EXPLORE
← Back to Explore
T1656

Impersonation

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Establ...

LinuxmacOSOffice SuiteSaaSWindows
223
Detections
2
Sources
8
Threat Actors

BY SOURCE

222sublime1elastic

PROCEDURES (58)

Email Security21 detections

Auto-extracted: 21 detections for email security

Impersonat17 detections

Auto-extracted: 17 detections for impersonat

Email16 detections

Auto-extracted: 16 detections for email

Service14 detections

Auto-extracted: 14 detections for service

Attachment13 detections

Auto-extracted: 13 detections for attachment

Suspicious12 detections

Auto-extracted: 12 detections for suspicious

Impersonat10 detections

Auto-extracted: 10 detections for impersonat

Network Connection Monitoring9 detections

Auto-extracted: 9 detections for network connection monitoring

General Monitoring9 detections

Auto-extracted: 9 detections for general monitoring

Email8 detections

Auto-extracted: 8 detections for email

Authentication Monitoring7 detections

Auto-extracted: 7 detections for authentication monitoring

Phish6 detections

Auto-extracted: 6 detections for phish

Suspicious5 detections

Auto-extracted: 5 detections for suspicious

Attachment5 detections

Auto-extracted: 5 detections for attachment

Impersonat4 detections

Auto-extracted: 4 detections for impersonat

Bypass4 detections

Auto-extracted: 4 detections for bypass

Suspicious4 detections

Auto-extracted: 4 detections for suspicious

Credential4 detections

Auto-extracted: 4 detections for credential

Remote3 detections

Auto-extracted: 3 detections for remote

Office3 detections

Auto-extracted: 3 detections for office

Cloud2 detections

Auto-extracted: 2 detections for cloud

Unusual2 detections

Auto-extracted: 2 detections for unusual

Attachment2 detections

Auto-extracted: 2 detections for attachment

Attachment2 detections

Auto-extracted: 2 detections for attachment

Credential2 detections

Auto-extracted: 2 detections for credential

Phish2 detections

Auto-extracted: 2 detections for phish

Service2 detections

Auto-extracted: 2 detections for service

Phish2 detections

Auto-extracted: 2 detections for phish

Aws2 detections

Auto-extracted: 2 detections for aws

Attachment2 detections

Auto-extracted: 2 detections for attachment

Service1 detections

Auto-extracted: 1 detections for service

Http1 detections

Auto-extracted: 1 detections for http

Http1 detections

Auto-extracted: 1 detections for http

Credential1 detections

Auto-extracted: 1 detections for credential

Unusual1 detections

Auto-extracted: 1 detections for unusual

Token1 detections

Auto-extracted: 1 detections for token

Service1 detections

Auto-extracted: 1 detections for service

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Credential1 detections

Auto-extracted: 1 detections for credential

Unusual1 detections

Auto-extracted: 1 detections for unusual

Evasion1 detections

Auto-extracted: 1 detections for evasion

Evasion1 detections

Auto-extracted: 1 detections for evasion

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Token1 detections

Auto-extracted: 1 detections for token

Phish1 detections

Auto-extracted: 1 detections for phish

Cloud1 detections

Auto-extracted: 1 detections for cloud

Bypass1 detections

Auto-extracted: 1 detections for bypass

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Remote1 detections

Auto-extracted: 1 detections for remote

Service1 detections

Auto-extracted: 1 detections for service

Email1 detections

Auto-extracted: 1 detections for email

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Attachment1 detections

Auto-extracted: 1 detections for attachment

Office1 detections

Auto-extracted: 1 detections for office

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Service Monitoring1 detections

Auto-extracted: 1 detections for service monitoring

Unusual1 detections

Auto-extracted: 1 detections for unusual

Bypass1 detections

Auto-extracted: 1 detections for bypass

DETECTIONS (223)

Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
sublimemedium
AnonymousFox indicators
sublimehigh
Attachment: Calendar file with invisible Unicode characters
sublimehigh
Attachment: Calendar invite with Google redirect and invoice request
sublimemedium
Attachment: Canva PDF with susupicious author metadata
sublimehigh
Attachment: Credit card application with WhatsApp contact
sublimemedium
Attachment: Duplicated header pages in fraudulent multi-page PDF Request for Quotation
sublimemedium
Attachment: EML with Sharepoint link likely unrelated to sender
sublimemedium
Attachment: Encrypted zip file with payment-related lure
sublimemedium
Attachment: Fake lawyer & sports agent identities
sublimehigh
Attachment: Fictitious invoice using LinkedIn's address
sublimemedium
Attachment: ICS calendar file with suspicious UID domain
sublimemedium
Attachment: ICS file with meeting prefix
sublimehigh
Attachment: ICS with employee policy review lure
sublimehigh
Attachment: Invoice and W-9 PDFs with suspicious creators
sublimehigh
Attachment: Legal themed message or PDF with suspicious indicators
sublimemedium
Attachment: Link to Doubleclick.net open redirect
sublimemedium
Attachment: PDF bid/proposal lure with credential theft indicators
sublimemedium
Attachment: PDF contains W9 or invoice YARA signatures
sublimemedium
Attachment: PDF file with link to fake Bitcoin exchange
sublimelow
Attachment: PDF file with recipient domain and ATT eCheckRun pattern
sublimemedium
Attachment: PDF generated with wkhtmltopdf tool and default title
sublimelow
Attachment: PDF Object Hash associated with a fake invoice and a W-9
sublimehigh
Attachment: PDF with fake invoice using suspicious font sizing
sublimemedium
Attachment: PDF with self-service platform links with self sender or blank recipients
sublimemedium
Attachment: PDF with specific W-9 lure
sublimemedium
Attachment: PDF with suspicious internal object reference identifier
sublimemedium
Attachment: PDF with W-9 form indicators
sublimehigh
Attachment: RFP/RFQ impersonating government entities
sublimehigh
Attachment: Romance scam with image lure and advance-fee or suspicious link indicators
sublimemedium
Attachment: USDA bid invitation impersonation
sublimemedium
BEC with unusual reply-to or return-path mismatch
sublimehigh
BEC: Employee impersonation with subject manipulation
sublimehigh
BEC: Executive coaching vendor impersonation
sublimemedium
BEC: Financial fraud from newly registered sender domain
sublimemedium
BEC/Fraud: Fake investment outreach from suspicious TLD
sublimemedium
BEC/Fraud: Generic scam attempt to undisclosed recipients
sublimelow
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
sublimemedium
BEC/Fraud: Penpal scam
sublimemedium
BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
sublimemedium
BEC/Fraud: Romance scam
sublimemedium
BEC/Fraud: Scam lure with freemail pivot
sublimelow
BEC/Fraud: Student loan callback phishing
sublimemedium
BEC/Fraud: Unsolicited business acquisition offer
sublimemedium
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
sublimemedium
Body: Embedded email headers indicative of thread hijacking/abuse
sublimemedium
Body: Invisible Unicode obfuscation student loan callback phishing
sublimemedium
Body: PayApp transaction reference pattern
sublimemedium
Body: Yellow highlighted text markers
sublimelow
Brand impersonation: AARP
sublimemedium
Brand impersonation: Aquent
sublimemedium
Brand impersonation: Aramco
sublimemedium
Brand impersonation: AuthentiSign
sublimemedium
Brand impersonation: Canada Revenue Agency
sublimemedium
Brand impersonation: Enbridge
sublimemedium
Brand impersonation: Fake procurement/RFQ PDF from energy and industrial companies
sublimehigh
Brand impersonation: Interac
sublimemedium
Brand impersonation: Internal Revenue Service
sublimehigh
Brand impersonation: Mailgun
sublimemedium
Brand impersonation: McAfee
sublimemedium
Brand impersonation: MetaMask
sublimehigh
Brand impersonation: Microsoft logo or suspicious language with open redirect
sublimehigh
Brand Impersonation: Procore
sublimemedium
Brand impersonation: Purdue ePlanroom with suspicious links
sublimemedium
Brand impersonation: QuickBooks dispute notification
sublimehigh
Brand impersonation: QuickBooks notification from Intuit themed company name
sublimemedium
Brand impersonation: Robert Half
sublimemedium
Brand impersonation: SendGrid
sublimemedium
Brand impersonation: Social Security Administration
