-technique of Generate Content and relates it to APT-C-36 and Contagious Interview use. Those relationships should be treated as ATT&CK context, not as evidence that those groups are active in a specific environment. The most useful local question is whether business processes can resist convincing media-backed impersonation before technical compromise occurs.
The supplied ATT&CK object provides no official detection guidance and lists the platform as PRE, which limits direct host, network, or cloud telemetry assumptions. Any claims of coverage require local evidence from communications platforms, workflow systems, reporting channels, and incident records.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1683 | Generate Content | This object is a sub-technique of Generate Content. |
Groups, software, and campaigns
G0099: APT-C-36
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
G1052: Contagious Interview
Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities.[1][2][3][4][5][6][7][8]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page, Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 909a2f285f3e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Nov AI Threat Tracker. Google Threat Intelligence Group. (2025, November 5). GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools. Retrieved March 31, 2026.
[2] FBI 2025 AI Generate Content. Internet Crime Complaint Center, FBI. (2025). Federal Bureau of Investigation Internet Crime Report, 2025. Retrieved April 17, 2026.
[3] Europol Deepfakes. Europol. (2022). Facing Reality? Law Enforcement and the Challenge of Deepfakes. Retrieved April 17, 2026.
[4] mitre-attack T1683.002. MITRE ATT&CK, T1683.002.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.