T1585.001

Social Media Accounts

Adversaries create and cultivate fake or impersonation social media accounts to build credible personas for use in targeting operations. These accounts may impersonate real employees, HR staff, recruiters, or industry contacts to establish trust before launching spearphishing, credential harvesting, or intelligence-gathering campaigns. Detection focuses on downstream observables: inbound social engineering emails referencing social media profiles, employees receiving suspicious connection or recruitment messages, and threat intelligence correlation identifying accounts impersonating your organization's staff. Real-world examples include HEXANE creating fake LinkedIn HR accounts offering jobs, CURIUM building networks of fictitious profiles posing as attractive contacts, Scattered Spider creating matching fake social media accounts to support identity theft, and EXOTIC LILY mimicking target company employees to gain trust before delivering malware.

Microsoft Sentinel / Defender

kusto

let SocialMediaDomains = dynamic([
    "linkedin.com", "facebook.com", "twitter.com", "x.com",
    "instagram.com", "telegram.org", "t.me", "wa.me",
    "discord.com", "discord.gg", "linktr.ee"
]);
let SocialEngineeringKeywords = dynamic([
    "job opportunity", "career opportunity", "employment offer",
    "found your profile", "connect with you", "exclusive opportunity",
    "remote position", "we are hiring", "job opening", "open role",
    "recruiter", "talent acquisition", "LinkedIn connection",
    "exciting opportunity", "I came across your profile",
    "work from home", "contractor position", "freelance project"
]);
let HighValueJobTitles = dynamic([
    "CEO", "CFO", "CISO", "CTO", "COO", "VP", "Vice President",
    "Director", "Manager", "Engineer", "Analyst", "Administrator",
    "Developer", "Architect"
]);
// Step 1: Find inbound emails with social engineering subject lines
let SuspiciousEmails = EmailEvents
| where Timestamp > ago(24h)
| where EmailDirection == "Inbound"
| where DeliveryAction != "Blocked"
| where Subject has_any (SocialEngineeringKeywords)
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain,
          RecipientEmailAddress, Subject, DeliveryLocation, DeliveryAction;
// Step 2: Join with URL info to find social media links in those emails
let EmailsWithSocialLinks = SuspiciousEmails
| join kind=inner (
    EmailUrlInfo
    | where Url has_any (SocialMediaDomains)
    | project NetworkMessageId, SocialMediaUrl=Url, UrlDomain=UrlDomain
) on NetworkMessageId;
// Step 3: Enrich with recipient identity for high-value targeting detection
EmailsWithSocialLinks
| join kind=leftouter (
    IdentityInfo
    | where JobTitle has_any (HighValueJobTitles)
    | project AccountUpn, TargetJobTitle=JobTitle, Department
) on $left.RecipientEmailAddress == $right.AccountUpn
| extend IsHighValueTarget = isnotempty(TargetJobTitle)
| extend ExternalSender = SenderFromDomain !endswith ".internal" and SenderFromDomain !in~ ("yourcompany.com")
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain,
          RecipientEmailAddress, TargetJobTitle, Department, Subject,
          SocialMediaUrl, UrlDomain, DeliveryLocation, IsHighValueTarget
| sort by IsHighValueTarget desc, Timestamp desc

medium severity medium confidence

Data Sources

Application Log: Application Log Content Network Traffic: Network Traffic Content Microsoft Defender for Office 365 Email: Email Message

Required Tables

EmailEvents EmailUrlInfo IdentityInfo

False Positives

Legitimate external recruiters using LinkedIn InMail or email to contact employees about real job opportunities
HR teams running internal talent acquisition campaigns referencing social media profiles
Marketing or PR staff receiving social media collaboration or partnership outreach
Security awareness training simulations sending test phishing emails with social media themes
Industry event organizers sending networking invitations with social media links

