Preparation
Account Creation
AI-Assisted Capability Development
Archive Data
Authorization Token Staging
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
- Bypassing Network Segmentation
- Downgrading Microsoft Information Protection (MIP) labels
- Impairing a Security Agent
- Impairing an Anti-Virus Solution
- Modifying a Cloud-Based Firewall
- Modifying a Host-Based Firewall
- Modifying a Network-Based Firewall
- Unauthorized Manipulation of Anti-Virus Exclusions
- Uninstalling a Security Agent
- Uninstalling an Anti-Virus Solution
Credential Collection
Data Deobfuscation
Data Obfuscation
Data Staging
Delegated Preparation via Artificial Intelligence Agents
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Hardware-Based Remote Access (IP-KVM)
Impersonation
Increase Privileges
IT Ticketing System Exploration
Joiner
Media Capture via External Device
Mover
Network Scanning
Observational Information Gathering
On-Screen Data Collection
Oversight Circumvention and Control Degradation
Persistent Access via Bots
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Remote Desktop (RDP)
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installation of Dark Web-Capable Browsers
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
Testing Security Controls
VPN Usage
- ID: PR022
- Created: 26th July 2024
- Updated: 07th July 2026
- MITRE ATT&CK®: T1566T1566.001T1566.002T1566.003T1566.004
- Contributor: The ITM Team
Social Engineering (Outbound)
A subject deceptively manipulates and/or persuades others in order to gain access to devices, systems or services that hold sensitive information, or to otherwise cause harm or undermine a target organization.
Subsections (4)
| ID | Name | Description |
|---|---|---|
| PR022.001 | Outbound Social Engineering via Email | A subject uses email to deceive, manipulate, or persuade another person into disclosing information, performing an action, approving a request, or enabling access that may support a later infringement. The subject may send messages from a corporate mailbox, personal account, spoofed address, compromised account, or third-party service in order to create a convincing pretext.
This behavior may involve impersonating a colleague, manager, vendor, customer, service provider, or trusted authority. The subject may use urgency, confidentiality, procedural familiarity, or organizational context to influence the recipient’s decision-making. The intended outcome may include obtaining credentials, internal process information, sensitive documents, access approvals, financial changes, or other information or actions that prepare the subject for further misuse. |
| PR022.004 | Outbound Social Engineering via In-Person Interaction | A subject uses direct face-to-face interaction to deceive, manipulate, pressure, or persuade another person into disclosing information, granting access, overlooking a control, or performing an action that may support a later infringement. This behavior may occur in offices, reception areas, secure facilities, shared workspaces, events, meetings, or other physical environments where the subject can influence another person through direct conversation.
This behavior may involve impersonation, confidence-building, exploitation of familiarity, false authority, urgency, distraction, or procedural manipulation. The subject may target reception staff, security personnel, colleagues, managers, contractors, vendors, or visitors depending on the access or information required. The intended outcome may include physical entry, badge-assisted access, disclosure of internal procedures, access approval, document retrieval, system use, or the weakening of a control through interpersonal influence. |
| PR022.003 | Outbound Social Engineering via SMS or Messaging | A subject uses SMS, mobile messaging, or collaboration messaging platforms to deceive, manipulate, or persuade another person into disclosing information, clicking a link, approving access, moving a conversation to another channel, or performing an action that may support a later infringement. This may involve corporate messaging tools, personal messaging applications, mobile numbers, or externally hosted communication services.
This behavior may exploit the informal, immediate, and trusted nature of messaging channels. The subject may rely on urgency, familiarity, limited message context, or out-of-band communication to reduce scrutiny and influence the recipient’s response. The intended outcome may include credential capture, information disclosure, access approval, link interaction, process bypass, or coordination of activity outside formal organizational workflows. |
| PR022.002 | Outbound Social Engineering via Voice | A subject uses voice communication to deceive, pressure, or persuade another person into disclosing information, changing a control, approving access, or taking an action that may support a later infringement. This may occur through corporate telephony, mobile calls, voice over IP services, conference platforms, helpdesk calls, or external calling infrastructure.
This behavior may involve impersonation, false authority, urgency, familiarity, or procedural manipulation. The subject may contact service desk personnel, administrators, reception staff, colleagues, vendors, or other individuals who can influence access, identity verification, physical entry, operational processes, or administrative controls. The intended outcome may include account recovery, password reset assistance, disclosure of internal procedures, access approval, security exception handling, or other enabling action. |
Preventions (1)
Detections (2)
MITRE ATT&CK® Mapping (5)
ATT&CK Enterprise Matrix Version 19.1