ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PV049
  • Created: 23rd April 2025
  • Updated: 23rd April 2025
  • Platforms: Windows, Linux, MacOS,
  • Contributor: The ITM Team

Managerial Approval

The process for having software installed on a corporate endpoint by IT should require approval from the employee's line manager to ensure the request is legitimate and appropriate.

Sections

ID Name Description
PR010Software or Access Request

A subject may make a request for software (such as an RDP, SSH or FTP client) or access (such as USB mass storage device access) to be installed or enabled on a target system, to facilitate the infringement.

PR027.002Impersonation via Collaboration and Communication Tools

The subject creates, modifies, or misuses digital identities within internal communication or collaboration environments—such as email, chat platforms (e.g., Slack, Microsoft Teams), or shared document spaces—to impersonate trusted individuals or roles. This tactic is used to gain access, issue instructions, extract sensitive data, or manipulate workflows under the guise of legitimacy.

 

Impersonation in this context can be achieved through:

  • Lookalike email addresses (e.g., spoofed domains or typo squatting).
  • Cloned display names in collaboration tools.
  • Shared calendar invites or chats initiated under false authority.
  • Use of compromised or unused accounts from real employees, contractors, or vendors.

 

The impersonation may be part of early-stage insider coordination, privilege escalation attempts, or subtle reconnaissance designed to map workflows, bypass controls, or test detection thresholds.

 

Example Scenarios:

  • A subject registers a secondary internal email alias (john.smyth@corp-secure.com) closely resembling a senior executive and uses it to request financial data from junior employees.
  • A subject joins a sensitive Slack channel using a display name that mimics another department member and quietly monitors ongoing discussions related to mergers and acquisitions activity.
  • A compromised service account is used by an insider to initiate SharePoint document shares with external parties, appearing as a legitimate internal action.
  • The subject impersonates an IT support contact via Teams or email to socially engineer MFA tokens or password resets.