Detect Social Media Accounts in Google Chronicle
Adversaries create and cultivate fake or impersonation social media accounts to build credible personas for use in targeting operations. These accounts may impersonate real employees, HR staff, recruiters, or industry contacts to establish trust before launching spearphishing, credential harvesting, or intelligence-gathering campaigns. Detection focuses on downstream observables: inbound social engineering emails referencing social media profiles, employees receiving suspicious connection or recruitment messages, and threat intelligence correlation identifying accounts impersonating your organization's staff. Real-world examples include HEXANE creating fake LinkedIn HR accounts offering jobs, CURIUM building networks of fictitious profiles posing as attractive contacts, Scattered Spider creating matching fake social media accounts to support identity theft, and EXOTIC LILY mimicking target company employees to gain trust before delivering malware.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1585 Establish Accounts
- Sub-technique
- T1585.001 Social Media Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1585/001/
YARA-L Detection Query
rule t1585_001_social_media_persona_email_lure {
meta:
author = "Detection Engineering"
description = "Detects inbound emails with social engineering job lure content and social media links, indicative of T1585.001 fake persona pre-attack operations"
mitre_attack_tactic = "Resource Development"
mitre_attack_technique = "T1585.001"
severity = "MEDIUM"
priority = "MEDIUM"
created = "2025-01-01"
version = "1.0"
events:
$email.metadata.event_type = "EMAIL_TRANSACTION"
$email.network.email.is_inbound = true
(
re.regex($email.network.email.subject, `(?i)(job opportunity|career opportunity|employment offer|found your profile|connect with you|exclusive opportunity|remote position|we.?re hiring|job opening|open role|recruiter|talent acquisition|linkedin connection|exciting opportunity|came across your profile|work from home|contractor position|freelance project)`)
or
re.regex($email.network.email.full_html, `(?i)(job opportunity|career opportunity|employment offer|found your profile|connect with you|i saw your profile|your background|our team is looking|exclusive opportunity|recruiter|talent acquisition)`)
)
(
re.regex($email.network.http.referral_url, `(?i)(linkedin\.com|facebook\.com|twitter\.com|x\.com|instagram\.com|telegram\.org|t\.me|wa\.me|discord\.com|linktr\.ee)`)
or
re.regex($email.target.url, `(?i)(linkedin\.com|facebook\.com|twitter\.com|x\.com|instagram\.com|telegram\.org|t\.me|discord\.com|linktr\.ee)`)
)
not re.regex($email.network.email.from, `(?i)@yourcompany\.com$`)
condition:
$email
}Chronicle YARA-L 2.0 rule detecting T1585.001 social media persona abuse via inbound email lures. Matches emails from external senders containing job/recruiting social engineering language alongside embedded social media platform URLs or referral links. Covers fake LinkedIn, Telegram, and Discord persona-driven outreach.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate recruiters from third-party staffing agencies
- Automated job alert services (LinkedIn Jobs, Indeed) sending match emails
- Marketing platforms sending social media engagement prompts
- Internal HR newsletters containing social media links for company profiles
Other platforms for T1585.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Inbound Social Engineering Email with LinkedIn URL
Expected signal: EmailEvents: new record with SenderFromAddress='[email protected]', Subject containing 'job opportunity', Direction='Inbound'. EmailUrlInfo: record linking NetworkMessageId to 'linkedin.com/in/red-team-test-persona'. Microsoft Defender for Office 365 Safe Links may wrap the URL. Email gateway (Proofpoint/Mimecast/Cisco ESA) logs inbound message with external sender and social media URL.
- Test 2OSINT: Search for Fake Social Media Profiles Impersonating Company Employees
Expected signal: Browser history: outbound GET requests to google.com, linkedin.com, twitter.com search URLs from analyst workstation. Proxy logs: requests to search engines and social media platforms from analyst IP. No malicious telemetry expected — this is a defensive OSINT exercise.
- Test 3Test Email Display Name Spoofing Detection
Expected signal: EmailEvents: SenderFromAddress='[email protected]', SenderDisplayName='Jane Doe'. IdentityInfo join will match internal employee 'Jane Doe' with mismatched domain. Microsoft Defender for Office 365 anti-impersonation policy (if configured) will generate a ZapType action. Email gateway logs: From header mismatch between display name and envelope sender domain.
- Test 4Validate Social Media Profile Takedown Reporting Workflow
Expected signal: Outbound HTTP requests from analyst workstation to linkedin.com, twitter.com, facebook.com, telegram.org, web.archive.org. Proxy logs record the connection attempts. No malicious telemetry expected.
References (9)
- https://attack.mitre.org/techniques/T1585/001/
- https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
- http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- https://blog.google/threat-analysis-group/exotic-lily-initial-access-broker/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity/
- https://unit42.paloaltonetworks.com/medusa-ransomware/
- https://www.clearskysec.com/siamesekitten/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1585.001/T1585.001.md
Unlock Pro Content
Get the full detection package for T1585.001 including response playbook, investigation guide, and atomic red team tests.