Splunk

spl

index=email (sourcetype="cisco:esa:syslog" OR sourcetype="proofpoint:mail" OR sourcetype="mimecast:email" OR sourcetype="symantec:ep:mail" OR sourcetype="o365:management:activity")
| search direction="inbound" OR direction="Inbound" OR recipient_domain="yourcompany.com"
| eval subject_lower=lower(coalesce(subject, Subject, ""))
| eval body_lower=lower(coalesce(body, message_body, ""))
| eval urls_lower=lower(coalesce(urls, url, ""))
| eval social_eng_subject=if(
    match(subject_lower, "(job opportunity|career opportunity|employment offer|found your profile|connect with you|exclusive opportunity|remote position|we.?re hiring|job opening|recruiter|talent acquisition|linkedin connection|exciting opportunity|came across your profile|work from home|contractor position|freelance project)"),
    1, 0)
| eval social_media_link=if(
    match(urls_lower, "(linkedin\.com|facebook\.com|twitter\.com|x\.com|instagram\.com|t\.me|telegram\.org|wa\.me|discord\.com|linktr\.ee)"),
    1, 0)
| eval body_social_eng=if(
    match(body_lower, "(job opportunity|career opportunity|employment offer|found your profile|connect with you|exclusive opportunity|remote position|we.?re hiring|recruiter|talent acquisition|i saw your profile|your background|your experience|our team is looking)"),
    1, 0)
| eval risk_score=social_eng_subject + social_media_link + body_social_eng
| where risk_score >= 1
| eval risk_label=case(
    risk_score >= 3, "HIGH",
    risk_score == 2, "MEDIUM",
    risk_score == 1, "LOW"
)
| eval sender_domain=lower(replace(coalesce(sender, from_address, ""), ".*@", ""))
| eval is_external=if(NOT match(sender_domain, "yourcompany\.com"), 1, 0)
| where is_external=1
| table _time, sender, recipient, subject, urls_lower, social_eng_subject, social_media_link, body_social_eng, risk_score, risk_label
| sort - risk_score, - _time

medium severity medium confidence

Data Sources

Application Log: Application Log Content Email: Email Message Network Traffic: Network Traffic Content

Required Sourcetypes

cisco:esa:syslog proofpoint:mail mimecast:email o365:management:activity

False Positives

Legitimate external recruiters contacting employees via email with social media profile links
Business development or partnership outreach containing social media handles
Industry conference or webinar invitations with social media event links
Vendor onboarding communications referencing LinkedIn company pages
Security awareness training campaigns simulating recruitment-themed phishing

Elastic Security (EQL)

eql

sequence by process.entity_id
[
  network where event.category == "network" and
  (
    dns.question.name like~ "*linkedin.com" or
    dns.question.name like~ "*facebook.com" or
    dns.question.name like~ "*twitter.com" or
    dns.question.name like~ "*x.com" or
    dns.question.name like~ "*instagram.com" or
    dns.question.name like~ "*telegram.org" or
    dns.question.name like~ "*t.me" or
    dns.question.name like~ "*discord.com" or
    dns.question.name like~ "*linktr.ee"
  )
]
with runs=1

// Alternatively, for email-based detection using process/file events:
// Search for email client processes accessing social media URLs in email body files

// Primary: Email log-based detection
any where event.dataset == "o365.audit" or event.dataset == "google_workspace.gmail"
| where event.action in ("MessageReceived", "message_received")
| where (
    (
      (destination like~ "*job opportunity*" or destination like~ "*career opportunity*"
       or destination like~ "*found your profile*" or destination like~ "*connect with you*"
       or destination like~ "*exclusive opportunity*" or destination like~ "*we are hiring*"
       or destination like~ "*recruiter*" or destination like~ "*talent acquisition*")
    )
    and
    (
      (url.original like~ "*linkedin.com*" or url.original like~ "*facebook.com*"
       or url.original like~ "*twitter.com*" or url.original like~ "*instagram.com*"
       or url.original like~ "*telegram.org*" or url.original like~ "*discord.com*")
    )
  )

medium severity medium confidence

Data Sources

Microsoft 365 Audit Logs Google Workspace Gmail Logs Network DNS Logs Endpoint Logs via Elastic Agent

Required Tables

logs-o365.audit-* logs-google_workspace.gmail-* logs-network.dns-* logs-endpoint.events.network-*

False Positives

Legitimate HR or recruiting teams sending job postings to candidates
Internal talent acquisition emails referencing LinkedIn profiles for open roles
Newsletter or marketing emails containing social media follow links
Sales outreach from known vendors using social proof links