sublimemedium
Brand impersonation: Trust Wallet
sublimehigh
Brand impersonation: UK government Home Office
sublimehigh
Brand impersonation: Vanguard
sublimemedium
Brand impersonation: WeTransfer
sublimehigh
Business Email Compromise (BEC) attempt from unsolicited sender
sublimemedium
Business Email Compromise (BEC) attempt from untrusted sender
sublimemedium
Business Email Compromise (BEC) attempt from untrusted sender (French/Français)
sublimemedium
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)
sublimemedium
Business Email Compromise (BEC) with request for mobile number
sublimemedium
Business Email Compromise: Request for mobile number via reply thread hijacking
sublimemedium
Callback phishing via Zelle Service Abuse
sublimemedium
Callback phishing: SumUp infrastructure abuse
sublimehigh
Canva infrastructure abuse
sublimemedium
COVID-19 themed fraud with sender and reply-to mismatch or compensation award
sublimemedium
Credential phishing: Generic document share with unicode and proceedural greeting template
sublimelow
Credential phishing: Generic document sharing
sublimemedium
Credential phishing: Tax form impersonation with payment request
sublimemedium
Display Name Emoji with Financial Symbols
sublimelow
DocuSign impersonation via CloudHQ links
sublimemedium
Employee impersonation with urgent request (untrusted sender)
sublimemedium
Employee impersonation: Payroll fraud
sublimehigh
Encrypted Microsoft Office files from untrusted sender
sublimemedium
Entra ID OAuth user_impersonation Scope for Unusual User and Client
elasticmedium
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
sublimehigh
Fake message thread - Untrusted sender with a mismatched freemail reply-to address
sublimemedium
Fake request for tax preparation
sublimehigh
Fake thread with suspicious indicators
sublimemedium
Fake warning banner using confusable characters
sublimemedium
File sharing link with a suspicious subject
sublimemedium
Fraudulent e-commerce operators
sublimehigh
Fraudulent order confirmation/shipping notification from Chinese sender domain
sublimemedium
Free email provider sender with mismatched provider reply-to
sublimemedium
Generic service abuse from newly registered domain
sublimehigh
Headers: Fake in-reply-to with wildcard sender and missing thread context
sublimehigh
Headers: Invalid recipient domain with mismatched reply-to from new sender
sublimemedium
Headers: iOS/iPadOS mailer with invalid build number
sublimemedium
Headers: Outlook Express mailer
sublimemedium
Headers: System account impersonation with empty sender address
sublimemedium
Headers: X-Source-Auth mismatch with mismatched reply-to domain
sublimehigh
Honorific greeting BEC attempt with sender and reply-to mismatch
sublimelow
HR impersonation via e-sign agreement comment
sublimehigh
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
sublimemedium
HTML: Template placeholders or recipient email in element class attributes
sublimehigh
Impersonation: Australian Federal Police with criminal case language
sublimehigh
Impersonation: Employee name in subject with suspicious sender
sublimemedium
Impersonation: Employee using fabricated identity in initial contact
sublimehigh
Impersonation: Executive using numbered local part
sublimehigh
Impersonation: Fake product discount promotion
sublimemedium
Impersonation: Human Resources with link or attachment and engaging language
sublimemedium
Impersonation: Legal firm with copyright infringement notice
sublimemedium
Impersonation: Suspected supplier impersonation with suspicious content
sublimehigh
Investor solicitation with organization targeting
sublimemedium
Job scam (unsolicited sender)
sublimelow
Job scam with specific salary pattern
sublimelow
Link abuse: Self-service creation platform link with suspicious recipient behavior
sublimehigh
Link: Apple App Store malicious ad manager themed apps from free email provider
sublimemedium
Link: BEC with newly registered domains and financial keywords
sublimemedium
Link: Breely link masquerading as PDF
sublimehigh
Link: Cryptocurrency fraud with suspicious links
sublimehigh
Link: Display text matches subject line
sublimemedium
Link: File sharing impersonation with suspicious language and sending patterns
sublimemedium
Link: Generic financial document with proceedural timeline template
sublimemedium
Link: Google Drawings link from new sender
sublimemedium
Link: Hotel booking spoofed display URL
sublimemedium
