MITRE ATT&CK Technique
Reconnaissance T1591
Description

Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

Supported Platforms
PRE
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2020-10-02T16:27:02.339Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': "Adversaries may gather information about the victim's "
                'organization that can be used during targeting. Information '
                'about an organization may include a variety of details, '
                'including the names of divisions/departments, specifics of '
                'business operations, as well as the roles and '
                'responsibilities of key employees.\n'
                '\n'
                'Adversaries may gather this information in various ways, such '
                'as direct elicitation via [Phishing for '
                'Information](https://attack.mitre.org/techniques/T1598). '
                'Information about an organization may also be exposed to '
                'adversaries via online or other accessible data sets (ex: '
                '[Social Media](https://attack.mitre.org/techniques/T1593/001) '
                'or [Search Victim-Owned '
                'Websites](https://attack.mitre.org/techniques/T1594)).(Citation: '
                'ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) '
                'Gathering this information may reveal opportunities for other '
                'forms of reconnaissance (ex: [Phishing for '
                'Information](https://attack.mitre.org/techniques/T1598) or '
                '[Search Open '
                'Websites/Domains](https://attack.mitre.org/techniques/T1593)), '
                'establishing operational resources (ex: [Establish '
                'Accounts](https://attack.mitre.org/techniques/T1585) or '
                '[Compromise '
                'Accounts](https://attack.mitre.org/techniques/T1586)), and/or '
                'initial access (ex: '
                '[Phishing](https://attack.mitre.org/techniques/T1566) or '
                '[Trusted '
                'Relationship](https://attack.mitre.org/techniques/T1199)).',
 'external_references': [{'external_id': 'T1591',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1591'},
                         {'description': 'Seals, T. (2020, October 15). '
                                         'Broadvoice Leak Exposes 350M '
                                         'Records, Personal Voicemail '
                                         'Transcripts. Retrieved October 20, '
                                         '2020.',
                          'source_name': 'ThreatPost Broadvoice Leak',
                          'url': 'https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/'},
                         {'description': 'U.S. SEC. (n.d.). EDGAR - Search and '
                                         'Access. Retrieved November 17, 2024.',
                          'source_name': 'SEC EDGAR Search',
                          'url': 'https://www.sec.gov/edgar/search/'}],
 'id': 'attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'reconnaissance'}],
 'modified': '2025-10-24T17:49:06.846Z',
 'name': 'Gather Victim Org Information',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['PRE'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (6)
FIN7
High
Volt Typhoon
High
Lazarus Group
High
Kimsuky
High
Moonstone Sleet
High
View All 6 Actors
Back to TTPs
Dashboard About