T1598: Phishing for Information
Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.
All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.
Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.[1][2][3][4][5] Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.[6]
Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by Email Spoofing[7] the identity of the sender, which can be used to fool both the human recipient as well as automated security tools.[8]
Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).[9][10]
Analyst context for executives and security teams
Phishing for Information is reconnaissance-stage social engineering aimed at getting people to reveal credentials or other useful targeting data, rather than immediately running malware. For leaders, the risk is that an incident may begin before endpoint alerts exist: the decisive evidence is often in email, messaging, identity, help desk, or voice-channel records and in how quickly users report suspicious requests.
Executive priority
Prioritize this as a business-resilience and identity-risk issue, not only an email-security issue. The ATT&CK object ties the behavior to credential harvesting, spoofed senders, third-party services, attachments, links, and voice/callback lures. Executives should ask whether the organization can prove training effectiveness, preserve message and call evidence, identify spoofing or compromised-account abuse, and respond when sensitive information may have been disclosed. ATT&CK also maps use of this technique to multiple named groups, which supports threat-informed prioritization without implying current exposure.
Technical view
T1598 is an enterprise reconnaissance technique on the PRE platform. MITRE provides no official detection text, but a related detection strategy, DET0823, exists. SOC and IR teams should validate coverage across the subtechnique patterns: spearphishing via service, attachment, link, and voice. Focus on evidence that shows solicitation of credentials or actionable information, sender impersonation or spoofing, urgent repeated requests, suspicious links or attachments, callback phone numbers, and possible mailbox manipulation such as hiding rules or header/metadata changes from compromised accounts.
Likely telemetry
- Inbound and outbound email message metadata, headers, authentication results, and sender/display-name details
- Email security gateway or mail platform logs for links, attachments, spoofing indicators, and user-reported messages
- Collaboration, instant messaging, and third-party service message logs where available
- Web proxy, DNS, and browser telemetry for visits to suspected credential collection pages referenced in messages
- Identity and cloud email audit logs, including OAuth application activity and mailbox rule changes where applicable
Detection direction
- Because MITRE does not provide official detection guidance for this object, validate local detections against DET0823 and the four listed subtechniques rather than assuming email-only coverage.
- Tune for phishing that seeks disclosure of information without malware execution; endpoint detections alone may miss the reconnaissance objective.
- Correlate suspicious messages with identity events, mailbox rule changes, OAuth application activity, and user reports to distinguish credential-harvesting or account-abuse preparation from ordinary spam.
- Review false positives around legitimate urgent business requests, third-party services, and help desk workflows; detections should preserve context for analyst review rather than rely only on single keywords.
- Include voice/callback and messaging channels in incident intake, since ATT&CK explicitly includes phone-number lures and electronic conversations beyond email.
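The detection direction above asks for context-preserving triage of a reported message (authentication results, sender impersonation, urgency, credential solicitation, callback numbers) correlated with mailbox rule changes. The following is an added Python example written for this page; it is not MITRE's code, not part of the ATT&CK object, and not Glexia's tooling. It assumes a constructed organisational context (ORG_DOMAINS, PERSONA_WORDS), illustrative scoring weights, a sample message and audit events that are constructed rather than captured, and an audit operation label of "New-InboxRule" for rule creation, which you would map to whatever your mail platform actually logs.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisational context (assumption for this example): the domains the
# organisation really sends from, and the personas a lure is most likely to borrow.
ORG_DOMAINS = {"example.com"}
PERSONA_WORDS = ("helpdesk", "help desk", "it support", "service desk", "example")

AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|none|permerror|temperror)\b", re.I)
SOLICIT = re.compile(r"(verify|confirm|re-?enter|update|provide)[^.\n]{0,40}?(password|credentials|login|mfa code|w-?2)", re.I)
URGENCY = re.compile(r"(urgent|immediately|within \d+ hours?|final notice|will be suspended)", re.I)
PHONE = re.compile(r"\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}")

# Illustrative weights; tune them against local false-positive review.
WEIGHTS = {"auth_failure": 3, "persona_mismatch": 3, "reply_to_divergence": 2,
           "credential_solicitation": 3, "urgency": 1, "callback_number": 2}
HIDING_WORDS = ("password", "helpdesk", "security", "phish", "suspicious", "hacked")


def _snippet(text, m, pad=25):
    """Return the text around a match so the analyst sees context, not a bare keyword."""
    return text[max(0, m.start() - pad): m.end() + pad].replace("\n", " ").strip()


def triage_message(raw: str) -> dict:
    """Score a raw RFC 5322 message and keep the evidence behind every finding."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload()          # sample messages are single-part text/plain
    findings = []

    # Sender authentication results as stamped by the receiving MTA (one finding, all evidence).
    auth = [m.group(0) for m in AUTH_FAIL.finditer(msg.get("Authentication-Results", ""))]
    if auth:
        findings.append(("auth_failure", ", ".join(auth)))
    # Display name claims an internal persona while the address is external.
    if from_domain not in ORG_DOMAINS and any(w in from_name.lower() for w in PERSONA_WORDS):
        findings.append(("persona_mismatch", f"{from_name!r} sent from {from_domain}"))
    # Replies are steered to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_divergence", f"From {from_domain} but Reply-To {reply_domain}"))
    # Body signals: solicitation of credentials, urgency language, callback number.
    for pattern, name in ((SOLICIT, "credential_solicitation"), (URGENCY, "urgency"),
                          (PHONE, "callback_number")):
        snippets = [_snippet(body, m) for m in pattern.finditer(body)]
        if snippets:
            findings.append((name, " | ".join(snippets)))

    score = sum(WEIGHTS[name] for name, _ in findings)
    verdict = "escalate" if score >= 5 else ("review" if score else "benign")
    return {"from": from_addr, "score": score, "verdict": verdict, "findings": findings}


def is_hiding_rule(event: dict) -> bool:
    """Heuristic for an inbox rule that hides mail: it deletes/moves/marks-read messages
    and either filters on security-related words or has a blank/punctuation-only name."""
    if event.get("operation") != "New-InboxRule":   # operation label is an assumption
        return False
    actions = " ".join(event.get("actions", [])).lower()
    hides = any(a in actions for a in ("delete", "move_to_folder", "mark_as_read"))
    words = " ".join(w for vals in event.get("conditions", {}).values() for w in vals).lower()
    terse_name = not event.get("rule_name", "").strip(" .,-_")
    return hides and (any(k in words for k in HIDING_WORDS) or terse_name)


def hiding_rules_for(recipient: str, events: list) -> list:
    """Correlate a reported message's recipient with their recent inbox-rule changes."""
    return [ev for ev in events
            if ev.get("user", "").lower() == recipient.lower() and is_hiding_rule(ev)]


# --- Constructed sample data (not real traffic or real audit records) ---
SAMPLE = """From: "IT Helpdesk" <helpdesk@examp1e-support.net>
Reply-To: <tickets@mail-relay.example.org>
To: j.doe@example.com
Subject: Action required: password expiry
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e-support.net; dkim=none; dmarc=fail
Content-Type: text/plain

Your mailbox password expires within 2 hours. Please confirm your password
at the portal or call (555) 010-0199 immediately to keep access.
"""

BENIGN = """From: "Alice Example" <alice@example.com>
To: j.doe@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Are you free for lunch on Thursday?
"""

AUDIT_EVENTS = [
    {"time": "2024-05-02T09:14:00Z", "user": "j.doe@example.com", "operation": "New-InboxRule",
     "rule_name": ".", "conditions": {"SubjectContainsWords": ["password", "helpdesk"]},
     "actions": ["move_to_folder:RSS Feeds", "mark_as_read"]},
    {"time": "2024-05-02T10:02:00Z", "user": "alice@example.com", "operation": "New-InboxRule",
     "rule_name": "Newsletters", "conditions": {"From": ["news@vendor.example"]},
     "actions": ["move_to_folder:Newsletters"]},
]

if __name__ == "__main__":
    print(triage_message(SAMPLE)["verdict"], hiding_rules_for("j.doe@example.com", AUDIT_EVENTS))
```

Each finding carries the matched text rather than only a rule name, so a legitimate urgent help-desk request that trips the urgency pattern alone lands in "review" with its context visible instead of being auto-escalated; the rule correlation is what turns a single reported message into evidence of compromised-account abuse.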
Mitigation priorities
- Use M1017 User Training to teach employees and contractors how to recognize, verify, and report requests for credentials or sensitive business information, including urgent messages, spoofed identities, links, attachments, third-party services, and voice callbacks.
- Use M1054 Software Configuration to review security settings for email, collaboration, cloud mail, and related applications so they reduce spoofing, suspicious attachment/link exposure, and compromised-account misuse where supported.
- Sequence controls around reporting and response: make reporting easy, preserve original messages and headers, and define IR actions for suspected disclosure of credentials or other actionable information.
- Periodically test whether training, reporting paths, and configured controls produce usable evidence for SOC triage and compliance documentation.
Analyst notes and limits
Relationship context adds useful scoping: subtechniques cover service, attachment, link, and voice variants; mitigations are User Training and Software Configuration; several ATT&CK groups are mapped as using the technique. Treat those group relationships as threat-intelligence context, not proof of current targeting. The most important local validation question is whether the organization can see and investigate information-seeking social engineering before it becomes a later-stage identity or access incident.
The supplied ATT&CK object has no official detection section and does not provide environment-specific indicators, control settings, or guaranteed telemetry sources. Coverage depends on local email, messaging, identity, cloud, telephony, logging retention, and reporting processes. This take uses only the supplied ATT&CK fields, references, and relationships and does not assert active exploitation or customer exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1598.004 | Spearphishing Voice Sub-technique | Spearphishing Voice subtechnique of this object. |
| Enterprise | T1598.001 | Spearphishing Service Sub-technique | Spearphishing Service subtechnique of this object. |
| Enterprise | T1598.002 | Spearphishing Attachment Sub-technique | Spearphishing Attachment subtechnique of this object. |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | Spearphishing Link subtechnique of this object. |
Groups, software, and campaigns
G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and has used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]
G0128: ZIRCONIUM
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
G1036: Moonstone Sleet
Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | 0eb8f4dadcf5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ThreatPost Social Media Phishing. O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.
[2] TrendMicro Phishing. Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.
[3] PCMag FakeLogin. Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.
[4] Sophos Attachment. Ducklin, P. (2020, October 2). Serious Security: Phishing without links – when phishers bring along their own web pages. Retrieved October 20, 2020.
[5] GitHub Phishery. Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.
[6] Avertium callback phishing. Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK PHISHING. Retrieved February 2, 2023.
[7] Proofpoint-spoof. Proofpoint. (n.d.). What Is Email Spoofing? Retrieved February 24, 2023.
[8] cyberproof-double-bounce. Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing. Retrieved February 24, 2023.
[9] Microsoft OAuth Spam 2022. Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.
[10] Palo Alto Unit 42 VBA Infostealer 2014. Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.
[11] mitre-attack T1598.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.