T1684: Social Engineering

Social Engineering (T1684) matters because it can turn normal business workflows—help desk requests, SaaS consent prompts, financial approvals, recruiting conversations, email, collaboration tools, and voice communications—into paths for unauthorized access or sensitive information disclosure with few technical indicators. For executives, the key risk is not just phishing volume; it is whether trusted processes can be manipulated into user-authorized actions that bypass otherwise sound technical controls.

Executive priority

Prioritize this technique as a resilience and governance issue: confirm that high-risk human approval paths such as password resets, MFA changes, financial approvals, vendor interactions, and SaaS access grants have verification, auditability, and escalation controls. Because ATT&CK lists this under the stealth tactic and provides no specific detection text, leaders should ask whether the organization can produce evidence that these workflows are monitored, reviewed, and reinforced through training, account use policies, and auditing.

Technical view

SOC, detection, IAM, cloud, and IR teams should validate coverage across the listed platforms and channels: Linux, macOS, Windows, Office Suite, and SaaS. Focus on user-authorized events that may appear legitimate but create risk, including account recovery, MFA modification, consent or approval workflows, suspicious email sender identity patterns, and reports of impersonation. Relationship context highlights DET0899 Detect Social Engineering, mitigations M1017 User Training, M1036 Account Use Policies, and M1047 Audit, plus sub-techniques Impersonation (T1684.001) and Email Spoofing (T1684.002).

Likely telemetry

Email security logs and message headers, especially sender identity and spoofing-related evidence
Office Suite and SaaS audit logs for consent grants, approvals, account changes, and access changes
Identity provider logs for password resets, MFA enrollment or changes, login policy events, and account recovery activity
Help desk, ticketing, and support workflow records for user verification and account change requests
Collaboration platform and business communication records where retained and authorized

Detection direction

Because official ATT&CK detection text is not provided, treat detection as a validation exercise across business workflows rather than a single analytic.
Correlate identity changes, SaaS approvals, help desk tickets, and email or collaboration context to identify user-authorized actions preceded by suspicious requests.
Tune for high-risk outcomes such as MFA changes, password resets, financial approvals, SaaS consent grants, and disclosure requests, while accounting for legitimate support and business processes.
Use sub-technique context to test visibility for impersonation and email spoofing, including whether analysts can inspect relevant email headers and sender display artifacts.
Track user reporting as detection input; social engineering may minimize technical indicators, so absence of endpoint alerts should not be treated as absence of risk.

Mitigation priorities

Implement and maintain user training focused on recognizing, resisting, and reporting manipulative requests, including urgent, emotional, executive, vendor, help desk, voice, email, collaboration, and SaaS consent scenarios.
Strengthen account use policies for sensitive account actions, including appropriate restrictions, timeouts, and controls around account recovery and usage.
Ensure auditing is enabled and regularly reviewed for identity, SaaS, Office Suite, endpoint, and workflow systems involved in approvals or access changes.
Require verifiable procedures for password resets, MFA changes, vendor requests, and financial approvals so that trust is not based only on message appearance or caller identity.
Use incident response playbooks that include business-process evidence collection, not only host or network artifacts.

Analyst notes and limits

This ATT&CK object is broad and newly versioned in the supplied data. Its defensive value comes from mapping social engineering to the organization’s actual approval and identity workflows. The most important local questions are: which user actions can change access or money movement, who can approve them, what evidence is logged, and how quickly suspicious requests are reported and reviewed.

The official ATT&CK object does not provide detection text, and the related detection strategy is named but not described in the supplied fields. This take therefore avoids claiming specific detection coverage or active exploitation. Local telemetry, process design, retention, and privacy/legal constraints will determine practical monitoring options.

Official MITRE ATT&CK definition

Social Engineering

Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access, approval of changes, disclosure of sensitive information, or execution of adversary-supplied instructions (i.e., introduction of malicious payloads or software), while minimizing technical indicators.

Adversaries may leverage trust-building methods across multiple channels (e.g., executive, vendor, or help desk scenarios, including AI-enabled voice interactions) to prompt user-authorized actions such as password resets, MFA changes, financial approvals, or the disclosure of sensitive information. Adversaries may also leverage common business communications and workflows such as email, collaboration platforms, voice communications, recruiting processes, help desk interactions, and SaaS consent mechanisms to make malicious requests appear routine and legitimate.[1][2][3]

Additionally, adversaries have persuaded victims to take actions through references of current events, harnessing relevant themes to the work role or the organizations mission. For example, adversaries may use scare tactics (i.e., threaten repercussions for non-compliance) or otherwise incite victims’ emotions in order to generate a sense of urgency to take action.[4][5]

This technique may include common social engineering patterns such as Phishing and Spearphishing Voice, often supported by convincing and targeted narratives.[2][6]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 2 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1684.002	Email Spoofing Sub-technique	Email Spoofing subtechnique of this object.
Enterprise	T1684.001	Impersonation Sub-technique	Impersonation subtechnique of this object.