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
  "sender" AS sender_address,
  "recipient" AS recipient_address,
  "subject" AS email_subject,
  "url" AS url_in_email,
  magnitude
FROM events
WHERE
  LOGSOURCETYPEID IN (
    -- Proofpoint, Mimecast, Microsoft Exchange, O365
    -- Use actual logsource type IDs from your QRadar deployment
    -- Common: 352 (Microsoft Exchange), 400 (Proofpoint), 433 (Mimecast)
    352, 400, 433, 465
  )
  AND CATEGORYNAME(category) LIKE '%Mail%'
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    LOWER("subject") ILIKE '%job opportunity%'
    OR LOWER("subject") ILIKE '%career opportunity%'
    OR LOWER("subject") ILIKE '%employment offer%'
    OR LOWER("subject") ILIKE '%found your profile%'
    OR LOWER("subject") ILIKE '%connect with you%'
    OR LOWER("subject") ILIKE '%exclusive opportunity%'
    OR LOWER("subject") ILIKE '%remote position%'
    OR LOWER("subject") ILIKE '%we are hiring%'
    OR LOWER("subject") ILIKE '%recruiter%'
    OR LOWER("subject") ILIKE '%talent acquisition%'
    OR LOWER("subject") ILIKE '%exciting opportunity%'
    OR LOWER("subject") ILIKE '%work from home%'
    OR LOWER("subject") ILIKE '%freelance project%'
  )
  AND (
    LOWER("url") ILIKE '%linkedin.com%'
    OR LOWER("url") ILIKE '%facebook.com%'
    OR LOWER("url") ILIKE '%twitter.com%'
    OR LOWER("url") ILIKE '%x.com%'
    OR LOWER("url") ILIKE '%instagram.com%'
    OR LOWER("url") ILIKE '%telegram.org%'
    OR LOWER("url") ILIKE '%t.me%'
    OR LOWER("url") ILIKE '%discord.com%'
    OR LOWER("url") ILIKE '%linktr.ee%'
  )
  AND LOWER("sender") NOT ILIKE '%yourcompany.com%'
ORDER BY magnitude DESC, starttime DESC
LIMIT 500

medium severity medium confidence

Data Sources

QRadar Email Log Sources (Proofpoint, Mimecast, Microsoft Exchange) QRadar Network Activity

Required Tables

events

False Positives

Legitimate recruitment agencies sending job offers containing LinkedIn profile links
Internal HR department emails forwarded through external mail relay
Marketing automation tools sending newsletters with social media links
Vendor outreach emails from sales teams referencing company social profiles

Sumo Logic CSE

sql

_sourceCategory=email/* OR _sourceCategory=mail/*
| where !(isNull(_raw))
// Normalize fields
| parse field=_raw "\"subject\":\"*\"" as subject nodrop
| parse field=_raw "\"from\":\"*\"" as sender nodrop
| parse field=_raw "\"to\":\"*\"" as recipient nodrop
| parse field=_raw "\"urls\":\"*\"" as urls nodrop
// Lowercase for matching
| toLowerCase(subject) as subject_lower
| toLowerCase(urls) as urls_lower
| toLowerCase(sender) as sender_lower
// Social engineering keyword detection in subject
| if(subject_lower matches "*(job opportunity|career opportunity|employment offer|found your profile|connect with you|exclusive opportunity|remote position|we are hiring|we're hiring|job opening|open role|recruiter|talent acquisition|linkedin connection|exciting opportunity|came across your profile|work from home|contractor position|freelance project)*", 1, 0) as social_eng_subject
// Social media URL detection
| if(urls_lower matches "*(linkedin.com|facebook.com|twitter.com|x.com|instagram.com|telegram.org|t.me|wa.me|discord.com|discord.gg|linktr.ee)*", 1, 0) as social_media_link
// External sender check
| if(!(sender_lower matches "*yourcompany.com*"), 1, 0) as is_external
// Risk scoring
| toInt(social_eng_subject) + toInt(social_media_link) as risk_score
| where risk_score >= 1 and is_external == 1
| if(risk_score >= 2, "HIGH", if(risk_score == 1, "MEDIUM", "LOW")) as risk_label
| fields _messageTime, sender, recipient, subject, urls_lower, social_eng_subject, social_media_link, risk_score, risk_label
| sort by risk_score desc, _messageTime desc

medium severity medium confidence

Data Sources

Email Gateway Logs (Proofpoint, Mimecast, O365) Mail Transfer Agent Syslogs

Required Tables

_sourceCategory=email/* _sourceCategory=mail/*

False Positives

Legitimate job boards or recruiting platforms sending outreach emails
Internal talent acquisition teams using external email services
Marketing emails from industry groups referencing social media channels
Automated HR system notifications containing LinkedIn integration links

Google Chronicle / SecOps

yaral

rule t1585_001_social_media_persona_email_lure {
  meta:
    author = "Detection Engineering"
    description = "Detects inbound emails with social engineering job lure content and social media links, indicative of T1585.001 fake persona pre-attack operations"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585.001"
    severity = "MEDIUM"
    priority = "MEDIUM"
    created = "2025-01-01"
    version = "1.0"

  events:
    $email.metadata.event_type = "EMAIL_TRANSACTION"
    $email.network.email.is_inbound = true
    (
      re.regex($email.network.email.subject, `(?i)(job opportunity|career opportunity|employment offer|found your profile|connect with you|exclusive opportunity|remote position|we.?re hiring|job opening|open role|recruiter|talent acquisition|linkedin connection|exciting opportunity|came across your profile|work from home|contractor position|freelance project)`)
      or
      re.regex($email.network.email.full_html, `(?i)(job opportunity|career opportunity|employment offer|found your profile|connect with you|i saw your profile|your background|our team is looking|exclusive opportunity|recruiter|talent acquisition)`)
    )
    (
      re.regex($email.network.http.referral_url, `(?i)(linkedin\.com|facebook\.com|twitter\.com|x\.com|instagram\.com|telegram\.org|t\.me|wa\.me|discord\.com|linktr\.ee)`)
      or
      re.regex($email.target.url, `(?i)(linkedin\.com|facebook\.com|twitter\.com|x\.com|instagram\.com|telegram\.org|t\.me|discord\.com|linktr\.ee)`)
    )
    not re.regex($email.network.email.from, `(?i)@yourcompany\.com$`)

  condition:
    $email
}

medium severity medium confidence

Data Sources

Google Chronicle UDM Email Security Gateway Feeds O365 / Google Workspace Chronicle Ingestion

Required Tables

UDM EMAIL_TRANSACTION events

False Positives

Legitimate recruiters from third-party staffing agencies
Automated job alert services (LinkedIn Jobs, Indeed) sending match emails
Marketing platforms sending social media engagement prompts
Internal HR newsletters containing social media links for company profiles

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale - Falcon for Email or Email Security Integration
// Detects social engineering emails with social media links for T1585.001

#event_simpleName = "EmailMessageEvent"
| in(direction, values=["inbound", "Inbound"])
// Match social engineering keywords in subject
| regex(field=subject, regex="(?i)(job opportunity|career opportunity|employment offer|found your profile|connect with you|exclusive opportunity|remote position|we.?re hiring|job opening|open role|recruiter|talent acquisition|linkedin connection|exciting opportunity|came across your profile|work from home|contractor position|freelance project)", strict=false)
// Match social media URLs
| regex(field=urls, regex="(?i)(linkedin\.com|facebook\.com|twitter\.com|x\.com|instagram\.com|telegram\.org|t\.me|wa\.me|discord\.com|discord\.gg|linktr\.ee)", strict=false)
// Exclude internal senders
| not regex(field=senderDomain, regex="(?i)yourcompany\.com")
// Risk scoring
| eval(social_eng_subject = if(match(subject, "(?i)(job opportunity|career opportunity|recruiter|talent acquisition|found your profile|we.?re hiring|exclusive opportunity)"), 1, 0))
| eval(social_media_link = if(match(urls, "(?i)(linkedin\.com|facebook\.com|twitter\.com|instagram\.com|telegram\.org|t\.me|discord\.com)"), 1, 0))
| eval(risk_score = social_eng_subject + social_media_link)
| eval(risk_label = if(risk_score >= 2, "HIGH", if(risk_score == 1, "MEDIUM", "LOW")))
| where risk_score >= 1
| table([timestamp, senderAddress, senderDomain, recipientAddress, subject, urls, risk_score, risk_label])
| sort(timestamp, order=desc)

medium severity medium confidence

Data Sources

Falcon for Email CrowdStrike LogScale Email Security Integration Proofpoint / Mimecast feeds via LogScale Collector

Required Tables

EmailMessageEvent

False Positives

Legitimate staffing agency outreach emails containing LinkedIn profile links
Company-sponsored job fair or recruiting event notifications
Industry conference networking emails referencing social channels
Automated HR platform emails with social media sign-in links

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1585.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Social Media Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections