Severity
MEDIUM
CVSS
5.0
Priority
0.573
Executive Summary
A coordinated fraud campaign attributed primarily to a Chinese threat actor called Ghost Stadium has deployed more than 300 cloned FIFA ticket portals targeting prospective 2026 World Cup attendees worldwide. The campaign harvests financial credentials and sells fraudulent tickets through typosquatting domains, paid Google Search ads, and social media channels including Facebook, Telegram, and WhatsApp. Organizations face reputational and financial risk if employees or customers interact with these sites; enterprise security teams should treat this as an active, ongoing campaign expected to intensify as the 2026 tournament approaches.
Plain & Simple
Here’s what you need to know.
No jargon. Just the basics.
Are you affected?
If you searched for FIFA World Cup 2026 tickets online or clicked a ticket link in a message, you may well have visited a fake site.
What got out
Suspected: payment card details entered on fake ticket sites
Suspected: personal information submitted during fake checkout
Suspected: login credentials created on fraudulent FIFA portals
Do this now
1. Only buy tickets at the official FIFA website; type the address yourself, do not click ads or links.
2. If you entered your card details on any FIFA ticket site, call your bank now and ask them to watch for fraud.
3. If you created an account on a ticket site and used a password you use elsewhere, change that password on every site where you used it.
Watch for these
Emails or texts saying your FIFA ticket order needs payment again.
Unexpected charges on your bank or card statement from unfamiliar names.
Messages on WhatsApp or Facebook offering FIFA tickets at a discount.
Should you worry?
If you did not enter any payment or personal information on a FIFA ticket site, you are likely fine. If you did enter your card details, contact your bank quickly: the sooner you report it, the easier it is to stop any fraud.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
MEDIUM
Medium severity — monitor and assess
Actor Attribution
HIGH
Ghost Stadium
TTP Sophistication
HIGH
7 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
General consumers; no specific software products. Targets interact via fake FIFA web portals, Google Search ads, Facebook, Telegram, and WhatsApp.
Are You Exposed?
⚠ Your industry is targeted by Ghost Stadium → Heightened risk
⚠ Your users fall within the targeted scope (general consumers; no specific software products) → Assess exposure
⚠ 7 attack techniques identified → Review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators.
Business Context
Employees or customers who interact with these fake portals risk losing payment card data and personal credentials to fraud operators, creating direct financial harm and potential liability for the organization if corporate travel bookings are involved. The campaign's use of paid Google Search ads means employees searching for FIFA tickets through normal channels can land on malicious sites without obvious warning signs, increasing exposure across any workforce planning World Cup travel. Organizations with consumer-facing brands adjacent to the 2026 World Cup face secondary reputational risk if their brand is impersonated or if customers associate their name with the fraud.
You Are Affected If
Employees or customers are purchasing or planning to purchase 2026 FIFA World Cup tickets through web searches or social media channels
Your organization has not deployed DNS or web content filtering capable of blocking newly registered typosquatted domains
Security awareness training does not address sponsored search ad fraud or social media-delivered phishing links
Your organization has corporate travel or hospitality programs that involve World Cup event attendance
Brand monitoring is not in place to detect impersonation of your organization's name in FIFA-adjacent fraud campaigns
Board Talking Points
A large-scale fraud campaign operated by a Chinese threat group has deployed 300+ fake FIFA ticketing sites that are actively stealing payment credentials from prospective World Cup attendees, including potentially our employees and customers.
Security teams should deploy DNS blocking for known malicious domains and distribute targeted user awareness guidance to all staff within the next 72 hours, ahead of expected campaign escalation.
Without proactive blocking and awareness measures, employees who book World Cup travel through search or social media risk credential and financial theft, and the organization could face liability or reputational harm if corporate accounts are compromised.
PCI-DSS — campaign directly harvests payment card credentials through fake checkout portals; any employee or customer who entered card data on a fraudulent site may trigger PCI incident notification obligations
Technical Analysis
Ghost Stadium, a Chinese threat actor tracked by Group-IB, operates 300+ typosquatted and cloned domains impersonating official FIFA ticketing infrastructure.
Copycat actors amplify reach through paid Google Search advertisements and social media distribution on Facebook, Telegram, and WhatsApp.
The campaign relies entirely on social engineering and deceptive UI; no software CVEs are associated.
Applicable weaknesses are CWE-345 (Insufficient Verification of Data Authenticity), exploited via brand impersonation and fake portal UIs, and CWE-1021 (Improper Restriction of Rendered UI Layers), exploited through deceptive overlays and iframe-based credential harvesting. MITRE ATT&CK techniques include T1656 (Impersonation), T1583.001 (Acquire Infrastructure: Domains), T1608.005 (Stage Capabilities: Link Target), T1566.002 (Phishing: Spearphishing Link), T1598.003 (Phishing for Information: Spearphishing Link), T1204.001 (User Execution: Malicious Link), and T1071.001 (Application Layer Protocol: Web Protocols). No patch exists; this is a campaign-level threat requiring DNS/web filtering, user awareness, and brand monitoring controls. The campaign is active and assessed to intensify as the tournament approaches.
Action Checklist IR ENRICHED
Triage Priority:
URGENT
Escalate to incident commander and legal counsel if proxy or DNS logs confirm any corporate-device user submitted payment card data or credentials to a Ghost Stadium portal, as this may trigger PCI-DSS breach notification obligations or state-level consumer data breach reporting requirements; also escalate if Ghost Stadium domains are found impersonating your organization's own brand or communications rather than FIFA directly.
Step 1: Containment. Push DNS/web filter block lists for known Ghost Stadium domains to all enterprise DNS resolvers and proxy layers immediately. Source blocklists from threat intelligence feeds and law enforcement advisories. Apply blocks organization-wide, including guest Wi-Fi and VPN exit nodes. Reference NIST SI-4 (System Monitoring) and CIS 4.4/4.5 (Firewall on Servers and End-User Devices).
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy: isolate affected systems and prevent further exposure while preserving evidence
NIST SI-4 (System Monitoring)
NIST SC-7 (Boundary Protection)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 4.5 (Implement and Manage a Firewall on End-User Devices)
Compensating Control
Export Group-IB Ghost Stadium IOC domains and FBI PSA domain list into a flat text file; load into Pi-hole (free, DNS-layer sink) using the 'adlist' feature for immediate enterprise-wide blocking without SIEM. For proxy-layer blocking without a commercial tool, use Squid's 'dstdomain' ACL directive with the same domain list. Confirm block propagation by running: `for domain in $(cat ghost_stadium_iocs.txt); do dig @<internal-resolver-IP> $domain +short; done` — all entries should return NXDOMAIN or sinkhole IP within 15 minutes of deployment.
Preserve Evidence
Before applying blocks, export the current DNS resolver query logs (Windows DNS Server: %SystemRoot%\System32\dns\dns.log; BIND: /var/log/named/queries.log; pfSense/OPNsense: /var/log/resolver.log) covering the prior 30 days to capture any pre-block resolutions of Ghost Stadium typosquatted domains such as fif4tickets[.]com variants. Also export proxy access logs (Squid: /var/log/squid/access.log; Zscaler or Bluecoat: export filtered by FIFA-themed URL patterns) before the block list is applied so that historical reach-back connections are preserved for victim identification.
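As an added example, not part of this advisory nor of Group-IB's or the FBI's published material, the script below turns a defanged IOC feed (the fif4tickets[.]com style used on this page) into the two block-list formats the compensating control names: a plain domain list for Pi-hole's adlist feature and a dstdomain ACL for Squid. The feed contents are constructed, the ghost_stadium ACL name is a placeholder, and fifa.com is assumed to be the only official property that must never be blocked.

```python
import re

# Constructed IOC feed in the defanged form used in this advisory; not Group-IB's real list.
SAMPLE_IOC_FEED = """\
# Ghost Stadium typosquat candidates (constructed examples)
fif4tickets[.]com
hxxp://fifaworldcup2026[.]net/tickets
https://www.fifa.com/tickets   # official property, must not be blocked
fifa-2026-tickets[.]shop
FIF4TICKETS[.]COM
not a domain!!
"""

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
OFFICIAL_DOMAINS = {"fifa.com"}  # assumption: the only allowlisted origin


def refang(indicator):
    """Turn hxxp://x[.]y defanging back into a plain string."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def extract_host(s):
    """Hostname from a bare domain or URL, lowercased; None if it is not a valid name."""
    s = re.sub(r"^https?://", "", s, flags=re.IGNORECASE)
    host = s.split("/", 1)[0].split(":", 1)[0].lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    return host


def is_official(host):
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def parse_ioc_feed(text):
    """Yield unique validated hosts; skip comments, garbage lines and official FIFA properties."""
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host = extract_host(refang(line))
        if host is None or is_official(host) or host in seen:
            continue
        seen.add(host)
        yield host


def pihole_list(hosts):
    """One domain per line, the plain-list format Pi-hole adlists accept."""
    return "\n".join(hosts) + "\n"


def squid_acl(hosts, acl_name="ghost_stadium"):
    """Squid dstdomain ACL plus a deny rule; the leading dot also matches subdomains."""
    acl = f"acl {acl_name} dstdomain " + " ".join("." + h for h in hosts)
    return f"{acl}\nhttp_access deny {acl_name}\n"


if __name__ == "__main__":
    blocked = list(parse_ioc_feed(SAMPLE_IOC_FEED))
    print("# Pi-hole adlist\n" + pihole_list(blocked))
    print("# squid.conf fragment\n" + squid_acl(blocked))
```

Write the Pi-hole output to a file served over HTTP (or drop it into a local list) and the Squid fragment into squid.conf ahead of any http_access allow rules, then run the dig loop from the compensating control to confirm each name now returns NXDOMAIN or the sinkhole address.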
Step 2: Detection. Query proxy and DNS logs for outbound connections to FIFA-themed domains registered after January 2025, particularly those with typosquatted patterns (e.g., fif4tickets[.]com, fifaworldcup2026[.]net variants). Flag traffic originating from Google Ads redirect chains to unknown FIFA-branded URLs. Monitor endpoint security logs for users who clicked links delivered via WhatsApp Web or Telegram Desktop clients. Reference NIST AU-6 (Audit Record Review, Analysis, and Reporting) and CIS 8.2 (Collect Audit Logs).
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: correlate indicators across log sources to scope victim population and confirm malicious activity
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-2 (Event Logging)
NIST AU-3 (Content of Audit Records)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without SIEM, run this PowerShell one-liner against Windows DNS debug logs to surface Ghost Stadium-pattern resolutions: `Select-String -Path 'C:\Windows\System32\dns\dns.log' -Pattern '(?i)(fifa|worldcup|ticket).*(2026|wc26|cup26)' | Where-Object { $_ -match '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' } | Export-Csv ghost_stadium_dns_hits.csv`. For browser-delivered links from WhatsApp Web or Telegram Desktop, check Windows Security Event Log Event ID 4688 (Process Creation) for chrome.exe or msedge.exe with command-line arguments containing the suspicious domains: `Get-WinEvent -FilterHashtable @{LogName='Security';Id=4688} | Where-Object { $_.Message -match 'fif.*ticket|worldcup2026' }` (4688 records carry the command line only when the audit policy "Include command line in process creation events" is enabled; without it this query returns nothing). On Linux endpoints, grep Chrome history: `sqlite3 ~/.config/google-chrome/Default/History 'SELECT url, last_visit_time FROM urls WHERE url LIKE "%fifa%" OR url LIKE "%worldcup%"'` (copy the History file first if Chrome is running, as the database is locked while the browser is open).
Preserve Evidence
Capture browser history artifacts before any user remediation: Chrome history at %LOCALAPPDATA%\Google\Chrome\User Data\Default\History (SQLite), Firefox places.sqlite at %APPDATA%\Mozilla\Firefox\Profiles\*.default\places.sqlite, and Edge history at %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\History. Extract Telegram Desktop cache from %APPDATA%\Telegram Desktop\tdata\ and WhatsApp Web session artifacts from the browser profile's Local Storage (e.g., %LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\leveldb\) to identify which users received and clicked Ghost Stadium phishing links via these messaging clients. Preserve Windows Security Event Log Event ID 4688 records showing browser process launches with suspicious URL arguments.
Step 3: Eradication. There is no patch; eradication is control-layer hardening. Update DNS resolver block lists and web content filtering categories to include newly registered FIFA-themed domains. Submit identified malicious URLs to Google Safe Browsing and platform abuse teams (Meta, Telegram) for takedown. Coordinate with brand protection or threat intelligence vendors to monitor for new domain registrations impersonating your organization's FIFA-adjacent communications. Reference NIST SC-7 (Boundary Protection) and D3FEND D3-PBWSAM (Proxy-based Web Server Access Mediation).
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication: remove threat artifacts from the environment and harden controls to prevent reinfection; note that for fraud campaigns with no host-resident malware, eradication is achieved through control-layer blocking and upstream takedown
NIST SC-7 (Boundary Protection)
NIST SI-3 (Malicious Code Protection)
NIST CM-7 (Least Functionality)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 4.2 (Establish and Maintain a Secure Configuration Process for Network Infrastructure)
Compensating Control
Use the free urlscan.io API to automate submission of newly identified Ghost Stadium URLs for public scanning and Google Safe Browsing flagging: `curl -X POST 'https://urlscan.io/api/v1/scan/' -H 'API-Key: <your-free-key>' -H 'Content-Type: application/json' -d '{"url": "http://fif4tickets[.]com", "visibility": "public"}'`. For continuous new-domain detection without a commercial brand protection vendor, set up a free account on WhoisFreaks or use the Python `dnstwist` tool (`pip install dnstwist; dnstwist --registered fifa2026tickets.com`) run as a nightly cron job to surface newly registered typosquats before users encounter them. Submit abuse reports directly to Google Ads at g.co/adsafety and to Meta at facebook.com/help/reportlinks.
Preserve Evidence
Before submitting takedown requests, capture full screenshots and HTTP archive (HAR) files of each Ghost Stadium portal using browser developer tools (F12 > Network tab > Export HAR) to document the fraudulent payment flows and credential harvesting mechanisms — this evidence supports abuse reports and any downstream law enforcement referrals. Record WHOIS registration data for each Ghost Stadium domain using `whois <domain> > domain_whois_$(date +%Y%m%d).txt` before takedown actions alter registration records. Preserve any Google Ads creative IDs and advertiser IDs visible in the ad URL parameters (e.g., gclid= values in proxy logs) as these are actionable for Google's abuse team.
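An added example of working with the HAR evidence described above (not code from this advisory or from any vendor named on it): it reads a DevTools HAR export, lists every POST to a host that is not an official FIFA property together with the submitted field names and the form endpoint, and masks Luhn-valid card numbers to first six/last four and strips CVV and password fields so the evidence can be attached to abuse reports without re-exposing cardholder data. The HAR excerpt, URLs, timestamps and the 4111... test card number are constructed; fifa.com as the only official domain is an assumption.

```python
import json
import re
from urllib.parse import urlparse, parse_qsl, urlencode

OFFICIAL_DOMAINS = {"fifa.com"}  # assumption: the only allowlisted origin
SENSITIVE_FIELDS = {"cvv", "cvc", "cvv2", "cvc2", "password", "passwd", "pwd"}
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed HAR excerpt standing in for a DevTools export from a cloned portal (not real capture data).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"startedDateTime": "2026-02-10T14:02:11.000Z",
     "request": {"method": "GET", "url": "http://fif4tickets.com/?gclid=constructed123",
                 "headers": [], "postData": None},
     "response": {"status": 200}},
    {"startedDateTime": "2026-02-10T14:03:40.000Z",
     "request": {"method": "POST", "url": "http://fif4tickets.com/api/checkout",
                 "headers": [{"name": "Content-Type", "value": "application/x-www-form-urlencoded"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "email=fan%40example.org&card=4111111111111111&exp=12%2F28&cvv=123"}},
     "response": {"status": 302}},
    {"startedDateTime": "2026-02-10T14:05:00.000Z",
     "request": {"method": "POST", "url": "https://www.fifa.com/api/search", "headers": [],
                 "postData": {"mimeType": "application/json", "text": "{\"q\": \"tickets\"}"}},
     "response": {"status": 200}},
]}})


def is_official(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def luhn_ok(digits):
    """Luhn check so only plausible card numbers are masked, not arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text):
    """Keep the first six and last four digits of Luhn-valid PANs (the PCI-DSS display limit)."""
    def mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return digits[:6] + "x" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(mask, text)


def redact_form_body(body):
    """Drop CVV/password values entirely and mask PANs in everything else."""
    pairs = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        pairs.append((key, "REDACTED" if key.lower() in SENSITIVE_FIELDS else mask_pans(value)))
    return urlencode(pairs)


def submissions_from_har(har_text):
    """POST requests to non-official hosts: the submission endpoints the evidence should document."""
    found = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        host = urlparse(req["url"]).hostname or ""
        if req["method"].upper() != "POST" or is_official(host):
            continue
        post = req.get("postData") or {}
        body = post.get("text") or ""
        is_form = "x-www-form-urlencoded" in (post.get("mimeType") or "")
        found.append({
            "time": entry["startedDateTime"],
            "endpoint": req["url"],
            "status": entry["response"]["status"],
            "fields": [k for k, _ in parse_qsl(body, keep_blank_values=True)] if is_form else [],
            "body_redacted": redact_form_body(body) if is_form else mask_pans(body),
        })
    return found


if __name__ == "__main__":
    for sub in submissions_from_har(SAMPLE_HAR):
        print(f'{sub["time"]} POST {sub["endpoint"]} -> {sub["status"]} fields={sub["fields"]}')
        print("  body:", sub["body_redacted"])
```

Run it against the real export with `submissions_from_har(open("portal.har").read())`; keep the unredacted HAR itself under evidence-handling controls and share only the redacted output.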
Step 4: Recovery. Verify block list deployment across all DNS resolvers and proxies; confirm no residual outbound connections to flagged domains in the 24 hours following block application. For any confirmed user interactions with a malicious portal, initiate credential reset workflows and review associated financial accounts for unauthorized transactions. Reference NIST IR-4 (Incident Handling) and CIS 6.2 (Establish an Access Revoking Process).
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery: restore normal operations, verify control effectiveness, and confirm no residual threat activity before declaring the incident closed
NIST IR-4 (Incident Handling)
NIST AC-2 (Account Management)
NIST AC-17 (Remote Access)
CIS 6.2 (Establish an Access Revoking Process)
CIS 5.2 (Use Unique Passwords)
Compensating Control
Verify block list completeness without SIEM by running a 24-hour passive DNS query test: schedule a cron job every 30 minutes that attempts resolution of 5 known-bad Ghost Stadium domains against each internal resolver and logs the result to a CSV — any non-NXDOMAIN response indicates a resolver that missed the block push. For credential reset verification on affected users, use the free HaveIBeenPwned API to check whether the user's corporate email appears in breach datasets that Ghost Stadium may have cross-referenced: `curl 'https://haveibeenpwned.com/api/v3/breachedaccount/<email>' -H 'hibp-api-key: <key>'`. Document each affected user's confirmed interaction timestamp from proxy logs and open a 90-day monitoring window on their account for anomalous authentication events (Windows Security Event ID 4625 for failed logons, 4648 for explicit credential use).
Preserve Evidence
For each confirmed victim user, preserve the proxy or DNS log entry showing the exact timestamp and destination URL of the Ghost Stadium portal interaction, the source IP, and the authenticated username — this establishes the breach window for any regulatory notification clock. If the user entered payment card data on a Ghost Stadium portal, document this as a potential PCI-DSS reportable event; capture the HAR file showing the form submission endpoint. Check for any OAuth token grants or SSO session artifacts if the user navigated from a corporate device through a Google Ads redirect, as some Ghost Stadium portals have been observed attempting OAuth phishing alongside credential harvesting.
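The 24-hour passive DNS verification from the compensating control, written out as an added example (not code from this advisory): every known-bad name is queried against every internal resolver, each answer is classified as nxdomain, sinkholed or RESOLVED-UNBLOCKED, and the rows are emitted as the CSV the 30-minute cron job appends to. The domain names are the advisory's own examples, while the resolver addresses, the sinkhole IPs and the simulated answer table that lets the script run offline are constructed placeholders; swap in a dnspython-backed resolve() to query each resolver directly.

```python
import csv
import io
from datetime import datetime, timezone

KNOWN_BAD = ["fif4tickets.com", "fifaworldcup2026.net"]   # advisory examples; use the full IOC list
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}                    # assumption: Pi-hole style sinkhole answers
RESOLVERS = ["10.0.0.53", "10.0.1.53"]                       # placeholder internal resolver addresses

# Constructed stand-in for live DNS: resolver 10.0.0.53 has the block list, 10.0.1.53 missed the push.
SIMULATED_ANSWERS = {
    ("10.0.0.53", "fif4tickets.com"): None,               # None models NXDOMAIN
    ("10.0.0.53", "fifaworldcup2026.net"): ["0.0.0.0"],   # sinkholed
    ("10.0.1.53", "fif4tickets.com"): ["198.51.100.7"],   # still resolving: block missing
    ("10.0.1.53", "fifaworldcup2026.net"): ["198.51.100.8"],
}


class NXDomain(Exception):
    """Raised by a resolve(domain, resolver_ip) callable when the name does not exist."""


def simulated_resolve(domain, resolver_ip):
    """Offline resolver backed by SIMULATED_ANSWERS; a real one would query resolver_ip over UDP/53."""
    answer = SIMULATED_ANSWERS.get((resolver_ip, domain))
    if answer is None:
        raise NXDomain(domain)
    return answer


def verdict_for(ips):
    """Blocked means sinkholed or absent; a real address means the resolver missed the block push."""
    if not ips:
        return "nodata"
    if set(ips) <= SINKHOLE_IPS:
        return "sinkholed"
    return "RESOLVED-UNBLOCKED"


def check_resolvers(domains, resolvers, resolve=simulated_resolve, now=None):
    """One row per (resolver, domain) pair with the answer and its verdict."""
    checked_at = (now or datetime.now(timezone.utc)).isoformat()
    rows = []
    for resolver in resolvers:
        for domain in domains:
            try:
                ips = resolve(domain, resolver)
                verdict = verdict_for(ips)
            except NXDomain:
                ips, verdict = [], "nxdomain"
            rows.append({"checked_at": checked_at, "resolver": resolver, "domain": domain,
                         "answer": " ".join(ips), "verdict": verdict})
    return rows


def resolvers_missing_block(rows):
    """Resolvers that returned a real address for any known-bad name."""
    return sorted({r["resolver"] for r in rows if r["verdict"] == "RESOLVED-UNBLOCKED"})


def to_csv(rows):
    """CSV layout for the cron job's results file (append the data rows, write the header once)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["checked_at", "resolver", "domain", "answer", "verdict"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    results = check_resolvers(KNOWN_BAD, RESOLVERS)
    print(to_csv(results), end="")
    print("resolvers missing the block:", resolvers_missing_block(results) or "none")
```

Any resolver named by resolvers_missing_block() after the push has a gap to close before the 72-hour confirmation window in the Recovery Guidance can be counted as clean.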
Step 5: Post-Incident. Conduct a user awareness campaign specific to FIFA 2026 fraud: distribute clear guidance on verifying the official FIFA ticketing URL, avoiding sponsored search results for event ticketing, and reporting suspicious communications. Review whether current security awareness training covers social engineering via paid ads and messaging apps, a gap this campaign commonly exploits. Reference NIST AT-2 (Literacy Training and Awareness) and CIS 7.1 (Establish and Maintain a Vulnerability Management Process) for process improvements.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: document lessons learned, update detection and awareness capabilities, and share threat intelligence to improve organizational resilience against recurring campaign patterns
NIST AT-2 (Literacy Training and Awareness)
NIST IR-3 (Incident Response Testing)
NIST PM-16 (Threat Awareness Program)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Without a commercial awareness platform, create a one-page phishing bulletin using CISA's free Stop Ransomware and phishing awareness templates (available at cisa.gov/resources-tools/resources) customized to include: the official FIFA ticketing URL (fifa.com/tickets only), a visual example of a Ghost Stadium typosquatted domain versus the legitimate URL, and a screenshot-based guide to identifying Google Ads 'Sponsored' labels in search results. Distribute via internal email and pin to Slack/Teams channels. For ongoing detection improvement, publish the Ghost Stadium domain patterns as a free Sigma rule (using the Sigma community repo at github.com/SigmaHQ/sigma) targeting proxy logs, and test detection coverage using atomic-red-team or manual simulation of a user browsing to a sinkholed Ghost Stadium domain.
Preserve Evidence
Compile a post-incident metrics report documenting: total number of users who resolved or accessed Ghost Stadium domains (from DNS/proxy logs), number of confirmed credential submissions (from portal interaction evidence), number of domains blocked, and time-to-block from first observed IOC — these metrics feed directly into the lessons-learned record required by NIST 800-61r3 §4 and demonstrate control effectiveness to leadership. Archive all Group-IB IOC feeds, FBI PSA indicators, and internal detection queries used during this incident in a case management record (even a shared folder with dated files) so that when Ghost Stadium or copycat actors resurface with new domains ahead of the July 2026 tournament, the response team has a ready baseline to diff against.
Recovery Guidance
After block list deployment, run continuous DNS resolution checks against all known Ghost Stadium indicators for a minimum of 72 hours to confirm no resolver gaps, paying particular attention to guest Wi-Fi segments and split-tunnel VPN clients that may bypass corporate DNS. Monitor Windows Security Event IDs 4625 and 4648 for confirmed victim user accounts for 90 days, as Ghost Stadium harvested credentials may be used in delayed account takeover attempts long after the initial portal interaction. Given that Ghost Stadium is actively registering new domains and copycat actors are replicating the campaign, maintain weekly dnstwist sweeps on FIFA-adjacent keyword patterns through at least August 2026 to catch net-new infrastructure before employees encounter it.
Key Forensic Artifacts
DNS resolver query logs (Windows DNS debug log at %SystemRoot%\System32\dns\dns.log or BIND query log at /var/log/named/queries.log) filtered for FIFA-themed subdomain patterns registered after January 2025 — these show which internal hosts resolved Ghost Stadium typosquatted domains and establish the victim population scope
Proxy access logs (Squid /var/log/squid/access.log or equivalent) filtered for HTTP POST requests to FIFA-branded domains not matching the canonical fifa.com origin — POST requests indicate credential or payment data submission to a Ghost Stadium harvesting endpoint
Browser history SQLite databases (Chrome: %LOCALAPPDATA%\Google\Chrome\User Data\Default\History; Firefox: %APPDATA%\Mozilla\Firefox\Profiles\*.default\places.sqlite) on endpoints belonging to flagged users, queried for visit timestamps to typosquatted FIFA domains sourced via Google Ads redirect chains (identifiable by gclid= URL parameters)
WhatsApp Web Local Storage artifacts in browser profile (%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\leveldb\) and Telegram Desktop session cache (%APPDATA%\Telegram Desktop\tdata\) to identify users who received and acted on Ghost Stadium links distributed through these messaging channels — the primary social distribution vectors for this campaign
Google Ads redirect chain URLs preserved in proxy logs, specifically entries where the referrer header is googleadservices.com or doubleclick.net resolving to a FIFA-themed destination domain — these capture the paid search vector Ghost Stadium used to surface fraudulent portals above organic FIFA results and are actionable evidence for Google Ads abuse reporting
Detection Guidance
Primary detection surface is DNS and proxy logs.
Query for outbound requests to domains matching FIFA-themed naming patterns registered within the past 12 months; focus on typosquats of 'fifa.com', 'fifatickets', 'worldcup2026', and related strings.
Flag any domain with a newly registered certificate (check CT logs) and FIFA-adjacent branding.
Secondary signal: endpoint browser history or proxy logs showing referral chains from Google Ads (ad click redirects) to unknown FIFA-branded destinations.
Tertiary signal: user-reported suspicious messages received via WhatsApp Web or Telegram Desktop containing FIFA ticketing links.
IOC enrichment: cross-reference outbound domains against threat intelligence feeds and law enforcement advisories on this campaign.
Behavioral indicator: users submitting payment card data to non-fifa.com domains after clicking search ads.
SIEM correlation rule suggestion; alert on: (DNS query contains 'fifa' OR 'worldcup2026') AND (domain registered within last 365 days) AND (domain NOT in allowlist of official FIFA properties).
Reference NIST AU-6 (Audit Record Review) and CIS 8.2 (Collect Audit Logs).
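The correlation rule above and the Step 2 log queries, worked through as an added example that is not part of this page: the script parses Squid native-format access log lines, keeps hosts that match the FIFA-themed naming patterns but are not official FIFA properties, and tags each hit with the signals the guidance lists (domain registered within 365 days, a gclid ad-click parameter marking a Google Ads redirect, and a POST indicating a form submission). The log lines, the analysis date, and the registration-date table standing in for a WHOIS/RDAP or CT-log lookup are all constructed.

```python
import re
from datetime import date
from urllib.parse import urlparse, parse_qs

# Naming patterns from the detection guidance, plus the leetspeak form in the page's fif4tickets example.
FIFA_PATTERN = re.compile(r"fif[a4]|worldcup2026|wc26|cup26", re.IGNORECASE)
OFFICIAL_DOMAINS = {"fifa.com"}  # assumption: the only allowlisted origin
ANALYSIS_DATE = date(2026, 3, 1)  # constructed "today" so the age check is reproducible

# Constructed stand-in for a WHOIS/RDAP or CT-log lookup; not real registration data.
REGISTRATION_DATES = {
    "fif4tickets.com": date(2025, 3, 14),
    "fifaworldcup2026.net": date(2025, 9, 2),
}

# Constructed Squid native-format lines: time elapsed client action/code size method url user hier/from type
SAMPLE_SQUID_LOG = """\
1770000000.123   245 10.1.2.3 TCP_MISS/200 5120 GET https://www.fifa.com/tickets - HIER_DIRECT/203.0.113.10 text/html
1770000100.456   310 10.1.2.3 TCP_MISS/200 2048 GET http://fif4tickets.com/?gclid=constructed-ad-click-id - HIER_DIRECT/198.51.100.7 text/html
1770000160.789   120 10.1.2.3 TCP_MISS/302 512 POST http://fif4tickets.com/checkout - HIER_DIRECT/198.51.100.7 text/html
1770000200.000    90 10.1.2.9 TCP_MISS/200 4096 GET https://fifaworldcup2026.net/tickets - HIER_DIRECT/198.51.100.8 text/html
1770000300.000    80 10.1.2.5 TCP_MISS/200 700 GET https://example.org/news - HIER_DIRECT/203.0.113.44 text/html
"""


def is_official(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def registered_within(host, days, today):
    """True when the (constructed) registration record shows the domain is younger than `days`."""
    registered = REGISTRATION_DATES.get(host.lower())
    return registered is not None and (today - registered).days <= days


def parse_squid_line(line):
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"ts": float(parts[0]), "client": parts[2], "method": parts[5], "url": parts[6]}


def scan_squid_log(text, today, max_age_days=365):
    """Apply the correlation rule and attach the secondary signals to each hit."""
    findings = []
    for line in text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        url = urlparse(rec["url"])
        host = url.hostname or ""
        if not FIFA_PATTERN.search(host) or is_official(host):
            continue
        reasons = ["fifa-themed-host"]
        if registered_within(host, max_age_days, today):
            reasons.append("newly-registered")
        if "gclid" in parse_qs(url.query):
            reasons.append("google-ads-click")
        if rec["method"].upper() == "POST":
            reasons.append("form-submission")
        findings.append({"client": rec["client"], "host": host, "method": rec["method"], "reasons": reasons})
    return findings


def clients_with_submissions(findings):
    """Clients that POSTed to a flagged host: the candidate victim population for Step 4."""
    return sorted({f["client"] for f in findings if "form-submission" in f["reasons"]})


def run_sample():
    return scan_squid_log(SAMPLE_SQUID_LOG, ANALYSIS_DATE)


if __name__ == "__main__":
    hits = run_sample()
    for hit in hits:
        print(f'{hit["client"]} {hit["method"]} {hit["host"]} {",".join(hit["reasons"])}')
    print("clients that submitted forms:", clients_with_submissions(hits))
```

Feed the real access.log through scan_squid_log() and replace REGISTRATION_DATES with a lookup against your WHOIS/RDAP or CT-log source; the official fifa.com traffic in the sample is dropped by the allowlist, and only the typosquat hosts produce findings.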
Indicators of Compromise (3): 1 domain, 2 URLs
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
Microsoft 365 E3
3 log sources
Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5
18 log sources
Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel
27 log sources
All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Legend: Hard indicator (direct match); Contextual (behavioral query); Shared platform (review required)
IOC Detection Queries (1)
2 URL indicator(s).
KQL Query Preview
Read-only — detection query only
// Threat: Ghost Stadium and Copycat Actors Deploy 300+ Fake FIFA Sites Ahead of 2026 World
// Group-IB's exact domain list is not reproduced here, so this matches the FIFA-themed
// naming patterns from the detection guidance and excludes the official fifa.com origin.
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where isnotempty(RemoteUrl)
| extend RemoteHost = tostring(parse_url(RemoteUrl).Host)
| where RemoteHost matches regex @"(?i)fif[a4]|worldcup2026"
| where RemoteHost != "fifa.com" and RemoteHost !endswith ".fifa.com"
| project Timestamp, DeviceName, RemoteUrl, RemoteHost, RemoteIP,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (3)
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Suspicious file execution from downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
| where FileName endswith_any (".exe", ".scr", ".bat", ".ps1", ".vbs", ".js", ".hta", ".msi")
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Falcon API IOC Import Payload (1 indicator)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
  {
    "type": "domain",
    "value": "<one-domain-per-object-from-the-Group-IB-list>",
    "source": "SCC Threat Intel",
    "description": "Ghost Stadium infrastructure \u2014 exact domain list published by Group-IB; cross-reference their threat intelligence report for the full enumeration",
    "severity": "high",
    "action": "detect",
    "platforms": ["windows", "mac", "linux"],
    "applied_globally": true,
    "expiration": "2026-08-27T00:00:00Z"
  }
]
Route 53 DNS — Malicious Domain Resolution
Group-IB's exact domain list is not reproduced on this page, so the filter matches FIFA-themed query names and excludes the official fifa.com origin:
fields @timestamp, qname, srcaddr, rcode
| filter qname like /fif[a4]|worldcup2026/ and qname not like /(^|\.)fifa\.com\.?$/
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
MITRE ATT&CK: T1656, T1583.001, T1071.001, T1204.001, T1608.005, T1566.002, T1598.003
NIST SP 800-53: AT-2, SC-7, SI-3, SI-4, SI-8, SI-7
HIPAA Security Rule: 164.312(d), 164.308(a)(5)(i)
MITRE ATT&CK Mapping
T1656 Impersonation (tactic: defense-evasion)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.