Cyber Pulse Academy

T1589 · Reconnaissance

Gather Victim Identity Information

Adversaries harvest personal data from LinkedIn, corporate sites, social media, data leaks, WHOIS records, and dark web markets to assemble complete victim profiles...
[Figure: animated "victim profile" diagram. Sources feeding the profile: LinkedIn (name, job, company), corporate website (role, bio, email), social media (interests, location), data leaks (credentials, PII), WHOIS (domain, registrar), dark web (stolen data, dumps). Output: an assembled identity (name, credential, phone, address, title) with a threat-level gauge running LOW / MED / HIGH / CRITICAL.]

Why Gather Victim Identity Information Matters

Gather Victim Identity Information is the reconnaissance technique where adversaries collect personal details about individuals within a target organization: names, emails, credentials, phone numbers, security questions, MFA configurations, and even behavioral patterns. This technique (T1589 in the MITRE ATT&CK framework) sits within the Reconnaissance tactic and serves as the critical intelligence-gathering phase that powers social engineering attacks, spear-phishing campaigns, credential stuffing, business email compromise (BEC), and targeted impersonation. Unlike technical reconnaissance focused on infrastructure, identity reconnaissance exploits the human element, studying people, their roles, their relationships, and their digital footprints to craft highly convincing attacks that bypass technical controls by manipulating trust.


The danger of T1589 lies in its accessibility and scale. Open-source intelligence (OSINT) tools make it trivial to harvest employee data from LinkedIn, corporate websites, social media platforms, data broker services, and breached credential databases. Adversaries cross-reference information from multiple sources to build comprehensive victim dossiers that enable precision-targeted attacks. A threat actor who knows an employee's name, job title, manager's name, recent project, and personal interests can craft a phishing email that is virtually indistinguishable from legitimate internal communication, achieving success rates far above generic campaigns.

  • 60%: identity-based attacks as a share of all cyber incidents in 2024 (Source: SANS)
  • $4.9M: global average data breach cost in 2024, up 10% (Source: Huntress)
  • 95%: data breaches caused by the human element (Source: IBM/Huntress)
  • 3,322: data compromises in 2025 (+5 percentage points) (Source: ITRC 2025)
  • 16%: breaches involving AI; 37% for AI phishing (Source: IBM 2025)

Key Terms & Concepts

Simple Definition

Gather Victim Identity Information (T1589) is a MITRE ATT&CK reconnaissance technique where adversaries systematically collect personal data about individuals associated with a target organization. This includes employee names, email addresses, usernames, credentials, phone numbers, job titles, organizational roles, and security question responses. This intelligence fuels social engineering attacks, phishing campaigns, credential stuffing, and targeted impersonation. The technique encompasses three sub-techniques: T1589.001 (Credentials), T1589.002 (Email Addresses), and T1589.003 (Employee Names), each targeting a specific category of personally identifiable information that attackers can leverage to compromise accounts, deceive employees, or impersonate trusted individuals within the organization.

Everyday Analogy

Imagine a con artist who wants to scam a company. Before making any contact, they spend weeks learning everything about the CEO: where they went to school, who their golf buddies are, what conferences they attend, what their assistant's name is, and even what their dog is called. Armed with all these personal details, they can craft an email that sounds exactly like someone the CEO trusts. That's what T1589 does at digital scale. Adversaries use LinkedIn to learn job titles and reporting structures, social media to discover personal interests and travel plans, data breach databases to find reused passwords, corporate websites to map organizational hierarchies, and WHOIS records to connect employees to domain registrations. The more information an attacker gathers, the more convincing their impersonation becomes, and the harder it is for victims to detect the deception.

Real-World Scenario

👤 NovaTech Solutions: A $3.2M Identity-Driven Attack

Target: NovaTech Solutions, a technology consulting firm with 800 employees.
Key Figure: Rachel Kim, Chief Information Security Officer (CISO), tasked with protecting the organization's digital assets and employee data.

⚠ Before: The Breach

NovaTech employees freely shared personal information on LinkedIn: job titles, departments, reporting chains, and even project details were publicly visible. Corporate directories were publicly accessible through the company website, listing full names, email addresses, phone numbers, and office locations. The company used a predictable email address format, making it trivial for attackers to guess any employee's email address. A sophisticated threat actor spent 3 weeks profiling 50 key employees using OSINT, gathering names, roles, email addresses, personal interests, upcoming travel plans from social media posts, and even vacation schedules from out-of-office auto-replies. They cross-referenced breached credential databases and found that 12 employees had reused passwords across personal and work accounts. Armed with this comprehensive intelligence, the attackers launched a targeted spear-phishing campaign impersonating the CFO, crafting an urgent email about a time-sensitive acquisition deal that tricked an accounts payable clerk into wiring $3.2 million to an overseas account. By the time the fraud was discovered three days later during a routine reconciliation, the money had been dispersed through multiple shell companies and was unrecoverable.

✓ After: Rachel Kim's Response

Rachel implemented a comprehensive identity exposure reduction program across the organization. Corporate directory access was restricted to authenticated internal users only, and public-facing staff listings were removed from the website. She launched mandatory LinkedIn training for all employees, teaching them to limit profile visibility and avoid sharing sensitive organizational details. Email format conventions were randomized for external communications using an alias system, making it significantly harder for attackers to predict email addresses. The company deployed a robust security awareness program featuring quarterly phishing simulations with realistic, personalized phishing tests. Rachel implemented DMARC, DKIM, and SPF email authentication protocols to prevent domain spoofing and impersonation. Most critically, she established a mandatory out-of-band verification process for all wire transfers exceeding $10,000, requiring phone confirmation using pre-registered numbers, not contact information from the email requesting the transfer. Within six months, simulated phishing click rates dropped from 34% to 4%, and zero financial fraud incidents were reported in the following year.

Step-by-Step Defense Guide

01. Conduct an Identity Exposure Audit

Map your organization's digital footprint to understand what information is publicly accessible about your employees.

  • Search LinkedIn, corporate websites, and data broker services for employee names, titles, and contact details
  • Check breached credential databases (Have I Been Pwned, DeHashed) for employee email addresses and passwords
  • Review WHOIS records for domain registrations that may expose employee names and contact information

02. Secure Corporate Directory and Public-Facing Information

Restrict access to internal directories and minimize the personal information available on public-facing platforms.

  • Move corporate directories behind authentication walls; remove public staff listing pages from your website
  • Implement role-based access controls (RBAC) for internal directory services and limit search capabilities
  • Review and sanitize all public documents, press releases, and conference bios that reveal employee details

03. Implement Email Authentication (DMARC/DKIM/SPF)

Prevent adversaries from impersonating your domain and employees in phishing campaigns targeting your organization or partners.

  • Deploy DMARC in enforcement mode (p=reject) to block unauthorized use of your email domain
  • Configure DKIM signing for all outbound email to enable cryptographic verification of message authenticity
  • Implement SPF records with strict alignment to limit which mail servers can send on behalf of your domain
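As an added example (not code from Cyber Pulse Academy), a small linter that checks SPF and DMARC TXT records for the weak settings this step warns about, run on a weak and a hardened pair of constructed records; example.com, the IP range and the mailbox in them are placeholders.

```python
"""Lint SPF and DMARC TXT records for the weaknesses step 03 warns about.
Added example, not code from Cyber Pulse Academy. The records below are
constructed samples; in practice, fetch the TXT records of example.com and
_dmarc.example.com and pass them to the same two functions.
"""

# Constructed: a weak pair and a hardened pair of records.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                "rua=mailto:dmarc-rua@example.com")


def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(record):
    """Return a list of findings; an empty list means the SPF record is sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append("permissive 'all' qualifier: any host may send as the domain")
    elif last == "~all":
        findings.append("softfail '~all': spoofed mail is tagged but usually still delivered")
    return findings


def lint_dmarc(record):
    """Return a list of findings; an empty list means DMARC is enforced and reported."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected (use p=reject)")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: the policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to hunt spoofing with")
    if tags.get("adkim", "r") != "s" or tags.get("aspf", "r") != "s":
        findings.append("relaxed alignment: any subdomain identifier aligns (set adkim=s; aspf=s)")
    return findings
```

Running lint_dmarc on WEAK_DMARC returns four findings and on STRONG_DMARC none; the rua= address is what makes the DMARC report hunting later on this page possible.
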

04. Train Employees on Personal Information Sharing

Build a security-aware culture where employees understand the risks of oversharing personal and professional details online.

  • Conduct mandatory training on LinkedIn privacy settings, social media risks, and digital footprint management
  • Establish clear policies on what information can be shared publicly about job roles, projects, and organizational structure
  • Run periodic social engineering assessments to identify employees who are most vulnerable to pretexting attacks

05. Deploy Social Engineering Detection

Implement technical controls and monitoring to detect and block social engineering attempts that leverage gathered identity information.

  • Deploy AI-powered email security gateways that analyze message content for impersonation and urgency-based manipulation tactics
  • Monitor for brand impersonation and domain spoofing using threat intelligence platforms and DMARC aggregate reports

06. Implement Out-of-Band Verification for Sensitive Transactions

Require secondary verification channels for high-risk actions to prevent fraud even when attackers successfully impersonate trusted individuals.

  • Mandate phone verification using pre-registered numbers (not from the requesting email) for wire transfers exceeding defined thresholds
  • Implement multi-party approval workflows for financial transactions, system changes, and data access requests
  • Create escalation procedures for urgent requests that bypass normal channels, requiring direct manager or security team confirmation

07. Establish a Continuous Monitoring Program

Proactively monitor for leaked credentials, new data exposures, and emerging threats targeting your organization's employees.

  • Subscribe to dark web monitoring services and credential breach notification systems to detect compromised employee accounts early
  • Conduct quarterly OSINT assessments to discover new public exposures of employee identity information
  • Maintain a threat intelligence feed focused on social engineering tactics, techniques, and procedures (TTPs) targeting your industry

Common Mistakes & Best Practices

COMMON MISTAKES
  • Leaving corporate directories publicly accessible: employee names, emails, phone numbers, and job titles displayed on the company website give adversaries a complete organizational map for targeted attacks.
  • Ignoring LinkedIn as an intelligence source: failing to train employees on LinkedIn privacy settings exposes organizational hierarchies, project details, reporting chains, and employee relationships.
  • Using predictable email formats: a fixed, guessable address convention lets attackers enumerate every employee email address and launch credential stuffing or phishing at scale.
  • No DMARC enforcement: operating without DMARC in reject mode (or at all) allows adversaries to spoof your domain in phishing emails targeting employees, partners, and customers.
  • Relying solely on technical controls: assuming that email filters and firewalls alone can prevent identity-based attacks while neglecting security awareness training and out-of-band verification procedures.

BEST PRACTICES
  • Conduct regular identity exposure assessments: perform quarterly OSINT audits to discover and remediate publicly available employee information before adversaries exploit it.
  • Implement DMARC, DKIM, and SPF comprehensively: deploy email authentication in enforcement mode to prevent domain spoofing and make impersonation significantly harder.
  • Train employees on digital footprint hygiene: provide ongoing education about social media risks, LinkedIn privacy settings, and the dangers of sharing organizational details online.
  • Enforce out-of-band verification for high-risk actions: require secondary confirmation through pre-registered channels for financial transfers, credential changes, and sensitive data access.
  • Monitor dark web and breach databases continuously: subscribe to threat intelligence services that alert you when employee credentials or personal data appear in data breaches or underground markets.

Red Team vs Blue Team View

RED TEAM

🔴 Attacker Perspective

For the red team, T1589 is the starting point for virtually every social engineering operation. The attacker's goal is to build the most comprehensive victim dossier possible with the least amount of effort. Red teamers begin with passive reconnaissance: harvesting employee names, titles, and email addresses from LinkedIn, the corporate website, and public directories. They then cross-reference this data with breached credential databases like Have I Been Pwned and DeHashed to find exposed passwords. Social media profiles on Twitter/X, Instagram, and Facebook reveal personal interests, travel schedules, family details, and even pet names commonly used as security question answers. WHOIS records connect employees to domain registrations, and dark web marketplaces provide access to stolen credentials, fullz (complete identity packages), and corporate data dumps. The red team uses this intelligence to craft hyper-personalized spear-phishing emails, pretexting scenarios for vishing (voice phishing) calls, and convincing BEC campaigns. The key metric is information density: how many unique data points can be collected per target employee to maximize the probability of a successful attack.

TYPICAL OSINT TOOLS: Maltego, theHarvester, Sherlock, SpiderFoot, Recon-ng, Holehe, Amass

BLUE TEAM

🔵 Defender Perspective

For the blue team, defending against T1589 requires a dual approach: reducing the information available to attackers (attack surface reduction) and detecting when adversaries are actively gathering intelligence about your organization (threat detection). Blue teamers must continuously audit the organization's public-facing digital footprint: scanning LinkedIn for employee profiles that reveal too much detail, checking corporate websites for exposed directories, monitoring data broker sites that sell employee information, and reviewing WHOIS registrations that tie domain ownership to individual employees. Defenders should implement email authentication (DMARC/DKIM/SPF) to prevent domain spoofing and monitor DMARC reports for unauthorized send attempts. Technical controls include deploying AI-powered email security gateways that detect impersonation attempts, implementing conditional access policies that flag impossible-travel scenarios, and using UEBA (User and Entity Behavior Analytics) to identify anomalous access patterns that may indicate account compromise from credential stuffing. The blue team should also run regular internal social engineering assessments, conduct quarterly phishing simulations with realistic lures based on actual organizational intelligence, and maintain an employee security awareness program that keeps pace with evolving TTPs.

DEFENSE TOOLKIT: DMARC Analyzer, Have I Been Pwned, ZeroFox, Digital Shadows, KnowBe4, Proofpoint TAP, Microsoft Defender

Threat Hunter's Eye

🔎 Hunting for T1589 Indicators

While T1589 itself is a reconnaissance technique that occurs largely outside your network perimeter, threat hunters can detect indicators that an adversary has gathered or is actively gathering identity information about your organization. The key is looking for evidence of reconnaissance activity and the subsequent use of gathered intelligence in attack attempts.

HUNTING QUERIES & INDICATORS:
  • [HIGH] DMARC forensic reports showing spoofed domain send attempts targeting your employees
  • [HIGH] Abnormal spikes in failed login attempts across multiple employee accounts (credential stuffing pattern)
  • [HIGH] Spear-phishing emails containing accurate internal terminology, project names, or org-chart details not commonly known
  • [MED] Unusual VPN or authentication activity from geolocations matching recent employee social media posts about travel
  • [MED] Employee credentials found in fresh data breach dumps correlated with your corporate email domain
  • [MED] Inbound emails spoofing executive identities that pass SPF but fail DKIM alignment checks
  • [LOW] Elevated HTTP requests to public corporate directory pages or employee listing endpoints from unknown IPs
  • [LOW] Web server logs showing systematic enumeration of employee pages (sequential user ID or name pattern scanning)

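As an added example, not from the original page, the credential-stuffing indicator in the table above expressed as detection logic over constructed authentication log lines (the key=value format, usernames and addresses are invented for the demo; map your identity provider's fields into parse_line):

```python
"""Flag the credential-stuffing indicator from the hunting table: one source
failing logins against many distinct accounts inside a short window. Added
example, not code from Cyber Pulse Academy; the log lines and their key=value
format are constructed, so adapt parse_line() to your IdP's fields."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 198.51.100.7 sprays five accounts; 203.0.113.5 is one
# user who mistyped a password twice. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z auth result=fail user=alice.ng src=198.51.100.7
2024-05-02T09:00:03Z auth result=fail user=bob.ruiz src=198.51.100.7
2024-05-02T09:00:04Z auth result=fail user=carol.wu src=198.51.100.7
2024-05-02T09:00:06Z auth result=success user=dave.ok src=198.51.100.7
2024-05-02T09:00:09Z auth result=fail user=erin.lee src=198.51.100.7
2024-05-02T09:00:11Z auth result=fail user=frank.ho src=198.51.100.7
2024-05-02T09:01:00Z auth result=fail user=gina.ma src=203.0.113.5
2024-05-02T09:01:05Z auth result=fail user=gina.ma src=203.0.113.5
2024-05-02T09:01:09Z auth result=success user=gina.ma src=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) auth result=(\w+) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, src), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src


def find_stuffing_sources(log_text, window_s=300, min_accounts=5):
    """Return {src: sorted distinct users} for every source whose failed logins
    hit at least min_accounts different users inside one window_s-second window."""
    failures = defaultdict(list)  # src -> [(ts, user)] for failed logins only
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "fail":
            ts, _, user, src = parsed
            failures[src].append((ts, user))
    hits = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] spans <= window_s.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits
```

The source flagged here also logged one success (dave.ok) in the middle of its failures; a success from a flagged source is the account to reset first, because a reused breached password is the likeliest explanation.
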
HUNTING TIP:

Set up automated alerts for DMARC aggregate and forensic reports. A sudden increase in senders failing DMARC checks for your domain, especially from email services commonly used for business communication, is a strong indicator that an adversary has harvested employee email addresses and is attempting to impersonate your organization. Cross-reference these alerts with LinkedIn changes (new employee profiles, role updates) and recent industry breach disclosures to identify the likely intelligence source.
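As an added example, not the page's own code, a parser for DMARC aggregate (rua) reports that pulls out the sources failing DMARC for your domain, run on a constructed report in the standard RFC 7489 aggregate schema; example.com and the sender domains and addresses in it are placeholders.

```python
"""Summarise a DMARC aggregate (rua) report as the hunting tip suggests: which
sources sent mail as our domain and failed DMARC, and how much of it there was.
Added example, not code from Cyber Pulse Academy. The XML is a constructed
report in the standard RFC 7489 aggregate schema; feed real reports in as text."""
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>mail.example.net</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>12</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def summarise_rua(xml_text):
    """Return (published domain, findings): one dict per DMARC-failing source,
    largest message count first."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    findings = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned identifier (DKIM or SPF) passes.
        if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            continue
        # Raw SPF may still have passed for some other domain: the "passes SPF
        # but fails alignment" indicator from the hunting table.
        raw_spf = rec.find("auth_results/spf")
        spf_passed_raw = raw_spf is not None and raw_spf.findtext("result") == "pass"
        unaligned = raw_spf.findtext("domain") if spf_passed_raw else None
        findings.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": ev.findtext("disposition"),
            "unaligned_spf_domain": unaligned,
        })
    findings.sort(key=lambda f: -f["count"])
    return domain, findings
```

A high-count failing source whose raw SPF passes for a domain you do not own is either a third-party sender nobody authorised or an impersonation attempt, and either way it is where the cross-referencing the tip describes should start.
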

Explore Sub-techniques

Deep Dive into T1589 Sub-techniques

T1589 encompasses three specialized sub-techniques, each targeting a specific category of identity information. Understanding these granular attack methods is essential for building a comprehensive defense strategy against identity-based reconnaissance and the social engineering attacks it enables.