Link: Invoice or receipt from freemail sender with customer service number
sublimelow
Link: Remittance payment request with timeline template
sublimemedium
Link: RFI document reference pattern in display text
sublimemedium
Link: Self-sent message with quarterly document review request
sublimecritical
Link: Self-sent PDF lure with subject correlation
sublimemedium
Link: Shortened URL with fragment matching subject
sublimemedium
Link: Tax document lure Portuguese/Spanish with suspicious domains
sublimemedium
Link: URL scheme obfuscation via split HTML anchors
sublimehigh
Link: WordPress login page with Blogspot Binance scam
sublimemedium
Lookalike sender domain (untrusted sender)
sublimehigh
Mass Outbound Group With Free File Host Domain
sublimemedium
Microsoft infrastructure abuse with suspicious patterns
sublimehigh
Mismatched links: Free file share with urgent language
sublimemedium
Newly registered sender or reply-to domain with newly registered linked domain
sublimemedium
Observed IOC: Malicious reply-to domains
sublimehigh
Observed IOC: Malicious reply-to email addresses
sublimehigh
Observed IOC: Malicious reply-to root domains
sublimehigh
Observed IOC: Malicious sender domains
sublimehigh
Observed IOC: Malicious sender email addresses
sublimehigh
Observed IOC: Malicious sender root domains
sublimehigh
Open redirect: Mailtrack Korea
sublimemedium
PayPal invoice abuse
sublimemedium
Potential prompt injection attack in body HTML
sublimehigh
Reconnaissance: Email address harvesting attempt
sublimemedium
Reconnaissance: Empty subject with mismatched reply-to from new sender
sublimemedium
Reconnaissance: Fake real estate inquiry with empty body
sublimemedium
Reconnaissance: Hotel booking reply-to redirect
sublimemedium
Reconnaissance: Short generic greeting message
sublimemedium
Recruitee Infrastructure Abuse
sublimehigh
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
sublimemedium
Russia return-path TLD (untrusted sender)
sublimelow
Scam soliciting employer review/rating
sublimelow
Scam: Fake estate sale offering welding equipment and tools
sublimehigh
Scam: Piano giveaway
sublimemedium
Sender: IP address in local part
sublimemedium
Service abuse: Adobe legitimate domain with document approval language
sublimemedium
Service abuse: Adobe Sign notification from an unsolicited reply-to address
sublimemedium
Service Abuse: Box file sharing with credential phishing intent
sublimemedium
Service abuse: Cisco secure email service with financial request
sublimehigh
Service abuse: Citrix ShareFile impersonation via Outlook plugin
sublimemedium
Service abuse: DocSend share from newly registered domain
sublimehigh
Service abuse: DocuSign notification with suspicious sender or document name
sublimemedium
Service abuse: Domains By Proxy sender
sublimemedium
Service abuse: Dropbox share from an unsolicited reply-to address
sublimemedium
Service abuse: Dropbox share from new domain
sublimemedium
Service abuse: Dropbox share with suspicious sender or document name
sublimemedium
Service Abuse: ExactTarget with suspicious sender indicators
sublimehigh
Service abuse: Formester with suspicious link behavior
sublimemedium
Service abuse: Google classroom solicitation
sublimemedium
Service abuse: Google Drive share from an unsolicited reply-to address
sublimemedium
Service abuse: Google Drive share from new reply-to domain
sublimemedium
Service Abuse: HelloSign share with suspicious sender or document name
sublimemedium
Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail
sublimehigh
Service abuse: Nylas tracking subdomain with suspicious content
sublimemedium
Service abuse: Payoneer callback scam
sublimemedium
Service abuse: QuickBooks notification from new domain
sublimemedium
Service abuse: QuickBooks notification with suspicious comments
sublimemedium
Service abuse: Recruiting with suspicious language patterns from legitimate platforms
sublimemedium
Service abuse: Roomsy with unrelated body content
sublimemedium
Service abuse: SendThisFile with credential theft and financial language
sublimemedium
Sharepoint link likely unrelated to sender
sublimemedium
Spam/fraud: Predatory journal/research paper request
sublimemedium
Stripe invoice abuse
sublimemedium
Suspected lookalike domain with suspicious language
sublimemedium
Suspicious display name: Gmail sender with engaging language
sublimelow
Suspicious DocuSign share from new domain
sublimehigh
Suspicious Links to Cloudflare R2 and Edge Services
sublimemedium