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1036: Account Use Policies Enterprise subtechnique of · Technique T1684.002: Email Spoofing Enterprise mitigates · Mitigation M1047: Audit Enterprise subtechnique of · Technique T1684.001: Impersonation Enterprise detects · Detection Strategy DET0899: Detect Social Engineering Enterprise mitigates · Mitigation M1017: User Training Enterprise

Mitigations

Mitigation direction

M1036: Account Use Policies

Account Use Policies help mitigate unauthorized access by configuring and enforcing rules that govern how and when accounts can be used. These policies include enforcing account lockout mechanisms, restricting login times, and setting inactivity timeouts. Proper configuration of these policies reduces the risk of brute-force attacks, credential theft, and unauthorized access by limiting the opportunities for malicious actors to exploit accounts. This mitigation can be implemented through the following measures:

Account Lockout Policies:

- Implementation: Configure account lockout settings so that after a defined number of failed login attempts (e.g., 3-5 attempts), the account is locked for a specific time period (e.g., 15 minutes) or requires an administrator to unlock it. - Use Case: This prevents brute-force attacks by limiting how many incorrect password attempts can be made before the account is temporarily disabled, reducing the likelihood of an attacker successfully guessing a password.

- Implementation: Set up login time policies to restrict when users or groups can log into systems. For example, only allowing login during standard business hours (e.g., 8 AM to 6 PM) for non-administrative accounts. - Use Case: This prevents unauthorized access outside of approved working hours, where login attempts might be more suspicious or harder to monitor. For example, if an account that is only supposed to be active during the day logs in at 2 AM, it should raise an alert or be blocked.

Inactivity Timeout and Session Termination:

- Implementation: Enforce session timeouts after a period of inactivity (e.g., 10-15 minutes) and require users to re-authenticate if they wish to resume the session. - Use Case: This policy prevents attackers from hijacking active sessions left unattended. For example, if an employee walks away from their computer without locking it, an attacker with physical access to the system would be unable to exploit the session.

Password Aging Policies:

- Implementation: Enforce password aging rules, requiring users to change their passwords after a defined period (e.g., 90 days) and ensure passwords are not reused by maintaining a password history. - Use Case: This limits the risk of compromised passwords being used indefinitely. Regular password changes make it more difficult for attackers to reuse stolen credentials.

Account Expiration and Deactivation:

- Implementation: Configure user accounts, especially for temporary or contract workers, to automatically expire after a set date or event. Accounts that remain unused for a specific period should be deactivated automatically. - Use Case: This prevents dormant accounts from becoming an attack vector. For example, an attacker can exploit unused accounts if they are not properly monitored or deactivated.

**Tools for Implementation**:

- Group Policy Objects (GPOs) in Windows: To enforce account lockout thresholds, login time restrictions, session timeouts, and password policies. - Identity and Access Management (IAM) solutions: For centralized management of user accounts, session policies, and automated deactivation of accounts. - Security Information and Event Management (SIEM) platforms: To monitor and alert on unusual login activity, such as failed logins or out-of-hours access attempts. - Multi-Factor Authentication (MFA) Tools: To further enforce secure login attempts, preventing brute-force or credential stuffing attacks.

M1047: Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies. - Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation. - Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector. - Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA). - Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections. - Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

M1017: User Training

User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures:

Create Comprehensive Training Programs:

- Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting. - Provide role-specific training for high-risk employees, such as helpdesk staff or executives.

Use Simulated Exercises:

- Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training. - Run social engineering drills to evaluate employee responses and reinforce protocols.

Leverage Gamification and Engagement:

- Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.

Incorporate Security Policies into Onboarding:

- Include cybersecurity training as part of the onboarding process for new employees. - Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.

Regular Refresher Courses:

- Update training materials to include emerging threats and techniques used by adversaries. - Ensure all employees complete periodic refresher courses to stay informed.

Emphasize Real-World Scenarios:

- Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering. - Discuss how specific employee actions can prevent or mitigate such attacks.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Apr 14, 2026, 22:53 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 5e828e23781ecbdd...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`5e828e23781e…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Proofpoint TA427 April 2024

Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.
Open source URL
[2]
SE SentinelOne 2

SentinelOne. (2025, August 19). 15 Types of Social Engineering Attacks. Retrieved April 15, 2026.
Open source URL
[3]
SE - Hackers Target Workday

David Jones. (2025, August 19). Hackers target Workday in social engineering attack. Retrieved April 15, 2026.
Open source URL
[4]
SE Proofpoint

Proofpoint. (n.d.). What Is Social Engineering?. Retrieved April 15, 2026.
Open source URL
[5]
SE SentinelOne

SentinelOne. (2023, October 19). Social Engineering Attacks | How to Recognize and Resist The Bait. Retrieved April 15, 2026.
Open source URL
[6]
Fortinet Trends 25-26

Fortinet. (n.d.). Recent Cyber Attacks & Emerging Cybersecurity Trends. Retrieved April 15, 2026.
Open source URL
[7]
mitre-attack T1684
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams