Detect Social Media Accounts in Elastic Security
Adversaries create and cultivate fake or impersonation social media accounts to build credible personas for use in targeting operations. These accounts may impersonate real employees, HR staff, recruiters, or industry contacts to establish trust before launching spearphishing, credential harvesting, or intelligence-gathering campaigns. Detection focuses on downstream observables: inbound social engineering emails referencing social media profiles, employees receiving suspicious connection or recruitment messages, and threat intelligence correlation identifying accounts impersonating your organization's staff. Real-world examples include HEXANE creating fake LinkedIn HR accounts offering jobs, CURIUM building networks of fictitious profiles posing as attractive contacts, Scattered Spider creating matching fake social media accounts to support identity theft, and EXOTIC LILY mimicking target company employees to gain trust before delivering malware.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1585 Establish Accounts
- Sub-technique: T1585.001 Social Media Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1585/001/
Elastic Detection Query
// DNS-level detection: endpoint resolution of social media platforms.
// Written as a single event query: a one-item sequence with runs=1 adds nothing
// over a plain query. Suffix patterns are anchored on a dot so that, for example,
// "dropbox.com" does not match the "x.com" pattern.
network where event.category == "network" and
  (
    dns.question.name in~ ("linkedin.com", "facebook.com", "twitter.com", "x.com",
                           "instagram.com", "telegram.org", "t.me", "discord.com", "linktr.ee") or
    dns.question.name like~ ("*.linkedin.com", "*.facebook.com", "*.twitter.com", "*.x.com",
                             "*.instagram.com", "*.telegram.org", "*.t.me", "*.discord.com", "*.linktr.ee")
  )
// Alternatively, for email-based detection using process/file events, search for
// email client processes accessing social media URLs in email body files.

// Primary: email log-based detection (O365 and Google Workspace audit logs).
// EQL has no "| where" pipe, so the filters are combined into one event query.
// The keyword match is applied to the ECS subject field (email.subject); the
// original used "destination", which is not an email field.
any where (event.dataset == "o365.audit" or event.dataset == "google_workspace.gmail") and
  event.action in ("MessageReceived", "message_received") and
  email.subject like~ ("*job opportunity*", "*career opportunity*", "*found your profile*",
                       "*connect with you*", "*exclusive opportunity*", "*we are hiring*",
                       "*recruiter*", "*talent acquisition*") and
  url.original like~ ("*linkedin.com*", "*facebook.com*", "*twitter.com*",
                      "*instagram.com*", "*telegram.org*", "*discord.com*")

Detects inbound emails containing social engineering keywords (job offers, recruiter outreach) combined with social media profile links. Targets T1585.001, where adversaries use fake social media personas to initiate contact via email. Covers O365 and Google Workspace audit logs as well as DNS-level social media resolution chains.
False Positives & Tuning
- Legitimate HR or recruiting teams sending job postings to candidates
- Internal talent acquisition emails referencing LinkedIn profiles for open roles
- Newsletter or marketing emails containing social media follow links
- Sales outreach from known vendors using social proof links
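As an added example, not code from this detection package or from Elastic, the email rule's logic re-implemented in Python and run over constructed ECS-style events. It also applies the dot-anchored platform match used for the DNS query and suppresses the legitimate recruiting-vendor case from the tuning list above. Field names follow ECS; the sender domains and the allowlist entry are assumptions.

```python
from urllib.parse import urlparse

# Keyword and platform lists mirror the Elastic queries above.
LURE_KEYWORDS = ("job opportunity", "career opportunity", "found your profile",
                 "connect with you", "exclusive opportunity", "we are hiring",
                 "recruiter", "talent acquisition")
SOCIAL_DOMAINS = ("linkedin.com", "facebook.com", "twitter.com", "x.com",
                  "instagram.com", "telegram.org", "t.me", "discord.com", "linktr.ee")
ALLOWED_SENDER_DOMAINS = {"hr-vendor.example"}  # constructed tuning allowlist (assumption)

def is_social_domain(host: str) -> bool:
    """Exact or subdomain match, so 'dropbox.com' does not match 'x.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SOCIAL_DOMAINS)

def url_host(url: str) -> str:
    """Host part of a URL; scheme-less links like 'linkedin.com/in/x' get one added."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""

def is_recruiter_lure(event: dict) -> bool:
    """Mirror of the email rule: inbound message, lure in subject, link to a social platform."""
    if event.get("event.dataset") not in ("o365.audit", "google_workspace.gmail"):
        return False
    if event.get("event.action") not in ("MessageReceived", "message_received"):
        return False
    sender_domain = event.get("email.from.address", "").rpartition("@")[2].lower()
    if sender_domain in ALLOWED_SENDER_DOMAINS:
        return False  # tuning: known recruiting vendor, see False Positives
    subject = event.get("email.subject", "").lower()
    if not any(k in subject for k in LURE_KEYWORDS):
        return False
    return any(is_social_domain(url_host(u)) for u in event.get("url.original", []))

# Constructed sample events in flattened ECS field names (not real telemetry).
SAMPLE_EVENTS = [
    {"event.dataset": "o365.audit", "event.action": "MessageReceived",
     "email.from.address": "talent@recruit-now.example", "email.subject": "Exciting job opportunity",
     "url.original": ["https://www.linkedin.com/in/persona"]},  # fires
    {"event.dataset": "o365.audit", "event.action": "MessageReceived",
     "email.from.address": "share@files.example", "email.subject": "We are hiring - see attached",
     "url.original": ["https://www.dropbox.com/s/abc"]},  # must not match "x.com"
    {"event.dataset": "google_workspace.gmail", "event.action": "message_received",
     "email.from.address": "jobs@hr-vendor.example", "email.subject": "Recruiter outreach",
     "url.original": ["https://linkedin.com/jobs/123"]},  # allowlisted vendor, suppressed
]

def run(events):
    """Subjects of the events that trigger the rule."""
    return [e["email.subject"] for e in events if is_recruiter_lure(e)]
```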
Testing Methodology
Validate this detection against 4 tests from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate Inbound Social Engineering Email with LinkedIn URL
Expected signal: EmailEvents: new record with SenderFromAddress='[email protected]', Subject containing 'job opportunity', Direction='Inbound'. EmailUrlInfo: record linking NetworkMessageId to 'linkedin.com/in/red-team-test-persona'. Microsoft Defender for Office 365 Safe Links may wrap the URL. Email gateway (Proofpoint/Mimecast/Cisco ESA) logs inbound message with external sender and social media URL.
- Test 2: OSINT: Search for Fake Social Media Profiles Impersonating Company Employees
Expected signal: Browser history: outbound GET requests to google.com, linkedin.com, twitter.com search URLs from analyst workstation. Proxy logs: requests to search engines and social media platforms from analyst IP. No malicious telemetry expected — this is a defensive OSINT exercise.
- Test 3: Test Email Display Name Spoofing Detection
Expected signal: EmailEvents: SenderFromAddress='[email protected]', SenderDisplayName='Jane Doe'. IdentityInfo join will match internal employee 'Jane Doe' with mismatched domain. Microsoft Defender for Office 365 anti-impersonation policy (if configured) will generate a ZapType action. Email gateway logs: From header mismatch between display name and envelope sender domain.
- Test 4: Validate Social Media Profile Takedown Reporting Workflow
Expected signal: Outbound HTTP requests from analyst workstation to linkedin.com, twitter.com, facebook.com, telegram.org, web.archive.org. Proxy logs record the connection attempts. No malicious telemetry expected.
References (9)
- https://attack.mitre.org/techniques/T1585/001/
- https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
- http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- https://blog.google/threat-analysis-group/exotic-lily-initial-access-broker/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity/
- https://unit42.paloaltonetworks.com/medusa-ransomware/
- https://www.clearskysec.com/siamesekitten/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1585.001/T1585.001.md